computer-playbook/roles/web-app-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

http_address            =   "0.0.0.0:4180"
cookie_secret           =   "{{ applications | get_app_conf(oauth2_proxy_application_id, 'credentials.oauth2_proxy_cookie_secret', True) }}"
cookie_secure           =   "true"                                                                                                                                                  # True is necessary to force the cookie set via https
upstreams               =   "http://{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.application', True) }}:{{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.port', True) }}"
cookie_domains          =   ["{{ domains | get_domain(oauth2_proxy_application_id) }}", "{{ domains | get_domain('web-app-keycloak') }}"]                                                   # Required so cookie can be read on all subdomains.
whitelist_domains       =   [".{{ PRIMARY_DOMAIN }}"]                                                                                                                               # Required to allow redirection back to original requested target.

# keycloak provider
client_secret           =   "{{ OIDC.CLIENT.SECRET }}"
client_id               =   "{{ OIDC.CLIENT.ID }}"
redirect_url            =   "{{ WEB_PROTOCOL }}://{{ domains | get_domain(oauth2_proxy_application_id) }}/oauth2/callback"
oidc_issuer_url         =   "{{ OIDC.CLIENT.ISSUER_URL }}"
provider                =   "oidc"
provider_display_name   =   "{{ OIDC.BUTTON_TEXT }}"

{% if applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', False) %}
{# role based restrictions #}
scope                   =   "openid email profile {{ RBAC.GROUP.CLAIM }}"
oidc_groups_claim       =   "{{ RBAC.GROUP.CLAIM }}"
allowed_groups          =   {{ applications | get_app_conf(oauth2_proxy_application_id, 'oauth2_proxy.allowed_groups', True) | to_json }}
email_domains           =   ["*"]
{% else %}
email_domains           =   "{{ PRIMARY_DOMAIN }}"
{% endif %}

session_store_type       = "redis"
redis_connection_url     = "redis://redis:6379"