packages/oauth2-proxy: patch keycloak token bug

packages/patched-derivations.nix

@@ -28,4 +28,6 @@ super: rec {
       ];
     };
   in jre // { meta = jre.meta // { inherit (super.jdk17_headless.meta) platforms; }; };
+
+  oauth2-proxy = patch super.oauth2-proxy "patches/base/oauth2-proxy";
 }

patches/base/oauth2-proxy/GHPR_1502-Unbreak-oauth2-proxy-for-keycloak-provider-after-2c668a.patch

@@ -0,0 +1,36 @@
+From 0c932b61febe8a458d4bf4ff075feeffb02efc02 Mon Sep 17 00:00:00 2001
+From: Cullen Walsh <ckwalsh@cullenwalsh.com>
+Date: Mon, 3 Jan 2022 17:32:33 -0800
+Subject: [PATCH 1/2] Unbreak oauth2-proxy for keycloak provider after 2c668a
+
+With 2c668a, oauth2-proxy fails a request if the token validation fails.
+Token validation always fails with the keycloak provider, due to the
+valudation request passing the token via the URL, and keycloak not
+parsing the url for tokens.
+
+This is fixed by forcing the validation request to pass the token via a
+header.
+
+This code taken from the DigitalOcean provider, which presumably forcing
+the token to be passed via header for the same reason.
+
+Test plan: I was unable to build a docker image to test the fix, but I
+believe it is relatively simple, and it passes the "looks good to me"
+test plan.
+---
+ providers/keycloak.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/providers/keycloak.go b/providers/keycloak.go
+index c1a873529..4a8af231a 100644
+--- a/providers/keycloak.go
++++ b/providers/keycloak.go
+@@ -100,3 +100,8 @@ func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.Sessio
+ 
+ 	return nil
+ }
++
++// ValidateSession validates the AccessToken
++func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
++	return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
++}