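# Values for a Dex deployment that federates logins to Switch edu-ID (OIDC)
# and issues tokens to the static clients listed under `clients`.
# ${...} placeholders are expected to be substituted before this file is
# parsed; values containing them are quoted so the result stays a string.
dex:
  image:
    # No tag or digest is set here, so whatever the chart defaults to is
    # deployed. Pin one if you need reproducible, reviewable upgrades.
    repository: dexidp/dex
  ingress:
    host: "auth.${DOMAIN}"
    path: /
  connectors:
    - type: oidc
      id: switch-edu-id
      name: Switch edu-ID
      config:
        # Must match the issuer published in the provider's discovery
        # document exactly, including the trailing slash.
        issuer: https://login.eduid.ch/
        # Resource registry entry for this client:
        # https://rr.aai.switch.ch/view_resource.php?resource=<YOUR-RESOURCE-ID>
        # Supply the credentials at deploy time (environment or secret
        # store); never commit the substituted values.
        clientID: "${EDUID_CLIENT_ID}"
        clientSecret: "${EDUID_CLIENT_SECRET}"
        # Has to equal the redirect URI registered for this client at the
        # identity provider.
        redirectURI: "https://auth.${DOMAIN}/callback"
        scopes:
          - openid  # needed for "sub" claim
          - profile  # needed for "name" claim
          - email  # needed for "email" and "email_verified" claims
          # needed for "eduPersonEntitlement" claim
          - https://login.eduid.ch/authz/User.Read
          - offline_access  # needed for the refresh token
        getUserInfo: true
        # Dex keeps group claims from OIDC connectors off by default because
        # they are only updated when the upstream ID token is refreshed, so
        # they can be stale. With this enabled, a revoked entitlement may
        # still appear in issued tokens; applications that authorize on
        # `groups` should account for that delay.
        insecureEnableGroups: true
        claimMapping:
          groups: eduPersonEntitlement
  expiry:
    refreshTokens:
      # 720h = 30 days. Both limits are equal, so a refresh token stops
      # working 30 days after issue even if it is used regularly. This is
      # also how long a leaked refresh token remains usable; shorten it if
      # that window is too long for your applications.
      validIfNotUsedFor: "720h"
      absoluteLifetime: "720h"
  clients:
    ##############
    # Your applications go here:
    - id: applicationId
      name: applicationName
      # Per-application client secret; inject at deploy time and use a
      # distinct value for each client.
      secret: "${APPLICATION_CLIENT_SECRET}"
      # Allow-list of callback URLs for this client. Keep each entry https
      # and as specific as possible; add further callbacks as separate
      # entries. The original listed the same URL twice.
      # NOTE(review): Dex's own config spells this key `redirectURIs`;
      # confirm the chart accepts the capitalised form used here.
      RedirectURIs:
        - "https://${APPLICATION}.${DOMAIN}/oauth/callback"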