config

type Config struct {
	GRPCAddress string `mapstructure:"grpc_address"`
	HttpAddress string `mapstructure:"http_address"`

	BaseUrl url.URL `mapstructure:"base_url"`

	OAuth OAuthServerConfig `mapstructure:"oauth"`

	OAuthClient OAuthClientConfig `mapstructure:"oauth_client"`

	ServiceToken     string `mapstructure:"service_token"`
	NextServiceToken string `mapstructure:"next_service_token"`
}

type OAuthClientConfig struct {
	GitlabURL string                               `mapstructure:"gitlab_url"`
	Providers map[string]OAuthClientProviderConfig `mapstructure:"providers"`
}

type OAuthClientProviderConfig struct {
	// OIDC Discovery - if provided, auth_url, token_url, and user_info_url are fetched automatically
	Issuer string `mapstructure:"issuer"`

	// Manual OAuth configuration - required if issuer is not provided
	AuthURL     string `mapstructure:"auth_url"`
	TokenURL    string `mapstructure:"token_url"`
	UserInfoURL string `mapstructure:"user_info_url"`

	// Required for all providers
	ClientID     string   `mapstructure:"client_id"`
	ClientSecret string   `mapstructure:"client_secret"`
	Scopes       []string `mapstructure:"scopes"`
}

type OAuthServerConfig struct {
	Issuer     string `mapstructure:"issuer"`
	ConsentURL string `mapstructure:"consent_url"`
	LoginURL   string `mapstructure:"login_url"`
	HMACSecret string `mapstructure:"hmac_secret"`

	// AccessTokenAudience identifies the resource server that consumes
	// IAM-issued JWT access tokens; set as the `aud` claim per RFC 9068 §2.2.
	AccessTokenAudience string `mapstructure:"access_token_audience" default:"gitlab-rails"`

	JwksCacheDuration time.Duration `mapstructure:"jwks_cache_duration" default:"3600s"`
}