---
services:
  app:
    environment:
      AUTH_PROVIDERS: "sso"
      AUTH_DISABLE_DEFAULT: "${AUTH_DISABLE_DEFAULT:-false}"
      AUTH_SSO_DRIVER: "openid"
      AUTH_SSO_CLIENT_ID: ${AUTH_SSO_CLIENT_ID}
      AUTH_SSO_CLIENT_SECRET_FILE: /run/secrets/oidc_secret
      AUTH_SSO_ISSUER_URL: ${AUTH_SSO_ISSUER_URL}
      AUTH_SSO_SCOPE: ${AUTH_SSO_SCOPE:-"openid profile email"}
      AUTH_SSO_IDENTIFIER_KEY: ${AUTH_SSO_IDENTIFIER_KEY}
      AUTH_SSO_ALLOW_PUBLIC_REGISTRATION: ${AUTH_SSO_ALLOW_PUBLIC_REGISTRATION:-false}
      AUTH_SSO_REQUIRE_VERIFIED_EMAIL: ${AUTH_SSO_REQUIRE_VERIFIED_EMAIL:-false}
      AUTH_SSO_DEFAULT_ROLE_ID: ${AUTH_SSO_DEFAULT_ROLE_ID}
      AUTH_SSO_SYNC_USER_INFO: ${AUTH_SSO_SYNC_USER_INFO:-true}
      AUTH_SSO_ROLE_MAPPING: ${AUTH_SSO_ROLE_MAPPING}
      AUTH_SSO_GROUP_CLAIM_NAME: ${AUTH_SSO_GROUP_CLAIM_NAME:-groups}
      AUTH_SSO_ICON: ${AUTH_SSO_ICON:-account_circle}
      AUTH_SSO_LABEL: ${AUTH_SSO_LABEL:-"Single Sign On"}
      AUTH_SSO_PARAMS: ${AUTH_SSO_PARAMS:-{}}
      AUTH_SSO_REDIRECT_ALLOW_LIST: ${AUTH_SSO_REDIRECT_ALLOW_LIST}

    secrets:
      - oidc_secret
      
secrets:
  oidc_secret:
    name: ${STACK_NAME}_oidc_secret_${SECRET_OIDC_SECRET_VERSION}
    external: true