eclipse-che · tolusha · Apr 15, 2026 · Apr 2, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -21,14 +21,11 @@ Install {prod-short} on an OpenShift cluster that uses {keycloak} as an external
 +
 [source,shell,subs="+quotes,+attributes"]
 ----
-# The {keycloak} namespace:
-KEYCLOAK_NAMESPACE=__<KEYCLOAK_NAMESPACE>__
-
 # The {keycloak} realm used for OpenShift authentication:
-OPENSHIFT_REALM=<REALM>
+OPENSHIFT_REALM=__<REALM>__
 
-# The {keycloak} URL
-KEYCLOAK_URL=https://$({orch-cli} get route keycloak -n $KEYCLOAK_NAMESPACE --template='{{ .spec.host }}')
+# The {keycloak} URL:
+KEYCLOAK_URL=__<KEYCLOAK_URL>__
 ----
 
 . Create a `{prod-id}` client in the {keycloak} Admin Console:
@@ -71,7 +68,7 @@ If you have multiple OIDC providers configured, adjust the array index in the pa
 (currently 0) to match your {keycloak} provider's position in the configuration.
 ====
 
-. Wait for the `kube-apiserver` cluster operator to roll out the configuration changes:
+. Wait for the `kube-apiserver` cluster Operator to roll out the configuration changes:
 +
 [source,shell,subs="+quotes,+attributes"]
 ----
@@ -159,7 +156,7 @@ EOF
 <1> The claim to use for extracting user groups.
 <2> The prefix to add to group names. Empty string means no prefix.
 <3> The claim to use for extracting the username.
-<4> The prefix to add to usernames from the external authentication system.
+<4> The prefix to add to usernames. Empty string means no prefix.
 +
 [NOTE]
 ====
@@ -180,42 +177,21 @@ These values must match the corresponding claim and prefix settings configured i
   --che-operator-cr-patch-yaml che-patch.yaml
 ----
 
-. Update a `{prod-id}` client to set {prod-short} callback URL:
+. Update the `{prod-id}` client to set the {prod-short} redirect URI and web origin:
 +
---
-.. Open the {keycloak} Admin Console.
-.. Within the realm used for OpenShift authentication, click the `{prod-id}` client.
-... In the *Valid redirect URIs* field, enter the redirect URI for your {prod-short} installation. To obtain the redirect URI, run the following command:
+Obtain the {prod} URL with the following command:
 +
 [source,shell,subs="+quotes,+attributes"]
 ----
-echo "$({orch-cli} get checluster {prod-checluster} -n {prod-namespace} -o jsonpath='{.status.cheURL}')/oauth/callback"
+echo "$({orch-cli} get checluster {prod-checluster} -n {prod-namespace} -o jsonpath='{.status.cheURL}')"
 ----
++
+--
+... In the *Valid redirect URIs* field, entry the URL above with `/oauth/callback` appended
+... In the *Web origins* field, entry the URL above.
 ... Click *Save*.
 --
 
-. Create a `ClusterRoleBinding` to grant users access to {prod-short}:
-+
-[source,shell,subs="+quotes,+attributes"]
-----
-{orch-cli} apply -f - <<EOF
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: openshift-developers
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: self-provisioner <1>
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: __<GROUP_NAME>__ <2>
-EOF
-----
-<1> Users must have at least the `self-provisioner` role to access {prod-short}.
-<2> The name of the user group from {keycloak} that should be granted access to {prod-short}.
-
 .Verification
 
 . Verify the {prod-short} instance status: