http_address            =   "0.0.0.0:4180"
cookie_secret           =   "{{ applications[oauth2_proxy_application_id].credentials.oauth2_proxy_cookie_secret }}"
cookie_secure           =   "true"                                                                                                                                                  # True is necessary to force the cookie set via https
upstreams               =   "http://{{ applications[oauth2_proxy_application_id].oauth2_proxy.application }}:{{ applications[oauth2_proxy_application_id].oauth2_proxy.port }}"
cookie_domains          =   ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('keycloak') }}"]                                                   # Required so cookie can be read on all subdomains.
whitelist_domains       =   [".{{ primary_domain }}"]                                                                                                                               # Required to allow redirection back to original requested target.

# keycloak provider
client_secret           =   "{{ oidc.client.secret }}"
client_id               =   "{{ oidc.client.id }}"
redirect_url            =   "{{ web_protocol }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback"
oidc_issuer_url         =   "{{ oidc.client.issuer_url }}"
provider                =   "oidc"
provider_display_name   =   "Keycloak"

{% if applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups is defined %}
{# role based restrictions #}
scope                   =   "openid email profile groups"
oidc_groups_claim       =   "realm_access.roles"
allowed_groups          =   {{ applications[oauth2_proxy_application_id].oauth2_proxy.allowed_groups | tojson }}
{% else %}
email_domains           =   "{{ primary_domain }}"
{% endif %}