From f94dee6f0dd1cf74d3da5fa35687a18dc37c7f7b Mon Sep 17 00:00:00 2001 From: sushiMix <53741704+sushiMix@users.noreply.github.com> Date: Fri, 10 Jan 2020 10:41:08 +0100 Subject: [PATCH] Update keycloak provider configuration doc (#347) * update keycloak provider configuration doc * Add changelog entry --- CHANGELOG.md | 1 + docs/2_auth.md | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90b7ccf5..783335dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ## Breaking Changes ## Changes since v4.1.0 +- [#347](https://github.com/pusher/oauth2_proxy/pull/347) Update keycloak provider configuration documentation - [#325](https://github.com/pusher/oauth2_proxy/pull/325) dist.sh: use sha256sum (@syscll) - [#179](https://github.com/pusher/oauth2_proxy/pull/179) Add Nextcloud provider (@Ramblurr) diff --git a/docs/2_auth.md b/docs/2_auth.md index b3d96559..e1440075 100644 --- a/docs/2_auth.md +++ b/docs/2_auth.md @@ -107,8 +107,9 @@ If you are using GitHub enterprise, make sure you set the following to the appro ### Keycloak Auth Provider -1. Create new client in your Keycloak with **Access Type** 'confidental'. -2. Create a mapper with **Mapper Type** 'Group Membership'. +1. Create new client in your Keycloak with **Access Type** 'confidental' and **Valid Redirect URIs** 'https://internal.yourcompany.com/oauth2/callback' +2. Take note of the Secret in the credential tab of the client +3. Create a mapper with **Mapper Type** 'Group Membership' and **Token Claim Name** 'groups'. Make sure you set the following to the appropriate url: 
@@ -116,8 +117,11 @@ Make sure you set the following to the appropriate url: -client-id= -client-secret= -login-url="http(s):///realms//protocol/openid-connect/auth" - -redeem-url="http(s):///realms/master//openid-connect/auth/token" - -validate-url="http(s):///realms/master//openid-connect/userinfo" + -redeem-url="http(s):///realms//protocol/openid-connect/token" + -validate-url="http(s):///realms//protocol/openid-connect/userinfo" + -keycloak-group= + +The group management in keycloak is using a tree. If you create a group named admin in keycloak you should define the 'keycloak-group' value to /admin. ### GitLab Auth Provider
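Review bot: the new `#347` line in the CHANGELOG hunk omits the author handle that the neighbouring entries carry (`(@syscll)`, `(@Ramblurr)`); append `(@sushiMix)` and capitalise `Keycloak` so the entry matches the others, e.g. `- [#347](https://github.com/pusher/oauth2_proxy/pull/347) Update Keycloak provider configuration documentation (@sushiMix)`.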
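Review bot: step 1 of the first `docs/2_auth.md` hunk keeps the misspelling `'confidental'` from the line it replaces; the Keycloak access type is `confidential`, so fix it while the line is being rewritten. It would also help to state that the **Valid Redirect URIs** value must be exactly the proxy's `/oauth2/callback` URL (not a wildcard), since the callback shown is the only redirect Keycloak should accept for this client. Steps 1 and 2 are missing the trailing period that step 3 has.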
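Review bot: the `/admin` form in the added sentence of the second `docs/2_auth.md` hunk only holds when the 'Group Membership' mapper from step 3 has 'Full group path' enabled (the Keycloak default); without it the `groups` claim carries `admin`, and the `-keycloak-group` comparison will not match, so the sentence should say so. Also leave the new `-keycloak-group=` line with an example value such as `-keycloak-group=/admin` so it ties to that sentence, and reword `The group management in keycloak is using a tree` to `Keycloak organises groups as a tree`, with `Keycloak` capitalised. The corrected `-redeem-url`/`-validate-url` pointing at the realm's own `/protocol/openid-connect/token` and `/userinfo` endpoints instead of the hard-coded `master` realm is the right fix.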