Add docs and record in CHANGELOG

CHANGELOG.md

@@ -31,6 +31,7 @@
 
 ## Changes since v3.2.0
 
+- [#226](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka)
 - [#178](https://github.com/pusher/outh2_proxy/pull/178) Add Silence Ping Logging and Exclude Logging Paths flags (@kskewes)
 - [#209](https://github.com/pusher/outh2_proxy/pull/209) Improve docker build caching of layers (@dekimsey)
 - [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent (@JoelSpeed)

docs/2_auth.md

@@ -15,6 +15,7 @@ Valid providers are :
 - [Azure](#azure-auth-provider)
 - [Facebook](#facebook-auth-provider)
 - [GitHub](#github-auth-provider)
+- [Keycloak](#keycloak-auth-provider)
 - [GitLab](#gitlab-auth-provider)
 - [LinkedIn](#linkedin-auth-provider)
 - [login.gov](#logingov-provider)
@@ -101,6 +102,20 @@ If you are using GitHub enterprise, make sure you set the following to the appro
     -redeem-url="http(s)://<enterprise github host>/login/oauth/access_token"
     -validate-url="http(s)://<enterprise github host>/api/v3"
 
+### Keycloak Auth Provider
+
+1.  Create new client in your Keycloak with **Access Type** 'confidental'.
+2.  Create a mapper with **Mapper Type** 'Group Membership'.
+
+Make sure you set the following to the appropriate url:
+
+    -provider=keycloak
+    -client-id=<client you have created>
+    -client-secret=<your client's secret>
+    -login-url="http(s)://<keycloak host>/realms/<your realm>/protocol/openid-connect/auth"
+    -redeem-url="http(s)://<keycloak host>/realms/master/<your realm>/openid-connect/auth/token"
+    -validate-url="http(s)://<keycloak host>/realms/master/<your realm>/openid-connect/userinfo"
+
 ### GitLab Auth Provider
 
 Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](http://doc.gitlab.com/ce/integration/oauth_provider.html)