From 03fffaaf5fc2c9949fa0fd6ea86d1f3bb61c5fe0 Mon Sep 17 00:00:00 2001
From: pamenon <pamenon@redhat.com>
Date: Thu, 23 Apr 2026 12:25:03 +0100
Subject: [PATCH] Fix keycloak_context default from /auth to empty string

The /auth context path was used by legacy WildFly-based Keycloak but
is no longer needed for Quarkus-based Keycloak (17+) or RHBK. The
current default of /auth forces users to explicitly pass an empty
keycloak_context to avoid broken API URLs.

This changes the default to an empty string, updates argument_specs
and README documentation, and removes the now-unnecessary
keycloak_context: '' overrides from all molecule converge files.

Users on legacy WildFly-based Keycloak can still set
keycloak_context: /auth explicitly.

Made-with: Cursor
---
 molecule/debian/converge.yml                 | 1 -
 molecule/default/converge.yml                | 1 -
 molecule/quarkus/converge.yml                | 1 -
 molecule/quarkus_devmode/converge.yml        | 1 -
 roles/keycloak_realm/README.md               | 2 +-
 roles/keycloak_realm/defaults/main.yml       | 2 +-
 roles/keycloak_realm/meta/argument_specs.yml | 4 ++--
 7 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/molecule/debian/converge.yml b/molecule/debian/converge.yml
index e853b38..88cb98d 100644
--- a/molecule/debian/converge.yml
+++ b/molecule/debian/converge.yml
@@ -13,7 +13,6 @@
     - role: keycloak_quarkus
     - role: keycloak_realm
       keycloak_url: "{{ keycloak_quarkus_hostname }}"
-      keycloak_context: ''
       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_users:
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index e617b59..2b899de 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -18,7 +18,6 @@
     - role: keycloak_quarkus
     - role: keycloak_realm
       keycloak_url: "{{ keycloak_quarkus_hostname }}"
-      keycloak_context: ''
       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_users:
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index b281144..dbce67b 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -61,7 +61,6 @@
     - role: keycloak_quarkus
     - role: keycloak_realm
       keycloak_url: http://instance:8080
-      keycloak_context: ''
       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_default_roles:
diff --git a/molecule/quarkus_devmode/converge.yml b/molecule/quarkus_devmode/converge.yml
index a596478..a849ce3 100644
--- a/molecule/quarkus_devmode/converge.yml
+++ b/molecule/quarkus_devmode/converge.yml
@@ -17,7 +17,6 @@
     - role: keycloak_quarkus
     - role: keycloak_realm
       keycloak_url: "{{ keycloak_quarkus_hostname }}"
-      keycloak_context: ''
       keycloak_admin_user: "{{ keycloak_quarkus_bootstrap_admin_user }}"
       keycloak_admin_password: "{{ keycloak_quarkus_bootstrap_admin_password }}"
       keycloak_client_default_roles:
diff --git a/roles/keycloak_realm/README.md b/roles/keycloak_realm/README.md
index e01c72f..cc5fb64 100644
--- a/roles/keycloak_realm/README.md
+++ b/roles/keycloak_realm/README.md
@@ -12,7 +12,7 @@ Role Defaults
 |:---------|:------------|:--------|
 |`keycloak_admin_user`| Administration console user account | `admin` |
 |`keycloak_host`| hostname | `localhost` |
-|`keycloak_context`| Context path for rest calls | `/auth` |
+|`keycloak_context`| Context path for rest calls (set to `/auth` for legacy WildFly-based Keycloak) | `` |
 |`keycloak_http_port`| HTTP port | `8080` |
 |`keycloak_https_port`| TLS HTTP port | `8443` |
 |`keycloak_auth_realm`| Name of the main authentication realm | `master` |
diff --git a/roles/keycloak_realm/defaults/main.yml b/roles/keycloak_realm/defaults/main.yml
index a294cbe..4514867 100644
--- a/roles/keycloak_realm/defaults/main.yml
+++ b/roles/keycloak_realm/defaults/main.yml
@@ -9,7 +9,7 @@ keycloak_management_http_port: 9990
 keycloak_admin_user: admin
 keycloak_auth_realm: master
 keycloak_auth_client: admin-cli
-keycloak_context: /auth
+keycloak_context: ''
 
 # administrator console password, this is a required variable
 keycloak_admin_password: ''
diff --git a/roles/keycloak_realm/meta/argument_specs.yml b/roles/keycloak_realm/meta/argument_specs.yml
index 7c24a7c..4ceb8e6 100644
--- a/roles/keycloak_realm/meta/argument_specs.yml
+++ b/roles/keycloak_realm/meta/argument_specs.yml
@@ -8,8 +8,8 @@ argument_specs:
                 type: "str"
             keycloak_context:
                 # line 5 of keycloak_realm/defaults/main.yml
-                default: "/auth"
-                description: "Context path for rest calls"
+                default: ""
+                description: "Context path for rest calls (was /auth for legacy WildFly-based Keycloak, empty for Quarkus-based Keycloak/RHBK)"
                 type: "str"
             keycloak_http_port:
                 # line 4 of keycloak_realm/defaults/main.yml