package handlers

import (
	"net/http"

	"github.com/ory/fosite"

	"github.com/authelia/authelia/internal/middlewares"
)

func oidcToken(ctx *middlewares.AutheliaCtx, rw http.ResponseWriter, req *http.Request) {
	oidcSession, err := newDefaultOIDCSession(ctx)
	if err != nil {
		ctx.Logger.Errorf("Error occurred in NewDefaultOIDCSession: %+v", err)
		ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, nil, err)

		return
	}

	accessRequest, accessReqErr := ctx.Providers.OpenIDConnect.Fosite.NewAccessRequest(ctx, req, oidcSession)
	if accessReqErr != nil {
		ctx.Logger.Errorf("Error occurred in NewAccessRequest: %+v", accessRequest)
		ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, accessReqErr)

		return
	}

	// If this is a client_credentials grant, grant all scopes the client is allowed to perform.
	if accessRequest.GetGrantTypes().ExactOne("client_credentials") {
		for _, scope := range accessRequest.GetRequestedScopes() {
			if fosite.HierarchicScopeStrategy(accessRequest.GetClient().GetScopes(), scope) {
				accessRequest.GrantScope(scope)
			}
		}
	}

	response, err := ctx.Providers.OpenIDConnect.Fosite.NewAccessResponse(ctx, accessRequest)
	if err != nil {
		ctx.Logger.Errorf("Error occurred in NewAccessResponse: %+v", err)
		ctx.Providers.OpenIDConnect.Fosite.WriteAccessError(rw, accessRequest, err)

		return
	}

	ctx.Providers.OpenIDConnect.Fosite.WriteAccessResponse(rw, accessRequest, response)
}