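# OAuth2-Proxy Configuration
# Authenticates users via Casdoor OIDC before proxying to upstream services
# Red Panda Approved
#
# This file is a Jinja2 template. The rendered output holds client_secret and
# cookie_secret in plain text: supply both from an encrypted variable store
# and keep the rendered file readable only by the oauth2-proxy service account.
# Templated values are placed inside TOML basic strings without escaping, so a
# value containing a double quote or a backslash produces a broken or
# mis-parsed file; generate secrets from a URL-safe alphabet.

# Provider Configuration (Casdoor OIDC)
provider = "oidc"
provider_display_name = "Casdoor"
oidc_issuer_url = "{{ oauth2_proxy_oidc_issuer_url }}"
client_id = "{{ oauth2_proxy_client_id }}"
client_secret = "{{ oauth2_proxy_client_secret }}"

# Redirect URL after authentication
redirect_url = "{{ oauth2_proxy_redirect_url }}"

# Upstream service
upstreams = ["{{ oauth2_proxy_upstream_url }}"]

# Session/Cookie Configuration
# With session_store_type = "cookie" the encrypted session state is carried in
# the cookie itself, so cookie_secret protects every session. oauth2-proxy
# expects a 16-, 24- or 32-byte value; generate it randomly per deployment and
# rotate it if it may have been disclosed.
cookie_secret = "{{ oauth2_proxy_cookie_secret }}"
cookie_name = "{{ oauth2_proxy_cookie_name | default('_oauth2_proxy') }}"
cookie_secure = true
cookie_httponly = true
cookie_expire = "{{ oauth2_proxy_cookie_expire | default('168h') }}"
cookie_refresh = "{{ oauth2_proxy_cookie_refresh | default('1h') }}"
# The leading dot scopes the cookie to the whole domain: browsers send the
# session cookie to every host beneath it, so all of those hosts must be
# trusted to receive it.
cookie_domains = ".{{ oauth2_proxy_cookie_domain }}"
session_store_type = "cookie"

# Authentication settings
# A value of ["*"] accepts every e-mail address the provider authenticates;
# access is then limited only by allowed_groups, when that key is rendered.
email_domains = {{ oauth2_proxy_email_domains | to_json }}
oidc_email_claim = "email"
oidc_groups_claim = "groups"

# Allow specific groups (if configured in Casdoor)
# When the variable is unset or empty, no group restriction is rendered.
{% if oauth2_proxy_allowed_groups is defined and oauth2_proxy_allowed_groups | length > 0 %}
allowed_groups = {{ oauth2_proxy_allowed_groups | to_json }}
{% endif %}

# Request settings
# Tokens are neither forwarded upstream nor returned in an Authorization
# header. set_xauthrequest adds X-Auth-Request-* identity headers to responses;
# a consumer must trust them only on traffic that came through this proxy.
pass_access_token = false
pass_authorization_header = false
set_authorization_header = false
set_xauthrequest = true

# Logging
request_logging = true
auth_logging = true
standard_logging = true

# Network settings
# reverse_proxy = true makes oauth2-proxy accept forwarding headers from
# whoever connects. The listener binds all interfaces, so restrict port 4180
# to the fronting proxy (firewall or a narrower bind address) and have that
# proxy overwrite X-Forwarded-For; otherwise the client IP written to the
# request and auth logs can be supplied by the caller.
http_address = "0.0.0.0:4180"
reverse_proxy = true
real_client_ip_header = "X-Forwarded-For"

# Skip authentication for health check endpoints
# Requests matching these patterns bypass authentication. Keep the patterns
# anchored at both ends and confirm nothing sensitive is served on these paths.
skip_auth_routes = [
    "^/healthz$",
    "^/ping$",
]

# OIDC specific settings
skip_provider_button = true
oidc_extra_audiences = []

# SSL verification
# true skips validation of the certificate presented by the OIDC provider, so
# the issuer's identity is no longer verified. Keep it false outside disposable
# test setups and add the private CA to the trust store instead.
# The bool filter normalises the variable so that only an explicit truthy
# value disables verification and a string such as "yes" cannot render an
# invalid TOML boolean.
ssl_insecure_skip_verify = {{ oauth2_proxy_skip_ssl_verify | default(false) | bool | lower }}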