IAM Keycloak

Integrating Keycloak and Harbor Registry with OpenID Connect

The documentation for setting up an OpenIDC identity provider / authentication method for Harbor Registry can be found in the harbor docs.

Harbor has supported OIDC since version 1.8.


You can change the authentication mode from database to OIDC only if no local users have been added to the database. If there is at least one user other than admin in the Harbor database, you cannot change the authentication mode.

So if you have existing local users, you will need to remove them – unfortunately doing this from the admin frontend does not actually delete them. you have to enter the postgres db and delete associated projects and then the users.

Information for setting up the client on keycloak side can be found on the red hat docs page

Getting Started

Having said all that…

  1. As Admin, go to Administration -> Configuration -> Authentication

  2. Select Auth mode as OIDC

  3. Fill in the required information as per the below screenshot:

  4. Click Test Configuration

OIDC Endpoint

For keycloak you can get your realm’s OIDC details by going to:


But for the OIDC configuration you remove everthing up to /.well-known... including the back slash.
So the OIDC endpoint should be:


Deleting Existing Harbor Users

If you are using harbor on kubernetes – you can enter the postgres pod and execute in the shell:

docker exec -it harbor-db bash
psql -U postgres
\c registry
select * from harbor_user
delete from harbor_user where user_id > 2