# Caddyfile snippet holding the caddy-security setup for this host family.
# It wires one OIDC provider (Authentik) to an authentication portal and to
# an authorization policy that site blocks can reference.
# `order` and `security` are global-option keys, so this snippet is presumably
# imported from the global options block rather than a site block — confirm.
(auth) {
	# Run the auth handlers before the directives they protect.
	order authenticate before respond
	order authorize before reverse_proxy
	security {
		# Upstream identity provider, reached via generic OIDC.
		oauth identity provider generic {
			realm generic
			driver generic
			# Credentials come from the environment, not from this file.
			client_id {$OAUTH_CLIENT_ID}
			client_secret {$OAUTH_CLIENT_SECRET}
			# `email` and `profile` are what the user transforms below rely on.
			scopes openid email profile
			delay_start 5
			retry_attempts 3
			retry_interval 10
			base_auth_url https://authentik.rik.veenboer.xyz
			# Discovery over HTTPS to the public Authentik hostname.
			metadata_url https://authentik.rik.veenboer.xyz/application/o/caddy/.well-known/openid-configuration
			# Disabled alternative: plaintext HTTP to an internal address; kept
			# commented out so discovery never happens unencrypted.
			# metadata_url http://192.168.2.200:15000/caddy/.well-known/openid-configuration
		}
		# Login portal; issues the session cookie after the IdP round-trip.
		authentication portal myportal {
			enable identity provider generic
			# NOTE(review): the session cookie is scoped to the parent domain, so
			# it is presented to every subdomain of veenboer.xyz — confirm that
			# is intended for all hosts under that domain.
			cookie domain veenboer.xyz
			ui {
				links {
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			# Every account authenticated through this realm receives authp/user.
			# Combined with `allow roles ... authp/user` below, this admits any
			# account the IdP lets into the application; who may log in is
			# therefore decided in Authentik, not here.
			transform user {
				match realm generic
				action add role authp/user
			}
			# Admin role is keyed on the email claim from the IdP.
			# NOTE(review): this trusts the IdP to only assert this email for
			# the intended account (e.g. verified addresses) — confirm.
			transform user {
				match realm generic
				# Give this account admin role in the auth portal
				match email rik.veenboer@gmail.com
				action add role authp/admin
			}
		}
		# Policy attached to protected site blocks via `authorize with mypolicy`.
		authorization policy mypolicy {
			# Where unauthenticated requests are redirected to log in.
			set auth url https://auth.rik.veenboer.xyz/oauth2/generic
			allow roles authp/admin authp/user
			# Also accept a token in the Authorization header, not only the cookie.
			validate bearer header
			# NOTE(review): claim-derived headers are added to proxied requests;
			# upstreams should treat them as authoritative only when this proxy
			# is the sole path to them — confirm they are not reachable directly.
			inject headers with claims
		}
	}
}