hearth/kubernetes/forgejo/oauth-provider-configmap.yaml
Eric Garcia e78000831e Initial commit: Port infrastructure from coherence-mcp
Hearth is the infrastructure home for the letemcook ecosystem.

Ported from coherence-mcp/infra:
- Terraform modules (VPC, EKS, IAM, NLB, S3, storage)
- Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter)
- Deployment scripts (phased rollout)

Status: Not deployed. EKS cluster needs to be provisioned.

Next steps:
1. Bootstrap terraform backend
2. Deploy phase 1 (foundation)
3. Deploy phase 2 (core services including Forgejo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 06:06:13 -05:00

77 lines
2.7 KiB
YAML

# Forgejo OAuth2 Provider Configuration
# RFC 0040: Self-Hosted Core Services
#
# This ConfigMap contains the Keycloak OAuth2 provider configuration.
# Applied via Forgejo's app.ini or admin UI.
apiVersion: v1
kind: ConfigMap
metadata:
  name: forgejo-oauth-provider
  namespace: forgejo
  labels:
    app.kubernetes.io/name: forgejo
    app.kubernetes.io/part-of: core-services
data:
  # Instructions for configuring Keycloak SSO in Forgejo
  # This can be done via:
  # 1. Admin UI: Site Administration -> Authentication Sources -> Add New Source
  # 2. API: POST /api/v1/admin/auths
  # 3. Database seed script
  oauth-provider.md: |
    # Keycloak SSO Configuration for Forgejo

    ## Via Admin UI

    1. Navigate to Site Administration -> Authentication Sources
    2. Click "Add Authentication Source"
    3. Select "OAuth2" as the type
    4. Fill in the following:
       - Authentication Name: keycloak
       - OAuth2 Provider: OpenID Connect
       - Client ID: forgejo
       - Client Secret: (from Keycloak)
       - OpenID Connect Auto Discovery URL: https://auth.beyondtheuniverse.superviber.com/realms/alignment/.well-known/openid-configuration
       - Additional Scopes: groups
       - Required Claim Name: (leave empty or set to "groups")
       - Required Claim Value: (leave empty)
       - Group Claim Name: groups
       - Admin Group: /admins
       - Restricted Group: (leave empty)

    ## Via API

    ```bash
    # The body is fed through an unquoted heredoc so that ${KEYCLOAK_CLIENT_SECRET}
    # expands; inside a single-quoted -d '...' string the shell would send it literally.
    curl -X POST "https://git.beyondtheuniverse.superviber.com/api/v1/admin/auths" \
      -H "Authorization: token ${ADMIN_TOKEN}" \
      -H "Content-Type: application/json" \
      -d @- <<EOF
    {
      "type": 6,
      "name": "keycloak",
      "is_active": true,
      "is_sync_enabled": true,
      "cfg": {
        "Provider": "openidConnect",
        "ClientID": "forgejo",
        "ClientSecret": "${KEYCLOAK_CLIENT_SECRET}",
        "OpenIDConnectAutoDiscoveryURL": "https://auth.beyondtheuniverse.superviber.com/realms/alignment/.well-known/openid-configuration",
        "Scopes": "openid profile email groups",
        "GroupClaimName": "groups",
        "AdminGroup": "/admins"
      }
    }
    EOF
    ```

  # OAuth2 provider configuration (for reference/automation)
  oauth-config.json: |
    {
      "name": "keycloak",
      "provider": "openidConnect",
      "clientId": "forgejo",
      "openIdConnectAutoDiscoveryUrl": "https://auth.beyondtheuniverse.superviber.com/realms/alignment/.well-known/openid-configuration",
      "scopes": ["openid", "profile", "email", "groups"],
      "groupClaimName": "groups",
      "adminGroup": "/admins",
      "restrictedGroup": "",
      "skipLocalTwoFA": false,
      "iconUrl": "https://auth.beyondtheuniverse.superviber.com/resources/logo.png"
    }
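The `oauth-config.json` document is marked "for reference/automation", and the API call shows the `cfg` keys Forgejo expects. The following Python script is an added example, not code from the hearth repository or from Forgejo: it loads that reference JSON, takes the client secret from the `KEYCLOAK_CLIENT_SECRET` environment variable so the secret never has to live in the ConfigMap, refuses settings that would break or weaken the SSO source (a non-HTTPS or malformed discovery URL, a missing `openid` scope, an admin group with no group claim to map it from, a secret stored in the config), and emits the request body for `POST /api/v1/admin/auths` with the secret masked for logging. The `RestrictedGroup` and `SkipLocalTwoFA` cfg keys are an assumption that follows the naming of the keys already shown in the curl call.

```python
"""Build the Forgejo auth-source payload from oauth-config.json.

Added example, not part of the hearth repo or of Forgejo. The client secret
is read from the environment (KEYCLOAK_CLIENT_SECRET) rather than from the
ConfigMap, and the config is checked before it is turned into a request body.
"""
import json
import os
from urllib.parse import urlparse

# Forgejo/Gitea login source type for OAuth2 (the "type": 6 in the curl call)
OAUTH2_SOURCE_TYPE = 6

# Constructed sample: a copy of the oauth-config.json document from the ConfigMap.
SAMPLE_CONFIG = """
{
  "name": "keycloak",
  "provider": "openidConnect",
  "clientId": "forgejo",
  "openIdConnectAutoDiscoveryUrl": "https://auth.beyondtheuniverse.superviber.com/realms/alignment/.well-known/openid-configuration",
  "scopes": ["openid", "profile", "email", "groups"],
  "groupClaimName": "groups",
  "adminGroup": "/admins",
  "restrictedGroup": "",
  "skipLocalTwoFA": false,
  "iconUrl": "https://auth.beyondtheuniverse.superviber.com/resources/logo.png"
}
"""


def load_config(text: str) -> dict:
    """Parse the reference JSON document."""
    return json.loads(text)


def validate(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    url = urlparse(cfg.get("openIdConnectAutoDiscoveryUrl", ""))
    if url.scheme != "https":
        problems.append("discovery URL must use https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("discovery URL is not an OIDC discovery document")
    scopes = cfg.get("scopes", [])
    if "openid" not in scopes:
        problems.append("the 'openid' scope is required for OpenID Connect")
    if cfg.get("adminGroup") and not cfg.get("groupClaimName"):
        problems.append("adminGroup is set but groupClaimName is empty, so admin mapping cannot work")
    if cfg.get("clientSecret"):
        problems.append("clientSecret must not be stored in the ConfigMap; pass it via the environment")
    return problems


def build_payload(cfg: dict, client_secret: str) -> dict:
    """Map the camelCase reference JSON onto the cfg keys of POST /api/v1/admin/auths."""
    if not client_secret:
        raise ValueError("client secret is empty (set KEYCLOAK_CLIENT_SECRET)")
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": OAUTH2_SOURCE_TYPE,
        "name": cfg["name"],
        "is_active": True,
        "is_sync_enabled": True,
        "cfg": {
            "Provider": cfg["provider"],
            "ClientID": cfg["clientId"],
            "ClientSecret": client_secret,
            "OpenIDConnectAutoDiscoveryURL": cfg["openIdConnectAutoDiscoveryUrl"],
            "Scopes": " ".join(cfg["scopes"]),
            "GroupClaimName": cfg.get("groupClaimName", ""),
            "AdminGroup": cfg.get("adminGroup", ""),
            # Assumed key names, following the pattern of the keys in the curl call.
            "RestrictedGroup": cfg.get("restrictedGroup", ""),
            "SkipLocalTwoFA": bool(cfg.get("skipLocalTwoFA", False)),
        },
    }


def redacted(payload: dict) -> str:
    """JSON suitable for logging: the client secret is masked."""
    copy = json.loads(json.dumps(payload))
    copy["cfg"]["ClientSecret"] = "***"
    return json.dumps(copy, indent=2)


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    try:
        payload = build_payload(config, os.environ.get("KEYCLOAK_CLIENT_SECRET", ""))
    except ValueError as exc:
        raise SystemExit(f"refusing to build payload: {exc}")
    print(redacted(payload))
```

Run it with `KEYCLOAK_CLIENT_SECRET` exported and pipe the output into the curl call from the "Via API" section; without the variable it exits non-zero instead of sending an auth source with an empty secret.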