Description of problem:
Since Keycloak switched to Quarkus, they also deprecated the /auth endpoint, used by khci. See more at: https://www.keycloak.org/migration/migrating-to-quarkus

Version-Release number of selected component (if applicable):
the latest we have in RHEL-8

How reproducible:
not sure yet

Steps to Reproduce:
1. enroll a httpd server with mod_auth_openidc (git grep shows that the /auth endpoint is only used for OIDC)
2.
3.

Actual results:
probably doesn't work

Expected results:
should work

Additional info:

I think we should use --http-relative-path to match the new option in Keycloak. In Keycloak this option allows you to add /auth back to the path to help with migrating from older versions of Keycloak that needed it.

I opened a ticket with Keycloak asking how to use that option in production mode. I was informed that you either have to use it with build stage first or add the --auto-build option to the start stage. This also applies when starting the Keycloak container in production mode.

The solution I took with my tests was to just add --auto-build and --http-relative-path to the container run start command like this:

podman run --name keycloak -d \
    -p 8080:8080 \
    -p 8443:8443 \
    -e KEYCLOAK_ADMIN=admin \
    -e KEYCLOAK_ADMIN_PASSWORD=MyPassword123 \
    -e KC_LOG_LEVEL=debug \
    -e KC_HOSTNAME=$(hostname):8443 \
    -e KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt \
    -e KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key \
    -e KC_HTTPS_TRUST_STORE_FILE=/etc/x509/https/truststore.keystore \
    -e KC_HTTPS_TRUST_STORE_PASSWORD=MyPassword123 \
    -e KC_HTTP_RELATIVE_PATH=/auth \
    -v /tmp/https:/etc/x509/https:Z \
    quay.io/keycloak/keycloak:latest start --auto-build

You'll note I used the KC_HTTP_RELATIVE_PATH environment variable instead of the CLI arg.

For reference, this is the ticket I opened upstream asking about using that option in production mode:

https://github.com/keycloak/keycloak/issues/10699
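
Added example, not part of this report or of khci's own code: a Python check that a client installer could run to find out whether a Keycloak server answers under the root path or under /auth, accepting a path only when the discovery document's issuer matches the URL it was fetched from. The host name, realm and function names are assumptions; `/realms/<realm>/.well-known/openid-configuration` is Keycloak's OIDC discovery endpoint.

```python
import json
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"
# Values of http-relative-path to try: Quarkus default first, then legacy /auth.
CANDIDATE_PATHS = ("", "/auth")


def discovery_url(server_url, relative_path, realm):
    """Build the realm's OIDC discovery URL under the given relative path."""
    base = server_url.rstrip("/") + "/" + relative_path.strip("/")
    return base.rstrip("/") + f"/realms/{realm}" + WELL_KNOWN


def http_fetch(url, timeout=5):
    """Return (status, body); HTTP and connection errors become a status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except OSError:
        return 0, ""


def detect_relative_path(server_url, realm, fetch=http_fetch):
    """Return "" or "/auth" for the first path that serves a discovery
    document whose issuer matches its own URL, or None if neither does."""
    for path in CANDIDATE_PATHS:
        url = discovery_url(server_url, path, realm)
        status, body = fetch(url)
        if status != 200:
            continue
        try:
            issuer = json.loads(body)["issuer"]
            matches = issuer.rstrip("/") == url[: -len(WELL_KNOWN)]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
        if matches:
            return path
    return None


if __name__ == "__main__":
    # Hypothetical host; replace with the Keycloak server being enrolled.
    print(detect_relative_path("https://keycloak.example.test:8443", "master"))
```

A `None` result from a reachable server usually means the advertised issuer differs from the URL probed; OIDC Discovery requires the two to match, so the hostname settings need fixing before a client is enrolled.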