# Looks up the existing Cognito user pool by name. This data source returns
# every pool whose name matches, and `ids[0]` below takes the first one, so
# the module assumes exactly one pool carries this name — TODO confirm;
# with several matching pools the selection would be ambiguous.
data "aws_cognito_user_pools" "thomasklein_infra" {
  name = "thomasklein-infra"
}

# App client that Chronograf uses to sign users in against the pool above.
resource "aws_cognito_user_pool_client" "this" {
  name         = "chronograf"
  user_pool_id = data.aws_cognito_user_pools.thomasklein_infra.ids[0]

  # Hosted-UI OAuth settings: authorization-code flow only (the implicit
  # flow is not enabled), with a generated client secret, i.e. Chronograf
  # acts as a confidential client and must keep that secret out of logs
  # and source control.
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["profile", "email", "openid"]
  # Only the pool's own user directory is allowed; no federated IdPs.
  supported_identity_providers = ["COGNITO"]
  generate_secret              = true

  # Both spellings of the Chronograf callback path are registered,
  # presumably because the redirect URI has to match a registered entry
  # exactly — confirm which one Chronograf actually sends and drop the
  # other, so the allow-list stays as tight as possible.
  callback_urls = [
    "https://${local.chronograf_domain}/oauth/cognito/callback",
    "https://${local.chronograf_domain}/oauth/Cognito/callback"
  ]

  # NOTE(review): consider setting `prevent_user_existence_errors = "ENABLED"`
  # so failed sign-ins do not reveal whether a username exists.
}

locals {
  # Hosted-UI endpoints. The base URL is built from the user pool *name*;
  # the hosted-UI domain prefix is configured separately on the pool and
  # only matches if it was set to the same value — TODO confirm. These
  # URLs should really come from an exported attribute rather than being
  # assembled by hand. `data.aws_region.current` is presumably declared
  # elsewhere in the module (not shown here).
  cognito_base_url     = "https://${data.aws_cognito_user_pools.thomasklein_infra.name}.auth.${data.aws_region.current.name}.amazoncognito.com"
  cognito_authz_url    = "${local.cognito_base_url}/oauth2/authorize"
  cognito_token_url    = "${local.cognito_base_url}/oauth2/token"
  cognito_userinfo_url = "${local.cognito_base_url}/oauth2/userInfo"

  # Signing keys of the pool's token issuer, following the pattern
  # https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
  # Whatever consumes this URL should verify token signatures against these
  # keys and also check the issuer and audience claims — TODO confirm the
  # consumer does so.
  jwks_url = "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${aws_cognito_user_pool_client.this.user_pool_id}/.well-known/jwks.json"
}