From c8998d1a8fde17e81d2c9c4ee3c08acf9100ee30 Mon Sep 17 00:00:00 2001 From: Timshel Date: Wed, 2 Apr 2025 17:33:47 +0200 Subject: [PATCH] Rauthy configuration hints --- SSO.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/SSO.md b/SSO.md index 5b3590a6..0fe57fab 100644 --- a/SSO.md +++ b/SSO.md @@ -220,6 +220,19 @@ Your configuration should look like this: * `SSO_CLIENT_ID=${Application (client) ID}` * `SSO_CLIENT_SECRET=${Secret Value}` +## Rauthy + +To use a provider controlled session you will need to run Rauthy with `DISABLE_REFRESH_TOKEN_NBF=true` otherwise the server will fail when trying to read a not yet valid `refresh_token` (`Bitwarden` clients will trigger a refresh even if the `access_token` is still valid. Details on rauthy [side](https://github.com/sebadob/rauthy/issues/651)). Alternative is to use the default session handling with `SSO_AUTH_ONLY_NOT_SESSION=true`. + +No specific config needed when creating the Client. + +Your configuration should look like this: + +* `SSO_AUTHORITY=http://${provider_host}/auth/v1` +* `SSO_CLIENT_ID=${Client ID}` +* `SSO_CLIENT_SECRET=${Client Secret}` +* `SSO_AUTH_ONLY_NOT_SESSION=true` Only needed if not running `Rauthy` with `DISABLE_REFRESH_TOKEN_NBF=true` + ## Slack You will need to create an app in https://api.slack.com/apps/.
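Review bot: The `SSO_AUTHORITY=http://${provider_host}/auth/v1` example in the new Rauthy section uses plain `http://`, so a reader who copies it would have the client secret and tokens exchanged with the provider over an unencrypted connection; suggest `https://${provider_host}/auth/v1` in the example. In the same section, the last bullet places `SSO_AUTH_ONLY_NOT_SESSION=true` in the "Your configuration should look like this" list with its condition trailing after the value, which reads as if the setting were always required. Consider presenting the two alternatives from the first paragraph separately (Rauthy run with `DISABLE_REFRESH_TOKEN_NBF=true`, or `SSO_AUTH_ONLY_NOT_SESSION=true` on this side), and moving the Rauthy issue link out of the parenthesis, which currently nests two sentences and buries the reason the setting is needed.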