application-oauth2.properties

spring.security.oauth2.client.registration.keycloak.client-id=${keycloak.client.id}
spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email,offline_access
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.keycloak.issuer-uri=${keycloak.url}/realms/${keycloak.realm:galapagos}
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username

spring.security.oauth2.resourceserver.jwt.issuer-uri=${spring.security.oauth2.client.provider.keycloak.issuer-uri}
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${spring.security.oauth2.resourceserver.jwt.issuer-uri}/protocol/openid-connect/certs

# This is the claim in the JWT Access Token to use as username.
galapagos.security.jwt-user-name-claim=preferred_username

# This JWT claim is used as the "display name" (usually the full name) of a user.
galapagos.security.jwt-display-name-claim=name

# This JWT claim is used as the e-mail address of the user.
galapagos.security.jwt-email-claim=email

# This is the claim in the JWT Access Token to use as roles (e.g. user and admin). Must be either space-separated single
# value, or an array of strings. Can be "sub" for Spring standard behaviour, or a custom claim. In Keycloak, you usually
# configure a role mapper for a client to include client roles in the token.
# See docs/Migration Guide 2.8.md on how to achieve this!
# Roles must include USER and ADMIN, the latter for Galapagos administrators being able e.g. to approve
# application owner requests.
galapagos.security.jwt-role-claim=client_roles