diff --git a/roles/usermanagement/tasks/keycloak.yaml b/roles/usermanagement/tasks/keycloak.yaml
index f20ec27..40cf604 100644
--- a/roles/usermanagement/tasks/keycloak.yaml
+++ b/roles/usermanagement/tasks/keycloak.yaml
@@ -69,6 +69,28 @@
 web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
 frontchannel_logout: False
 protocol: openid-connect
+ protocol_mappers:
+ - config:
+ accesss.token.claim: true
+ claim.name: "groups"
+ id.token.claim: true
+ userinfo.token.claim: true
+ full.path: false
+ id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(?P.{2})(.)', '\\g' ~ '1') }}"
+ consentRequired: false
+ protocol: "openid-connect"
+ protocolMapper: "oidc-group-membership-mapper"
+ name: "client-group-mapper"
+ - config:
+ included.client.audience: '{{ keycloak_clients[item]["client_id"] }}'
+ id.token.claim: false
+ access.token.claim: true
+ id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(?P.{2})(.)', '\\g' ~ '2') }}"
+ # ist das regex zu stark bist du zu schwach
+ consentRequired: false
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ name: "aud-mapper-client"
 with_items: "{{ keycloak_clients.keys() | list }}"
 - name: Update master realm settings
diff --git a/templates/oauth-standalone-docker-compose.yaml b/templates/oauth-standalone-docker-compose.yaml
index 79aa311..9b6e783 100644
--- a/templates/oauth-standalone-docker-compose.yaml
+++ b/templates/oauth-standalone-docker-compose.yaml
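Review bot: `accesss.token.claim: true` in the first protocol mapper's config is misspelled (three s's); Keycloak's group-membership mapper reads `access.token.claim`, so the unknown key is presumably ignored and the groups claim is left out of the access token even though the ID-token and userinfo variants are set — the second mapper spells it correctly, `access.token.claim: true`. The named-group regex `'^(?P.{2})(.)'` in both `id:` lines looks truncated as rendered (a `(?P` group needs a `<name>`); if the committed file really reads this way, regex_replace will fail to compile it, so it is worth checking against the file. The German joke comment `# ist das regex zu stark bist du zu schwach` should give way to one stating the intent, e.g. `# mapper id = client's keycloak_id with its 3rd char replaced, so re-runs update the same mappers — assumes the result stays unique per realm`. Since the mapper ids are derived by hand rather than looked up, two clients whose ids differ only in that character would collide; the enclosing task starts above the hunk.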
@@ -19,15 +19,16 @@ services:
 ports:
 - {{ services[item].port }}:{{ services[item].port }}
 environment:
+ OAUTH2_PROXY_SCOPE: openid email profile
 OAUTH2_PROXY_UPSTREAMS: http://{{ ansible_default_ipv4.address }}:{{ services[item].port + 1000 }}/
 OAUTH2_PROXY_EMAIL_DOMAINS: '*'
- OAUTH2_PROXY_PROVIDER: oidc
+ OAUTH2_PROXY_PROVIDER: keycloak-oidc
 OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: "AtlantisHQ Accounts"
 OAUTH2_PROXY_REDIRECT_URL: "{{ keycloak_clients[item].master_address }}/oauth2/callback"
 OAUTH2_PROXY_OIDC_ISSUER_URL: "https://{{ keycloak_address }}/realms/master"
 OAUTH2_PROXY_CLIENT_ID: "{{ keycloak_clients[item].client_id }}"
 OAUTH2_PROXY_CLIENT_SECRET: "{{ keycloak_clients[item].client_secret }}"
- OAUTH2_PROXY_ALLOWED_ROLES: "{{ keycloak_clients[item].groups }}"
+ OAUTH2_PROXY_ALLOWED_GROUPS: {{ keycloak_clients[item].groups }}
 OAUTH2_PROXY_OIDC_EMAIL_CLAIM: sub