{% if openidc_enabled == 1 or openidc_enabled == true -%}
    access_by_lua_block {
	    local openidc = require("resty.openidc")
        local opts = {
            redirect_uri = "{{- openidc_redirect_uri -}}",
            discovery = "{{- openidc_discovery -}}",
            token_endpoint_auth_method = "{{- openidc_auth_method -}}",
            client_id = "{{- openidc_client_id -}}",
            client_secret = "{{- openidc_client_secret -}}",
            scope = "openid email profile"
        }

        local res, err = openidc.authenticate(opts)

        if err then
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        {% if openidc_restrict_users_enabled == 1 or openidc_restrict_users_enabled == true -%}
        local function contains(table, val)
            for i=1,#table do
                if table[i] == val then 
                    return true
                end
            end
            return false
        end

        local allowed_users = {
            {% for user in openidc_allowed_users %}
                "{{ user }}",
            {% endfor %}
        }

        if not contains(allowed_users, res.id_token.email) then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        {% endif -%}
        

        ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
        ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
        ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
    }
{% endif %}