refac: sso

tjbck · tjbck · commit ca9ab27cbdff · 2025-09-01T02:47:44.000+04:00
diff --git a/docs/features/sso/index.mdx b/docs/features/sso/index.mdx
@@ -28,17 +28,17 @@ You cannot have Microsoft **and** Google as providers simultaneously.
 
 :::
 
-## OAuth
-
-There are several global configuration options for OAuth in general:
-
-1. `ENABLE_OAUTH_SIGNUP` - if `true`, allows accounts to be created when logging in with OAuth. Distinct from `ENABLE_SIGNUP`.
-1. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL` - allows logging into an account that matches the email address provided by the OAuth provider.
-    - This is considered insecure as not all OAuth providers verify email addresses, and may allow accounts to be hijacked.
-1. `OAUTH_UPDATE_PICTURE_ON_LOGIN` - if `true`, users will have OAuth-provided profile pictures updated on login.
-    - If the OAuth picture claim is disabled by setting `OAUTH_PICTURE_CLAIM` to the empty string, this configuration will be ignored.
-1. `OAUTH_PICTURE_CLAIM` - can be used to customize or disable profile picture storage. The default, `picture`, will work for most providers; if set to the empty string, all users will receive the default person profile picture.
-1. `WEBUI_AUTH_SIGNOUT_REDIRECT_URI` - can be set to optionally forward the user to a specific URI after logging out.
+## OAuth Configuration Overview
+
+| Environment Variable                  | Default   | Description                                                                                                                             |
+|---------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------------------|
+| `WEBUI_URL`                          | —         | **Required.** Your public WebUI address, e.g., `http://localhost:8080`.                                                                |
+| `ENABLE_OAUTH_PERSISTENT_CONFIG`      | `true`    | Persist OAuth config to the database; set to `false` for stateless/containerized environments.                                          |
+| `ENABLE_OAUTH_SIGNUP`                 | `false`   | Allows account creation upon OAuth login (separate from `ENABLE_SIGNUP`).                                                               |
+| `OAUTH_MERGE_ACCOUNTS_BY_EMAIL`       | `false`   | Merge OAuth logins based on matching email (⚠️ caution: can be insecure if provider doesn't verify emails).                             |
+| `OAUTH_UPDATE_PICTURE_ON_LOGIN`       | `true`    | Update user profile pictures from OAuth provider with each login.                                                                       |
+| `OAUTH_PICTURE_CLAIM`                 | `picture` | Field in the claim containing the profile picture. Set to empty string to disable picture updates (users receive default icon).         |
+| `WEBUI_AUTH_SIGNOUT_REDIRECT_URI`     | *empty*   | Redirect users to this URL after signout. E.g., `https://your-company.com/logout-success`                                               |
 
 ### Google
 
