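--- OpenID Connect gate for an nginx/OpenResty location (lua-resty-openidc).
-- Authenticates the current request against the Keycloak realm named in
-- `discovery`, answers 403 when authentication fails, and otherwise forwards
-- the user's preferred_username and email to the upstream as X-User / X-Email.
local openidc = require("resty.openidc")

-- Build the redirect URI from the current request.
-- NOTE(review): `host` comes from the client-supplied Host header, so the
-- redirect_uri sent to the IdP is client-influenced; the only thing bounding
-- it is the client's registered redirect-URI list on the IdP, which should
-- therefore hold exact URIs rather than wildcards.
-- NOTE(review): because this mirrors the full request URI (query string
-- included), the value differs between the initial request and the callback
-- carrying the authorization response; presumably the code exchange then
-- sends a redirect_uri that no longer matches. A single fixed, registered
-- callback URI is the usual setup. TODO confirm against the deployed
-- lua-resty-openidc version before changing.
local scheme = ngx.var.scheme
local host = ngx.var.http_host
local request_uri = ngx.var.request_uri
local redirect_uri = scheme .. "://" .. host .. request_uri

-- nginx drops the process environment unless the variable is declared with an
-- `env KEYCLOAK_CLIENT_SECRET;` directive, in which case os.getenv returns nil.
local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
if not client_secret or client_secret == "" then
  ngx.log(ngx.WARN, "KEYCLOAK_CLIENT_SECRET is not set; ",
          "token requests will be sent without a client secret")
end

local opts = {
  redirect_uri = redirect_uri,
  discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
  client_id = "demo-sso",
  client_secret = client_secret,
  scope = "openid email profile",
  -- Verify the IdP's TLS certificate. The discovery, token and key requests
  -- carry the client secret and return the keys used to validate tokens; with
  -- verification off, anyone on the network path can impersonate the IdP.
  -- Needs lua_ssl_trusted_certificate (and a sufficient lua_ssl_verify_depth)
  -- configured in nginx.conf.
  ssl_verify = "yes"
}

local res, err = openidc.authenticate(opts)

if err or not res then
  -- Keep the library's error text in the server log only: it can describe
  -- IdP endpoints and token-validation details that the client has no need
  -- to see.
  ngx.log(ngx.ERR, "OIDC authentication failed: ", err or "no result returned")
  ngx.status = 403
  ngx.say("Authentication failed")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Optional: forward useful info to the upstream.
-- Both headers are always set, even to "", so a value sent by the client under
-- the same name is overwritten instead of reaching the upstream. The upstream
-- can only trust them if it is reachable solely through this proxy.
local user = res.user or {}
ngx.req.set_header("X-User", user.preferred_username or "")
ngx.req.set_header("X-Email", user.email or "")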