# Verification endpoint: forwards the request's headers (no body) to the
# local session-verify API so the identity service can decide whether the
# original request carries a valid session.
# NOTE(review): there is no `internal;` directive here, so as written this
# location also answers requests that arrive directly from clients. If it is
# only meant to be reached as a subrequest from /ingress/auth_verify.conf
# (not shown here; confirm), mark it `internal;`.
# NOTE(review): this is a prefix match, so any URI beginning with
# /_verify_auth lands here; `location = /_verify_auth` would restrict it to
# the exact path. Confirm how the include refers to it before changing.
location /_verify_auth {
    proxy_connect_timeout 1s;
    proxy_pass https://127.0.0.1:8443/api/v2/session/verify;

    # The verify call needs only headers and cookies: drop the request body
    # and blank Content-Length so the upstream does not wait for one.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # proxy_set_header replaces any client-supplied header of the same name,
    # so the verify service sees nginx's view of the original URI and method.
    proxy_set_header X-Original-URI $request_uri;

    # Pass the original method so verify can skip the CSRF/double-cookie
    # check. The session is still verified; this is required to allow
    # pantheon to serve static values to the browser tag.
    proxy_set_header X-Original-Method $request_method;
}

# Versioned auth API: CORS handling and session verification are applied
# before the request is handed to the local auth service.
location ~ ^/auth/api/v\d+ {
    include /ingress/cors.conf;

    # verify request against idp
    include /ingress/auth_verify.conf;

    # Strip the /auth/ prefix; `break` stops rewrite processing and keeps the
    # request in this location, so proxy_pass (no URI part) sends the
    # rewritten path upstream.
    rewrite ^/auth/(.*) /$1 break;
    proxy_connect_timeout 1s;
    proxy_pass https://127.0.0.1:8443;
}

# Pre-authentication endpoints (login, logout, password reset, OAuth,
# invite). This location does not include auth_verify.conf, so requests
# matched here reach the backend without the verify step.
# NOTE(review): the alternation has no trailing anchor, so every path that
# merely starts with one of these words takes this unverified route, not
# only the listed endpoints. If only the exact endpoints and their sub-paths
# are intended, end the group with `(/|$)`. Confirm against the backend's
# routes before tightening.
location ~ ^/auth/(login|logout|init|reset-password|request-password-reset|oauth|invite) {
    # Strip the /auth/ prefix before proxying (same as the API location).
    rewrite ^/auth/(.*) /$1 break;

    # NOTE(review): maps cookie Path "/" to "/", which appears to leave the
    # Path attribute unchanged. Confirm the intended replacement.
    proxy_cookie_path / /;
    proxy_connect_timeout 1s;
    proxy_pass https://127.0.0.1:8443;
}