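# Apache httpd 2.4 reverse-proxy front: Keycloak behind auth.local, a public
# and a private API behind api.local, with mod_auth_openidc guarding the
# private API (browser OIDC sessions and OAuth2 Bearer tokens).
#
# NOTE(review): the copy reviewed had lost its container directives
# (<VirtualHost ...>, <Location ...>); the boundaries below are reconstructed
# from directive order and the inline comments — confirm them against the
# original before deploying.

LoadModule ssl_module            modules/mod_ssl.so
LoadModule auth_openidc_module   /usr/lib/apache2/modules/mod_auth_openidc.so
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule headers_module        modules/mod_headers.so

# NOTE(review): at debug, mod_auth_openidc writes session, claim and upstream
# response details to the error log; lower this to warn once the setup works.
LogLevel debug

Listen 443

# Redirect HTTP to HTTPS for auth.local
<VirtualHost *:80>
    ServerName auth.local
    Redirect permanent / https://auth.local/
</VirtualHost>

# Redirect HTTP to HTTPS for api.local
<VirtualHost *:80>
    ServerName api.local
    Redirect permanent / https://api.local/
</VirtualHost>

# Keycloak on auth.local
<VirtualHost *:443>
    ServerName auth.local
    ErrorLog  ${APACHE_LOG_DIR}/auth_error.log
    CustomLog ${APACHE_LOG_DIR}/auth_access.log combined

    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    # Proxy all traffic to Keycloak
    ProxyPass        / http://keycloak:8080/
    ProxyPassReverse / http://keycloak:8080/
    # Keycloak derives its issuer and redirect URLs from Host and the
    # X-Forwarded-* headers, so they must describe the public https origin.
    ProxyPreserveHost On

    <Location />
        Require all granted

        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port  "443"
        RequestHeader set X-Forwarded-Host  "auth.local"
    </Location>
</VirtualHost>

# APIs on api.local
<VirtualHost *:443>
    ServerName api.local
    ErrorLog  ${APACHE_LOG_DIR}/api_error.log
    CustomLog ${APACHE_LOG_DIR}/api_access.log combined

    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/server.key

    # OIDC config - point to Keycloak via auth.local
    OIDCProviderMetadataURL https://auth.local/realms/master/.well-known/openid-configuration
    OIDCClientID    soa
    OIDCRedirectURI https://api.local/api/private/redirect
    # NOTE(review): the client secret and the cookie/state encryption
    # passphrase are stored in the clear here. Move them out of the checked-in
    # file (httpd expands ${VAR} from Define/environment, as ${APACHE_LOG_DIR}
    # above shows) and rotate both values before anything other than a local
    # sandbox uses this config.
    OIDCClientSecret mysecret
    OIDCCryptoPassphrase fdfd8280-13b5-11f0-a320-080027e6dc53
    OIDCPassClaimsAs headers
    OIDCClaimPrefix  OIDC-
    OIDCPassUserInfoAs claims
    OIDCRemoteUserClaim email
    OIDCScope "openid email profile"
    # 24 h of inactivity before the session expires.
    OIDCSessionInactivityTimeout 86400
    # NOTE(review): disables certificate verification for every outbound call
    # to Keycloak (metadata, token, userinfo, introspection), so anyone able
    # to answer for auth.local can mint identities this vhost accepts.
    # Tolerable only while server.crt is a local self-signed certificate;
    # otherwise trust its issuing CA and set this back to On.
    OIDCSSLValidateServer Off

    # Configure OAuth2 Bearer token validation
    OIDCOAuth2IntrospectionEndpoint https://auth.local/realms/master/protocol/openid-connect/token/introspect
    OIDCOAuth2IntrospectionEndpointAuth client_secret_basic
    OIDCOAuth2IntrospectionClientID     soa
    OIDCOAuth2IntrospectionClientSecret mysecret

    # The identity headers are only meaningful when set by the private-API
    # block below. Drop any copy the client sends first (vhost-level
    # RequestHeader directives run before the Location-level ones), so the
    # public backend cannot be handed a forged identity and the private
    # backend never sees a client-supplied value.
    RequestHeader unset X-User-Email
    RequestHeader unset X-User-Name
    RequestHeader unset X-OAuth2-Email
    RequestHeader unset X-OAuth2-Username

    # Proxy public API (no auth)
    ProxyPass        /api/public http://public_api:5001/
    ProxyPassReverse /api/public http://public_api:5001/

    # Proxy private API (supports both OIDC and Bearer tokens)
    ProxyPass        /api/private http://private_api:5002/api/private
    ProxyPassReverse /api/private http://private_api:5002/api/private

    <Location /api/private>
        # Accept both OIDC sessions and OAuth2 Bearer tokens
        AuthType auth-openidc
        Require valid-user

        # Allow both authentication methods
        OIDCUnAuthAction auth
        OIDCUnAutzAction 401

        # Pass user info as headers for both auth types
        # NOTE(review): %{NAME}i reads a request header literally named NAME.
        # With OIDCClaimPrefix OIDC- the header mod_auth_openidc sets is
        # OIDC-email, so HTTP_OIDC_EMAIL may expand to an empty value — check
        # what the upstream actually receives before relying on these.
        RequestHeader set X-User-Email "%{HTTP_OIDC_EMAIL}i"
        RequestHeader set X-User-Name  "%{HTTP_OIDC_PREFERRED_USERNAME}i"
        # Also pass OAuth2 token info
        RequestHeader set X-OAuth2-Email    "%{HTTP_OAUTH2_EMAIL}i"
        RequestHeader set X-OAuth2-Username "%{HTTP_OAUTH2_PREFERRED_USERNAME}i"
    </Location>
</VirtualHost>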