order authenticate before respond
order authorize before reverse_proxy
security {
	local identity store localdb {
		realm local
		path /data/caddy/users.json
	}
	oauth identity provider generic {
		realm remote
		driver generic
		client_id {$OAUTH_CLIENT_ID}
		client_secret {$OAUTH_CLIENT_SECRET}
		scopes openid email profile seafile joh

		enable logout
		# extract all from userinfo
		extract seafile_email from userinfo

		delay_start 5
		retry_attempts 3
		retry_interval 10

		base_auth_url https://authentik.{$DOMAIN}
		metadata_url https://authentik.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
	}
	authentication portal myportal {
		enable identity store localdb
		enable identity provider generic
		cookie domain {$DOMAIN}
		ui {
			links {
				"My Identity" "/whoami" icon "las la-user"
			}
		}
		transform user {
			match realm remote
			action add role authp/user
		}
		transform user {
			match origin local
			action add role authp/user
		}
	}
	authorization policy mypolicy {
		set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
		allow roles authp/admin authp/user
		validate bearer header

		set user identity seafile_id

		inject headers with claims
		inject header "X-Seafile-Email" from "userinfo|seafile_email"
	}
}