# =============================================================================
# CLOUDFLARE : Integrations : Identity Providers
# =============================================================================
# Declares the identity providers that Cloudflare Zero Trust Access can use for
# login: a Google provider named "Gmail" and a generic OIDC provider that
# points at an Authentik instance.

#
# Google identity provider.
# NOTE(review): client_id and client_secret are empty strings here - confirm
# whether this provider is meant to be active or is only a placeholder.
# NOTE(review): both account_id and zone_id are set, here and on the OIDC
# resource below; the Cloudflare provider documentation describes the two as
# mutually exclusive scopes - confirm which one is intended.
resource "cloudflare_zero_trust_access_identity_provider" "gmail" {
  account_id = local.cloudflare_account_id
  name       = "Gmail"
  type       = "google"
  zone_id    = local.cloudflare_zone_id

  config = {
    client_id     = ""
    client_secret = ""
    # Name of the claim the user's e-mail address is read from.
    email_claim_name = "email"
  }
}

#
# Generic OIDC identity provider backed by Authentik.
resource "cloudflare_zero_trust_access_identity_provider" "authentik_oidc" {
  account_id = local.cloudflare_account_id
  name       = "Authentik OIDC"
  type       = "oidc"
  zone_id    = local.cloudflare_zone_id

  config = {
    # All three endpoints are built from var.cloudflare_email_domain under the
    # "authentik." host, so changing that variable also changes where users
    # are sent to authenticate and where the signing keys are fetched from.
    # The authorize and token URLs use the shared /application/o/ paths; the
    # JWKS URL carries the application slug "cloudflare-access".
    auth_url  = "https://authentik.${var.cloudflare_email_domain}/application/o/authorize/"
    certs_url = "https://authentik.${var.cloudflare_email_domain}/application/o/cloudflare-access/jwks/"

    # Extra claims listed for this integration, beyond the e-mail claim.
    # NOTE(review): "groups" and "role" look like inputs to Access policy
    # decisions - confirm the Authentik scope mappings emit them under the
    # scopes requested below, and that only trusted admins can edit them.
    claims = ["given_name", "preferred_username", "nickname", "groups", "role"]

    # Both values come from locals defined outside this file. Terraform stores
    # resource attributes in state, so the state backend holds the secret.
    # NOTE(review): presumably the local is fed from a secret store rather
    # than a literal in the repository - verify.
    client_id     = local.authentik_oidc_client_id_cloudflare
    client_secret = local.authentik_oidc_secret_cloudflare

    # Name of the claim the user's e-mail address is read from.
    email_claim_name = "email"

    scopes    = ["openid", "email", "profile"]
    token_url = "https://authentik.${var.cloudflare_email_domain}/application/o/token/"

    # NOTE(review): pkce_enabled is not set here; consider enabling it if the
    # Authentik provider is configured to accept PKCE.
  }
}