#!/usr/bin/with-contenv bash
# shellcheck shell=bash

/oauth2-proxy \
    --api-route '^/api/v2' \
    --client-id "$OAUTH2_CLIENT_ID" \
    --client-secret "NO_SECRET_NEEDED" \
    --code-challenge-method 'S256' \
    --cookie-secret "$(python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())')" \
    --cookie-secure "true" \
    --email-domain '*' \
    --http-address "0.0.0.0:$OAUTH2_PROXY_PORT" \
    --oidc-issuer-url "$OAUTH2_ISSUER_URL" \
    --provider "oidc" \
    --provider-display-name "OpenID Connect" \
    --redirect-url "$OAUTH2_PUBLIC_URL/oauth2/callback" \
    --scope "openid email profile" \
    --upstream "http://127.0.0.1:$WEBUI_PORT" \
    --custom-templates-dir /etc/oauth2-proxy/templates > /dev/null