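# oauth2-proxy structured ("alpha") configuration, rendered from an Ansible/Jinja2
# template. Every "{{ ... }}" value is substituted at deploy time.
# The rendered file contains the OIDC client secret and the shared header secret:
# keep the source variables in an encrypted store (e.g. Ansible Vault) and write
# the rendered file with restrictive ownership and mode.

# Headers added to requests that the proxy passes on after authentication.
# The receiving service should trust these headers only on connections that can
# come from this proxy alone; a directly reachable backend cannot tell them
# apart from client-supplied values.
injectRequestHeaders:
  - name: X-Forwarded-User
    values:
      - claim: user
  - name: X-Forwarded-Email
    values:
      - claim: email
  - name: X-Forwarded-Preferred-Username
    values:
      - claim: preferred_username
  - name: X-Forwarded-Groups
    values:
      - claim: groups
  # Forwards the raw ID token as a bearer credential. Whatever receives it can
  # replay it until it expires, so keep it out of access logs.
  - name: Authorization
    values:
      - claim: id_token
        prefix: 'Bearer '
  # Shared-secret marker header: the header NAME embeds the secret and the value
  # is its base64 form.
  # NOTE(review): presumably the backend checks for this header to confirm the
  # request came through the proxy - confirm. Header names are commonly written
  # to access logs and debug output; a fixed header name with the secret only in
  # the value would leak less.
  # NOTE(review): the alpha config is documented to take `value` as base64 and
  # decode it before injecting - confirm against the deployed version.
  - name: "X-Forwarded-{{ oauth_proxy_super_secret_header }}"
    values:
      - value: "{{ oauth_proxy_super_secret_header | b64encode }}"

# Headers added to the proxy's own responses.
# NOTE(review): this looks like a forward-auth setup (see upstreamConfig), where
# the reverse proxy copies selected response headers onto the upstream request.
# If a browser can reach this endpoint directly, the secret header and the
# ID token below are returned to the client - verify that the reverse proxy is
# the only consumer of these responses and does not relay them downstream.
injectResponseHeaders:
  - name: X-Auth-Request-User
    values:
      - claim: user
  - name: X-Auth-Request-Email
    values:
      - claim: email
  - name: X-Auth-Request-Preferred-Username
    values:
      - claim: preferred_username
  - name: X-Auth-Request-Groups
    values:
      - claim: groups
  - name: "X-Auth-Request-{{ oauth_proxy_super_secret_header }}"
    values:
      - value: "{{ oauth_proxy_super_secret_header | b64encode }}"
  - name: Authorization
    values:
      - claim: id_token
        prefix: 'Bearer '

# Metrics listener: plain HTTP on every interface, no TLS configured.
# NOTE(review): restrict port 5577 to the monitoring system (firewall / network
# policy) or bind to a loopback or management address.
metricsServer:
  BindAddress: "0.0.0.0:5577"
  SecureBindAddress: ""
  TLS: null

providers:
  - id: kanidm
    name: "{{ domain }} <3"
    provider: oidc
    clientID: "{{ oauth_proxy_client_id }}"
    clientSecret: "{{ oauth_proxy_client_secret }}"
    # Only members of this group are allowed to sign in.
    allowedGroups:
      - "{{ oauth_proxy_group }}"
    # PKCE with the SHA-256 challenge method.
    code_challenge_method: "S256"
    scope: "openid profile groups email"
    oidcConfig:
      issuerURL: "https://{{ idm_domain }}/oauth2/openid/{{ oauth_proxy_client_id }}"
      # Keep both false: nonce checking and verified e-mail stay enforced.
      insecureSkipNonce: false
      insecureAllowUnverifiedEmail: false
      # Tokens must carry this client's ID as an audience.
      extraAudiences:
        - "{{ oauth_proxy_client_id }}"
      audienceClaims:
        - aud
      userIDClaim: sub
      emailClaim: email
      groupsClaim: groups

# Main listener: plain HTTP on every interface, no TLS configured.
# NOTE(review): TLS is presumably terminated by the reverse proxy in front -
# confirm, and make sure port 4180 is reachable only from that reverse proxy.
server:
  BindAddress: "0.0.0.0:4180"
  SecureBindAddress: ""
  TLS: null

# Single static upstream: authenticated requests are answered with 202 by the
# proxy itself instead of being forwarded to a backend.
upstreamConfig:
  upstreams:
    - id: "traefik"
      static: true
      path: "/"
      staticCode: 202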