LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

LogLevel debug

Listen 443
# Redirect HTTP to HTTPS for auth.local
<VirtualHost *:80>
    ServerName auth.local
    Redirect permanent / https://auth.local/
</VirtualHost>

# Redirect HTTP to HTTPS for api.local
<VirtualHost *:80>
    ServerName api.local
    Redirect permanent / https://api.local/
</VirtualHost>

# Keycloak on auth.local
<VirtualHost *:443>
    ServerName auth.local
    ErrorLog ${APACHE_LOG_DIR}/auth_error.log
    CustomLog ${APACHE_LOG_DIR}/auth_access.log combined
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    # Proxy all traffic to Keycloak
    ProxyPass / http://keycloak:8080/
    ProxyPassReverse / http://keycloak:8080/
    ProxyPreserveHost On
    
    
    <Proxy *>
        Require all granted
    </Proxy>

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Host "auth.local"


</VirtualHost>

# APIs on api.local
<VirtualHost *:443>
    ServerName api.local
    ErrorLog ${APACHE_LOG_DIR}/api_error.log
    CustomLog ${APACHE_LOG_DIR}/api_access.log combined

    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    # OIDC config - point to Keycloak via auth.local
    # Global OIDC configuration
    OIDCProviderMetadataURL https://auth.local/realms/master/.well-known/openid-configuration
    OIDCClientID soa
    OIDCRedirectURI https://api.local/api/private/redirect
    OIDCClientSecret mysecret
    OIDCCryptoPassphrase fdfd8280-13b5-11f0-a320-080027e6dc53
    OIDCPassClaimsAs headers
    OIDCClaimPrefix OIDC-
    OIDCPassUserInfoAs claims
    OIDCRemoteUserClaim email
    OIDCScope "openid email profile"
    OIDCSessionInactivityTimeout 86400
    OIDCSSLValidateServer Off

    # Configure OAuth2 Bearer token validation (commented out - not available in this version)
    # OIDCOAuth2IntrospectionEndpoint https://auth.local/realms/master/protocol/openid-connect/token/introspect
    # OIDCOAuth2IntrospectionEndpointAuth client_secret_basic
    # OIDCOAuth2IntrospectionClientID soa
    # OIDCOAuth2IntrospectionClientSecret mysecret

    # Proxy public API (no auth)
    ProxyPass /api/public http://public_api:5001/api/public
    ProxyPassReverse /api/public http://public_api:5001/api/public

    # Proxy private API (supports both OIDC and Bearer tokens)
    ProxyPass /api/private http://private_api:5002/api/private
    ProxyPassReverse /api/private http://private_api:5002/api/private

    <Location /api/private>
        # Let Flask handle all authentication - pass through all requests
        # Apache will only inject OIDC headers if user is already authenticated via OIDC
        AuthType auth-openidc
        OIDCUnAuthAction pass
        Require all granted
        
        # Don't modify the Authorization header - let it pass through naturally
    </Location>
</VirtualHost>