resource "random_id" "books_client_id" {

  byte_length = 16
}

resource "authentik_provider_oauth2" "books" {
  name = "AudioBookShelf"
  #  Required. You can use the output of:
  #     $ openssl rand -hex 16
  client_id           = random_id.books_client_id.id
  authentication_flow = data.authentik_flow.default-authentication-flow.id
  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
  invalidation_flow   = data.authentik_flow.default-invalidation-flow.id

  client_type = "public"

  allowed_redirect_uris = [
    {
      url          = "https://books.lab.cowley.tech/",
      matched_mode = "strict"
    },
    {
      matched_mode = "regex",
      url          = ".*"
    }
  ]

  sub_mode = "user_email"

  property_mappings = [
    data.authentik_property_mapping_provider_scope.scope-email.id,
    data.authentik_property_mapping_provider_scope.scope-profile.id,
    data.authentik_property_mapping_provider_scope.scope-openid.id,
  ]
  lifecycle {
    ignore_changes = [
      signing_key,
      authentication_flow,
    ]
  }
}

resource "authentik_application" "books" {
  name              = "AudioBookShelf"
  slug              = "audiobookshelf"
  protocol_provider = authentik_provider_oauth2.books.id
  open_in_new_tab   = true
}