From 177150e069d48972e9b4fbb95d10c7716f277c9d Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Wed, 15 Apr 2026 13:27:14 +0200
Subject: [PATCH] gitea protocol mapper
---
 docs/REFERENCE.md | 2 +-
 infra/values/keycloak-values.yaml | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index 222d042..715e554 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -813,7 +813,7 @@ postgresql:
 persistence: 8Gi (upcloud-block-storage-maxiops)
 ```
-**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`)
+**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
diff --git a/infra/values/keycloak-values.yaml b/infra/values/keycloak-values.yaml
index c3eaa8d..3f07394 100644
--- a/infra/values/keycloak-values.yaml
+++ b/infra/values/keycloak-values.yaml
@@ -78,7 +78,22 @@ keycloakConfigCli:
 "publicClient": false,
 "redirectUris": ["https://git.forteapps.net/*"],
 "webOrigins": ["https://git.forteapps.net"],
- "defaultClientScopes": ["openid", "email", "profile"]
+ "defaultClientScopes": ["openid", "email", "profile"],
+ "protocolMappers": [
+ {
+ "name": "email_verified",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-hardcoded-claim-mapper",
+ "config": {
+ "claim.name": "email_verified",
+ "claim.value": "true",
+ "jsonType.label": "boolean",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
 }
 ]
 }
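Review bot: The hardcoded `email_verified` mapper added to the `gitea` client in `infra/values/keycloak-values.yaml` asserts `true` for every user, so the claim no longer reflects whether Keycloak actually verified the address. If Gitea links or auto-registers accounts by e-mail, and the realm permits self-registration or e-mail edits (not visible in this hunk), an unverified address would be presented to Gitea as verified. The `email` default scope normally carries this claim from the user model already, so prefer sourcing it from there by changing two lines to `"protocolMapper": "oidc-usermodel-property-mapper"` and `"user.attribute": "emailVerified"` (in place of `"claim.value": "true"`), or by enforcing e-mail verification at the realm level. If the hardcoded value stays, a YAML comment above the client definition should record why it is safe, for example that accounts are admin-provisioned only. The client object starts outside the hunk.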