Describe the bug
Hello!
I'm trying to use the read provider OpenID configuration endpoint with a Keycloak realm locally (Docker). However, Vault doesn't allow me to set the URL http://keycloak:8080/realms/vault when I try to create the provider.
To Reproduce
- Try to create a new provider 'keycloak' with the creation endpoint and the issuer value http://keycloak:8080/realms/vault
  You will get the error:
  invalid issuer, which must include only a scheme, host, and optional port (e.g. https://example.com:8200)

To go further
- Use this docker-compose.yml file:

```yaml
services:
  vault:
    image: hashicorp/vault:1.21.0
    container_name: vault
    ports:
      - "8200:8200"
    environment:
      - VAULT_LOG_LEVEL=debug
      - VAULT_DEV_ROOT_TOKEN_ID=root
      - VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200
    cap_add:
      - IPC_LOCK
    networks:
      - keycloak
  keycloak:
    image: quay.io/keycloak/keycloak:26.4
    container_name: keycloak
    command: start-dev --import-realm --http-relative-path=/
    ports:
      - "8080:8080"
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_HEALTH_ENABLED: true
      KC_METRICS_ENABLED: false
      KC_LOG_LEVEL: info
    healthcheck:
      test: [ "CMD-SHELL", "exec 3<>/dev/tcp/localhost/8080 && echo -e 'GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\n\\r\\n' >&3 && cat <&3 | grep -q '200 OK'" ]
      interval: 5s
      timeout: 3s
      retries: 20
      start_period: 30s
    volumes:
      - ./realm.json:/opt/keycloak/data/import/realm.json
    networks:
      - keycloak
networks:
  keycloak:
    driver: bridge
```

  With this realm.json configuration file for Keycloak:

```json
{
  "realm": "vault",
  "enabled": true,
  "sslRequired": "none",
  "registrationAllowed": false,
  "loginWithEmailAllowed": true,
  "duplicateEmailsAllowed": false,
  "resetPasswordAllowed": true,
  "editUsernameAllowed": false,
  "bruteForceProtected": true,
  "accessTokenLifespan": 300,
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 36000,
  "clients": [
    {
      "clientId": "vault",
      "name": "HashiCorp Vault",
      "description": "Vault OIDC Client",
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "vault-client-secret",
      "redirectUris": [
        "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
        "http://localhost:8250/oidc/callback",
        "http://vault:8200/ui/vault/auth/oidc/oidc/callback"
      ],
      "webOrigins": [
        "http://localhost:8200",
        "http://vault:8200"
      ],
      "protocol": "openid-connect",
      "publicClient": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "attributes": {
        "access.token.lifespan": "300"
      },
      "protocolMappers": [
        {
          "name": "groups",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-group-membership-mapper",
          "consentRequired": false,
          "config": {
            "full.path": "false",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "groups",
            "userinfo.token.claim": "true"
          }
        }
      ]
    }
  ],
  "users": [
    {
      "username": "vault-user",
      "enabled": true,
      "email": "[email protected]",
      "firstName": "Vault",
      "lastName": "User",
      "emailVerified": true,
      "credentials": [
        {
          "type": "password",
          "value": "password",
          "temporary": false
        }
      ],
      "realmRoles": ["user"],
      "groups": ["/vault-admins"]
    }
  ],
  "groups": [
    {
      "name": "vault-admins",
      "path": "/vault-admins"
    },
    {
      "name": "vault-users",
      "path": "/vault-users"
    }
  ],
  "roles": {
    "realm": [
      {
        "name": "user",
        "description": "User role"
      },
      {
        "name": "admin",
        "description": "Administrator role"
      }
    ]
  }
}
```

- Turn on with: docker compose up -d
- Go to: http://localhost:8080/realms/vault/.well-known/openid-configuration
- You should receive the openid-configuration for the realm
Expected behavior
Vault must allow paths in the issuer value, and not "only a scheme, host, and optional port".
Environment:
- Vault Server Version (retrieve with vault status): 1.21.0
- Vault CLI Version (retrieve with vault version): Vault v1.21.1 (2453aac)
- Server Operating System/Architecture: Linux
Vault server configuration file(s): (see docker-compose.yml file above)
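As an added illustration (not Vault's source code), here are the two issuer rules at stake in Go: the strict scheme-host-port check that the reported error message describes, and the relaxed check the report asks for, which admits a path such as /realms/vault while still rejecting userinfo, query and fragment (OpenID Connect forbids the latter two in an issuer) and non-canonical paths. The function names and the canonical-path rule are assumptions of this example.

```go
package main

import (
	"errors"
	"net/url"
	"path"
	"strings"
)

// errIssuer reproduces the message quoted in the report.
var errIssuer = errors.New("invalid issuer, which must include only a scheme, host, and optional port (e.g. https://example.com:8200)")

// parseIssuer holds the rules both checks share: http(s) scheme, a host, and no
// userinfo, query or fragment (OIDC Core forbids query and fragment in an issuer).
func parseIssuer(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" ||
		u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return nil, errIssuer
	}
	return u, nil
}

// validateIssuerStrict models the behaviour the report observed: only
// scheme://host[:port] passes, so http://keycloak:8080/realms/vault is rejected.
func validateIssuerStrict(raw string) error {
	u, err := parseIssuer(raw)
	if err == nil && u.Path != "" && u.Path != "/" {
		return errIssuer
	}
	return err
}

// validateIssuerWithPath models the behaviour the report asks for: a path such as
// /realms/vault is accepted, provided it is canonical (no "." or ".." segments).
func validateIssuerWithPath(raw string) error {
	u, err := parseIssuer(raw)
	if err == nil {
		if p := strings.TrimSuffix(u.Path, "/"); p != "" && path.Clean(p) != p {
			return errIssuer
		}
	}
	return err
}

// discoveryURL follows OpenID Connect Discovery 1.0 section 4.1: drop a trailing
// slash from the issuer, then append /.well-known/openid-configuration.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}
```

Running validateIssuerWithPath over the report's issuer yields the discovery URL http://keycloak:8080/realms/vault/.well-known/openid-configuration, which is exactly the document the reproduction steps fetch by hand.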