PROJQUAY-1012

Document how to configure Quay with an OIDC server (e.g. Keycloak)


    • Task
    • Resolution: Unresolved
    • Minor
    • documentation

      We should have a section in the docs that describes how to configure Quay with Keycloak (or any OIDC-compliant product).

      Dixit provided the following steps via Slack in response to a query from QE:

       

      ------------------------------------------------------------------------------------------------------------

      1) Select "Enable Emails" and configure SMTP from Quay UI
      2) Select "Enable Open User Creation" from Quay UI
      3) Configure the OIDC server, most importantly the following config:
      OIDC server: https://node-0.keycloak.lab.pnq2.cee.redhat.com:8443/auth/realms/quayrealm/
      Login Scopes: openid
      NOTE: The OIDC server URL should end with a slash "/"
      4) Test and save the config and restart Quay
      On the OIDC server side:
      1) Screenshot of OIDC server config for clients attached
      2) Screenshot of new user config attached
      NOTE: Verify email ID is required
      3) Ensure you are able to log in with the credentials of the user and that the email is verified by the user
      Now try logging into Quay with Keycloak; the payload should look like the one below in the logs:
      ✻ Payload
      {
      "jti": "ac57bb07-e7d2-4c08-9e5a-f187c266fe93",
      "exp": 1553060712,
      "nbf": 0,
      "iat": 1553060412,
      "iss": "https://node-0.keycloak.lab.pnq2.cee.redhat.com:8443/auth/realms/quayrealm",
      "aud": "quaycluster",
      "sub": "41b2efe5-cc74-4485-a3c8-801e69dfd3da",
      "typ": "ID",
      "azp": "quaycluster",
      "auth_time": 1553060411,
      "session_state": "0cb424b4-41f5-4bff-8df6-7a5314f4f7f1",
      "acr": "1",
      "email_verified": true,
      "name": "chandrakanth pai",
      "preferred_username": "chpai",
      "given_name": "chandrakanth",
      "family_name": "pai",
      "email": "chpai@redhat.com"
      }
      iat: 1553060412 3/20/2019, 3:40:12 PM
      nbf: 0 1/1/1970, 10:00:00 AM
      exp: 1553060712 3/20/2019, 3:45:12 PM
      4) You will be prompted to create a new user once you log in to Quay

       

      -------------------------------------------------------------

       

      We should redact some of the details from above and get a new synthetic example working for proper screenshots, etc.
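A pre-flight check for the settings the steps above single out, as an added example that is not part of the original ticket or Quay's own code. It assumes the client resolves the discovery document relative to the configured OIDC server URL and that the ID-token payload has already been signature-verified and decoded; the host, client ID and user below are constructed placeholders, and `check_login` is a hypothetical helper name.

```python
from urllib.parse import urljoin

WELL_KNOWN = ".well-known/openid-configuration"  # OIDC Discovery relative path


def discovery_url(oidc_server):
    """Resolve the discovery document relative to the configured server URL."""
    return urljoin(oidc_server, WELL_KNOWN)


def check_login(oidc_server, client_id, scopes, claims):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if not oidc_server.endswith("/"):
        problems.append("OIDC server URL does not end with '/'; discovery resolves to "
                        + discovery_url(oidc_server))
    if "openid" not in scopes:
        problems.append("login scopes do not include 'openid'")
    # The issuer in the payload has no trailing slash, so compare with it stripped.
    if claims.get("iss", "").rstrip("/") != oidc_server.rstrip("/"):
        problems.append("iss does not match the configured OIDC server")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the client ID")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true")
    if not claims.get("email"):
        problems.append("email claim is missing")
    if claims.get("exp", 0) <= claims.get("iat", 0):
        problems.append("exp is not later than iat")
    return problems


# Constructed sample values (synthetic realm host, client and user).
SERVER = "https://keycloak.example.com:8443/auth/realms/quayrealm/"
CLAIMS = {
    "iss": "https://keycloak.example.com:8443/auth/realms/quayrealm",
    "aud": "quaycluster",
    "sub": "00000000-0000-0000-0000-000000000000",
    "iat": 1553060412,
    "exp": 1553060712,
    "email_verified": True,
    "preferred_username": "quayuser",
    "email": "quayuser@example.com",
}

if __name__ == "__main__":
    print(check_login(SERVER, "quaycluster", ["openid"], CLAIMS))
    print(check_login(SERVER.rstrip("/"), "quaycluster", ["openid"], CLAIMS))
```

Without the trailing slash, relative resolution drops the realm name from the path, so the discovery request goes to the wrong URL.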

       

            rhn-support-stevsmit Steven Smith
            bdettelb@redhat.com Bill Dettelback