# OIDC auth mount backed by Kanidm.
# Web UI only: the mount uses a confidential client, and the allowed redirect
# URIs below do not include the CLI's localhost callback.
resource "vault_jwt_auth_backend" "oidc" {
  type = "oidc"
  path = "oidc"

  oidc_discovery_url = "https://auth.home.2rjus.net/oauth2/openid/openbao"
  oidc_client_id     = "openbao"
  # The client secret comes from the Terraform-managed random_password set.
  # NOTE(review): like any resource attribute it is recorded in Terraform
  # state, so the state backend has to be treated as secret-bearing.
  oidc_client_secret = random_password.auto_secrets["services/openbao/oauth2-client-secret"].result

  # Role used when a login does not name one explicitly.
  default_role = "default"

  tune {
    # "unauth" lists the mount to unauthenticated callers, which is what lets
    # the UI offer it as a login option before the user has a token.
    listing_visibility = "unauth"
    default_lease_ttl  = "1h"
    max_lease_ttl      = "24h"
    token_type         = "default-service"
  }
}

# "admin" role: only identities whose "groups" claim contains "admins" can
# log in through this role and receive the oidc-admin policy.
resource "vault_jwt_auth_backend_role" "admin" {
  backend   = vault_jwt_auth_backend.oidc.path
  role_name = "admin"
  role_type = "oidc"

  user_claim   = "preferred_username"
  groups_claim = "groups"
  # Group gate: this binding is the only thing separating this role from the
  # unrestricted "default" role below, so keep it in sync with the Kanidm
  # group that is meant to hold operators.
  bound_claims = {
    groups = "admins"
  }

  token_policies = ["oidc-admin"]
  # No token_ttl / token_max_ttl set here; the mount-level tune values are
  # presumably what apply to issued tokens — confirm against the provider docs.

  oidc_scopes           = ["openid", "profile", "email", "groups"]
  allowed_redirect_uris = [
    "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
  ]
}

# "default" role: any subject the Kanidm "openbao" client issues a token for
# can log in here and gets only the oidc-default policy.
resource "vault_jwt_auth_backend_role" "default" {
  backend   = vault_jwt_auth_backend.oidc.path
  role_name = "default"
  role_type = "oidc"

  user_claim   = "preferred_username"
  groups_claim = "groups"
  # NOTE(review): no bound_claims on this role, so nothing on the OpenBao side
  # restricts who may use it; limiting access to the OpenBao client is then
  # up to the Kanidm side — verify that is configured as intended.

  token_policies = ["oidc-default"]

  oidc_scopes           = ["openid", "profile", "email", "groups"]
  allowed_redirect_uris = [
    "https://vault.home.2rjus.net:8200/ui/vault/auth/oidc/oidc/callback",
  ]
}