I’m scripting a procedure for automating installation. Basically, I start with a ‘vanilla’ Keycloak install, for domain example.com, and a default admin password and client secret. Keycloak is behind an Apache reverse proxy/gateway. This is a working install; I can access the Keycloak admin page from outside the gateway, and log in.
The install script then:
- Runs kcadm.sh to change the admin password (this works; kcadm can authenticate with the new credentials, so the new password is recognised)
- Runs kcadm.sh to set a new client secret
- Edits the database (MariaDB) to change all instances of example.com to the new domain. I’ve only found two: REDIRECT_URIS to set the callback, and WEB_ORIGINS
- Fix up keycloak.conf with the new domain name
- Fix up the Apache config (auth_openidc.conf) with the new client secret and the domain name
After these changes, I can’t log in to the Keycloak admin page with the password; I just get an invalid username/password message. I’ve set --log-level=TRACE on startup, but this isn’t really helping. The syslog does show DEBUG and TRACE messages, but I can’t see anything useful.
For the login, the WARN message shows ‘error=user_not_found, auth_method=openid-connect,username=admin’, among other things. After this, I can still authenticate on kcadm.sh, so the problem is presumably in the Apache/Keycloak communication. I’ve also tried clearing cookies and using a different browser.
Any ideas? I’m thinking I may have missed something else in the database that has to be changed?
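As an added example (not part of the original post), the domain rewrite from the third step done through the Keycloak admin REST API that kcadm.sh wraps, so the running server's client cache sees the change rather than only the database. The base URL, realm, client id and credentials are placeholders; the endpoint paths assume a Quarkus-based Keycloak without the old /auth prefix.

```python
"""Rewrite old_domain -> new_domain in a client's redirectUris and webOrigins
via the Keycloak admin REST API instead of editing the MariaDB tables."""
import json
import urllib.parse
import urllib.request


def rewrite_domain(client, old_domain, new_domain):
    """Return a copy of a client representation with old_domain replaced by
    new_domain in redirectUris and webOrigins only; every other field is kept."""
    updated = dict(client)
    for field in ("redirectUris", "webOrigins"):
        updated[field] = [u.replace(old_domain, new_domain) for u in client.get(field, [])]
    return updated


def admin_token(base_url, username, password):
    """Obtain a master-realm admin token through the built-in admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.load(resp)["access_token"]


def update_client_domain(base_url, token, realm, client_id, old_domain, new_domain):
    """Look the client up by clientId, rewrite its URIs and PUT the result back."""
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    query = urllib.parse.urlencode({"clientId": client_id})
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/clients?{query}", headers=hdr)
    with urllib.request.urlopen(req, timeout=10) as resp:
        client = json.load(resp)[0]  # clientId is unique within a realm
    body = json.dumps(rewrite_domain(client, old_domain, new_domain)).encode()
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/clients/{client['id']}",
                                 data=body, headers=hdr, method="PUT")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status  # Keycloak answers 204 No Content on success


if __name__ == "__main__":
    # Placeholder host, realm, client and credentials (assumptions, not from the post).
    base = "https://keycloak.internal.example"
    tok = admin_token(base, "admin", "NEW_ADMIN_PASSWORD")
    print(update_client_domain(base, tok, "master", "apache-gateway",
                               "example.com", "newdomain.example"))
```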