
Fix Azure DevOps Keycloak PKCE config#676

Merged
ak684 merged 6 commits into main from alona/fix-azure-keycloak-pkce on May 29, 2026

Conversation

Contributor

@ak684 ak684 commented May 28, 2026

Summary

  • add pkceMethod: S256 to the Azure DevOps Keycloak identity provider config
  • make keycloak_api_call fail on Keycloak Admin API errorMessage responses, not only error
  • bump the OpenHands chart to 0.7.36

Root Cause

The Azure DevOps IdP was added with pkceEnabled: "true" but no pkceMethod. Keycloak rejects that with PKCE Method not supported: null.

On fresh installs, the full realm import fails loudly. On upgrades, the per-resource identity provider create call returns an errorMessage response, but the script only checked .error, so it logged a false-positive create and then skipped Azure mappers after a 404.

Validation

  • jq empty charts/openhands/files/allhands-realm-github-provider.json.tmpl
  • verified no IdP has pkceEnabled == "true" without pkceMethod
  • verified the updated jq error guard extracts object and array errorMessage values
  • helm template openhands charts/openhands --set enabled=true --set keycloak.enabled=true
  • helm lint charts/openhands
  • make manifests
  • make charts
  • make lint passed after one retry; first attempt failed on a transient Docker Hub OCI connection reset

Live replicated-02 validation:

  • before patch: rendered realm template had no Azure pkceMethod; Keycloak returned 404 for azure_devops; init log showed false-positive Created identity provider: azure_devops followed by mapper 404
  • after patching the live ConfigMaps and restarting the OpenHands pod: keycloak-config exited 0, created azure_devops, created both Azure mappers, and Keycloak returned pkceMethod: S256 for the Azure IdP

Note: the replicated-02 live ConfigMap patch was only for validation; the durable fix is this chart change.
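The two checks described in the Root Cause and Validation sections above, as an added Python example that is not part of this PR or the OpenHands chart: the PKCE invariant (no identity provider with pkceEnabled "true" and no pkceMethod) over a constructed realm fragment, and a Keycloak Admin API error guard that honours both error and errorMessage, including object and array values. The function names and the sample realm are assumptions.

```python
import json
from typing import Any, List, Optional

# Constructed realm-export fragment shaped like a Keycloak realm JSON (not the
# project's real allhands-realm template). pkceEnabled is a string in Keycloak's
# IdP config, and azure_devops here reproduces the bug: no pkceMethod.
BROKEN_REALM = {
    "identityProviders": [
        {"alias": "github", "providerId": "github", "config": {"clientId": "x"}},
        {"alias": "azure_devops", "providerId": "oidc",
         "config": {"clientId": "y", "pkceEnabled": "true"}},
    ]
}


def idps_missing_pkce_method(realm: dict) -> List[str]:
    """Aliases of identity providers that enable PKCE without a pkceMethod.

    Keycloak rejects such a provider with 'PKCE Method not supported: null',
    so this is the invariant a realm template must satisfy before import.
    """
    bad = []
    for idp in realm.get("identityProviders", []):
        cfg = idp.get("config", {})
        enabled = str(cfg.get("pkceEnabled", "false")).lower() == "true"
        if enabled and not cfg.get("pkceMethod"):
            bad.append(idp["alias"])
    return bad


def keycloak_error(body: str) -> Optional[str]:
    """Extract an error from a Keycloak Admin API response body.

    The Admin API reports failures under `error` OR `errorMessage`, and the
    value may be a string, an object or an array. Checking only `.error`
    lets an `errorMessage` failure pass as success (the false-positive
    "Created identity provider" described above). Returns the error as a
    string, or None when the body carries no error.
    """
    try:
        data: Any = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    for key in ("error", "errorMessage"):
        value = data.get(key)
        if value in (None, "", [], {}):
            continue
        return value if isinstance(value, str) else json.dumps(value, sort_keys=True)
    return None
```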

@ak684 ak684 marked this pull request as ready for review May 28, 2026 17:48
@ak684 ak684 requested a review from all-hands-bot May 29, 2026 16:21
Contributor

all-hands-bot commented May 29, 2026

Review complete.

This review was performed through OpenHands Cloud Automation. You can log in and view the conversation here.


@all-hands-bot all-hands-bot left a comment


Code Review: Fix Azure DevOps Keycloak PKCE config

Clean, well-scoped fix. The root cause analysis in the PR description is clear, and all three changes (realm template, error-guard script, and version bump) are minimal and correct. The new test suite adds solid regression coverage for both the PKCE invariant and the error-message detection logic.

Two minor inline observations below (neither is a blocker).

This review was generated by an AI agent (OpenHands) on behalf of the user through OpenHands Automation. View conversation

Comment thread charts/openhands/templates/keycloak-config-script.yaml
Comment thread scripts/test_keycloak_realm_template.py Outdated
@ak684 ak684 merged commit b4a2456 into main May 29, 2026
25 checks passed
@ak684 ak684 deleted the alona/fix-azure-keycloak-pkce branch May 29, 2026 17:03