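# OmniAuth middleware configuration.
#
# Registers the OIDC provider only when the required environment variables are
# set, so environments without an identity provider still boot. Option placement
# follows omniauth_openid_connect: `issuer` and `discovery` are provider-level
# options (the strategy uses `issuer` to fetch the well-known configuration);
# nesting them under `client_options` or under an unrecognised key leaves
# discovery disabled, and the nil endpoints below would then be used as-is.
Rails.application.config.middleware.use OmniAuth::Builder do
  # Presence gate: without these the block is a no-op and no provider is mounted.
  # NOTE(review): OIDC_DISCOVERY_URL is only checked for presence here and is not
  # passed to the strategy; the issuer comes from OIDC_ISSUER — confirm which
  # variable deployments are expected to set.
  required = %w[OIDC_DISCOVERY_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET]
  if required.all? { |key| ENV[key].present? }
    provider :openid_connect, {
      name: :oidc,
      scope: [:openid, :email, :groups],
      response_type: :code,
      # Provider-level options: the strategy reads `issuer` and `discovery` from
      # here (not from client_options) to locate the discovery document, and
      # validates the ID token's `iss` claim against `issuer`.
      issuer: ENV['OIDC_ISSUER'],
      discovery: true,
      client_options: {
        identifier: ENV['OIDC_CLIENT_ID'],
        secret: ENV['OIDC_CLIENT_SECRET'],
        # NOTE(review): not part of the presence gate above; if unset the
        # strategy receives a nil redirect_uri — confirm it is always provided.
        redirect_uri: ENV['OIDC_REDIRECT_URI'],
        # Endpoints are left unset so the values obtained via discovery are used
        # instead of the gem's relative-path defaults.
        authorization_endpoint: nil,
        token_endpoint: nil,
        userinfo_endpoint: nil,
        jwks_uri: nil
      }
    }
  end
end

# Route OmniAuth's own log output through the Rails logger in production so it
# lands in the application log alongside everything else. This does not silence
# OmniAuth; outside production its default logger is kept.
OmniAuth.config.logger = Rails.logger if Rails.env.production?

# In development and test, raise authentication failures as exceptions instead
# of redirecting to the failure endpoint, so misconfiguration surfaces as a
# stack trace. Production keeps the redirect behaviour.
OmniAuth.config.failure_raise_out_environments = %w[development test]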