The Private Automation Hub (PAH), which is part of the Red Hat Ansible Automation Platform (AAP), can be configured to authenticate users against Keycloak via OIDC. The nice bit is that it also honours the groups transmitted in the respective claim: the groups a user belongs to are read by PAH from the claim and created in PAH. At least in my homelab this makes RBAC fairly easy, since I can grant permissions based on those groups.

When I recently tried out the new version of the Keycloak operator (Keycloak version 21), I ran into an issue. Apparently PAH, or at least its operator, assumes in the Keycloak integration that resources served by Keycloak are available under /auth/<then realm and so on>. However, newer Keycloak versions (the Quarkus-based distribution, Keycloak 17 and later) no longer serve resources under that prefix by default: the realm endpoints live directly under /realms/ instead of /auth/realms/.

My approach: since I can't change the Private Automation Hub, or at least I haven't found out how, I had a look at whether I can change Keycloak instead. The documentation is great; all potential knobs are listed here: https://www.keycloak.org/server/all-config

So I inevitably found http-relative-path: "Set the path relative to / for serving resources." Exactly what I need: resources have to be served under /auth, because that is where PAH expects them. Note that http-relative-path is a build-time option, so outside the operator (e.g. when running kc.sh start --optimized) it has to be set at kc.sh build time; the operator passes options from additionalOptions through for you. A quick check after the change is to fetch the OIDC discovery document at /auth/realms/<realm>/.well-known/openid-configuration, which lists the issuer and endpoint URLs that PAH will use.

Keycloak is deployed in my OpenShift cluster, so I adapted my custom resource to include the config:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-keycloak
spec:
  additionalOptions:
    # TLS is terminated at the OpenShift router; Keycloak itself speaks plain HTTP
    - name: proxy
      value: edge
    # serve everything below /auth again, as the PAH integration expects
    - name: http-relative-path
      value: /auth
  hostname:
    hostname: keycloak-test.apps.ocp4.example.com
  http:
    # plain HTTP on the pod; only acceptable together with proxy=edge
    httpEnabled: true
  ingress:
    enabled: true
  instances: 1
  truststores:
    trusted-cas-in-ocp:
      secret:
        name: trusted-cas

This is just a test instance, so it is far from enterprise-y or production-y. Good enough for my test though.

I won't cover the concrete Keycloak client configuration or the configuration in PAH; that's all documented in official sources. Especially when coming from an older Keycloak version (or RHSSO, for instance), you might run into the following log line when the login to PAH doesn't work and you really can't figure out why, because the audience mapper is in place:

jwt.exceptions.InvalidAudienceError: Invalid audience

The hard-coded audience claim seems somewhat broken; checking for existing issues, or for a configuration mistake on my side due to the newer Keycloak version, is another item on my todo list. As a workaround, I created an audience mapper that leaves "Included Client Audience" empty (yes, it's marked as required, but, uhm, it somehow isn't), because with that field set the access token contained only the UUID of the client as audience, not the client name (which PAH needs, if we follow the docs). Instead I set the client name hard-coded in the "Included Custom Audience" field. Whatever is stored in either field ends up verbatim in the aud claim, so this yields the expected value; the check on the PAH side is to decode the access token and confirm that aud contains the client ID configured in PAH.
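To make the failure above reproducible offline, here is an added example (my own code, not from the post, from Keycloak or from PAH) that models the two mapper configurations and the audience check PAH performs with PyJWT. The client name "automation-hub", the client UUID, the realm name and the HS256 key are all constructed for this example; Keycloak signs with RS256 in reality, and the mapper model copies the mapper config values into aud the way Keycloak's oidc-audience-mapper does, simplified.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not from the post or from any real deployment).
CLIENT_ID = "automation-hub"                          # the Keycloak client's "Client ID" (name)
CLIENT_UUID = "6f0a7a9e-1b4c-4d2e-9f3a-2c5b8d7e1a00"  # internal UUID Keycloak assigns to that client
HS256_KEY = b"example-signing-key-not-a-real-secret"  # example only; real Keycloak tokens are RS256


class InvalidAudienceError(Exception):
    """Same semantics as jwt.exceptions.InvalidAudienceError (PyJWT)."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mapper_audience(mapper_config: dict) -> list:
    """Simplified model of Keycloak's oidc-audience-mapper: every non-empty
    config value is copied verbatim into the aud claim."""
    aud = []
    for key in ("included.client.audience", "included.custom.audience"):
        value = mapper_config.get(key, "")
        if value:
            aud.append(value)
    return aud


def mint_access_token(aud: list) -> str:
    """Constructed HS256 access token with a minimal Keycloak-style payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://keycloak-test.apps.ocp4.example.com/auth/realms/ansible",
        "sub": "user",
        "azp": CLIENT_ID,
        "aud": aud[0] if len(aud) == 1 else aud,  # Keycloak emits a string for a single audience
    }
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def decode_and_check_audience(token: str, expected_audience: str) -> dict:
    """Verify the HS256 signature, then validate aud the way PyJWT does:
    aud may be a string or a list, and the expected audience must be among them."""
    signing_input, _, sig = token.rpartition(".")
    expected_sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(signing_input.split(".")[1]))
    aud = claims.get("aud")
    if aud is None:
        raise InvalidAudienceError("Token is missing the aud claim")
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        raise InvalidAudienceError("Invalid audience")
    return claims


# Mapper as the admin console stored it: the client's UUID ended up in the config.
BROKEN_MAPPER = {"included.client.audience": CLIENT_UUID, "included.custom.audience": ""}
# Workaround from the post: client audience left empty, client name set as custom audience.
WORKAROUND_MAPPER = {"included.client.audience": "", "included.custom.audience": CLIENT_ID}


def login_succeeds(mapper_config: dict, pah_client_id: str = CLIENT_ID) -> bool:
    """True when a token produced with this mapper passes PAH's audience check."""
    token = mint_access_token(mapper_audience(mapper_config))
    try:
        decode_and_check_audience(token, pah_client_id)
        return True
    except InvalidAudienceError:
        return False


if __name__ == "__main__":
    print("broken mapper    :", login_succeeds(BROKEN_MAPPER))      # False
    print("workaround mapper:", login_succeeds(WORKAROUND_MAPPER))  # True
```

The same decode_and_check_audience logic, pointed at a real access token copied from the browser's network tab and at the client ID configured in PAH, tells you whether a login failure is the audience mismatch or something else before you touch any mapper.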