Documentations (#185)

- expanding the docs on match-claims

README.md

@@ -362,7 +362,7 @@ just drop the client secret and use the client id and discovery-url.
 
 #### **Claim Matching**
 
-The proxy supports adding a variable list of claim matches against the presented tokens for additional access control. So for example you can match the 'iss' or 'aud' to the token or custom attributes; note each of the matches are regex's. Examples,  --match-claims 'aud=sso.*' --claim iss=https://.*' or via the configuration file. Note, each of matches are regex's
+The proxy supports adding a variable list of claim matches against the presented tokens for additional access control. So for example you can match the 'iss' or 'aud' to the token or custom attributes; note each of the matches are regex's. Examples,  --match-claims 'aud=sso.*' --claim iss=https://.*' or via the configuration file. Note, each of matches are regex's.
 
 ```YAML
 match-claims:
@@ -377,6 +377,14 @@ or via the CLI
 --match-claims=iss=http://keycloak.example.com/realms/commons
 ```
 
+Another example would be limiting the email domain permitted; say you have some  google apps domain with username@example.com and want to limit only to those users.
+
+
+```YAML
+match-claims:
+  email: ^.*@example.com$
+```
+
 #### **Custom Pages**
 
 By default the proxy will immediately redirect you for authentication and hand back 403 for access denied. Most users will probably want to present the user with a more friendly sign-in and access denied page. You can pass the command line options (or via config file) paths to the files i.e. --signin-page=PATH. The sign-in page will have a 'redirect' variable passed into the scope and holding the oauth redirection url. If you wish pass additional variables into the templates, perhaps title, sitename etc, you can use the --tags key=pair i.e. --tags title="This is my site"; the variable would be accessible from {{ .title }}