feat/login crud in users sync with sso

.env.example

@@ -32,3 +32,23 @@ CORS_MAX_AGE=600
 # Redis
 REDIS_URL=redis://redis:6379/0
 REDIS_PORT_HOST=6381
+
+# SSO Integration
+SSO_ISSUER=http://localhost:8080/api
+SSO_JWKS_URL=http://localhost:8080/api/.well-known/jwks.json
+SSO_ALLOWED_AUDIENCES=client:lti-api
+SSO_AUTHORIZE_URL=http://localhost:8080/sso/authorize
+SSO_TOKEN_URL=http://localhost:8080/sso/token
+SSO_GETME_URL=http://localhost:8080/api/auth/get-me
+SSO_ACCESS_COOKIE_NAME=sso_access
+SSO_REFRESH_COOKIE_NAME=sso_refresh
+SSO_COOKIE_DOMAIN=
+SSO_COOKIE_SECURE=false
+SSO_COOKIE_SAMESITE=Lax
+SSO_PKCE_TTL_SECONDS=300
+# Security window and payload limits for SSO user sync webhook
+SSO_USER_SYNC_SIGNATURE_DRIFT_SECONDS=120
+SSO_USER_SYNC_NONCE_TTL_SECONDS=600
+SSO_USER_SYNC_MAX_BODY_BYTES=32768
+# Example JSON (single-line) of client configs (each client requires a unique sync_secret)
+SSO_CLIENTS={"lti":{"public_id":"client:lti","redirect_uri":"http://localhost:8081/api/sso/callback","scope":"openid profile","default_return_uri":"http://localhost:3000","allowed_return_origins":["http://localhost:3000"],"sync_secret":"changeme"}}