# Input variables for a module that configures an OAuth2 provider and the
# application bound to it. The resources that consume these values are not in
# this file, so notes about how a value is used are marked as assumptions.

# --- Identity of the provider and application --------------------------------

variable "name" {
  description = "Name of the OAuth2 provider"
  type        = string
}

variable "app_name" {
  description = "Name of the application"
  type        = string
}

variable "app_slug" {
  description = "Slug of the application"
  type        = string
}

variable "app_group" {
  description = "Group for the application"
  type        = string
  default     = ""
}

# --- Client credentials -------------------------------------------------------

# Defaults to null; presumably the identity provider generates an ID when none
# is supplied (confirm where this variable is consumed).
variable "client_id" {
  description = "OAuth2 Client ID"
  type        = string
  default     = null
}

# `sensitive = true` redacts the value from plan/apply output only. The secret
# is still written to the Terraform state in clear text, so the state backend
# needs encryption at rest and restricted access.
variable "client_secret" {
  description = "OAuth2 Client Secret"
  type        = string
  default     = null
  sensitive   = true
}

# The validation only restricts the value to the two known client types. It
# does not stop a caller from setting client_secret together with "public";
# a public client cannot keep a secret confidential, so such a secret should
# not be treated as an authenticator.
variable "client_type" {
  description = "OAuth2 Client type (confidential or public)"
  type        = string
  default     = "confidential"

  validation {
    condition     = contains(["confidential", "public"], var.client_type)
    error_message = "Client type must be either 'confidential' or 'public'."
  }
}

# --- Flows and redirects ------------------------------------------------------

variable "authorization_flow" {
  description = "Authorization flow UUID"
  type        = string
}

variable "invalidation_flow" {
  description = "Invalidation flow UUID"
  type        = string
}

# Entries are not validated here (scheme, host, wildcard or regex use). How an
# entry is matched against the request is decided where this list is consumed;
# exact https:// URIs are the safest input. NOTE(review): confirm what the
# provider does with the empty default before relying on it.
variable "redirect_uris" {
  description = "List of allowed redirect URIs"
  type        = list(string)
  default     = []
}

# --- Token lifetimes ----------------------------------------------------------

# The three validity values are free-form strings of the shape "<unit>=<n>";
# nothing in this file checks the format or puts an upper bound on them.

variable "access_code_validity" {
  description = "Access code validity duration"
  type        = string
  default     = "minutes=1"
}

variable "access_token_validity" {
  description = "Access token validity duration"
  type        = string
  default     = "minutes=5"
}

# Thirty days is the longest-lived credential in this module; revocation and
# rotation behaviour for refresh tokens is configured outside this file.
variable "refresh_token_validity" {
  description = "Refresh token validity duration"
  type        = string
  default     = "days=30"
}

# --- Token contents and signing -----------------------------------------------

# With the default of true, claims are embedded in the ID token itself, so
# anything that stores or logs the ID token also holds those claims.
variable "include_claims_in_id_token" {
  description = "Include claims in ID token"
  type        = bool
  default     = true
}

# NOTE(review): with the null default no signing key is selected. Some identity
# providers then fall back to symmetric signing keyed by the client secret;
# confirm the behaviour of the consuming resource and pass an asymmetric key
# where relying parties verify tokens themselves.
variable "signing_key" {
  description = "Signing key UUID"
  type        = string
  default     = null
}

variable "property_mappings" {
  description = "List of property mapping UUIDs"
  type        = list(string)
  default     = []
}

# --- Application access control -----------------------------------------------

# Presumably "all" requires every bound policy to pass and "any" is satisfied
# by a single passing policy (verify against the provider documentation). The
# default here is "all".
variable "policy_engine_mode" {
  description = "Policy engine mode"
  type        = string
  default     = "all"

  validation {
    condition     = contains(["all", "any"], var.policy_engine_mode)
    error_message = "Policy engine mode must be either 'all' or 'any'."
  }
}

variable "meta_description" {
  description = "Application meta description"
  type        = string
  default     = ""
}

# Not validated as a URL in this file.
variable "meta_launch_url" {
  description = "Application launch URL"
  type        = string
  default     = ""
}

# Not validated as a URL in this file.
variable "meta_icon" {
  description = "Application icon URL"
  type        = string
  default     = ""
}

# Map of policy bindings keyed by an arbitrary caller-chosen name. Only
# policy_id and order are required; the remaining attributes fall back to the
# optional() defaults below.
#
# NOTE(review): failure_result defaults to true. If this feeds the binding's
# "result when policy execution fails" setting, an evaluation error or timeout
# counts as a pass, i.e. the binding fails open. Callers that need fail-closed
# behaviour have to set `failure_result = false` on each entry.
# The unit of `timeout` is not stated here (presumably seconds).
variable "access_policies" {
  description = "Access policies for the application"
  type = map(object({
    policy_id      = string
    order          = number
    enabled        = optional(bool, true)
    timeout        = optional(number, 30)
    negate         = optional(bool, false)
    failure_result = optional(bool, true)
  }))
  default = {}
}

# NOTE(review): both access_policies and access_groups default to empty.
# Whether an application with no bindings is open to every authenticated user
# depends on the consuming resources; confirm before deploying with defaults.
variable "access_groups" {
  description = "List of group IDs that have access to the application"
  type        = list(string)
  default     = []
}

# The defaults are scope names rather than UUIDs (unlike property_mappings);
# they are presumably resolved to mapping objects elsewhere in the module.
variable "scope_mappings" {
  description = "List of scope mappings for the OAuth provider"
  type        = list(string)
  default     = ["openid", "profile", "email"]
}