{# -*- mode: apache -*- #}
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"

{% if options.oidc_provider_metadata_url -%}
OIDCProviderMetadataURL {{ options.oidc_provider_metadata_url }}
{% endif -%}
{% if options.oidc_provider_issuer -%}
OIDCProviderIssuer {{ options.oidc_provider_issuer }}
{% endif -%}
{% if options.oidc_provider_auth_endpoint -%}
OIDCProviderAuthorizationEndpoint {{ options.oidc_provider_auth_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint -%}
OIDCProviderTokenEndpoint {{ options.oidc_provider_token_endpoint }}
{% endif -%}
{% if options.oidc_provider_token_endpoint_auth -%}
OIDCProviderTokenEndpointAuth {{ options.oidc_provider_token_endpoint_auth }}
{% endif -%}
{% if options.oidc_provider_user_info_endpoint -%}
OIDCProviderUserInfoEndpoint {{ options.oidc_provider_user_info_endpoint }}
{% endif -%}
{% if options.oidc_provider_jwks_uri -%}
OIDCProviderJwksUri {{ options.oidc_provider_jwks_uri }}
{% endif -%}

OIDCClientID {{ options.oidc_client_id }}
{% if options.oidc_client_secret -%}
OIDCClientSecret {{ options.oidc_client_secret }}
{% endif -%}
OIDCCryptoPassphrase {{ options.oidc_crypto_passphrase }}
OIDCRedirectURI {{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth

{% if options.oidc_remote_user_claim -%}
OIDCRemoteUserClaim {{ options.oidc_remote_user_claim }}
{% endif -%}

{%- if options.enable_oauth %}
{%- if options.oidc_oauth_verify_jwks_uri %}
OIDCOAuthVerifyJwksUri {{ options.oidc_oauth_verify_jwks_uri }}
{%- else %}
OIDCOAuthIntrospectionEndpoint {{ options.oidc_oauth_introspection_endpoint|default(options.provider_metadata.introspection_endpoint) }}
OIDCOAuthIntrospectionEndpointParams token_type_hint=access_token
OIDCOAuthClientID {{ options.oidc_client_id }}
{%- if options.oidc_client_secret %}
OIDCOAuthClientSecret {{ options.oidc_client_secret }}
{%- endif %}
{%- endif %}
{%- endif %}

<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/auth>
  AuthType {{ options.auth_type }}
  Require valid-user
{%- if options.debug %}
  LogLevel debug
{%- endif %}
</LocationMatch>

# Support for websso from Horizon
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso"
OIDCRedirectURI "{{ options.scheme }}://{{ options.hostname }}:{{ options.port }}/v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}"

<Location /v3/auth/OS-FEDERATION/websso/{{ options.protocol_id }}>
  Require valid-user
  AuthType openid-connect
{%- if options.debug %}
  LogLevel debug
{%- endif %}
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/{{ options.idp_id }}/protocols/{{ options.protocol_id }}/websso>
  Require valid-user
  AuthType openid-connect
{%- if options.debug %}
  LogLevel debug
{%- endif %}
</Location>