docs: add OIDC server setup guide and configuration reference

src/content/docs/docs/guides/oidc.mdx

@@ -35,17 +35,35 @@ Supported scopes:
 - `openid`
 - `profile`
 - `email`
+- `phone` - Returns phone_number and phone_number_verified claims
+- `address` - Returns address claim (formatted, street_address, locality, region, postal_code, country)
 - `groups`
 
 Supported claims:
 
 - `sub`
 - `name`
+- `given_name` - Given (first) name of the user
+- `family_name` - Family (last) name of the user
+- `middle_name` - Middle name of the user
+- `nickname` - Nickname of the user
+- `profile` - URL of the user's profile page
+- `picture` - URL of the user's profile picture
+- `website` - URL of the user's website
+- `gender` - Gender of the user
+- `birthdate` - Birthdate of the user (YYYY-MM-DD format)
+- `zoneinfo` - Time zone of the user (e.g. Europe/Athens)
+- `locale` - Locale of the user (e.g. en-US)
 - `email`
 - `preferred_username`
+- `email_verified`
+- `phone_number` - Phone number of the user
+- `phone_number_verified` - Whether the phone number has been verified (boolean)
+- `address` - Address object with fields: formatted, street_address, locality, region, postal_code, country
 - `groups`
 - `updated_at`
-- `email_verified`
+
+These claims align with the OpenID Connect Core 1.0 specification's standard claims.
 
 Supported token endpoint authentication methods:
 

src/content/docs/docs/reference/configuration.mdx

@@ -51,6 +51,7 @@ Tinyauth can be configured using environment variables or CLI flags. The table b
 | `TINYAUTH_AUTH_IP_ALLOW` | `--auth.ip.allow` | List of allowed IPs or CIDR ranges. | `` |
 | `TINYAUTH_AUTH_IP_BLOCK` | `--auth.ip.block` | List of blocked IPs or CIDR ranges. | `` |
 | `TINYAUTH_AUTH_USERS` | `--auth.users` | Comma-separated list of users (username:hashed_password). | `` |
+| `TINYAUTH_AUTH_USERATTRIBUTES` | `--auth.userattributes` | Map of per-user OIDC attributes (username -> attributes). | `` |
 | `TINYAUTH_AUTH_USERSFILE` | `--auth.usersfile` | Path to the users file. | `` |
 | `TINYAUTH_AUTH_SECURECOOKIE` | `--auth.securecookie` | Enable secure cookies. | `false` |
 | `TINYAUTH_AUTH_SESSIONEXPIRY` | `--auth.sessionexpiry` | Session expiry time in seconds. | `86400` |
@@ -59,6 +60,27 @@ Tinyauth can be configured using environment variables or CLI flags. The table b
 | `TINYAUTH_AUTH_LOGINMAXRETRIES` | `--auth.loginmaxretries` | Maximum login retries. | `3` |
 | `TINYAUTH_AUTH_TRUSTEDPROXIES` | `--auth.trustedproxies` | Comma-separated list of trusted proxy addresses. | `` |
 
+The `userAttributes` map allows setting per-user OIDC profile information. The key is the username, and the value is an object containing optional OIDC attributes:
+
+- `name` - Full name of the user
+- `givenName` - Given (first) name
+- `familyName` - Family (last) name
+- `middleName` - Middle name
+- `nickname` - Nickname
+- `profile` - URL of the user's profile page
+- `picture` - URL of the user's profile picture
+- `website` - URL of the user's website
+- `email` - Email address
+- `gender` - Gender
+- `birthdate` - Birthdate (YYYY-MM-DD format)
+- `zoneinfo` - Time zone (e.g. Europe/Athens)
+- `locale` - Locale (e.g. en-US)
+- `phoneNumber` - Phone number
+- `phoneNumberVerified` - Whether phone number is verified (boolean)
+- `address` - Address object with fields: `formatted`, `streetAddress`, `locality`, `region`, `postalCode`, `country`
+
+These attributes are returned via the OIDC userinfo endpoint when the appropriate scopes (`profile`, `email`, `phone`, `address`) are requested.
+
 ## ACLs Configuration
 
 | Environment | Flag | Description | Default |