Authorization and user management

Eclipse Che uses Keycloak to create, import, manage, delete, and authenticate users. Keycloak uses built-in authentication mechanisms and user storage. It can use third-party identity management systems to create and authenticate users. Eclipse Che requires a Keycloak token when you request access to Che resources.

Local users and imported federation users must have an email address in their profile.

The default Keycloak credentials are admin:admin. You can use the admin:admin credentials when logging into Eclipse Che for the first time. It has system privileges.


To find your Keycloak URL:

If Che is running on Kubernetes:

  • Go to $CHE_HOST:5050/auth.

If Che is deployed on OpenShift:

  • Go to the OpenShift web console and navigate to the Keycloak namespace.

Configuring Che to work with Keycloak

The deployment script configures Keycloak. It creates a che-public client with the following fields:

  • Valid Redirect URIs: Use this URL to access Che.

  • Web Origins

The following are common errors when configuring Che to work with Keycloak:

Invalid redirectURI error: occurs when you access Che at myhost, which is an alias, and your original CHE_HOST is If this error occurs, go to the Keycloak administration console and ensure that the valid redirect URIs are configured.

CORS error: occurs when you have an invalid web origin

Configuring Keycloak tokens

A user token expires after 30 minutes by default.

You can change the following Keycloak token settings:

keycloak realm

Setting up user federation

Keycloak federates external user databases and supports LDAP and Active Directory. You can test the connection and authenticate users before choosing a storage provider.

See the User storage federation page in Keycloak documentation to learn how to add a provider.

See the LDAP and Active Directory page in Keycloak documentation to specify multiple LDAP servers.

Enabling authentication with social accounts and brokering

Keycloak provides built-in support for GitHub, OpenShift, and most common social networks such as Facebook and Twitter. See Instructions to enable Login with GitHub.

You can also enable the SSH key and upload it to the Che users’ GitHub accounts.

To enable this feature when you register a GitHub identity provider:

  1. Set scope to repo,user,write:public_key.

  2. Set store tokens and stored tokens readable to ON.

    kc provider
  3. Add a default read-token role.

    kc roles

This is the default delegated OAuth service mode for multi-user Che. You can configure the OAuth service mode with the property che.oauth.service_mode.

Using protocol-based providers

Keycloak supports SAML v2.0 and OpenID Connect v1.0 protocols. You can connect your identity provider systems if they support these protocols.

Managing users using Keycloak

You can add, delete, and edit users in the user interface. See: Keycloak User Management for more information.

Configuring SMTP and email notifications

Eclipse Che does not provide any pre-configured MTP servers.

To enable SMTP servers in Keycloak:

  1. Go to che realm settings > Email.

  2. Specify the host, port, username, and password.

Eclipse Che uses the default theme for email templates for registration, email confirmation, password recovery, and failed login.

Tags: ldap keycloak