- Bug
- Resolution: Duplicate
- Normal
- 1.5.0, 1.6.0, 1.7.0, 1.8.0
Description of problem:
The documentation currently configures metadataUrl and baseUrl to use the same Keycloak realm URL. This is incorrect and results in a 404 error, preventing user and group synchronization from Keycloak.
The documentation defines the RHBK realm base URL as:
<your_rhbk_URL>/realms/<your_realm>
This value is assigned to the KEYCLOAK_BASE_URL environment variable and reused in both the auth and catalog provider configurations.
Examples from documentation:
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${KEYCLOAK_BASE_URL}
catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${KEYCLOAK_BASE_URL}
However, metadataUrl and baseUrl serve different purposes and must not point to the same URL.
Root Cause
- metadataUrl must point to the OIDC metadata endpoint for a specific realm
- baseUrl must point to the Keycloak server base URL, not the realm
Actual results:
- When both metadataUrl and baseUrl are set to the realm URL:
  - The catalog Keycloak Org provider fails with a 404 error
  - Users and groups are not synced from Keycloak
Expected results:
- Authentication should succeed using the OIDC metadata endpoint
- The catalog provider should successfully sync users and groups from Keycloak
Build Details: 1.5, 1.6, 1.7, 1.8
Suggested Documentation changes:
- Clearly differentiate between metadataUrl and baseUrl
- Introduce separate environment variables (or explicitly document the difference)
Recommended configuration:
KEYCLOAK_BASE_URL=<rhbk-url>
KEYCLOAK_METADATA_URL=<rhbk-url>/realms/<your-realm>
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${KEYCLOAK_METADATA_URL}
catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${KEYCLOAK_BASE_URL}
- is related to: RHDHBUGS-2463 Documentation: keycloak baseUrl definition includes deprecated /auth context path
- Backlog
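An added example, not part of the original report or the product documentation: a pre-deployment check that flags the metadataUrl/baseUrl mix-up described above and shows the doubled realm path that explains the 404. The host and realm name are constructed placeholders, and it is an assumption here that the catalog provider appends Keycloak's Admin REST path (`/admin/realms/<realm>/...`) to `baseUrl`.

```python
from urllib.parse import urlsplit

# Constructed sample values; host and realm are placeholders.
REALM = "example-realm"
DOC_STYLE = {  # both settings share the realm URL, as in the reported docs
    "baseUrl": "https://rhbk.example.com/realms/example-realm",
    "metadataUrl": "https://rhbk.example.com/realms/example-realm",
}
RECOMMENDED = {  # server base URL and realm URL kept separate
    "baseUrl": "https://rhbk.example.com",
    "metadataUrl": "https://rhbk.example.com/realms/example-realm",
}


def _segments(url):
    """Non-empty path segments of a URL."""
    return [s for s in urlsplit(url).path.split("/") if s]


def admin_users_url(base_url, realm):
    """URL reached when Keycloak's Admin REST path is appended to baseUrl
    (assumed to be how the catalog provider builds its requests)."""
    return f"{base_url.rstrip('/')}/admin/realms/{realm}/users"


def check_keycloak_urls(cfg, realm):
    """Return a list of findings; an empty list means the pair looks sane."""
    findings = []
    base, meta = cfg["baseUrl"].rstrip("/"), cfg["metadataUrl"].rstrip("/")
    if "realms" in _segments(base):
        findings.append("baseUrl contains a realm path; use the server base URL")
    meta_segs = _segments(meta)
    if ("realms", realm) not in zip(meta_segs, meta_segs[1:]):
        findings.append("metadataUrl does not point at /realms/" + realm)
    if base == meta:
        findings.append("baseUrl and metadataUrl are identical")
    return findings


if __name__ == "__main__":
    for name, cfg in (("doc-style", DOC_STYLE), ("recommended", RECOMMENDED)):
        print(name, "->", admin_users_url(cfg["baseUrl"], REALM))
        for finding in check_keycloak_urls(cfg, REALM) or ["ok"]:
            print("   ", finding)
```
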