Ondemand + keycloak + RHEL8 issues

I’m trying to set up ondemand 2 with OIDC to keycloak on RHEL8 and I’m having some issues.

The error is
oidc_provider_static_config: could not retrieve metadata from url: http://<ondemand-server>:5556/.well-known/openid-configuration

We are running keycloak (RHSSO actually) on a completely different server and I’ve mentioned that in several config files and I can’t get it to recognize that.

I had set up the ondemand server with dex to log in locally and have turned that service off. I’m trying to figure out where the OIDC settings are set. I set things in /etc/ood/config/ood_portal.yml and they don’t seem to have an effect. I also see /opt/rh/httpd24/root/etc/httpd/conf.d/auth_openidc.conf mentioned in the documentation, but it looks like we’re using httpd instead of httpd24. I see the actual portal conf file located in /etc/httpd/conf.d/ood-portal.conf so I tried auth_openidc.conf in that directory but that doesn’t seem to pick up the correct metadata url either. Where should I try setting the OIDC settings?

@jeff.ohrstrom can you help?

Yea you seem to have Dex configured and the system (OOD) is still using it. It’s checking for ondemand-dex the package being installed and making some default choices based on that - like your OIDCMetadataURL there pointing locally to dex.

Remove the ondemand-dex RPM and subsequent invocations of update_ood_portal and/or httpd restarts (the systemd unit file calls update_ood_portal on restarts) should clear all that dex stuff out and should start to use your OIDC settings you have in ood_portal.yml
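A way to confirm which identity provider the generated portal config actually trusts, as an added example that is not part of the original posts: it reads the mod_auth_openidc `OIDCProviderMetadataURL` directive from a config file and flags a URL that points back at the portal host, which is the Dex default described above. The function names and the sample hostnames are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up for this sketch.

# Print the argument of each active OIDCProviderMetadataURL directive in Apache
# config file $1 (directive names are case-insensitive; comments are skipped).
oidc_metadata_urls() {
    awk 'tolower($1) == "oidcprovidermetadataurl" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Host part of URL $1, with scheme, port and path stripped.
url_host() {
    _h=${1#*://}
    _h=${_h%%/*}
    printf '%s\n' "${_h%%:*}"
}

# For config $1 and portal hostname $2, print "local <url>" when a metadata URL
# points back at the portal host (the Dex default) and "external <url>" otherwise.
# Returns 1 if any URL is local or if no URL is configured.
check_portal_conf() {
    _rc=0
    _urls=$(oidc_metadata_urls "$1")
    [ -n "$_urls" ] || { echo "none"; return 1; }
    for _u in $_urls; do
        case $(url_host "$_u") in
            "$2"|localhost|127.0.0.1) echo "local $_u"; _rc=1 ;;
            *) echo "external $_u" ;;
        esac
    done
    return "$_rc"
}

# Constructed sample: a generated config that still points at the local Dex.
sample_conf() {
    printf '%s\n' '<VirtualHost *:443>' \
        '  # OIDCProviderMetadataURL https://sso.example.org/.well-known/openid-configuration' \
        '  OIDCProviderMetadataURL "http://ood.example.org:5556/.well-known/openid-configuration"' \
        '</VirtualHost>'
}

# With a path argument, check the real system, e.g.:
#   sh check_oidc.sh /etc/httpd/conf.d/ood-portal.conf "$(hostname -f)"
if [ "$#" -ge 1 ]; then
    if command -v rpm >/dev/null 2>&1 && rpm -q ondemand-dex >/dev/null 2>&1; then
        echo "ondemand-dex is installed: per the thread, the portal config defaults to the local Dex"
    fi
    check_portal_conf "$1" "${2:-$(hostname)}"
fi
```

A "local" result after removing the package means the config has not been regenerated yet; an "external" result should name the keycloak server set in ood_portal.yml.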

That did the trick, thanks!
