chore: add to oauth docs

versioned_docs/version-2.0/self_hosting/configuration/sso.mdx

@@ -4,19 +4,24 @@ import {
   HelmBlock,
 } from "../../../../src/components/InstructionsWithCode";
 
-# SSO
+# SSO with OAuth2.0 and OIDC
 
-## OAuth2.0 and OIDC (PKCE)
+LangSmith Self-Hosted provides SSO via OAuth2.0 and OIDC. This will delegate authentication to your Identity Provider (IdP) to manage access to LangSmith.
 
-LangSmith Self-Hosted provides SSO via OAuth2.0 and OIDC. Once configured, this will delegate authentication to your Identity Provider(IdP) to manage access to LangSmith.
+Our implementation supports almost anything that is OIDC compliant, with a few exceptions.  
+Once configured, you will see a login screen like this:
+
+![LangSmith UI with OAuth SSO](../static/langsmith_ui_sso.png)
+
+## Without Client Secret (PKCE) {#without-secret}
 
-Our implementation supports almost anything that is OIDC compliant, with a few exceptions.
+This flow does _not_ require a `Client Secret` - see the flow [below](#with-secret) for the alternative that does.
 
 ### Requirements
 
 There are a couple of requirements for using OAuth SSO with LangSmith:
 
-- Your IdP must support the `Authorization Code with PKCE` [flow](https://www.oauth.com/oauth2-servers/pkce) (Google does not support this flow for example, but see [below](#using-oauth10-and-oidc) for an alternative configuration that Google supports). This is often displayed in your OAuth Provider as configuring a "Single Page Application (SPA)"
+- Your IdP must support the `Authorization Code with PKCE` [flow](https://www.oauth.com/oauth2-servers/pkce) (Google does not support this flow for example, but see [below](#with-secret) for an alternative configuration that Google supports). This is often displayed in your OAuth Provider as configuring a "Single Page Application (SPA)"
 - Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
 - You must provide the `OIDC`, `email`, and `profile` scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
 - You will need to set the callback URL in your IdP to `http://<host>/oauth-callback`, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
@@ -39,13 +44,10 @@ OAUTH_ISSUER_URL=https://your-issuer-url
   ]}
 />
 
-Once configured, you will see a login screen like this:
-
-![LangSmith UI with OAuth SSO](../static/langsmith_ui_sso.png)
-
-## OAuth2.0 and OIDC (without PKCE)
+## With Client Secret {#with-secret}
 
-For providers that do _not_ support `Authorization Code with PKCE`, LangSmith Self-Hosted supports the `Autorization Code` flow with a `Client Secret`.
+For providers that do _not_ support `Authorization Code with PKCE`, LangSmith Self-Hosted supports the `Autorization Code` flow with `Client Secret`.
+In this version of the flow, your client secret is stored security in the LangSmith platform (not on the frontend) and used for authentication and establishing auth sessions.
 
 ### Requirements