infra/stacks/oauth2-proxy/compose.yml

# oauth2-proxy — Keycloak SSO gate for apps without native OIDC.
# One container per protected vhost; each presents itself on the `app` network
# so nginx-proxy can hit it via auth_request.

x-oauth2-proxy-common: &oauth2-proxy-common
  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
  restart: unless-stopped
  networks: [app]
  environment: &oauth2-proxy-env
    OAUTH2_PROXY_PROVIDER: keycloak-oidc
    OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.wbd-rd.nl/realms/wbd
    OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
    OAUTH2_PROXY_REVERSE_PROXY: "true"
    OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
    OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: "true"
    OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
    OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
    OAUTH2_PROXY_EMAIL_DOMAINS: "*"
    OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
    OAUTH2_PROXY_UPSTREAM: static://202
    OAUTH2_PROXY_COOKIE_SECURE: "true"
    OAUTH2_PROXY_COOKIE_SAMESITE: lax
    OAUTH2_PROXY_WHITELIST_DOMAINS: ".wbd-rd.nl"
    TZ: ${TZ:-Europe/Amsterdam}

services:
  oauth2-proxy-mlflow:
    <<: *oauth2-proxy-common
    environment:
      <<: *oauth2-proxy-env
      OAUTH2_PROXY_CLIENT_ID: ${MLFLOW_OAUTH_CLIENT_ID:-mlflow}
      OAUTH2_PROXY_CLIENT_SECRET: ${MLFLOW_OAUTH_CLIENT_SECRET}
      OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_MLFLOW}
      OAUTH2_PROXY_REDIRECT_URL: https://ml.wbd-rd.nl/oauth2/callback
      OAUTH2_PROXY_COOKIE_NAME: _oauth2_mlflow

  oauth2-proxy-portainer:
    <<: *oauth2-proxy-common
    environment:
      <<: *oauth2-proxy-env
      OAUTH2_PROXY_CLIENT_ID: ${PORTAINER_OAUTH_CLIENT_ID:-portainer-ce}
      OAUTH2_PROXY_CLIENT_SECRET: ${PORTAINER_OAUTH_CLIENT_SECRET}
      OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_PORTAINER}
      OAUTH2_PROXY_REDIRECT_URL: https://ops.wbd-rd.nl/oauth2/callback
      OAUTH2_PROXY_COOKIE_NAME: _oauth2_portainer

  oauth2-proxy-rabbitmq:
    <<: *oauth2-proxy-common
    environment:
      <<: *oauth2-proxy-env
      OAUTH2_PROXY_CLIENT_ID: ${RABBITMQ_OAUTH_CLIENT_ID:-rabbitmq}
      OAUTH2_PROXY_CLIENT_SECRET: ${RABBITMQ_OAUTH_CLIENT_SECRET}
      OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_RABBITMQ}
      OAUTH2_PROXY_REDIRECT_URL: https://mq.wbd-rd.nl/oauth2/callback
      OAUTH2_PROXY_COOKIE_NAME: _oauth2_rabbitmq

networks:
  app: