Bug
Resolution: Unresolved
Normal
1.5.0, 1.6.0, 1.7.0, 1.8.0
Description of problem:
The documentation defines the Keycloak server's baseUrl as https://localhost:8443/auth, which only applies to older Keycloak versions. Newer Keycloak versions omit the /auth context path, making this definition incorrect and causing 404 errors.
Suggested Fix:
baseUrl: Location of the Keycloak server (without realm or auth path)
Option 1:
Add a note like we did back in 1.4 Documentation here
Location of the Keycloak server, such as https://localhost:8443/auth. Note that the newer versions of Keycloak omit the /auth context path.
Option 2: Remove the /auth part and add a note for older Keycloak systems.
Location of the Keycloak server, such as https://localhost:8443. Note that the older Keycloak versions may require the /auth context path.
Build Details: 1.5, 1.6, 1.7, 1.8
Additionally, update:
Documentation: Incorrect Keycloak URL Configuration for metadataUrl and baseUrl
Description of problem:
The documentation currently configures metadataUrl and baseUrl to use the same Keycloak realm URL. This is incorrect and results in a 404 error, preventing user and group synchronization from Keycloak.
The documentation defines the RHBK realm base URL as:
<your_rhbk_URL>/realms/<your_realm>
This value is assigned to the KEYCLOAK_BASE_URL environment variable and reused in both the auth and catalog provider configurations.
Examples from documentation:
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${KEYCLOAK_BASE_URL}
catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${KEYCLOAK_BASE_URL}
However, metadataUrl and baseUrl serve different purposes and must not point to the same URL.
Root Cause
- metadataUrl must point to the OIDC metadata endpoint for a specific realm
- baseUrl must point to the Keycloak server base URL, not the realm
Actual results:
- When both metadataUrl and baseUrl are set to the realm URL:
  - The catalog Keycloak Org provider fails with a 404 error
  - Users and groups are not synced from Keycloak
Expected results:
- Authentication should succeed using the OIDC metadata endpoint
- The catalog provider should successfully sync users and groups from Keycloak
Build Details: 1.5, 1.6, 1.7, 1.8
Suggested Documentation changes:
- Clearly differentiate between metadataUrl and baseUrl
- Introduce separate environment variables (or explicitly document the difference)
Recommended configuration:
KEYCLOAK_BASE_URL=<rhbk-url>
KEYCLOAK_METADATA_URL=<rhbk-url>/realms/<your-realm>
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${KEYCLOAK_METADATA_URL}
catalog:
  providers:
    keycloakOrg:
      default:
        baseUrl: ${KEYCLOAK_BASE_URL}
Relates to: RHDHBUGS-2462 Documentation: Incorrect Keycloak URL Configuration for metadataUrl and baseUrl (Closed)
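The following check is an added example, not part of the ticket and not RHDH or Keycloak project code. It shows which endpoints each setting ends up addressing and flags the misconfiguration described above. The host name, realm name and function names are hypothetical, and it assumes the catalog provider reaches the Keycloak Admin REST API at <baseUrl>/admin/realms/<realm>.

```javascript
// Added example, not RHDH or Keycloak project code. Assumption: the catalog
// provider calls the Keycloak Admin REST API at <baseUrl>/admin/realms/<realm>.
const trim = (u) => u.replace(/\/+$/, "");

// Endpoints each setting ends up addressing.
function derivedEndpoints({ metadataUrl, baseUrl, realm }) {
  const meta = trim(metadataUrl);
  return {
    oidcDiscovery: meta.includes("/.well-known/")
      ? meta
      : `${meta}/.well-known/openid-configuration`,
    adminUsers: `${trim(baseUrl)}/admin/realms/${realm}/users`,
    adminGroups: `${trim(baseUrl)}/admin/realms/${realm}/groups`,
  };
}

// Returns a list of { level, message } findings; empty means no issue found.
function checkKeycloakUrls({ metadataUrl, baseUrl, realm }) {
  const findings = [];
  const basePath = trim(new URL(baseUrl).pathname);
  const metaPath = trim(new URL(metadataUrl).pathname);
  if (trim(metadataUrl) === trim(baseUrl)) {
    findings.push({ level: "error", message: "metadataUrl and baseUrl are identical" });
  }
  // A realm segment in baseUrl doubles the path on Admin API calls (404).
  if (/\/realms(\/|$)/.test(basePath)) {
    findings.push({ level: "error", message: "baseUrl contains a realm path" });
  }
  if (!`${metaPath}/`.includes(`/realms/${realm}/`)) {
    findings.push({ level: "error", message: "metadataUrl does not address the realm" });
  }
  // Not an error: older Keycloak servers still need this context path.
  if (basePath.endsWith("/auth")) {
    findings.push({ level: "note", message: "baseUrl uses the legacy /auth context path" });
  }
  return findings;
}

// Constructed sample values (hypothetical host and realm).
const broken = {
  realm: "rhdh",
  metadataUrl: "https://sso.example.test/realms/rhdh",
  baseUrl: "https://sso.example.test/realms/rhdh",
};
const fixed = { ...broken, baseUrl: "https://sso.example.test" };

console.log(derivedEndpoints(broken).adminUsers); // doubled realm path
console.log(checkKeycloakUrls(broken), checkKeycloakUrls(fixed));
```

With the realm URL reused as baseUrl, the derived Admin API path contains the realm segment twice, which is the request that returns 404.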