Problem/Motivation

Keycloak dropped the /auth prefix when they switched from WildFly to Quarkus. Newer deployments default to no path prefix.

Regrettably, the /auth prefix is hard-coded in KeycloakService. The simplest fix would be to remove that prefix and document in the README that url settings must include a path prefix. If that is too disruptive for existing deployments, then we'd probably have to introduce another key in the keycloak_user_sync.connection setting (e.g., path_prefix) which defaults to /auth. Users who need a different prefix (or none) would have to explicitly set that key.

Comments

znerol created an issue. See original summary.

znerol’s picture

Status: Active » Needs review
roromedia’s picture

Hi, the link mentioned that from v17 Keycloak removes /auth but our default Keycloak server setup (v26) still included /auth out of the box, and it also didn't come with a default redirect to /auth if it’s missing.
Therefore I suggest we still make /auth the default prefix, but keep it configurable – just as you proposed in the issue.
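
The configurable-prefix option from the issue summary, sketched as an added example; it is not part of the thread or the module's code. The function names are hypothetical, and it assumes the `url` key and the proposed `path_prefix` key sit in the `keycloak_user_sync.connection` array.

```php
<?php

declare(strict_types=1);

/**
 * Hypothetical helper (not the module's KeycloakService): resolves the
 * Keycloak base URL from an array shaped like the
 * keycloak_user_sync.connection setting discussed in this issue.
 */
function keycloak_base_url(array $connection): string {
  if (empty($connection['url']) || !is_string($connection['url'])) {
    throw new InvalidArgumentException('connection.url is required');
  }
  $url = rtrim($connection['url'], '/');

  // Key absent: keep the legacy /auth default so existing deployments
  // keep working. Key present but empty: no prefix at all, which is
  // what newer Quarkus-based deployments default to.
  $prefix = array_key_exists('path_prefix', $connection)
    ? (string) $connection['path_prefix']
    : '/auth';
  $prefix = trim($prefix, '/');
  if ($prefix === '') {
    return $url;
  }
  // Accept plain path segments only: no query, fragment, empty or dot
  // segments, so a typo cannot redirect admin API calls elsewhere.
  foreach (explode('/', $prefix) as $segment) {
    if (!preg_match('/^[A-Za-z0-9._~-]+$/', $segment) || $segment === '.' || $segment === '..') {
      throw new InvalidArgumentException('invalid path_prefix segment');
    }
  }
  return $url . '/' . $prefix;
}

/** Admin REST API root for a realm under the resolved base URL. */
function keycloak_admin_realm_url(array $connection, string $realm): string {
  return keycloak_base_url($connection) . '/admin/realms/' . rawurlencode($realm);
}

// Constructed sample settings, not taken from a real deployment.
$legacy = ['url' => 'https://sso.example.org/'];
$quarkus = ['url' => 'https://sso.example.org', 'path_prefix' => ''];
$custom = ['url' => 'https://sso.example.org', 'path_prefix' => '/kc/'];

foreach ([$legacy, $quarkus, $custom] as $c) {
  echo keycloak_admin_realm_url($c, 'example realm'), PHP_EOL;
}
```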

znerol’s picture

With MR !4 existing deployments will need to change their config and append /auth to the configured url. Is that acceptable?

Regarding the standard: there are probably a gazillion ways in which Keycloak can be deployed. The official Keycloak container (docs) defaults to no path prefix at all. This is actually how I found the issue (over in #3530874: Add integration tests). Maybe if you run Keycloak using a preexisting Helm chart or Ansible playbook, things might be different.

  • roromedia committed d2691558 on 1.0.x authored by znerol
    Issue #3530867 by znerol: Keycloak http relative path is hard-coded to /...
roromedia’s picture

I think it is acceptable to have non-standard paths configured via settings.php, issue merged.

roromedia’s picture

Just stumbled across the Keycloak URL setting in the OpenID Connect module: /admin/config/people/openid-connect/keycloak/edit

So I would suggest we take the value from there and avoid a separate config item.