Open bbigras opened 4 years ago
This sounds like a specific implementation regarding Keycloak. The way to do this would be to implement a provider for Keycloak and then use that. That provider could pass groups to the ACLs which are read from the server.
So: Generally speaking it's possible, right now - without the provider - it is not.
Groups or roles are provided as claims in the OIDC tokens (when asking the issuer for the appropriate scope). nginx-sso supports OIDC, but it does not provide the claims as groups for authorization. This is not specific to Keycloak as the issuer.
I'm using Keycloak for OpenID. I can create groups/roles and set attributes on users.
Is there any way to use those with the ACLs or maybe pass them to my application server with proxy pass?
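To illustrate the point made in the thread that groups and roles arrive as claims in the OIDC token, here is an added Go example (not nginx-sso code and not from any participant) that maps claims to a flat group list an ACL could match against. It assumes the token's signature, issuer and audience were already verified by the OIDC library; the function name `groupsFromClaims` is hypothetical, and the claim names `groups` and `realm_access.roles` are assumptions about how the issuer is configured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// groupsFromClaims (hypothetical helper) collects string values found at the
// given dotted claim paths in the claims JSON of an already verified token.
func groupsFromClaims(claimsJSON []byte, paths ...string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	seen := map[string]bool{}
	for _, p := range paths {
		var cur interface{} = claims
		for _, key := range strings.Split(p, ".") {
			// A failed assertion leaves m nil; indexing a nil map yields nil,
			// so missing or mistyped path segments fall through safely.
			m, _ := cur.(map[string]interface{})
			cur = m[key]
		}
		// Only JSON arrays are accepted; non-string entries are ignored.
		list, _ := cur.([]interface{})
		for _, v := range list {
			if s, ok := v.(string); ok && s != "" {
				seen[s] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out) // deterministic order for logging and comparison
	return out, nil
}

// sampleClaims is a constructed token payload, not captured from a real issuer.
const sampleClaims = `{"sub":"u-123","preferred_username":"alice",
 "groups":["/admins","/dev"],"realm_access":{"roles":["dev","offline_access"]}}`

func main() {
	groups, err := groupsFromClaims([]byte(sampleClaims), "groups", "realm_access.roles")
	fmt.Println(groups, err)
}
```

A token without the requested claims yields an empty list rather than an error, so an ACL built on this should deny by default when no group matches.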