Adding authentication to Kubernetes app using Keycloak and the new oauth2-proxy

As a follow-up post to my previous post about adding authentication transparently to an application

Configuring Keycloak

Go to the left-side menu item “Client Scopes” and click “Create”:

Create a new client scope called “api” with default settings, then click the “Mappers” tab to add the field mappings to this scope.

In this tab, create a new mapper called “groups” with the following settings:

Save this mapper, then click “Add Builtin” and add the existing mappers “username”, “email” and “profile”.

Finally, add this scope to the client at “Clients” > [your created client] > “Client Scopes”. Select the newly created scope “api” in the left box and click “Add Selected” under “Default Client Scopes”.

Now Keycloak is ready to send the correct tokens to the oauth2-proxy sidecar container.

Deploying the application


It’s currently not possible to have multiple groups attached to the application. I've sent a PR adding this functionality that might be available soon.

Also, since it’s not yet possible to configure the user claim, users in Keycloak should have an email (cannot be blank).
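To confirm that the “api” scope and its mappers took effect, the following added example (not code from the original post) decodes a token's payload and checks the two caveats above: a non-blank email and membership in the one allowed group. The claim name `groups`, the group `/admins` and the sample tokens are assumptions constructed for the demo. The signature is not verified, so this is for inspection only.

```python
import base64
import json


def decode_claims(jwt: str) -> dict:
    """Return the payload of a JWT without verifying its signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, required_group: str, group_claim: str = "groups") -> list:
    """List the problems that would stop this token from working with the setup above."""
    problems = []
    # Users without an email in Keycloak yield a token with no usable email claim.
    if not str(claims.get("email") or "").strip():
        problems.append("email claim is missing or blank")
    groups = claims.get(group_claim)  # claim name is an assumption (mapper setting)
    if not isinstance(groups, list):
        problems.append(f"'{group_claim}' claim is missing: is 'api' a default client scope?")
    elif required_group not in groups:
        # A group mapper can emit full paths ("/admins") or bare names ("admins").
        bare = [g.lstrip("/") for g in groups]
        if required_group.lstrip("/") in bare:
            problems.append(f"group matches only after ignoring the leading '/': {groups}")
        else:
            problems.append(f"user is not in required group {required_group!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Keycloak token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = make_sample_token({"email": "alice@example.com", "groups": ["/admins"]})
    bad = make_sample_token({"email": "", "groups": ["/dev"]})
    for name, tok in (("alice", good), ("bob", bad)):
        print(name, check_claims(decode_claims(tok), "/admins") or "ok")
```
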
