# Caddyfile: caddy-security OIDC login in front of a static file server.
# The global block configures the listener and the caddy-security plugin;
# the site block below wires the portal and policy into request routing.
{
	# Port to listen on
	http_port 80

	# Configure caddy-security.
	# Only `authenticate` gets an explicit position in the directive order;
	# `authorize` is used solely inside `route` blocks below, which presumably
	# is why it needs no order entry — confirm if it is ever used outside route.
	order authenticate before respond
	security {
		# Upstream OIDC provider. Both URLs are plain http://, so discovery
		# metadata and the token exchange are unencrypted — acceptable only on
		# a private network segment between Caddy and pocket-id (the bare
		# hostname looks like a container/service name; confirm).
		oauth identity provider generic {
			delay_start 3 # presumably waits before the first discovery fetch so the provider is up — confirm
			realm generic
			driver generic
			# Credentials come from the environment, never from this file.
			client_id {env.OAUTH_CLIENT_ID} # Replace with your own client ID
			client_secret {env.OAUTH_CLIENT_SECRET} # Replace with your own client secret
			scopes openid email profile
			base_auth_url http://pocket-id
			# Discovery document: issuer and token-signing keys are trusted from here,
			# so whoever answers at this hostname controls who can log in.
			metadata_url http://pocket-id/.well-known/openid-configuration
		}

		authentication portal myportal {
			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
			enable identity provider generic
			cookie insecure off # Set to "on" if you're not using HTTPS
			# NOTE(review): the site below is http://localhost, i.e. plain HTTP, while the
			# session cookie is marked secure here. Browsers generally treat localhost as
			# a secure context, so this works for local testing; for any other hostname,
			# serve the site over HTTPS rather than switching this to "on".
			# Every user matching the realm receives the "user" role, so any account the
			# provider signs in is authorized by mypolicy below — narrow this match or
			# restrict accounts on the provider side if not everyone should get in.
			transform user {
				match realm generic
				action add role user
			}
		}

		authorization policy mypolicy {
			set auth url /caddy-security/oauth2/generic # Where unauthenticated requests are sent to log in
			allow roles user
			# Presumably intended for a reverse_proxy upstream; file_server below does
			# not consume the injected claim headers.
			inject headers with claims
		}
	}
}

http://localhost {
	# Portal endpoints (login, callback, logout) live under this prefix and are
	# handled by the portal itself rather than by the authorization policy.
	@auth {
		path /caddy-security/*
	}
	route @auth {
		authenticate with myportal
	}
	# Everything else requires a valid session before any file is served;
	# authorize must stay ahead of root/file_server in this route.
	route /* {
		authorize with mypolicy
		root * /app
		file_server
	}
}