Keycloak on ondemand having issue

Hi All,

I have set up ondemand 3 + keycloak 9 using the ondemand website, on the same host.

The key cloak is up now, I have to set it running on a different https port, like 8899, to avoid conflicts with the ondemand 443 port. The keycloak web GUI works fine, and I have condiguerd the ldap , theme, etc. Then I updated the ood_portal.yml and auth_openidc.conf, restartd the httpd.

Now the ood website directs me to: https://my server /auth/

with 404 error:“The requested URL was not found on this server.” There is no useful info from httpd log file.

I am using Rocky Linux, JDK 17.

I am not sure why?

So you have both running on the same machine?

When you configured Keycloak - you accessed it directly through the host:8899?

Off the top it seems like you need to make a vhost for keycloak such that request to /auth get proxied to localhost:8899.

Thanks, Jeff!

Yes, both running on the same machine.

I added a new vhost, in a separate file (/etc/httpd/conf.d/keycloak.conf):

Listen 8989 https
<VirtualHost *:8989>
ServerName myserver:8989

ErrorLog “logs/error_ssl_8989.log”
CustomLog “logs/access_ssl_8989.log” combined

SSLEngine On
SSLCertificateFile “/etc/pki/tls/certs/oodweb.cert”
SSLCertificateKeyFile “/etc/pki/tls/private/oodweb.key”

ProxyRequests Off
ProxyPreserveHost On
ProxyAddHeaders On

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
RequestHeader set X-Forwarded-Proto “https”
RequestHeader set X-Forwarded-Port “8989”

This file let me be able to manage the keycloak using a web browser


for OOD:
I found a error in my auth_openidc.conf , on “OIDCProviderMetadataURL”, I changed it to "htts://myserver:8899/auth/realms/ondemand/.well-known/openid-configuration

It then give me a simple login page, after login, it reports error:


We are sorry…

Unexpected error when handling authentication request to identity provider.

« Back to Application

Also, in the system log file, found this error:

[[0m^[[33m18:54:50,114 WARN [] (default task-8) type=LOGIN_ERROR, realmId=ondemand, clientId=myserver, userId=null, ipAddress=xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://myserver/oidc, code_id=985ea1a0-7d01-4658-b358-4856f5ccbe89, username=xxx, authSessionParentId=985ea1a0-7d01-4658-b358-4856f5ccbe89, authSessionTabId=hyTB4-WVgHU



Also, I I tried to setup the keycloak at the beginning, at step 1.6(1. Install Keycloak — Open OnDemand 3.0.3 documentation), I got the following output.

What does it mean? is it safe to assume it is fine?

./bin/ --file=config.cli

{“outcome” => “success”}
“outcome” => “failed”,
“failure-description” => “WFLYCTL0369: Required capabilities are not available:; Possible registration points for this capability:
“rolled-back” => true

Since I am using JDK 17, will it also be an issue?



Also mode warning/error from the system log:

Oct 25 18:54:50 fj-dtn[3750744]: Caused by: org.keycloak.models.ModelException: Querying of LDAP failed

Oct 25 18:54:50 fj-dtn[3750744]: at org.keycloak.keycloak-ldap-federation@9.0.0//

Oct 25 18:54:50 fj-dtn[3750744]: at org.keycloak.keycloak-ldap-federation@9.0.0//

Oct 25 18:54:50 fj-dtn[3750744]: … 86 more

Oct 25 18:54:50 fj-dtn[3750744]: Caused by: javax.naming.NamingException: WFLYNAM0027: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module “deployment.keycloak-server.war” from Service Module Loader [Root exception is java.lang.IllegalAccessException: class cannot access class com.sun.jndi.ldap.LdapCtxFactory (in module java.naming) because module java.naming does not export com.sun.jndi.ldap to unnamed module @13acbc0e]

OK, I downgraded to JDK 1.8. The error changed, Which says “Invalid username or password.”

Looks closer. Sounds like ldap thing…

error message:

… WARN [] (default task-1) type=LOGIN_ERROR, realmId=ondemand, clientId=xxx, userId=null, ipAddress=yyy ,error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https:/xxx/oidc, code_id=43ce1dc3-dc1c-400c-8b4b-21968f75fe93, username=xxx, authSessionParentId=43ce1dc3-dc1c-400c-8b4b-21968f75fe93, authSessionTabId=3odn-4IjEWg

Hi all,

Still get the error message when login in system log:

Oct 26 13:01:58 fj-dtn[3759176]: ^[[0m^[[33m13:01:58,566 WARN [] (default task-55) type=LOGIN_ERROR, realmId=ondemand, clientId=account, userId=null, ipAddress=xxx, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://xxxxxxyyy:8899/auth/realms/ondemand/account/login-redirect?path=applications, code_id=13fa8c8e-5351-4fa4-b30d-602a11452779, username=fenzhang, authSessionParentId=13fa8c8e-5351-4fa4-b30d-602a11452779, authSessionTabId=DNWdoSGl_10

Any hints on what may be the cause? For the LDAP, I can do “Test Connection” and “Test authentication”, which means the LDAP basic setting is fine?

I set up a local use on the Keycloak admin web portal in the same realm. I can use that to login, but gives me the Keycloak webpage for account mgmt(/xxxx:8899auth/realms/ondemand/account/applications) , not the OOD webpage. Anything I did wrong?

Thanks in advance for your help.

It’s able to connect correct I think is all this gets you. My guess, you need to fix the base LDAP query you issue for the correct cn=... dn=...

@tdockendorf may be able to provide some guidance that I’m unaware of.

Keycloak 9 is several years out-of-date. The docs for OnDemand don’t get updated as quickly as Keycloak comes out with new releases. I’d strongly recommend trying with something like Keycloak 22. The setup is entirely different and in many cases it’s much simpler. OpenJDK - Keycloak.

The Test authentication and Test Connection only stress that Keycloak can connect to LDAP, it doesn’t stress that you configured the correct attribute mappings and DNs for where users are stored. I’d have to see a LDIF dump of a user from your LDAP to be able to advise what attributes to set. How data is stored in LDAP tends to be very site specific. I can show you what OSC has but our’s is far from standard so may not be useful:

  "id" : "1596bc37-6ced-5ff5-8fc2-280746004334",
  "name" : "OSC-LDAP",
  "providerId" : "ldap",
  "providerType" : "",
  "parentId" : "osc",
  "config" : {
    "fullSyncPeriod" : [ "-1" ],
    "useTruststoreSpi" : [ "never" ],
    "usersDn" : [ "ou=People,dc=osc,dc=edu" ],
    "cachePolicy" : [ "DEFAULT" ],
    "priority" : [ "0" ],
    "trustEmail" : [ "false" ],
    "importEnabled" : [ "false" ],
    "enabled" : [ "true" ],
    "userObjectClasses" : [ "posixAccount" ],
    "bindCredential" : [ "**********" ],
    "usernameLDAPAttribute" : [ "uid" ],
    "changedSyncPeriod" : [ "-1" ],
    "bindDn" : [ "cn=read,ou=Admin,dc=osc,dc=edu" ],
    "rdnLDAPAttribute" : [ "cn" ],
    "vendor" : [ "other" ],
    "editMode" : [ "READ_ONLY" ],
    "uuidLDAPAttribute" : [ "entryUUID" ],
    "connectionUrl" : [ "ldaps://ldap1.OMIT:636 ldaps://ldap2.OMIT:636 ldaps://ldap3.OMIT:636" ],
    "syncRegistrations" : [ "false" ],
    "authType" : [ "simple" ],
    "batchSizeForSync" : [ "1000" ]

This is just the LDAP provider, you also have to setup mappers, like this one:

  "id" : "67e276d3-4e1b-4d6a-a3f2-6a7ef11a8080",
  "name" : "username",
  "providerId" : "user-attribute-ldap-mapper",
  "providerType" : "",
  "parentId" : "1596bc37-6ced-5ff5-8fc2-280746004334",
  "config" : {
    "ldap.attribute" : [ "uid" ],
    "" : [ "true" ],
    "read.only" : [ "true" ],
    "" : [ "false" ],
    "user.model.attribute" : [ "username" ]

I believe Keycloak comes with some built-in mappers but they will only work if your LDAP schema uses the attributes they are setup for. You may have to create your own mappers.

Once you have the correct LDAP provider and mappers you should be able to navigate to the Users section of Keycloak and search for LDAP users and see them with their data populated based on the mappers you setup.

Thanks, @tdockendorf !

I am trying now to set up the Keycloak 22. I have been abled to finish the settings shown in the webpage you shared(OpenJDK - Keycloak).

I found there seems no credential for a client I created just like keycloak 9, which is need by auth_opidc.conf? Or is there any changes for OOD to use key cloak 22?

For the mapper, in the admin gui, the “user federation”, after setup a ldap, I has a “mapper” tab, I found there are some mappers, some of them I had to change according to our LDAP.

Thanks very much!


A Client in Keycloak needs to have “Client authentication” set to “On” which I think enables the “Credentials” tab and in the “Credentials” tab it should be “Client Id and Secret” and there you can generate the Client Secret which you pass into the OpenID configs in Apache.

Thanks again, @tdockendorf !

I have got the credential successfully.

Now I have set up the Keycloak 22 running on port 8443.(running on the same host of the OOD).

The other settings are updated accordingly. Now when I try to open

https://myserver/,it directs me to https://myserver/pun/sys/dashboard, and reports " Internal Server Error" on the web page.

Did anything I missed?


What’s the error in /var/log/httpd?

The error says:

[Fri Oct 27 14:37:10.935880 2023] [auth_openidc:error] [pid 3825677:tid 140736662443776] [client xxx:54391] oidc_util_json_string_print: oidc_util_check_json_error: response contained an “error” entry with value: ““RESTEASY003210: Could not find resource for full path: https://xxx:8443/auth/realms/ondemand/.well-known/openid-configuration””

[Fri Oct 27 14:37:10.935897 2023] [auth_openidc:error] [pid 3825677:tid 140736662443776] [client xxx:54391] oidc_metadata_provider_retrieve: JSON parsing of retrieved Discovery document failed

[Fri Oct 27 14:37:10.935901 2023] [auth_openidc:error] [pid 3825677:tid 140736662443776] [client xxxx:54391] oidc_provider_static_config: could not retrieve metadata from url: https://xxxx:8443/auth/realms/ondemand/.well-known/openid-configuration

Our oidc_provider_metadata_url configuration path doesn’t start with /auth - it starts with /realms.


Thanks, Jeff.

I changed it by removing the /auth, not it directs me to the " Welcome to Keycloak account management".
Is it right? Not the simple login webpage I had when using keycloak9.

Oh, it’s my fault, I did not set the client right. Fell getting closer.

Now I an open the login page. I have set up a use on the Keycloak web portal, I want to check to see if can login(without LDAP things). It gives me error:

Error – can’t find user for testkeycloak
Run ‘nginx_stage --help’ to see a full list of available command line options.

HTTP log:

**apache : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u testkeycloak -a https://xxx:443/nginx_init_redir

I set up the Valid redirect URIs according to the OOD web site.

I am running the key cloak as root?

We are running Rocky Linux 8. So no sudoers are set. Do I need to set up sudo user do so?


Still can’t let it work.(Rocky Linux 8, JDK 17, ondemand-3.0.3-1.el8.x86_64, key cloak 22.0.5, http 2.4.37.)

When tried to login as a “local” user(created on Keycloak web GUI), get Error – can’t find user for testkeycloak.

When tried to login as a LDAP user, not work either:
2023-10-27 16:25:08,205 WARN [] (executor-thread-84) type=LOGIN_ERROR, realmId=fff93fdc-e378-4dae-ab3f-fbc985020056, clientId=ondemand, userId=null, ipAddress=xxx, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://xxx/oidc/, code_id=cdea991f-dd69-441c-9af0-1ed6924fd308, username=

It is almost the same as what I got when using Keycloak 9+Java1.8.

Any help will be greatly appreciated!