# Registers a single OIDC application in ZITADEL: a browser-based (user-agent)
# client that uses the authorization-code flow without client authentication.

terraform {
  required_providers {
    zitadel = {
      source = "zitadel/zitadel"
      # Exact version pin, so a provider upgrade is a deliberate, reviewed change.
      version = "2.0.2"
    }
  }
}

resource "zitadel_application_oidc" "default" {
  # Ordering hook supplied by the caller.
  depends_on = [var.wait_on]

  # Where the application is registered.
  org_id     = var.org_id
  project_id = var.project_id
  name       = var.name

  # Client profile: a user-agent app with auth method NONE, i.e. a public
  # client that cannot keep a secret.
  # NOTE(review): ZITADEL presumably expects PKCE for this auth method - confirm.
  app_type         = "OIDC_APP_TYPE_USER_AGENT"
  auth_method_type = "OIDC_AUTH_METHOD_TYPE_NONE"

  # Authorization-code flow only: one grant type, one response type.
  grant_types    = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"]
  response_types = ["OIDC_RESPONSE_TYPE_CODE"]

  # Redirect targets are passed through from the caller unchanged. No
  # validation is visible in this file, so keep the lists as narrow as possible
  # where the variables are declared or set.
  redirect_uris             = var.redirect_uris
  post_logout_redirect_uris = var.post_logout_redirect_uris

  # Redirect URIs must begin with https:// unless dev_mode is true.
  # Leave it off outside local development.
  #dev_mode = false

  # Extra origins for the app that are not used as a redirect go here.
  #additional_origins = []

  # BEARER issues an opaque access token. Resource servers must validate it
  # through the introspection endpoint, and the client has to request the
  # `urn:zitadel:iam:org:project:id::aud` scope.
  # NOTE(review): the project id presumably belongs between the two colons of
  # that scope - confirm against the ZITADEL docs.
  access_token_type = "OIDC_TOKEN_TYPE_BEARER"

  # Alternative: a JWT access token. With the role assertion selected, the
  # requested roles of the authenticated user are added to the access token.
  #access_token_type = "OIDC_TOKEN_TYPE_JWT"
  #access_token_role_assertion = true

  # If selected, the requested roles of the authenticated user are added to
  # the ID token.
  #id_token_role_assertion = false

  # Enables clients to retrieve profile, email, phone and address claims from
  # the ID token. Leaving it off keeps personal data out of the token.
  #id_token_userinfo_assertion = false
}

# Constant marker other modules can depend on to run after the app exists.
output "installed" {
  depends_on = [zitadel_application_oidc.default]
  value      = true
}

output "application_id" {
  value = zitadel_application_oidc.default.id
}

# `sensitive` only redacts the value in CLI output; it is still written to the
# Terraform state in plain text, so the state backend needs access control.
output "client_id" {
  sensitive = true
  value     = zitadel_application_oidc.default.client_id
}

# NOTE(review): with auth_method_type NONE the provider presumably issues no
# secret, so this is likely empty - confirm. It stays marked sensitive so that
# a later change of auth method does not print a secret in plan/apply output.
output "client_secret" {
  sensitive = true
  value     = zitadel_application_oidc.default.client_secret
}