order authenticate before respond
order authorize before reverse_proxy
security {
	oauth identity provider generic {
		realm mine
		driver generic
		client_id {$OAUTH_CLIENT_ID}
		client_secret {$OAUTH_CLIENT_SECRET}
		scopes openid email profile

		delay_start 5
		retry_attempts 3
		retry_interval 10

		base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
		metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
	}
	authentication portal myportal {
		enable identity provider generic
		cookie domain {$DOMAIN}
		ui {
			links {
				"My Identity" "/whoami" icon "las la-user"
				"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
			}
		}

		transform user {
			match realm mine
			action add role authp/user
		}

		transform user {
			match realm mine

			# Give this account admin role in the auth portal
			match email rik.veenboer@gmail.com
			action add role authp/admin
		}
	}
	authorization policy mypolicy {
		set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
		allow roles authp/admin authp/user
		validate bearer header
		inject headers with claims
	}
}