#############################################
### Identity and Access Management (IAM)  ###
#############################################

#############################################
### OIDC                                  ###
#############################################
# @see https://en.wikipedia.org/wiki/OpenID_Connect

## Helper Variables:
_oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
_oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"

defaults_oidc:
  client:
    id:                   "{{primary_domain}}"                                              # Client identifier, typically matching your primary domain
#   secret:                                                                                 # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
    realm:                "{{_oidc_client_realm}}"                                          # The realm to which the client belongs in the OIDC provider
    issuer_url:           "{{_oidc_client_issuer_url}}"                                     # Base URL of the OIDC provider (issuer)
    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"    # URL for fetching the provider's configuration details
    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"        # Endpoint to start the authorization process
    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"       # Endpoint to exchange authorization codes for tokens (note: 'toke_url' may be a typo for 'token_url')
    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"    # Endpoint to retrieve user information
    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials

#############################################
### LDAP                                  ###
#############################################

# Helper Variables:
_ldap_dn_base: "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"

ldap:
  # Enables LDAP for all roles in play if true
  enabled:  true
  # Distinguished Names (DN)
  dn:
    # Defines the base Distinguished Name (DN) for the LDAP directory, constructed from the second-level domain (SLD) and top-level domain (TLD).
    root:   "{{_ldap_dn_base}}"
    # Specifies the Distinguished Name (DN) of the LDAP administrator, combining the admin's username with the LDAP root domain.
    bind:   "cn={{applications.ldap.administrator_username}},{{_ldap_dn_base}}"
    # Dn from which the users should be read
    users:          "ou=users,{{_ldap_dn_base}}"
  # Password to access dn.bind
  bind_credential:  "{{applications.ldap.administrator_database_password}}"
  server:
    domain: "{{applications.ldap.openldap.hostname if applications.ldap.openldap.network.local | bool else domains.ldap}}" # Mapping for public or locale access
    uri:    "{% if applications.ldap.openldap.network.local | bool %}ldap://{{ applications.ldap.openldap.hostname }}:{{ ports.localhost.ldap.openldap }}{% else %}ldaps://{{ domains.ldap }}:{{ ports.public.ldaps.openldap }}{% endif %}"
  network:
    local:  "{{applications.ldap.openldap.network.local}}" # Uses the application configuration to define if local network should be available or not