---
# Bulwark webmail OIDC client — authenticates directly with Hydra.
# Hydra Maester creates K8s Secret "oidc-bulwark" with CLIENT_ID/CLIENT_SECRET.
# DOMAIN_SUFFIX is replaced by sed at deploy time.
# NOTE(review): the substituted value lands in every redirect URI below, so it
# should come only from trusted deploy configuration; the sed step will also
# rewrite the placeholder where it appears in these comments.
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: bulwark
  namespace: stalwart
spec:
  clientName: Webmail
  # Authorization-code flow only; refresh_token together with the
  # offline_access scope lets the client obtain refresh tokens.
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: 'openid email profile offline_access'
  # Each registered URI is a location an authorization code may be delivered
  # to. NOTE(review): three callback paths are registered — confirm the
  # webmail serves all of them and drop any that are unused.
  redirectUris:
    - 'https://mail.DOMAIN_SUFFIX/en/auth/callback'
    - 'https://mail.DOMAIN_SUFFIX/auth/callback'
    - 'https://mail.DOMAIN_SUFFIX/api/auth/callback'
  postLogoutRedirectUris:
    - 'https://mail.DOMAIN_SUFFIX'
  # Confidential client: the secret is sent in the token request body.
  tokenEndpointAuthMethod: client_secret_post
  # Secret holding the client credentials; access to it in the stalwart
  # namespace is equivalent to holding the client secret.
  secretName: oidc-bulwark
  # No consent screen is shown for this client.
  # NOTE(review): presumably acceptable because the webmail is first-party;
  # confirm, since the requested scopes are then granted without a user prompt.
  skipConsent: true
  # Access tokens live 24h and refresh tokens 720h (30 days) for both the
  # initial code exchange and later refreshes.
  # NOTE(review): a leaked access token remains usable until it expires or is
  # revoked; confirm a 24h access-token lifetime is required given that
  # refresh tokens are available.
  tokenLifespans:
    authorization_code_grant_access_token_lifespan: '24h'
    authorization_code_grant_refresh_token_lifespan: '720h'
    refresh_token_grant_access_token_lifespan: '24h'
    refresh_token_grant_refresh_token_lifespan: '720h'