Fix Keycloak urls in example to work with recent versions of Keycloak (
…#250)

Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
mstruk authored Nov 20, 2024
1 parent 7ca4e8f commit a43db9b
Showing 23 changed files with 75 additions and 87 deletions.
36 changes: 18 additions & 18 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -295,8 +295,8 @@ If your authorization server generates JWT tokens, and exposes the JWKS Endpoint
since it does not require contacting the authorization server whenever a new Kafka client connects to the Kafka Broker.

Specify the following `oauth.*` properties:
- `oauth.jwks.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/certs")
- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/auth/realms/demo" - only access tokens issued by this issuer will be accepted)
- `oauth.jwks.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/certs")
- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/realms/demo" - only access tokens issued by this issuer will be accepted)

Some authorization servers don't provide the `iss` claim. In that case you would not set `oauth.valid.issuer.uri`, and you would explicitly turn off issuer checking by setting the following option to `false`:
- `oauth.check.issuer` (e.g. "false")
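Review bot: the updated `oauth.jwks.endpoint.uri` and `oauth.valid.issuer.uri` examples only match a Keycloak that serves realms at the root path, and the surrounding text does not say so. A reader whose Keycloak still uses the `/auth` prefix will copy a URL that fails, and a wrong `oauth.valid.issuer.uri` rejects every token, since only tokens issued by that exact issuer are accepted. Suggest adding a sentence next to these bullets saying that the path prefix depends on the Keycloak version and configuration, and that the issuer value should be copied from the `iss` claim of a real token.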
Expand Down Expand Up @@ -373,8 +373,8 @@ When your authorization server is configured to use opaque tokens (not JWT) or i
This will result in Kafka Broker making a request to authorization server every time a new Kafka client connection is established.

Specify the following `oauth.*` properties:
- `oauth.introspection.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token/introspect")
- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/auth/realms/demo" - only access tokens issued by this issuer will be accepted)
- `oauth.introspection.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token/introspect")
- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/realms/demo" - only access tokens issued by this issuer will be accepted)
- `oauth.client.id` (e.g.: "kafka" - this is the OAuth2 client configuration id for the Kafka broker)
- `oauth.client.secret` (e.g.: "kafka-secret")

Expand Down Expand Up @@ -427,7 +427,7 @@ Otherwise, if the response contains `"client_id": "my-producer"` then the princi
Sometimes the Introspection Endpoint does not provide any useful identifying information that we can use for the user id.
In that case you can configure User Info Endpoint:

- `oauth.userinfo.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/userinfo")
- `oauth.userinfo.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/userinfo")

If the user id could not be extracted from Introspection Endpoint response, then the same rules (`oauth.username.claim`, `oauth.fallback.username.claim`, `oauth.fallback.username.prefix`) will be used to try extract the user id from User Info Endpoint response.

Expand Down Expand Up @@ -529,7 +529,7 @@ When configuring the listener for `SASL/PLAIN` using `org.apache.kafka.common.se

There is an additional `oauth.*` option you can specify (it's optional):

- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token")
- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token")

If this option is not specified the listener treats the `username` parameter of the SASL/PLAIN authentication as the account name, and the `password` parameter as the raw access token which is passed to the validation as if SASL/OAUTHBEARER was used.

Expand Down Expand Up @@ -558,7 +558,7 @@ All the Kafka brokers in the cluster should be configured with the same client I
When you configure your listener to support OAuth, you can configure it to support OAUTHBEARER, but you can also configure it to support the OAuth over PLAIN as explained previously. PLAIN does not make much sense on the broker for inter-broker communication since OAUTHBEARER is supported. Therefore, it is best to only use OAUTHBEARER mechanism for inter-broker communication.

Specify the following `oauth.*` properties in `sasl.jaas.config` configuration:
- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token")
- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token")
- `oauth.client.id` (e.g.: "kafka" - this is the client configuration id for Kafka Broker)
- `oauth.client.secret` (e.g.: "kafka-secret")
- `oauth.username.claim` (e.g.: "preferred_username")
Expand All @@ -583,9 +583,9 @@ inter.broker.listener.name=REPLICATION
listener.name.replication.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="kafka" \
oauth.client.secret="kafka-secret" \
oauth.token.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/token" \
oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
oauth.token.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/token" \
oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
oauth.username.claim="preferred_username" ;
# Server-side-authentication handler
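Review bot: the three rewritten URIs in the REPLICATION listener's `sasl.jaas.config` still use `http://sso:8080`, right next to `oauth.client.secret="kafka-secret"`, while the property descriptions earlier in this README use `https://localhost:8443`. With a plain-HTTP token endpoint the broker's client secret and the returned access tokens cross the network unencrypted, and a plain-HTTP `oauth.jwks.endpoint.uri` means the keys used to validate token signatures are fetched over an unauthenticated channel. Since these lines are being edited anyway, suggest switching the sample to an `https://` URL or adding a comment that plain HTTP is for the local demo only.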
Expand All @@ -598,8 +598,8 @@ listener.name.replication.oauthbearer.sasl.login.callback.handler.class=io.strim
# The EXTERNAL listener only needs server-side-authentication support because we don't use it for inter-broker communication:
listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
oauth.username.claim="preferred_username" \
unsecuredLoginStringClaim_sub="unused" ;
Expand All @@ -611,9 +611,9 @@ listener.name.external.oauthbearer.sasl.server.callback.handler.class=io.strimzi
# On EXTERNAL listener we may also want to support OAuth over PLAIN
listener.name.external.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
oauth.token.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/token" \
oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
oauth.token.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/token" \
oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
oauth.username.claim="preferred_username" \
unsecuredLoginStringClaim_sub="unused" ;
Expand Down Expand Up @@ -707,7 +707,7 @@ You also need a properly configured OAuth authentication support, as described i
All the configuration properties for KeycloakAuthorizer begin with a `strimzi.authorization.` prefix.

The token endpoint used by KeycloakAuthorizer has to be the same as the one used for OAuth authentication:
- `strimzi.authorization.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token" - the endpoint used to exchange the access token for a list of grants)
- `strimzi.authorization.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token" - the endpoint used to exchange the access token for a list of grants)
- `strimzi.authorization.client.id` (e.g.: "kafka" - the client representing a Kafka Broker which has Authorization Services enabled)

The authorizer will regularly reload the list of grants for active sessions. By default, it will do this once every minute.
Expand Down Expand Up @@ -1104,7 +1104,7 @@ sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="team-a-client" \
oauth.client.secret="team-a-client-secret" \
oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
```

Expand All @@ -1122,7 +1122,7 @@ And pass additional configuration as ENV vars:
```
export OAUTH_CLIENT_ID="team-a-client"
export OAUTH_CLIENT_SECRET="team-a-client-secret"
export OAUTH_TOKEN_ENDPOINT_URI="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token"
export OAUTH_TOKEN_ENDPOINT_URI="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token"
```

Note that if you have JAAS config parameters with the same names (lowercase with dots) they would not take effect - ENV vars will override them.
Expand Down
10 changes: 5 additions & 5 deletions examples/README-authz.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ When everything starts up without errors we should have one instance of `keycloa

## Using Keycloak Admin Console to Configure Authorization

You can login to the Admin Console by opening `http://localhost:8080/auth/admin` and using `admin` as both username, and a password.
You can login to the Admin Console by opening `http://localhost:8080/admin` and using `admin` as both username, and a password.

For this example we are interested in the `kafka-authz` realm. Selecting the realm in the upper left drop-down list will open the realm.

Expand Down Expand Up @@ -159,7 +159,7 @@ sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="team-a-client" \
oauth.client.secret="team-a-client-secret" \
oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
EOF
```
Expand Down Expand Up @@ -258,7 +258,7 @@ sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.client.id="team-b-client" \
oauth.client.secret="team-b-client-secret" \
oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
EOF
```
Expand Down Expand Up @@ -318,7 +318,7 @@ Let's create a configuration for user `bob` who has full ability to manage every
First, `bob` will authenticate to Keycloak server with his username and password and get a refresh token.

```
export TOKEN_ENDPOINT=http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
export TOKEN_ENDPOINT=http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
REFRESH_TOKEN=$(./oauth.sh -q bob)
```

Expand All @@ -339,7 +339,7 @@ sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
oauth.refresh.token="$REFRESH_TOKEN" \
oauth.client.id="kafka-cli" \
oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
EOF
```
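Review bot: `oauth.token.endpoint.uri` in this block repeats the literal URL that the previous step exports as `TOKEN_ENDPOINT`, which is why the same path had to be edited in two places. The block already relies on `$REFRESH_TOKEN` being expanded, so `oauth.token.endpoint.uri="$TOKEN_ENDPOINT" ;` would keep the two in sync. Separately, `oauth.refresh.token` ends up in the generated configuration file in clear text; a sentence telling the reader to restrict that file's permissions would help.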
Expand Down
6 changes: 3 additions & 3 deletions examples/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ When you authenticate as client application itself (`kafka-producer-client`), yo
"exp":1567409778,
"nbf":0,
"iat":1567373778,
"iss":"http://192.168.64.103:8080/auth/realms/demo",
"iss":"http://192.168.64.103:8080/realms/demo",
"sub":"f996fea8-0958-4e3a-8eee-3e61949e627b",
"typ":"Bearer",
"azp":"kafka-producer-client",
Expand All @@ -93,7 +93,7 @@ When authenticating as user `alice`, some roles will be added to the token, whic
"exp":1567410424,
"nbf":0,
"iat":1567374424,
"iss":"http://192.168.64.103:8080/auth/realms/demo",
"iss":"http://192.168.64.103:8080/realms/demo",
"aud":"kafka-broker",
"sub":"062eb69a-8e18-4937-9b23-d6c158d43829",
"typ":"Bearer",
Expand Down Expand Up @@ -124,7 +124,7 @@ When you authenticate as `kafka-consumer-client` you get access token that looks
"exp":1599516353,
"nbf":0,
"iat":1567375553,
"iss":"http://192.168.64.103:8080/auth/realms/demo",
"iss":"http://192.168.64.103:8080/realms/demo",
"aud":"kafka-broker",
"sub":"89307c94-655f-424f-b709-f873fec63dcc",
"typ":"Bearer",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ public static void main(String[] args) {

final String keycloakHost = external.getValue("keycloak.host", "keycloak");
final String realm = external.getValue("realm", "demo");
final String tokenEndpointUri = "http://" + keycloakHost + ":8080/auth/realms/" + realm + "/protocol/openid-connect/token";
final String tokenEndpointUri = "http://" + keycloakHost + ":8080/realms/" + realm + "/protocol/openid-connect/token";

// You can also configure token endpoint uri directly via 'oauth.token.endpoint.uri' system property,
// or OAUTH_TOKEN_ENDPOINT_URI env variable
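Review bot: `tokenEndpointUri` takes `keycloak.host` and `realm` from `external.getValue(...)` but hard-codes the path prefix, so running this example against a Keycloak that still serves `/auth/realms/` means overriding the whole URI. The comment below already names `oauth.token.endpoint.uri` and `OAUTH_TOKEN_ENDPOINT_URI` for that; it would be enough to extend it to say when the override is needed, or alternatively to read the prefix from configuration with an empty default. The `http://` scheme and port `8080` are hard-coded in the same expression and deserve the same treatment.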
Expand Down
8 changes: 4 additions & 4 deletions examples/docker/kafka-oauth-strimzi/compose-authz-kraft.yml
Original file line number Diff line number Diff line change
Expand Up @@ -64,12 +64,12 @@ services:
# Authentication config
OAUTH_CLIENT_ID: "kafka"
OAUTH_CLIENT_SECRET: "kafka-secret"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"

# Validation config
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token/introspect"
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token/introspect"

# username extraction from JWT token claim
OAUTH_USERNAME_CLAIM: preferred_username
Expand Down
8 changes: 4 additions & 4 deletions examples/docker/kafka-oauth-strimzi/compose-authz.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,12 +67,12 @@ services:
# Authentication config
OAUTH_CLIENT_ID: "kafka"
OAUTH_CLIENT_SECRET: "kafka-secret"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"

# Validation config
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"

# username extraction from JWT token claim
OAUTH_USERNAME_CLAIM: preferred_username
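Review bot: in the commented-out `OAUTH_INTROSPECTION_ENDPOINT_URI` line the realm default is `${REALM:-demo}`, while the token endpoint, issuer and JWKS lines in the same block default to `${REALM:-kafka-authz}`. Anyone who uncomments it without setting `REALM` would introspect tokens against a different realm than the one that issued them. Suggest changing the default to `${REALM:-kafka-authz}`, as `compose-authz-kraft.yml` already has it; `compose-plain.yml` carries the same mismatch.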
Expand Down
2 changes: 1 addition & 1 deletion examples/docker/kafka-oauth-strimzi/compose-kraft.yml
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ services:
# Validation config
OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"


# username extraction from JWT token claim
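Review bot: the updated commented-out `OAUTH_INTROSPECTION_ENDPOINT_URI` points at `http://...:8080`, as does the unchanged `OAUTH_JWKS_ENDPOINT_URI` above it, although `OAUTH_VALID_ISSUER_URI` in the same block is `https://...:8443`. If the introspection line is enabled as written, the introspection request, which the README configures together with `oauth.client.id` and `oauth.client.secret`, goes over plain HTTP. Suggest aligning both endpoints on `https://...:8443` as `compose-ssl.yml` does, or adding a comment explaining why the schemes differ; `compose.yml` has the same mix.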
Expand Down
8 changes: 4 additions & 4 deletions examples/docker/kafka-oauth-strimzi/compose-plain.yml
Original file line number Diff line number Diff line change
Expand Up @@ -70,12 +70,12 @@ services:
# Authentication config
OAUTH_CLIENT_ID: "kafka"
OAUTH_CLIENT_SECRET: "kafka-secret"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"

# Validation config
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"

# username extraction from JWT token claim
OAUTH_USERNAME_CLAIM: preferred_username
Expand Down
2 changes: 1 addition & 1 deletion examples/docker/kafka-oauth-strimzi/compose-ssl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ services:
# Validation config
OAUTH_JWKS_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}/protocol/openid-connect/certs"
OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"


# username extraction from JWT token claim
Expand Down
2 changes: 1 addition & 1 deletion examples/docker/kafka-oauth-strimzi/compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ services:
# Validation config
OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/certs"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"


# username extraction from JWT token claim
Expand Down
6 changes: 3 additions & 3 deletions examples/kubernetes/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ e.g. `default` you can fix the script on the fly:

KEYCLOAK_HOST=$(minishift ip)
KEYCLOAK_PORT=$(kubectl get svc | grep keycloak | awk -F '8080:' '{print $2}' | awk -F '/' '{print $1}')
echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/auth/admin
echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/admin

You can then open the printed URL and login with admin:admin.

Expand All @@ -101,7 +101,7 @@ You can connect directly to Kubernetes Node IP using a NodePort port:

KEYCLOAK_HOST=$(minikube ip)
KEYCLOAK_PORT=$(kubectl get svc | grep keycloak | awk -F '8080:' '{print $2}' | awk -F '/' '{print $1}')
echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/auth/admin
echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/admin

You can then open the printed URL and login with admin:admin.

Expand All @@ -112,7 +112,7 @@ In order to connect to Keycloak Admin Console you have to create a TCP tunnel:

kubectl port-forward svc/keycloak 8080:8080

You can then open: http://localhost:8080/auth/admin and login with admin:admin.
You can then open: http://localhost:8080/admin and login with admin:admin.


### Importing example realms
Expand Down