---
# Registration request for the Keycloak Client Registrar, delivered as a
# labelled Secret. The registrar creates the OIDC client in the forte realm
# and, within ~2 min, writes the resulting credentials into the
# forte-drop-oidc-credentials Secret in this namespace. The client-secret is
# then copied by hand into the auth-oidc SealedSecret (one-time per cluster;
# see PR description).
#
# This manifest carries no credential itself; the generated client-secret is
# what lands in forte-drop-oidc-credentials.
# NOTE(review): treat the hand-copied value as a credential (seal it directly,
# keep it out of PR text and chat); presumably the copy has to be repeated if
# the client-secret is ever regenerated - confirm against the PR description.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-client-forte-drop
  namespace: forte-drop
  labels:
    # Marks this Secret as registrar input. Quoted because label values must
    # be strings, not booleans.
    # NOTE(review): presumably the registrar acts on any Secret carrying this
    # label; confirm which namespaces it watches and that RBAC limits who can
    # create labelled Secrets there, since that is enough to request a client
    # in the realm.
    keycloak.forteapps.net/client-config: "true"
stringData:
  # Confidential web client: authorization-code flow only
  # (standardFlowEnabled), authenticated with a client secret; the password
  # grant (directAccessGrantsEnabled) and the service account are switched off.
  # redirectUris and webOrigins are exact values without wildcards - keep them
  # exact when further environments are added.
  # NOTE(review): implicitFlowEnabled and fullScopeAllowed are not set, so the
  # server defaults apply (assuming the registrar forwards this document
  # as-is); consider stating both explicitly. If the application sends a PKCE
  # challenge, the pkce.code.challenge.method attribute can require S256.
  # NOTE(review): verify that a client scope named "openid" exists in the
  # realm; TODO confirm how the registrar treats unknown scope names.
  client.json: |
    {
      "clientId": "forte-drop",
      "name": "Forte Drop (web)",
      "enabled": true,
      "protocol": "openid-connect",
      "clientAuthenticatorType": "client-secret",
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
      "defaultClientScopes": ["openid","email","profile"]
    }