"""
Azure AD + PingID Authentication — Future implementation.

When ready, replace demo_auth.py's get_current_user with this module.
Uses MSAL (Microsoft Authentication Library) for Python.

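Flow:
  1. Frontend redirects to Azure AD login
  2. Azure AD returns auth code to callback URL
  3. Backend exchanges code for tokens via MSAL (first check the returned
     `state` against the value stored for this session, so a forged callback
     cannot get a code redeemed)
  4. Extract user info (name, email, groups) from the ID token the backend
     received in step 3; never take claims from a token supplied by the
     browser. The groups claim can be omitted for users in many groups, so
     handle its absence explicitly.
  5. Auto-provision user if not exists, map AD groups to departments (map by
     group object ID through an explicit mapping, not by display name)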

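Requirements:
  pip install msal
  Environment: AZURE_AD_TENANT_ID, AZURE_AD_CLIENT_ID, AZURE_AD_CLIENT_SECRET
  (AZURE_AD_CLIENT_SECRET is a credential: read it from the environment or a
  secret store at runtime, and never commit or log it)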
"""

# TODO: Implement when Azure AD integration is ready
# from msal import ConfidentialClientApplication
# from app.config import get_settings
