Keycloak and Rancher OIDC configuration

Hello there people

I am currently in the process of setting up Keycloak (OIDC) with our Rancher environment.

I’m using this Rancher guide, but I’m having some trouble defining the parameters in Keycloak.

When I try to connect Rancher it seems like there is a problem hitting our Realm. I am pasting in the name of the realm, but it does not seem to be hitting it through the authentication process.

And I assume that it is the setup in Keycloak that is causing the issue.

As you may know, Keycloak is just an OIDC server, so nothing special about that.

But, since the Rancher form specifies “Keycloak URL” instead of the more generic “authorization endpoint” or something like “openid-connect autodiscovery url”, it makes me think they may have hardcoded Keycloak behaviour in there.

So, suppose your keycloak admin console url is “https://mykeycloak.com/admin/master/console”, your “Keycloak URL” for that form will be “https://mykeycloak.com/” and the realm is the realm name.

If your keycloak version is <17, that would be https://mykeycloak.com/auth, newer versions dropped the /auth path.

Hope that helps.


One hint: if using Keycloak >=17 without the legacy /auth in the path, then the Rancher “generate” code does not generate correct URLs, so use the “specify” option.

Hint: Rancher currently does template-based URL generation, but should ideally read the .well-known/openid-configuration information from the OAuth server [1].

[1] [RFE] Improve oidc URL generation · Issue #38480 · rancher/rancher · GitHub


Thank you guys for the replies :blush:

I’m a novice at these programs, so I’m trying to learn. I apologize for the perhaps very basic questions.

I’m pretty confident that I got all the right information into the Rancher form now, and it gives me this error now “Invalid parameter: redirect_uri” in Keycloak, which I am currently researching.

I did make a temporary fix using this “guide” (I know it’s a temporary fix since it leaves a major security flaw).

Now it just gives “[generic oidc]: server error while authenticating: Get “Auth Endpoint URL/.well-known/openid-configuration”: dial tcp server IP and port number: i/o timeout”

The redirect URI is part of the openid connect protocol.

Per rancher documentation, that should be something like: https://yourRancherHostURL/verify-auth

In your keycloak installation, you may have created a client for rancher, there is an option to register the redirect URI.

I found this guide to be very helpful to understand OpenID Connect concepts. It’s very quick and informative. OpenID Connect Authorization Code Flow - OAuth 2.0 Playground
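To make the two points above concrete (the /auth path difference by Keycloak version, and the redirect URI that must be registered on the Keycloak client), here is an added example that is not from this thread, Rancher or Keycloak. It builds the issuer and discovery URL the way the replies describe, shows what a template-based generator gets wrong when it assumes the legacy path, and reproduces Keycloak's redirect URI matching rule (exact match, or a registered value ending in `*` used as a prefix). The host names, realm name and discovery document are constructed.

```python
# Added example: Keycloak issuer/discovery URLs for the Rancher OIDC form,
# template-vs-discovery comparison, and redirect_uri matching.

# Constructed values, not taken from the thread.
RANCHER_HOST = "https://rancher.example.com"
KEYCLOAK_URL = "https://mykeycloak.com/"
REALM = "myrealm"

def keycloak_issuer(keycloak_url: str, realm: str, legacy_auth_path: bool) -> str:
    """Issuer for a realm; Keycloak < 17 serves under /auth, newer versions do not."""
    base = keycloak_url.rstrip("/")
    if legacy_auth_path:
        base += "/auth"
    return f"{base}/realms/{realm}"

def discovery_url(issuer: str) -> str:
    """The .well-known document Rancher tries to fetch during login."""
    return f"{issuer}/.well-known/openid-configuration"

def template_endpoints(issuer: str) -> dict:
    """Keycloak's fixed endpoint layout, as a template-based generator assumes it."""
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/protocol/openid-connect/auth",
        "token_endpoint": f"{issuer}/protocol/openid-connect/token",
    }

def mismatches(discovery_doc: dict, generated: dict) -> list:
    """Keys whose discovery value differs from the template-generated one."""
    return sorted(k for k, v in generated.items() if discovery_doc.get(k) != v)

def redirect_uri_allowed(requested: str, registered: list) -> bool:
    """Keycloak's client rule: exact match, or a registered value ending in '*' as prefix."""
    for pattern in registered:
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
        if requested == pattern:
            return True
    return False

# Constructed discovery document for a Keycloak >= 17 realm (no /auth prefix).
DISCOVERY_DOC = {
    "issuer": "https://mykeycloak.com/realms/myrealm",
    "authorization_endpoint": "https://mykeycloak.com/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://mykeycloak.com/realms/myrealm/protocol/openid-connect/token",
}

if __name__ == "__main__":
    old = template_endpoints(keycloak_issuer(KEYCLOAK_URL, REALM, legacy_auth_path=True))
    print("discovery URL:", discovery_url(keycloak_issuer(KEYCLOAK_URL, REALM, False)))
    print("mismatches when /auth is assumed:", mismatches(DISCOVERY_DOC, old))
    print("redirect ok:", redirect_uri_allowed(f"{RANCHER_HOST}/verify-auth", [f"{RANCHER_HOST}/verify-auth"]))
```

A trailing slash or different host in the registered value is enough to produce Keycloak's “Invalid parameter: redirect_uri”, which is why the registered URI must match Rancher's `/verify-auth` callback exactly unless a `*` pattern is used.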

I have enabled OIDC in my Rancher environment successfully! You shall correct the issuer and Auth Endpoint, because the generated URL is wrong.
