Contrib.social

Keycloak http relative path is hard-coded to /auth

Open on Drupal.org β†’
Created on 18 June 2025, 15 days ago

Problem/Motivation

Keycloak dropped the /auth prefix when they switched from WildFly to Quarkus. Newer deployments default to no path prefix.

Regrettably, the /auth prefix is hard-coded in KeycloakService. The simplest fix would be to remove that prefix and document in the README, that url settings must include a path prefix. If that is too disruptive for existing deployments, then we'd probably have to introduce another key in the keycloak_user_sync.connection setting (e.g., path_prefix) which defaults to /auth. Users who need a different prefix (or none) would have to explicitly set that key.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡¨πŸ‡­Switzerland znerol

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @znerol
  • Merge request !4Issue #3530867: Remove hard coded /auth prefix β†’ (Merged) created by znerol
  • Comment 15 days ago β†’
    πŸ‡¨πŸ‡­Switzerland znerol
  • Pipeline finished with Success
    15 days ago
    Total: 194s
    #525549
  • Comment 11 days ago β†’
    πŸ‡¦πŸ‡ΉAustria roromedia Linz

    Hi, the link mentioned that from v17 Keycloak removes /auth but our default Keycloak server setup (v26) still included /auth out of the box, and it also didn't come with a default redirect to /auth if it’s missing.
    Therefore I suggest we still make /auth the default prefix, but keep it configurable – just as you proposed in the issue.

  • Comment 10 days ago β†’
    πŸ‡¨πŸ‡­Switzerland znerol

    With !4 existing deployments will need to change their config and append /auth to the configured url. Is that acceptable?

    Regarding the standard. There are probably a gazillion of ways on how keycloak can be deployed. The official keycloak container (docs) defaults to no path prefix at all. This is actually how I found the issue (over in πŸ“Œ Add integration tests Active ). Maybe if you run keycloak using a preexisting helm chart or ansible playbook, things might be different.

  • Pipeline finished with Skipped
    10 days ago
    #530133
  • Comment 10 days ago β†’
    System Message
  • Comment 10 days ago β†’
    πŸ‡¦πŸ‡ΉAustria roromedia Linz

    I think it is acceptable to have non-standard paths configured via settings.php, issue merged.

  • Comment 7 days ago β†’
    πŸ‡¦πŸ‡ΉAustria roromedia Linz

    Just stumbled across the Keycloak URL setting in the OpenID Connect module: /admin/config/people/openid-connect/keycloak/edit

    So I would suggest we take the value from there and avoid a separate config item.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024