bootrapping support

README.md

@@ -64,7 +64,9 @@ lldap:
   baseDN: "dc=netkingdom,dc=local"
 
 authelia:
-  baseURL: "https://authelia.local"
+  baseURL: "http://authelia.sso.svc.cluster.local:9091"
+  browserBaseURL: "https://authelia.local"
+  tokenBaseURL: "http://authelia.sso.svc.cluster.local:9091"
   clientId: "keycape"
   clientSecret: "secret"
   redirectURI: "https://auth.netkingdom.local/authorize/callback"
@@ -81,10 +83,22 @@ clients:
     allowedScopes: ["openid", "profile", "email", "groups"]
     grantTypes: ["authorization_code"]
     clientType: "public"
+  - clientId: "netkingdom-bootstrap-console"
+    displayName: "NetKingdom Bootstrap Console"
+    redirectUris:
+      - "http://127.0.0.1:8876/oidc/callback"
+      - "http://localhost:8876/oidc/callback"
+    allowedScopes: ["openid", "profile", "email", "groups"]
+    grantTypes: ["authorization_code"]
+    clientType: "public"
 ```
 
 Config is validated at startup — the server exits 1 with validation errors if config is invalid.
 
+`browserBaseURL` is used only for the human browser redirect to Authelia.
+`tokenBaseURL` is used for server-side code exchange. If either is omitted,
+KeyCape falls back to `baseURL`.
+
 ## Endpoints
 
 | Endpoint | Description |
@@ -93,6 +107,7 @@ Config is validated at startup — the server exits 1 with validation errors if
 | `GET /jwks` | RS256 public key in JWK Set format |
 | `GET /authorize` | Authorization endpoint (PKCE required) |
 | `GET /authorize/callback` | Authelia callback handler |
+| `POST /authorize/callback` | privacyIDEA MFA challenge submission |
 | `POST /token` | Token exchange (authorization_code only) |
 | `GET /userinfo` | Userinfo endpoint (Bearer token required) |
 | `GET /healthz` | Health check → `{"status":"ok","version":"0.1.0"}` |