Skip to content

Instantly share code, notes, and snippets.

@steffenba

steffenba/aap2_5_keycloak_auth.md

Last active October 15, 2025 17:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save steffenba/2ef1ceea32ef2bed692758e077587378 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save steffenba/2ef1ceea32ef2bed692758e077587378 to your computer and use it in GitHub Desktop.
Download ZIP
Ansible Automation Platform 2.5 Keycloak Authentication
Raw
aap2_5_keycloak_auth.md

Preface

Authenticating to the AAP2 Web-Gui using an OIDC-Based SSO like Keycloak is a requirement for many organizations.

This is why I wanted to try this out. Sadly the Red Hat Documentation is very thin on details on how to configure Keycloak itself to ensure a seamless integration.

Through some trial and error, I have found a solution that works. If there are any issues with this, please let me know!

Keycloak side

I assume you already have a functioning realm.

  • Add a client for AAP2 (in the following referred to by AAP2)
    • For "Access settings" basically all URLs should be your AAP2 urls, depending on your setup
    • Client authentication ON
    • Standard flow ON
    • Direct access grants ON
  • Credentials
    • Client Id and Secret (note the secret)

Client scopes

Within the client scopes comes the important part. By default Keycloak 26 will not provide the required scopes to a Client necessary to authenticate an AAP2 login. Specifically, AAP2 requires username and aud added to the Lightweight Access token.

To do this (and with this I'm unsure if this is the best way to to about this): Within AAP2-dedicated add two Mappers:

  • By configuration: Audience -> Ensure "Add to lightweight access token" is ON
  • From predefined mappers: username -> Ensure "Add to lightweight access token" is ON
    • User Attribute: username
    • Token claim name: preferred_username
    • Claim JSON Type: String
    • Add to Access Token: On
    • Add to lightweight access token: On
    • Add to userinfo: On
    • Add to token introspection: On

AAP2 side

Keycloak has a predefined Authentication Method, use that.

  • Name: Whatever you like
  • Type: Keycloak
  • Keycloak Access Token URL: https://<your-keycloak-host>/realms/<your-realm>/protocol/openid-connect/token
  • Keycloak Provider URL: https://<your-keycloak-host>/realms/<your-realm>/protocol/openid-connect/auth
  • Keycloak OIDC Secret: The secret you noted earlier
  • Keycloak OIDC Key: <Name of your Client in KC e.g. AAP2>
  • Keycloak Public Key: You can find this in Your Realm Settings -> Keys -> RS256 -> Public Key
  • Enabled: On
  • Create Objects: On

This configuration should then allow you to log in. Ensure that a connection between your AAP2 Host and the Keycloak instance can be established on Port 443 (or whatever port you reach KC on).

No Mappers have been configured, you should probably map your OIDC Roles to Roles in AAP2. You can also just delegate Rights/Roles to your User in AAP2 directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment