The documentation for setting up an OpenIDC identity provider / authentication method for Harbor Registry can be found in the harbor docs.
Harbor has supported OIDC since version 1.8.
You can change the authentication mode from database to OIDC only if no local users have been added to the database. If there is at least one user other than admin in the Harbor database, you cannot change the authentication mode.
So if you have existing local users, you will need to remove them – unfortunately doing this from the admin frontend does not actually delete them. you have to enter the postgres db and delete associated projects and then the users.
Information for setting up the client on keycloak side can be found on the red hat docs page
Having said all that…
As Admin, go to
Administration -> Configuration -> Authentication
Select Auth mode as
Click Test Configuration
For keycloak you can get your realm’s OIDC details by going to:
But for the OIDC configuration you remove everthing up to
/.well-known... including the back slash.
So the OIDC endpoint should be:
Deleting Existing Harbor Users
If you are using harbor on kubernetes – you can enter the postgres pod and execute in the shell:
docker exec -it harbor-db bash psql -U postgres \c registry select * from harbor_user delete from harbor_user where user_id > 2
- Keycloak OIDC Endpoint github issue, thanks to Daniel Jiang for the fix.