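-- OpenID Connect gate: authenticates the request against the Keycloak realm
-- via lua-resty-openidc, rejects failed or expired sessions, and forwards the
-- authenticated identity to the upstream in the X-User / X-Email headers.
local openidc = require("resty.openidc")

-- The client secret is read from the environment rather than hard-coded.
-- nginx only passes variables named in an `env` directive to its workers,
-- so an unset value here usually means that directive is missing.
local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
if not client_secret or client_secret == "" then
  -- Fail closed: never start an OIDC flow with a nil/empty client secret.
  ngx.log(ngx.ERR, "KEYCLOAK_CLIENT_SECRET is not set; refusing to authenticate")
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local opts = {
  redirect_uri_path = "/redirect_uri",
  discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
  client_id = "demo-sso",
  client_secret = client_secret,
  scope = "openid email profile",
  redirect_uri_scheme = "https",
  -- Verify the identity provider's TLS certificate. With verification off,
  -- anyone on the network path could impersonate the discovery, JWKS and
  -- token endpoints, which would expose the client secret and let forged
  -- tokens be accepted. Requires lua_ssl_trusted_certificate (and a suitable
  -- lua_ssl_verify_depth) to be configured in nginx.
  ssl_verify = "yes",
}

local res, err = openidc.authenticate(opts)

if err then
  -- Keep the library's error detail in the server log only; the response
  -- body carries a generic message so internals are not disclosed to clients.
  ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
  ngx.status = 403
  ngx.say("Authentication failed")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Reject sessions whose ID token has already expired.
local id_token = res.id_token
if id_token and id_token.exp and id_token.exp < ngx.time() then
  ngx.log(ngx.ERR, "Token expired")
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Without user claims there is no identity to forward. Deny instead of
-- indexing nil (an unhandled runtime error) or passing an empty identity on.
-- NOTE(review): presumably res.user can be absent when userinfo retrieval
-- fails -- confirm against the lua-resty-openidc version in use.
local user = res.user
if not user then
  ngx.log(ngx.ERR, "OIDC session carries no user claims")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- set_header replaces any client-supplied X-User / X-Email values, so the
-- upstream only ever sees the identity asserted by the identity provider.
ngx.req.set_header("X-User", user.preferred_username or "")
ngx.req.set_header("X-Email", user.email or "")
ngx.status = 204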