# general
p
Keycloak is SUPER finicky with rancher.
b
what does it mean? 🙂 that it’s not possible, or that I need to fine-tune something?
I am able to pass groups via LDAP — but then it feels that users would too have to login via LDAP
basically I am trying to solve a simple case - a keycloak user logs into rancher — and sees only projects that user is allowed to
p
No, basically I don't know why, but to validate the OIDC you need to link a user to rancher, which is stupid, as when the token of that user expires the sync breaks and you have to relogin on that user
b
hm, ok - but tbh this is solvable for me — once the user is in rancher and has a group, I can manage that via rancher APIs. My concern is about creating groups in the first place
p
If your client has the right roles everything should sync magically
b
ok, so basically it should be possible with user access token to see from keycloak the groups of the user? I am going through the code of rancher atm, it feels that something like that is happening
p
If you follow the docs it should "just work"
b
well, for starters, the docs seem to be written against a pretty old version of keycloak, but I’ve tried with versions 22 and 25. But I think I’ve reproduced what was intended, in several different ways. I keep getting that 401. I do understand that it basically should be trying to get the user’s access token to retrieve data about the user’s groups — but tbh it doesn’t feel correct in terms of logic. Unless I am mistaken about something. Perhaps it might also not be a correct idea at all - what I want to achieve is to enable externally assigning user permissions before they log into Rancher, so once they login they have everything in place. Groups seemed like a good option. I am also trying to figure out if it’s possible to pre-provision a local user and map it to keycloak later on somehow.
From UserAttribute CRD I see that at least group reference is correctly in place:
GroupPrincipals:
  keycloakoidc:
    Items:
    - displayName: asdf
      memberOf: true
      metadata:
        creationTimestamp: null
        name: keycloakoidc_<group://asdf>
      principalType: group
      provider: keycloakoidc
I’ve tuned the debug log to max on keycloak and rancher, but it seems that the log is simply not there for that code piece