Updated Extended CE: OIDC Authentication (markdown)

yu-i-i
2025-07-22 06:25:38 +02:00
parent 2a6a9af4ae
commit a50774debc

@@ -77,11 +77,16 @@ The values of the following two required variables will be provided by the admin
- `OVERLEAF_OIDC_USER_ID_FIELD`
* The value of this attribute will be used by Overleaf as the external user ID, defaults to `id`.
Other possible reasonable values are `email` and `username` (corresponding to `preferred_username` OIDC claim).
- `OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS`
* Restricts Just-in-Time (JIT) account creation for users authenticating via OIDC. If set to a comma-separated list of domain names, a new account
will be created only if the domain of the user's email address matches one in the listed domains. If the domain does not match, an admin must
manually create the user account using the OIDC users email address, with either a strong random password or, preferably, without the `hashedPassword` field at all.
Domain names may include a leading `*.` wildcard to match subdomains.
- `OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION`
* If set to `true`, disables Just-in-Time (JIT) account creation for OIDC users. Only users with pre-existing accounts can log in.
An admin must manually create the user account using the OIDC user's email address, with either a strong random password or, preferably,
without the `hashedPassword` field at all. The OIDC user will be able to log in only after that. Default: `false`.
- Example: To allow JIT account creation for users with email address like `name@example.com` and `name@math.example.com`:
`OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS=example.com, *.example.com`
- Example: To completely disable JIT account creation:
`OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS=`
- `OVERLEAF_OIDC_UPDATE_USER_DETAILS_ON_LOGIN`
* If set to `true`, updates the user `first_name` and `last_name` field on login,
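Review bot: The `OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS` entry does not say what happens when the variable is unset, while its second example gives the empty value `OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS=` the meaning "no JIT account creation at all", so a reader can easily assume unset and empty behave the same. Please state the default explicitly, the way the `OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION` text does with "Default: `false`", and say how the empty-value form relates to that variable, since both appear in this hunk as ways to turn JIT creation off. The first example, `example.com, *.example.com`, has a space after the comma, so the description should say whether whitespace around list entries is trimmed; it should also say whether `*.example.com` matches `example.com` itself (the example lists both, which suggests it does not). Minor: "OIDC users email address" should read "OIDC user's email address", matching the wording used a few lines further down.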