fix: group matching in oauthproxy with keycloak

roles/usermanagement/tasks/keycloak.yaml

@@ -69,6 +69,28 @@
     web_origins: '{{ keycloak_clients[item]["redirect_uris"] }}'
     frontchannel_logout: False
     protocol: openid-connect
+    protocol_mappers:
+      - config:
+            accesss.token.claim: true
+            claim.name: "groups"
+            id.token.claim: true
+            userinfo.token.claim: true
+            full.path: false
+        id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(?P<X>.{2})(.)', '\\g<X>' ~ '1') }}"
+        consentRequired: false
+        protocol: "openid-connect"
+        protocolMapper: "oidc-group-membership-mapper"
+        name: "client-group-mapper"
+      - config:
+            included.client.audience: '{{ keycloak_clients[item]["client_id"] }}'
+            id.token.claim: false
+            access.token.claim: true
+        id: "{{ keycloak_clients[item]['keycloak_id'] | regex_replace('^(?P<X>.{2})(.)', '\\g<X>' ~ '2') }}"
+        # ist das regex zu stark bist du zu schwach
+        consentRequired: false
+        protocol: "openid-connect"
+        protocolMapper: "oidc-audience-mapper"
+        name: "aud-mapper-client"
   with_items: "{{ keycloak_clients.keys() | list }}"
 
 - name: Update master realm settings