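# OpenResty helper: renders an `access_by_lua_block` that gates an nginx
# location behind lua-resty-openidc against the IdP at auth.giugl.io.
#
# Arguments:
#   access_role     - role the caller must hold; "" disables the role check.
#   whitelisted_ips - client IPs that bypass authentication; [ ] disables it.
#
# Returns a string to splice into an nginx `location`. The generated Lua
# calls `is_ip_whitelisted` and `check_role`, which are not defined in this
# file and must be provided elsewhere (e.g. an init_by_lua block).
{ lib }:

{
  openresty_oidc_block =
    { access_role ? "", whitelisted_ips ? [ ] }: ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
          client_id = "nginx",
          -- SECURITY: this secret is part of the Nix expression and therefore
          -- ends up in the world-readable Nix store. Read it from a
          -- runtime-provided file or variable instead, and rotate it since it
          -- has been committed.
          client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          -- SECURITY: accepting alg=none means an id_token with no signature is
          -- treated as valid. Only keep this if the provider genuinely issues
          -- unsigned id_tokens; otherwise drop it so the library verifies
          -- signatures (its default).
          accept_none_alg = true,
          revoke_tokens_on_logout = true,
          -- access token valid for a day
          access_token_expires_in = 86400
        }

        ${lib.optionalString (whitelisted_ips != [ ]) ''
          -- ngx.var.remote_addr is the TCP peer address. Behind a reverse proxy
          -- or load balancer that is the proxy, not the end client, so confirm
          -- the real client address reaches this check before relying on the
          -- bypass.
          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}

          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
            return
          end
        ''}

        -- Run the OpenID Connect relying-party flow; on success `res` is the
        -- library's result table that check_role inspects below.
        local res, err = require("resty.openidc").authenticate(opts)

        if err then
          -- Keep library/IdP error details in the server log only; the client
          -- gets a generic message so internal endpoints and failure causes
          -- are not disclosed.
          ngx.log(ngx.ERR, "resty.openidc authenticate failed: ", err)
          ngx.status = 403
          ngx.say("Authentication failed.")
          ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        ${lib.optionalString (access_role != "") ''
          -- NOTE: the caller is authenticated here but lacks the role, which is
          -- an authorization failure; 403 would be the conventional status.
          -- Kept as 401 to preserve the existing observable behaviour.
          if not check_role(res, "${access_role}") then
            ngx.status = 401
            ngx.header.content_type = 'text/html';
            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
            ngx.exit(ngx.HTTP_UNAUTHORIZED)
          end
        ''}
      }
    '';
}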