From a0101bbc7bf3b822d5f5ed783e225fcd75458370 Mon Sep 17 00:00:00 2001 From: aaldebs99 Date: Sun, 12 Oct 2025 02:40:06 +0000 Subject: [PATCH] chore(docs): bring docs up to speed with changes --- docs/oidc-setup.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/oidc-setup.md b/docs/oidc-setup.md index 12e862b..4d8b5d3 100644 --- a/docs/oidc-setup.md +++ b/docs/oidc-setup.md @@ -56,7 +56,7 @@ Configure OIDC by setting these environment variables: | `OIDC_CLIENT_SECRET` | ✅ | OAuth2 client secret from your provider | `very-secret-key` | | `OIDC_ISSUER_URL` | ✅ | OIDC provider's issuer URL | `https://accounts.google.com` | | `OIDC_REDIRECT_URI` | ✅ | Callback URL for your Readur instance | `https://readur.company.com/api/auth/oidc/callback` | -| `OIDC_AUTO_REGISTER` | ❌ | Allow new users to self-register (default: `true`) | `true` or `false` | +| `OIDC_AUTO_REGISTER` | ❌ | Allow new users to self-register (default: `false`) | `true` or `false` | | `ALLOW_LOCAL_AUTH` | ❌ | Allow username/password authentication (default: `true`) | `true` or `false` | ### Example Configurations 
@@ -476,19 +476,19 @@ Readur intelligently handles existing local users when they first log in via OID The `OIDC_AUTO_REGISTER` setting controls whether new users can self-register: -**When `OIDC_AUTO_REGISTER=true` (default)**: +**When `OIDC_AUTO_REGISTER=true`**: - New OIDC users are automatically created when they first log in - Perfect for open environments where any company employee should get access - Username is derived from OIDC claims (preferred_username or email) - Users get the default "user" role -**When `OIDC_AUTO_REGISTER=false`**: +**When `OIDC_AUTO_REGISTER=false` (default)**: - Only existing users (pre-created by admin or linked by email) can log in - OIDC login attempts by unregistered users are rejected with HTTP 403 - Ideal for production environments requiring controlled access - Admin must pre-create users before they can use OIDC -**Migration Strategy**: Set to `false` initially, have existing users log in to link accounts, then enable for new users. +**Migration Strategy**: The default (`false`) is ideal for production. Have existing users log in to link accounts by email, then optionally enable `true` for new user auto-registration. ### Disabling Local Authentication
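Review bot: In the first hunk (the environment-variable table around line 56), the `OIDC_AUTO_REGISTER` row now gives the default as `false`, but the patch touches only docs/oidc-setup.md and nothing in it says when the default changed. A deployment that never set the variable moves from auto-creating first-time OIDC users to rejecting them with HTTP 403, going by the section edited in the second hunk. Suggest adding a short upgrade note beside the table that names the release in which the default flipped and tells operators who relied on the old behaviour to set `OIDC_AUTO_REGISTER=true` explicitly. It would also help to reference the code change in the commit message so the documented default can be checked against the implementation.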
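Review bot: In the second hunk, the rewritten Migration Strategy line ends with "optionally enable `true` for new user auto-registration", which never names the variable and gives no criterion for when enabling it is safe. Suggest "then set `OIDC_AUTO_REGISTER=true` only if every account the issuer can authenticate should get access", because the unchanged bullet's "any company employee" holds only when the provider is restricted to the company, and the table's example issuer is `https://accounts.google.com`. The same line now relies on linking "by email", so it should state which claim is matched and whether the provider must mark the address as verified. "Ideal for production" also now appears both here and in the `false` bullet; one of the two can go.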