# OAuth2-Proxy Configuration for JupyterLab
# Authenticates users via Casdoor OIDC before proxying to JupyterLab
# Red Panda Approved

# Provider Configuration (Casdoor OIDC)
provider = "oidc"
provider_display_name = "Casdoor"
oidc_issuer_url = "{{ jupyterlab_oauth2_oidc_issuer_url }}"
client_id = "{{ jupyterlab_oauth_client_id }}"
client_secret = "{{ jupyterlab_oauth_client_secret }}"

# Redirect URL after authentication
redirect_url = "{{ jupyterlab_oauth2_redirect_url }}"

# Upstream service (JupyterLab on localhost)
upstreams = [
    "http://127.0.0.1:{{ jupyterlab_port }}"
]

# Session/Cookie Configuration
cookie_secret = "{{ jupyterlab_oauth2_cookie_secret }}"
cookie_name = "_oauth2_proxy_jupyter"
cookie_secure = true
cookie_httponly = true
cookie_samesite = "lax"
cookie_domains = [
    ".{{ jupyterlab_domain }}"
]

# Authentication settings
email_domains = ["*"]
oidc_email_claim = "email"
oidc_groups_claim = "groups"

# Session settings
session_store_type = "cookie"
cookie_expire = "168h"
cookie_refresh = "1h"

# Request settings - pass user info to JupyterLab
pass_access_token = false
pass_authorization_header = false
set_authorization_header = false
set_xauthrequest = true

# Logging
request_logging = true
auth_logging = true
standard_logging = true

# Network settings
http_address = "0.0.0.0:{{ jupyterlab_proxy_port }}"
reverse_proxy = true
real_client_ip_header = "X-Forwarded-For"

# Skip authentication for health check endpoints
skip_auth_routes = [
    "^/api/status$",
    "^/healthz$"
]

# OIDC specific settings
skip_provider_button = true
oidc_extra_audiences = []
insecure_oidc_allow_unverified_email = true

# SSL verification (internal Casdoor uses valid certs)
ssl_insecure_skip_verify = false