<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style=""><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000">Hi,</font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000"><br></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><font color="#000000" style="font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px">According to the OpenShift docs (</font><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px"><a href="https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#OpenID" target="_blank">https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#OpenID</a></span></font><span style="font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px;color:rgb(0,0,0)">) and this blog article (</span><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px"><a href="http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html" target="_blank">http://blog.keycloak.org/2015/06/openshift-ui-console-authentication.html</a>)</span></font><span style="color:rgb(0,0,0);font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px">, we can integrate Keycloak as an identity provider with OpenShift. 
</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><span style="color:rgb(0,0,0);font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px"><br></span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><span style="color:rgb(0,0,0);font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px">So, I have configured the master-config.yaml to use Keycloak 1.9.4.Final as Identity Provider. See hereafter the config</span></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000"><br></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex;line-height:22.4px"><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">oauthConfig:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> alwaysShowProviderSelection: false</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> assetPublicURL: <a href="https://192.168.99.100:8443/console/" target="_blank">https://192.168.99.100:8443/console/</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> grantConfig:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> method: auto</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> identityProviders:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> - challenge: true</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> login: true</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> name: keycloak</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> provider:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> apiVersion: v1</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> kind: OpenIDIdentityProvider</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> ca: keycloak-ca.cert</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> clientID: openshift</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> clientSecret: fbde8b27-3342-4494-b3a3-7db645e9dfe5</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> claims:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> id:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> - sub</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> preferredUsername:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> - preferred_username</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> name:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> - name</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> email:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> - email</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> urls:</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> authorize: <a href="https://192.168.1.80:8443/auth/realms/openshift/tokens/login" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/tokens/login</a></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"> token: <a href="https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes</a></blockquote></font></blockquote></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000"><br></font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000">But, when I try to log on to the Openshift console, I'm redirected to Keycloak Server which returns this Error 404 </font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><font color="#000000"><font face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px">--> </span></font></font><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px">GET 
<a href="https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=open" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/tokens/login?client_id=open</a>…YlMjUyRjE5Mi4xNjguOTkuMTAwJTI1M0E4NDQzJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D 404 (Not Found)</span></font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-weight:normal;line-height:22.4px;font-size:12.8px"><font color="#000000"><br></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><font color="#000000" style="font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px">According to this thread (</font><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px"><a href="http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-openid-connect-endpoints" target="_blank">http://stackoverflow.com/questions/28658735/what-are-keycloaks-oauth2-openid-connect-endpoints</a>)</span></font><span style="font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px;color:rgb(0,0,0)">, the urls to be used are these</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-weight:normal;line-height:normal;font-size:12.8px"><span style="font-family:'Liberation Sans','Open Sans',sans-serif;line-height:22.4px;color:rgb(0,0,0)"><br></span></div><div style=""><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-size:12.8px;font-weight:normal;line-height:22.4px"><font color="#000000"> authorize: <a href="https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth</a></font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-size:12.8px;font-weight:normal;line-height:22.4px"><font color="#000000"> token: 
<a href="https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token</a></font></div><div style="color:rgb(34,34,34);font-family:'Liberation Sans','Open Sans',sans-serif;font-size:12.8px;font-weight:normal;line-height:22.4px"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px">FYI, I can get a token --></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px"><br></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">curl -k -s -X POST <a href="https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token" target="_blank">https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token</a> -H "Content-Type: application/x-www-form-urlencoded" -d 'username=test-user' -d 'password=password' -d 'grant_type=password' -d 'client_id=openshift' -d 'client_secret=fbde8b27-3342-4494-b3a3-7db645e9dfe5' | jq -r '.access_token'<br>eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1ODExNGExZi1mMTQwLTQwYTctODAwOS1hNGU2</blockquote><div> </div></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span 
style="line-height:22.4px">Can you confirm that the correct URLs to be used are the following?</span></font></div><div style=""><font color="#000000" face="Liberation Sans, Open Sans, sans-serif"><span style="font-size:12.8px;line-height:22.4px"><div style=""><br></div><div style=""> authorize: <a href="https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth">https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth</a></div><div style=""> token: <a href="https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token">https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token</a></div></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px"><br></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px">Regards,</span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font color="#4a4a4a" face="Liberation Sans, Open Sans, sans-serif"><span style="line-height:22.4px"><b><br></b></span></font></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-weight:normal;line-height:normal"><font face="Liberation Sans, Open Sans, sans-serif" color="#000000"><span style="line-height:22.4px">Charles</span></font></div></div><font color="#4a4a4a" face="Liberation Sans, Open Sans, sans-serif"><b><span style="line-height:22.4px"></span></b></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
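Added example, not part of the original message or of the OpenShift or Keycloak projects: a check that compares the `urls` block of an `OpenIDIdentityProvider` against the endpoints a realm advertises in its OIDC discovery document. It assumes the realm publishes that document at `<issuer>/.well-known/openid-configuration`; the discovery JSON below is a constructed sample built from the URLs quoted in the message, and `check_provider_urls` and `FIELD_MAP` are hypothetical names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the realm's OIDC discovery document (assumption: served at
# <issuer>/.well-known/openid-configuration); endpoints are the ones quoted in the post.
DISCOVERY = json.loads("""{
  "issuer": "https://192.168.1.80:8443/auth/realms/openshift",
  "authorization_endpoint": "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/auth",
  "token_endpoint": "https://192.168.1.80:8443/auth/realms/openshift/protocol/openid-connect/token"
}""")

# The `urls` block of the OpenIDIdentityProvider from the post's master-config.yaml.
CONFIGURED = {
    "authorize": "https://192.168.1.80:8443/auth/realms/openshift/tokens/login",
    "token": "https://192.168.1.80:8443/auth/realms/openshift/tokens/access/codes",
}

# master-config.yaml key -> discovery document field
FIELD_MAP = {"authorize": "authorization_endpoint", "token": "token_endpoint"}


def check_provider_urls(configured, discovery):
    """Return findings; an empty list means the config matches what the realm advertises."""
    findings = []
    issuer = urlsplit(discovery["issuer"])
    for key, field in FIELD_MAP.items():
        url, advertised = configured.get(key), discovery.get(field)
        if not url:
            findings.append(f"{key}: missing from config")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key}: scheme is {parts.scheme!r}, expected https")
        if (parts.hostname, parts.port) != (issuer.hostname, issuer.port):
            findings.append(f"{key}: host/port differs from issuer {discovery['issuer']}")
        if url.rstrip("/") != (advertised or "").rstrip("/"):
            findings.append(f"{key}: configured {url}, realm advertises {advertised}")
    return findings


if __name__ == "__main__":
    for finding in check_provider_urls(CONFIGURED, DISCOVERY):
        print(finding)
```

Run against the configuration in the message, the check reports one mismatch each for `authorize` and `token`.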