Configuration
=============

Handler options
---------------

``KeycloakOIDCDeviceFlowHandler`` accepts:

- ``realm_url``: Keycloak realm URL, for example ``https://auth.example.edu.au/realms/MyRealm``.
- ``client_id``: OAuth client ID.
- ``client_secret``: Optional. Set for confidential clients to use HTTP Basic.
- ``scopes``: Space-separated scopes. Default is ``openid profile email offline_access``.
- ``verify_tls``: Whether to verify TLS. Leave enabled for production.
- ``timeout``: Request timeout in seconds.

Token cache options
-------------------

Token caches implement ``TokenCache``:

- :py:class:`MemoryTokenCache <acmadauth.tokencaches.MemoryTokenCache>` stores tokens in memory for the current process.
- :py:class:`KeyringTokenCache <acmadauth.tokencaches.KeyringTokenCache>` stores tokens in the system keyring.
- :py:class:`JsonFileTokenCache <acmadauth.tokencaches.JsonFileTokenCache>` stores tokens in a local JSON file. It is intended
  for testing only.

The cache is responsible for persisting tokens between runs. The httpx auth
class will refresh tokens automatically when possible.