Changes in OIDC Token endpoints

Hi,
I am referring to the following documentation about securing apps with Keycloak: Securing Applications and Services Guide in this post.

In this documentation all the endpoints start with /realms/{realm}/... but older versions use the /auth/ prefix, resulting in /auth/realms/{realm}. I haven’t found this change in any release notes. Am I missing something? From which version on is the change present, and is there a way to determine this from outside in order to configure certain API call URLs?

Trying to access /auth/realms/{realm}... on the latest server version therefore results in a 404 error.

The default changed with the Quarkus version. The /auth portion was removed. You can add it back with the --http-relative-path variable. Check the “new” configuration docs for more information: All configuration - Keycloak

You can find more information at this link: Migrating to Quarkus distribution - Keycloak


Okay thanks, is this information exposed, so that outside applications know which relative path needs to be used?

If you are using a Keycloak lib to do the auth, it already knows where to find the endpoints, but Keycloak is an OpenID Connect provider and that protocol has an auto discovery mechanism.

So, if you use another OIDC library, the base path (maybe called the issuer) is https://<full server dns name>/realms/<realm_name>

Also, if the lib asks for the auto configuration url, it is at https://<full server dns name>/realms/<realm_name>/.well-known/openid-configuration

That being said, you still need to tell the lib if Keycloak is under /auth or /.

Okay, so this would mean that this relative path parameter (supposedly set to “/auth”) changes the auto configuration url to https://<full server dns name>/auth/realms/<realm_name>/.well-known/openid-configuration ?


Yes, you are correct.

Okay great, thanks for the explanations.
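The discovery mechanism described in this thread can be used by a client to find out which base path a server uses. The following is an added example, not part of the original posts and not Keycloak's own code: it probes the discovery URL with and without /auth and accepts a document only if its issuer exactly matches the URL it was fetched from, as OIDC Discovery requires. The function names, the host sso.example.test and the realm demo are assumptions, and the sample server responses are constructed.

```python
import json
from urllib.request import urlopen

# Quarkus distribution default first, then the older /auth prefix.
CANDIDATE_PREFIXES = ("", "/auth")

def http_fetch(url, timeout=5):
    """Return the parsed JSON body of url, or None on HTTP, network or parse errors."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):  # HTTPError/URLError are OSError subclasses
        return None

def discover(server, realm, fetch=http_fetch):
    """Probe both base paths; return (issuer, metadata) for the one that answers."""
    server = server.rstrip("/")
    for prefix in CANDIDATE_PREFIXES:
        issuer = f"{server}{prefix}/realms/{realm}"
        meta = fetch(f"{issuer}/.well-known/openid-configuration")
        if not isinstance(meta, dict):
            continue  # e.g. 404: the server is not mounted under this prefix
        # The issuer in the document must be identical to the URL we probed;
        # a mismatch means a misconfigured hostname/proxy or a wrong document.
        if meta.get("issuer") != issuer:
            raise ValueError(f"issuer mismatch: asked {issuer!r}, got {meta.get('issuer')!r}")
        if "token_endpoint" not in meta:
            raise ValueError("discovery document has no token_endpoint")
        return issuer, meta
    raise LookupError(f"no discovery document for realm {realm!r} on {server}")

def fake_server(base, prefix, realm):
    """Constructed stand-in for a server mounted at prefix (offline demo)."""
    issuer = f"{base}{prefix}/realms/{realm}"
    docs = {f"{issuer}/.well-known/openid-configuration": {
        "issuer": issuer,
        "token_endpoint": f"{issuer}/protocol/openid-connect/token",
    }}
    return docs.get  # returns None for any other URL, like a 404

if __name__ == "__main__":
    legacy = fake_server("https://sso.example.test", "/auth", "demo")
    issuer, meta = discover("https://sso.example.test", "demo", fetch=legacy)
    print(issuer)
    print(meta["token_endpoint"])
```

Once the issuer is known, take the token and other endpoints from the returned metadata rather than building the paths by hand.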