auth_request /sso-auth;
error_page 401 = @error401;

location /sso-auth {
    internal;

    proxy_pass {{ item.value.auth_url | default(item.value.base_url + '/auth') }};
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Origin-URI $request_uri;
    proxy_set_header X-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /sso-logout {
    return 302 {{ item.value.base_url }}/logout?go=$scheme://$http_host/;
}

location @error401 {
    return 302 {{ item.value.base_url }}/login?go=$scheme://$http_host$request_uri;
}