{ lib }:

{
  openresty_oidc_block =
    { access_role ? "" }: ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
          client_id = "nginx",
          client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          accept_none_alg = true
      }

      -- call introspect for OAuth 2.0 Bearer Access Token validation
      local res, err = require("resty.openidc").authenticate(opts)

      if err then
        ngx.status = 403
        ngx.say(err)
        ngx.exit(ngx.HTTP_FORBIDDEN)
      end

      ${lib.optionalString (access_role != "") ''
        if not check_role(res, "${access_role}") then
          ngx.status = 401
          ngx.header.content_type = 'text/html';
          ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
          ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end
      ''}
      }
    '';
}