{ lib }:

{
  # Nginx `access_by_lua_block` snippet meant to be interpolated into a
  # location / server block.
  # NOTE(review): this currently returns an (effectively empty) indented string,
  # so any location that embeds it gets NO OIDC authentication, no IP
  # whitelisting and no role check. Both parameters are accepted but ignored;
  # the previous implementation that used them is kept commented out below.
  #   access_role:     role name checked via check_role in the commented-out
  #                    implementation ("" = no role check)
  #   whitelisted_ips: list of client IP strings that bypassed authentication
  #                    in the commented-out implementation
  openresty_oidc_block =
    { access_role ? "", whitelisted_ips ? [ ] }: ''
      
    '';
    #   access_by_lua_block {
    #     local opts = {
    #       discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
    #       client_id = "nginx",
    #       -- SECURITY(review): a live OIDC client secret is committed here in plain text. Treat
    #       -- it as compromised and rotate it in the IdP; then read the value at runtime from a
    #       -- file outside the repository / Nix store rather than embedding it in the config.
    #       client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
    #       logout_path = "/logout",
    #       redirect_after_logout_uri = "/",
    #       redirect_uri = "/redirect_uri",
    #       keepalive = "yes",
    #       -- SECURITY(review): accept_none_alg = true makes lua-resty-openidc accept JWTs whose
    #       -- header says "alg": "none", i.e. tokens with no signature at all, so anyone can
    #       -- forge an ID token for any user/role. This must be false (the library default);
    #       -- there is no legitimate reason to enable it against a real IdP.
    #       accept_none_alg = true,
    #       revoke_tokens_on_logout = true,
    #       -- NOTE(review): in lua-resty-openidc this is the fallback lifetime (seconds) applied
    #       -- only when the token endpoint response carries no expires_in; it does not extend a
    #       -- lifetime the IdP actually set -- verify against the library version in use.
    #       access_token_expires_in = 86400
    #     }

    #     ${lib.optionalString (whitelisted_ips != []) ''
    #       -- NOTE(review): each entry is interpolated verbatim into a Lua string literal; a value
    #       -- containing `"` or `\` breaks the generated block. Entries come from Nix config, not
    #       -- from users, but validating them as IP literals would make this robust.
    #       local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
                      
    #       -- NOTE(review): ngx.var.remote_addr is the TCP peer. Behind a reverse proxy / CDN this
    #       -- is the proxy's address (and if the realip module rewrites it, set_real_ip_from must
    #       -- be limited to trusted proxies), otherwise the whitelist is either useless or
    #       -- spoofable. A whitelisted client also bypasses the role check further down.
    #       -- is_ip_whitelisted is defined elsewhere (not visible here).
    #       if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
    #         return
    #       end
    #     ''}
       
    #     -- call introspect for OAuth 2.0 Bearer Access Token validation
    #     local res, err = require("resty.openidc").authenticate(opts)

    #     if err then
    #       -- NOTE(review): `err` is the library's internal error text; echoing it to the client
    #       -- leaks details of the OIDC setup. Log it (ngx.log(ngx.ERR, err)) and return a generic
    #       -- body instead. A failed authentication is also a 401 (or a redirect to the IdP),
    #       -- not 403 -- 403 belongs to the role check below.
    #       ngx.status = 403
    #       ngx.say(err)
    #       ngx.exit(ngx.HTTP_FORBIDDEN)
    #     end

    #     ${lib.optionalString (access_role != "") ''
    #       if not check_role(res, "${access_role}") then
    #         -- NOTE(review): the user is authenticated but lacks the role, which is 403 Forbidden;
    #         -- 401 tells clients their credentials are missing/invalid. check_role is defined
    #         -- elsewhere (not visible here), and `access_role` is interpolated unescaped into a
    #         -- Lua string literal.
    #         ngx.status = 401
    #         ngx.header.content_type = 'text/html';
    #         ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
    #         ngx.exit(ngx.HTTP_UNAUTHORIZED)
    #       end
    #     ''}
    #   }
    # '';
}