Local Identity OICD bootstrap

docs/LocalIdentity.md

@@ -111,6 +111,7 @@ local-identity init                      # derive primary user, generate test us
 local-identity list                      # list all users in the store
 local-identity show <username>           # display user file
 local-identity export <username>         # emit Keycloak-compatible JSON
+local-identity bootstrap-oidc            # print local OIDC client settings
 local-identity serve [--port P] [--ttl T]  # start minimal OIDC server
 local-identity security-check           # validate filesystem permissions
 local-identity revoke-token <jti|jwt>   # add a token JTI to the revocation list
@@ -130,6 +131,33 @@ server starts on localhost. It supports:
 This allows dev/test applications to use standard OIDC libraries against
 Local Identity without any Keycloak dependency.
 
+To bootstrap a local app against the provider, initialise the store and emit
+client settings:
+
+```bash
+local-identity init --email bernd@example.com
+local-identity bootstrap-oidc \
+  --client-id local-dev \
+  --redirect-uri http://127.0.0.1:3000/callback
+local-identity serve
+```
+
+`bootstrap-oidc` persists the client settings under `oidc_clients` in
+`~/.local-identity/config.yaml` and prints environment variables:
+
+```bash
+OIDC_ISSUER=https://127.0.0.1:8443
+OIDC_DISCOVERY_URL=https://127.0.0.1:8443/.well-known/openid-configuration
+OIDC_CLIENT_ID=local-dev
+OIDC_REDIRECT_URI=http://127.0.0.1:3000/callback
+OIDC_SCOPE='openid profile email'
+OIDC_TOKEN_ENDPOINT_AUTH_METHOD=none
+```
+
+Redirect URIs must be loopback URLs (`127.0.0.1`, `localhost`, or `::1`).
+The server intentionally trusts local clients and does not require a client
+secret.
+
 **Security note:** the OIDC server binds to `127.0.0.1` only. Never expose
 it on a public interface.