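-- OpenID Connect gate for an OpenResty location, using lua-resty-openidc
-- against a Keycloak realm. Unauthenticated requests are handed to
-- openidc.authenticate(); on success the user's identity is forwarded to the
-- upstream in request headers.
local openidc = require("resty.openidc")

-- nginx clears the worker environment by default, so os.getenv() returns nil
-- unless the variable is listed with an `env KEYCLOAK_CLIENT_SECRET;`
-- directive in the main context of nginx.conf. Fail closed rather than
-- starting the flow with a missing client secret.
local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
if not client_secret or client_secret == "" then
  ngx.log(ngx.ERR, "KEYCLOAK_CLIENT_SECRET is not set; refusing to start the OIDC flow")
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local opts = {
  redirect_uri_path = "/redirect_uri",
  discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
  client_id = "demo-sso",
  client_secret = client_secret,
  redirect_uri_scheme = "https",
  scope = "openid email profile",
}

local res, err = openidc.authenticate(opts)
if err then
  -- Keep the detailed reason in the error log only: err can carry provider or
  -- session-state detail that should not be echoed into the response body.
  ngx.log(ngx.ERR, "OIDC authentication failed: ", err)
  ngx.status = ngx.HTTP_FORBIDDEN
  ngx.say("Authentication failed")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Optional: forward useful info to upstream.
-- res.user may be absent (for example when no userinfo was stored in the
-- session), so fall back to an empty table instead of indexing nil.
local user = (res and res.user) or {}

-- set_header replaces any X-User / X-Email value the client sent, so both are
-- always written, even when empty. The upstream should only trust these
-- headers if it is reachable exclusively through this proxy.
ngx.req.set_header("X-User", user.preferred_username or "")
ngx.req.set_header("X-Email", user.email or "")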