{{- $clientID := get . "clientID" }}
{{- $clientSecret := get . "clientSecret" }}
{{- with get . "root" }}

{{- range .Values.blueprint.provider.oidc.scopes }}
{{- if .expression }}
- model: authentik_providers_oauth2.ScopeMapping
  identifiers:
    name: {{ .name | quote }}
  state: present
  attrs:
    name: {{ .name | quote }}
    scope_name: {{ .scope_name }}
    expression: {{ .expression | quote }}
{{- end }}
{{- end }}

- model: authentik_providers_oauth2.OAuth2Provider
  id: provider
  identifiers:
    name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
  state: present
  attrs:
    authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
    {{- with .Values.blueprint.provider.oidc }}
    client_type: {{ .clientType | quote }}
    client_id: {{ $clientID | quote }}
    client_secret: {{ $clientSecret | quote }}
    redirect_uris: {{ .redirectURL }}
    {{- with .tokenDuration }}
    access_token_validity: {{ . | quote }}
    {{- end }} 
    {{- with .signingKey }}
    signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
    {{- end }}
    {{- with .scopes }}
    property_mappings:
      {{- range . }}
      - !Find [authentik_providers_oauth2.ScopeMapping, [name, {{ .name | quote }}]]
      {{- end }}
    {{- end }}
    {{- end }}
{{- end }}{{/* end with of get-root */}}