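# The flow and scope-mapping data sources referenced below are not declared in
# this file; they are presumably declared in another file of this module. The
# commented-out declarations are kept for reference only.
#
# data "authentik_flow" "default-provider-authorization-implicit-consent" {
#   slug = "default-provider-authorization-implicit-consent"
# }
#
# data "authentik_property_mapping_provider_scope" "scope-email" {
#   name = "authentik default OAuth Mapping: OpenID 'email'"
# }
#
# data "authentik_property_mapping_provider_scope" "scope-profile" {
#   name = "authentik default OAuth Mapping: OpenID 'profile'"
# }
#
# data "authentik_property_mapping_provider_scope" "scope-openid" {
#   name = "authentik default OAuth Mapping: OpenID 'openid'"
# }

# 16 random bytes used as the OAuth2 client_id. A client_id is a public
# identifier, not a secret, so it is fine for it to live in state and in
# Immich's configuration.
resource "random_id" "immich_client_id" {
  byte_length = 16
}

# OAuth2/OIDC provider that Immich authenticates against.
resource "authentik_provider_oauth2" "immich" {
  name = "Immich"

  # Required. `.id` is the base64url encoding of the random bytes; `.hex` would
  # be the equivalent of `openssl rand -hex 16`. Do not switch attributes on an
  # existing deployment: it changes the client_id Immich is configured with.
  client_id = random_id.immich_client_id.id

  # Optional: authentik generates a client_secret when none is given. Keep it
  # out of source control; it is exported to a file below for Immich's config.
  # client_secret = "my_client_secret"

  # The implicit-consent flow skips the user-facing consent prompt. That is
  # acceptable when the IdP and Immich are run by the same party; for a
  # third-party relying party use the explicit-consent flow instead.
  authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
  invalidation_flow  = data.authentik_flow.default-invalidation-flow.id

  # Exact-match redirect URIs only ("strict"). A regex or prefix match here
  # would let a caller choose where the authorization code is delivered; add
  # new entries rather than loosening the mode.
  allowed_redirect_uris = [
    {
      # Custom-scheme callback used by the Immich mobile app.
      matched_mode = "strict"
      url          = "app.immich:///oauth-callback"
    },
    {
      matched_mode = "strict"
      url          = "https://photos.lab.cowley.tech/auth/login"
    },
    {
      matched_mode = "strict"
      url          = "https://photos.lab.cowley.tech/user-settings"
    },
  ]

  # Only the OpenID scopes Immich needs: openid, email, profile.
  property_mappings = [
    data.authentik_property_mapping_provider_scope.scope-email.id,
    data.authentik_property_mapping_provider_scope.scope-profile.id,
    data.authentik_property_mapping_provider_scope.scope-openid.id,
  ]

  lifecycle {
    # signing_key and authentication_flow are left to authentik (presumably
    # auto-assigned or edited in the UI); drift in them is not reverted here.
    ignore_changes = [
      signing_key,
      authentication_flow,
    ]
  }
}

# Application entry that exposes the provider above in authentik.
resource "authentik_application" "immich" {
  name              = "Immich"
  slug              = "immich"
  protocol_provider = authentik_provider_oauth2.immich.id
}

# Exports the generated client_secret to a local file for Immich's config.
# NOTE(security): this is a plaintext secret on disk, and it is also recorded
# in Terraform state regardless. local_file's default file_permission is
# "0777" (before umask), so the mode is pinned to owner-only here. If a new
# resource address is acceptable, prefer local_sensitive_file
# (hashicorp/local >= 2.2), which also redacts the content from plan output.
resource "local_file" "foo" {
  content              = authentik_provider_oauth2.immich.client_secret
  filename             = "${path.module}/foo.bar"
  file_permission      = "0600"
  directory_permission = "0700"
}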