diff --git a/terraform/keycloak/main.tf b/terraform/keycloak/main.tf
index a25f499..b62ca15 100644
--- a/terraform/keycloak/main.tf
+++ b/terraform/keycloak/main.tf
@@ -92,48 +92,6 @@ resource "keycloak_openid_client_default_scopes" "rsauth2_proxy" {
 ]
 }
 
-# =============================================================================
-# rsauth2-proxy client (localhost testing)
-# =============================================================================
-
-resource "keycloak_openid_client" "rsauth2_proxy_dev" {
- realm_id = keycloak_realm.hexor.id
- client_id = "rsauth2-proxy-dev"
-
- name = "rsauth2-proxy (dev)"
- enabled = true
- access_type = "CONFIDENTIAL"
- standard_flow_enabled = true
- direct_access_grants_enabled = false
-
- valid_redirect_uris = [
- "http://localhost:8080/callback",
- ]
-
- web_origins = [
- "http://localhost:8080",
- ]
-}
-
-resource "keycloak_openid_group_membership_protocol_mapper" "rsauth2_proxy_dev_groups" {
- realm_id = keycloak_realm.hexor.id
- client_id = keycloak_openid_client.rsauth2_proxy_dev.id
- name = "groups"
- claim_name = "groups"
- full_path = false
-}
-
-resource "keycloak_openid_client_default_scopes" "rsauth2_proxy_dev" {
- realm_id = keycloak_realm.hexor.id
- client_id = keycloak_openid_client.rsauth2_proxy_dev.id
-
- default_scopes = [
- "openid",
- "profile",
- "email",
- ]
-}
-
 # =============================================================================
 # Proxy applications — auto-created groups + routes ConfigMap
 # =============================================================================
@@ -154,7 +112,74 @@ locals {
 }
 }
 
-resource "kubernetes_config_map" "auth_proxy_routes" {
+# =============================================================================
+# OAuth2 applications — full OIDC clients for apps that handle auth themselves
+# =============================================================================
+
+resource "keycloak_openid_client" "oauth2_app" {
+ for_each = var.oauth2_applications
+
+ realm_id = keycloak_realm.hexor.id
+ client_id = each.key
+
+ name = each.key
+ enabled = true
+ access_type = "CONFIDENTIAL"
+ standard_flow_enabled = true
+ direct_access_grants_enabled = false
+
+ valid_redirect_uris = each.value.redirect_uris
+ valid_post_logout_redirect_uris = each.value.post_logout_redirect_uris
+ web_origins = each.value.web_origins
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "oauth2_app_groups" {
+ for_each = var.oauth2_applications
+
+ realm_id = keycloak_realm.hexor.id
+ client_id = keycloak_openid_client.oauth2_app[each.key].id
+ name = "groups"
+ claim_name = "groups"
+ full_path = false
+}
+
+resource "keycloak_openid_client_default_scopes" "oauth2_app" {
+ for_each = var.oauth2_applications
+
+ realm_id = keycloak_realm.hexor.id
+ client_id = keycloak_openid_client.oauth2_app[each.key].id
+
+ default_scopes = concat(
+ ["openid", "profile", "email"],
+ each.value.extra_default_scopes
+ )
+}
+
+resource "keycloak_openid_client_optional_scopes" "oauth2_app" {
+ for_each = {
+ for k, v in var.oauth2_applications : k => v if length(v.extra_optional_scopes) > 0
+ }
+
+ realm_id = keycloak_realm.hexor.id
+ client_id = keycloak_openid_client.oauth2_app[each.key].id
+
+ optional_scopes = each.value.extra_optional_scopes
+}
+
+resource "keycloak_group" "oauth2_app" {
+ for_each = {
+ for k, v in var.oauth2_applications : k => v if length(v.allowed_groups) > 0
+ }
+
+ realm_id = keycloak_realm.hexor.id
+ name = "app-${each.key}"
+}
+
+# =============================================================================
+# Proxy applications — routes ConfigMap
+# =============================================================================
+
+resource "kubernetes_config_map_v1" "auth_proxy_routes" {
 metadata {
 name = "auth-proxy-routes"
 namespace = "auth-proxy"
diff --git a/terraform/keycloak/outputs.tf b/terraform/keycloak/outputs.tf
index 5378e6d..239628b 100644
--- a/terraform/keycloak/outputs.tf
+++ b/terraform/keycloak/outputs.tf
@@ -15,15 +15,6 @@ output "rsauth2_proxy_client_secret" {
 sensitive = true
 }
 
-output "rsauth2_proxy_dev_client_id" {
- value = keycloak_openid_client.rsauth2_proxy_dev.client_id
-}
-
-output "rsauth2_proxy_dev_client_secret" {
- value = keycloak_openid_client.rsauth2_proxy_dev.client_secret
- sensitive = true
-}
-
 output "standalone_groups" {
 value = [for g in keycloak_group.standalone : g.name]
 }
@@ -35,3 +26,12 @@ output "app_groups" {
 output "app_allowed_groups" {
 value = local.app_allowed_groups
 }
+
+output "oauth2_app_client_ids" {
+ value = { for k, c in keycloak_openid_client.oauth2_app : k => c.client_id }
+}
+
+output "oauth2_app_client_secrets" {
+ value = { for k, c in keycloak_openid_client.oauth2_app : k => c.client_secret }
+ sensitive = true
+}
diff --git a/terraform/keycloak/providers.tf b/terraform/keycloak/providers.tf
index aba70b7..3799cd2 100644
--- a/terraform/keycloak/providers.tf
+++ b/terraform/keycloak/providers.tf
@@ -19,5 +19,5 @@ provider "keycloak" {
 }
 
 provider "kubernetes" {
- config_path = var.kubeconfig_path
+ config_path = "~/.kube/config"
 }
diff --git a/terraform/keycloak/terraform.tfvars b/terraform/keycloak/terraform.tfvars
new file mode 100644
index 0000000..eaa0f4f
--- /dev/null
+++ b/terraform/keycloak/terraform.tfvars
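Review bot: `allowed_groups` on an oauth2 application only decides whether `keycloak_group.oauth2_app` creates an `app-<name>` group; nothing in this hunk restricts who can log in to the client or reads the list's contents, so the attribute name reads as an access control that Keycloak does not enforce here. The `groups` mapper puts group names into the token, which means enforcement falls to the relying party's own group mapping, and that should be stated above the `keycloak_group` resource, e.g. `# Creates the group only; login is NOT gated on membership — the app must check the "groups" claim`. If server-side gating is intended, a client-level authorization or authentication-flow condition would be needed, which is outside this hunk. Since these are confidential authorization-code clients, consider also setting `pkce_code_challenge_method = "S256"` for relying parties that support it (presumably ArgoCD does; verify for Gitea). The `kubernetes_config_map_v1` resource at the end of the hunk continues past it.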
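Review bot: `oauth2_app_client_secrets` is correctly marked `sensitive = true`, but that only redacts plan/apply and `terraform output` display; every secret is still stored in plaintext in the state next to `keycloak_openid_client.oauth2_app`, and any caller with state read or `terraform output -json` access gets all of them at once. A one-line comment above the output would prevent the common misreading, e.g. `# sensitive only hides this from CLI output — the secrets live in state; protect the backend`. If only one consumer needs a given secret, a per-app output or a direct state reference on the consumer side narrows what is exposed.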
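Review bot: Hard-coding `config_path = "~/.kube/config"` drops the override the deleted `kubeconfig_path` variable advertised ("set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH"): an explicit provider argument takes precedence over the provider's `KUBE_CONFIG_PATH` environment default, so a CI runner or a second cluster context can no longer be selected without editing the file. The variable with a default was the idiomatic way to have both a local default and an override; if the intent is simply to remove it, the rationale belongs in a comment, e.g. `# local-only apply; KUBE_CONFIG_PATH is deliberately not honoured`. Note that `~` expansion here is done by the provider rather than the shell, so it should be confirmed on whatever host runs the apply.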
@@ -0,0 +1,32 @@
+groups = [
+ "hexor-admin",
+ "hexor-guest",
+ "game-servers-managers",
+ "argocd-admins",
+]
+
+proxy_applications = {
+ secret-reader = {
+ domain = "secret-reader.hexor.cy"
+ allowed_groups = ["hexor-guest", "hexor-admin"]
+ }
+ pass = {
+ domain = "pass.hexor.cy"
+ allowed_groups = ["hexor-guest", "hexor-admin"]
+ }
+}
+
+oauth2_applications = {
+ gitea = {
+ redirect_uris = ["https://gt.hexor.cy/user/oauth2/Keycloak/callback"]
+ web_origins = ["https://gt.hexor.cy"]
+ post_logout_redirect_uris = ["https://gt.hexor.cy/*"]
+ }
+ ArgoCD = {
+ redirect_uris = ["https://ag.hexor.cy/auth/callback"]
+ web_origins = ["https://ag.hexor.cy"]
+ post_logout_redirect_uris = ["https://ag.hexor.cy/*"]
+ extra_optional_scopes = ["offline_access"]
+ }
+}
+
diff --git a/terraform/keycloak/variables.tf b/terraform/keycloak/variables.tf
index 9a0030d..7681e36 100644
--- a/terraform/keycloak/variables.tf
+++ b/terraform/keycloak/variables.tf
@@ -16,12 +16,6 @@ variable "keycloak_client_secret" {
 sensitive = true
 }
 
-variable "kubeconfig_path" {
- description = "Path to kubeconfig (set via TF_VAR_kubeconfig_path or KUBE_CONFIG_PATH)"
- type = string
- default = "~/.kube/config"
-}
-
 variable "google_client_id" {
 description = "Google OAuth client ID (set via TF_VAR_google_client_id)"
 type = string
@@ -47,3 +41,16 @@ variable "proxy_applications" {
 }))
 default = {}
 }
+
+variable "oauth2_applications" {
+ description = "OAuth2/OIDC applications that handle authentication themselves"
+ type = map(object({
+ redirect_uris = list(string)
+ post_logout_redirect_uris = optional(list(string), [])
+ web_origins = optional(list(string), [])
+ extra_default_scopes = optional(list(string), [])
+ extra_optional_scopes = optional(list(string), [])
+ allowed_groups = optional(list(string), [])
+ }))
+ default = {}
+}
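Review bot: The `post_logout_redirect_uris` entries use a host-wide wildcard (`https://gt.hexor.cy/*`, `https://ag.hexor.cy/*`) while the `redirect_uris` are exact, so after logout Keycloak will send the browser to any path on those hosts that an attacker places in `post_logout_redirect_uri`; the impact is bounded to the same origin, but the list should name the actual landing page(s), e.g. `post_logout_redirect_uris = ["https://gt.hexor.cy/"]`. `extra_optional_scopes = ["offline_access"]` on ArgoCD lets it obtain offline refresh tokens that outlive the SSO session, which is presumably wanted for the ArgoCD CLI; a short comment recording that intent would stop it being "cleaned up" later. The mixed-case key `ArgoCD` becomes the literal `client_id`, so the ArgoCD `clientID` setting must match it exactly.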
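Review bot: `redirect_uris` is accepted as free-form strings, so an `http://` entry or a trailing `*` (which Keycloak honours in `valid_redirect_uris`) goes straight into the client with no plan-time check; a `validation` block on the variable would catch that before apply. `startswith`/`endswith` need Terraform 1.3+, which the `optional(type, default)` syntax in this hunk already requires. The `allowed_groups` attribute also deserves a comment saying what it does, since from the variable alone it looks like an enforced allow-list.

```hcl
variable "oauth2_applications" {
  description = "OAuth2/OIDC applications that handle authentication themselves"
  type = map(object({
    # … unchanged: attribute schema …
  }))
  default = {}

  # Keycloak honours a trailing '*' in valid_redirect_uris, so a wildcard or
  # http:// entry widens where an authorization code can be delivered.
  validation {
    condition = alltrue([
      for app in values(var.oauth2_applications) : alltrue([
        for u in app.redirect_uris : startswith(u, "https://") && !endswith(u, "*")
      ])
    ])
    error_message = "redirect_uris must be exact https:// URLs without wildcards."
  }
}
```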