Restrict different paths based on groups/roles

Is there a way to restrict different URL paths in an application with different permissions? I have Keycloak and a JWT token sent from the front end UI but would like to enforce permissions with oauth2 proxy. I’m a bit worried I need to re-architect authentication (replace oauth2 proxy entirely).

# Accept any authenticated user:
http://example.com/api/any-authenticated-user

# Only groups authorized:
http://example.com/api/sensitive

I have no concern with using an ingress controller to send these to different oauth2 proxies with different configuration (based on the path), but don’t know if it’s possible to use oauth2 proxy to restrict it to a specific group or role. I’ve read through the documentation and cannot find what I’m looking for. If it’s not possible, any recommendations would be welcome.

Currently I’m using the oidc provider as I failed to get the keycloak provider to work.