diff --git a/README.md b/README.md
index 89bde75b..e43c2a31 100644
--- a/README.md
+++ b/README.md
@@ -295,8 +295,8 @@ If your authorization server generates JWT tokens, and exposes the JWKS Endpoint
 since it does not require contacting the authorization server whenever a new Kafka client connects to the Kafka Broker. Specify the following `oauth.*` properties:
-- `oauth.jwks.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/certs")
-- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/auth/realms/demo" - only access tokens issued by this issuer will be accepted)
+- `oauth.jwks.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/certs")
+- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/realms/demo" - only access tokens issued by this issuer will be accepted)
 Some authorization servers don't provide the `iss` claim. In that case you would not set `oauth.valid.issuer.uri`, and you would explicitly turn off issuer checking by setting the following option to `false`:
 - `oauth.check.issuer` (e.g. "false")
@@ -373,8 +373,8 @@ When your authorization server is configured to use opaque tokens (not JWT) or i
 This will result in Kafka Broker making a request to authorization server every time a new Kafka client connection is established. Specify the following `oauth.*` properties:
-- `oauth.introspection.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token/introspect")
-- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/auth/realms/demo" - only access tokens issued by this issuer will be accepted)
+- `oauth.introspection.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token/introspect")
+- `oauth.valid.issuer.uri` (e.g.: "https://localhost:8443/realms/demo" - only access tokens issued by this issuer will be accepted)
 - `oauth.client.id` (e.g.: "kafka" - this is the OAuth2 client configuration id for the Kafka broker)
 - `oauth.client.secret` (e.g.: "kafka-secret")
@@ -427,7 +427,7 @@ Otherwise, if the response contains `"client_id": "my-producer"` then the princi
 Sometimes the Introspection Endpoint does not provide any useful identifying information that we can use for the user id. In that case you can configure User Info Endpoint:
-- `oauth.userinfo.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/userinfo")
+- `oauth.userinfo.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/userinfo")
 If the user id could not be extracted from Introspection Endpoint response, then the same rules (`oauth.username.claim`, `oauth.fallback.username.claim`, `oauth.fallback.username.prefix`) will be used to try extract the user id from User Info Endpoint response.
@@ -529,7 +529,7 @@ When configuring the listener for `SASL/PLAIN` using `org.apache.kafka.common.se
 There is an additional `oauth.*` option you can specify (it's optional):
-- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token")
+- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token")
 If this option is not specified the listener treats the `username` parameter of the SASL/PLAIN authentication as the account name, and the `password` parameter as the raw access token which is passed to the validation as if SASL/OAUTHBEARER was used.
@@ -558,7 +558,7 @@ All the Kafka brokers in the cluster should be configured with the same client I
 When you configure your listener to support OAuth, you can configure it to support OAUTHBEARER, but you can also configure it to support the OAuth over PLAIN as explained previously. PLAIN does not make much sense on the broker for inter-broker communication since OAUTHBEARER is supported. Therefore, it is best to only use OAUTHBEARER mechanism for inter-broker communication. Specify the following `oauth.*` properties in `sasl.jaas.config` configuration:
-- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token")
+- `oauth.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token")
 - `oauth.client.id` (e.g.: "kafka" - this is the client configuration id for Kafka Broker)
 - `oauth.client.secret` (e.g.: "kafka-secret")
 - `oauth.username.claim` (e.g.: "preferred_username")
@@ -583,9 +583,9 @@ inter.broker.listener.name=REPLICATION
 listener.name.replication.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.client.id="kafka" \
 oauth.client.secret="kafka-secret" \
-oauth.token.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/token" \
-oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
-oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
+oauth.token.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/token" \
+oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
+oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
 oauth.username.claim="preferred_username" ;
 # Server-side-authentication handler
@@ -598,8 +598,8 @@ listener.name.replication.oauthbearer.sasl.login.callback.handler.class=io.strim
 # The EXTERNAL listener only needs server-side-authentication support because we don't use it for inter-broker communication:
 listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
-oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
-oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
+oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
+oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
 oauth.username.claim="preferred_username" \
 unsecuredLoginStringClaim_sub="unused" ;
@@ -611,9 +611,9 @@ listener.name.external.oauthbearer.sasl.server.callback.handler.class=io.strimzi
 # On EXTERNAL listener we may also want to support OAuth over PLAIN
 listener.name.external.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
-oauth.token.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/token" \
-oauth.valid.issuer.uri="http://sso:8080/auth/realms/demo" \
-oauth.jwks.endpoint.uri="http://sso:8080/auth/realms/demo/protocol/openid-connect/certs" \
+oauth.token.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/token" \
+oauth.valid.issuer.uri="http://sso:8080/realms/demo" \
+oauth.jwks.endpoint.uri="http://sso:8080/realms/demo/protocol/openid-connect/certs" \
 oauth.username.claim="preferred_username" \
 unsecuredLoginStringClaim_sub="unused" ;
@@ -707,7 +707,7 @@ You also need a properly configured OAuth authentication support, as described i
 All the configuration properties for KeycloakAuthorizer begin with a `strimzi.authorization.` prefix. The token endpoint used by KeycloakAuthorizer has to be the same as the one used for OAuth authentication:
-- `strimzi.authorization.token.endpoint.uri` (e.g.: "https://localhost:8443/auth/realms/demo/protocol/openid-connect/token" - the endpoint used to exchange the access token for a list of grants)
+- `strimzi.authorization.token.endpoint.uri` (e.g.: "https://localhost:8443/realms/demo/protocol/openid-connect/token" - the endpoint used to exchange the access token for a list of grants)
 - `strimzi.authorization.client.id` (e.g.: "kafka" - the client representing a Kafka Broker which has Authorization Services enabled) The authorizer will regularly reload the list of grants for active sessions. By default, it will do this once every minute.
@@ -1104,7 +1104,7 @@ sasl.mechanism=OAUTHBEARER
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.client.id="team-a-client" \
 oauth.client.secret="team-a-client-secret" \
- oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
+ oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
 sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
 ```
@@ -1122,7 +1122,7 @@ And pass additional configuration as ENV vars:
 ```
 export OAUTH_CLIENT_ID="team-a-client"
 export OAUTH_CLIENT_SECRET="team-a-client-secret"
-export OAUTH_TOKEN_ENDPOINT_URI="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token"
+export OAUTH_TOKEN_ENDPOINT_URI="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token"
 ```
 Note that if you have JAAS config parameters with the same names (lowercase with dots) they would not take effect - ENV vars will override them.
diff --git a/examples/README-authz.md b/examples/README-authz.md
index 4d65d9f6..8cb38d55 100644
--- a/examples/README-authz.md
+++ b/examples/README-authz.md
@@ -40,7 +40,7 @@ When everything starts up without errors we should have one instance of `keycloa
 ## Using Keycloak Admin Console to Configure Authorization
-You can login to the Admin Console by opening `http://localhost:8080/auth/admin` and using `admin` as both username, and a password.
+You can login to the Admin Console by opening `http://localhost:8080/admin` and using `admin` as both username, and a password.
 For this example we are interested in the `kafka-authz` realm. Selecting the realm in the upper left drop-down list will open the realm.
@@ -159,7 +159,7 @@ sasl.mechanism=OAUTHBEARER
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.client.id="team-a-client" \
 oauth.client.secret="team-a-client-secret" \
- oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
+ oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
 sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
 EOF
 ```
@@ -258,7 +258,7 @@ sasl.mechanism=OAUTHBEARER
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.client.id="team-b-client" \
 oauth.client.secret="team-b-client-secret" \
- oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
+ oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
 sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
 EOF
 ```
@@ -318,7 +318,7 @@ Let's create a configuration for user `bob` who has full ability to manage every
 First, `bob` will authenticate to Keycloak server with his username and password and get a refresh token.
 ```
-export TOKEN_ENDPOINT=http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
+export TOKEN_ENDPOINT=http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
 REFRESH_TOKEN=$(./oauth.sh -q bob)
 ```
@@ -339,7 +339,7 @@ sasl.mechanism=OAUTHBEARER
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.refresh.token="$REFRESH_TOKEN" \
 oauth.client.id="kafka-cli" \
- oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
+ oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
 sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
 EOF
 ```
diff --git a/examples/README.md b/examples/README.md
index 1a8d3342..e6b01d92 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -66,7 +66,7 @@ When you authenticate as client application itself (`kafka-producer-client`), yo
 "exp":1567409778,
 "nbf":0,
 "iat":1567373778,
- "iss":"http://192.168.64.103:8080/auth/realms/demo",
+ "iss":"http://192.168.64.103:8080/realms/demo",
 "sub":"f996fea8-0958-4e3a-8eee-3e61949e627b",
 "typ":"Bearer",
 "azp":"kafka-producer-client",
@@ -93,7 +93,7 @@ When authenticating as user `alice`, some roles will be added to the token, whic
 "exp":1567410424,
 "nbf":0,
 "iat":1567374424,
- "iss":"http://192.168.64.103:8080/auth/realms/demo",
+ "iss":"http://192.168.64.103:8080/realms/demo",
 "aud":"kafka-broker",
 "sub":"062eb69a-8e18-4937-9b23-d6c158d43829",
 "typ":"Bearer",
@@ -124,7 +124,7 @@ When you authenticate as `kafka-consumer-client` you get access token that looks
 "exp":1599516353,
 "nbf":0,
 "iat":1567375553,
- "iss":"http://192.168.64.103:8080/auth/realms/demo",
+ "iss":"http://192.168.64.103:8080/realms/demo",
 "aud":"kafka-broker",
 "sub":"89307c94-655f-424f-b709-f873fec63dcc",
 "typ":"Bearer",
diff --git a/examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java b/examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java
index d14eab0e..8550044a 100644
--- a/examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java
+++ b/examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java
@@ -45,7 +45,7 @@ public static void main(String[] args) {
 final String keycloakHost = external.getValue("keycloak.host", "keycloak");
 final String realm = external.getValue("realm", "demo");
- final String tokenEndpointUri = "http://" + keycloakHost + ":8080/auth/realms/" + realm + "/protocol/openid-connect/token";
+ final String tokenEndpointUri = "http://" + keycloakHost + ":8080/realms/" + realm + "/protocol/openid-connect/token";
 // You can also configure token endpoint uri directly via 'oauth.token.endpoint.uri' system property,
 // or OAUTH_TOKEN_ENDPOINT_URI env variable
diff --git a/examples/docker/kafka-oauth-strimzi/compose-authz-kraft.yml b/examples/docker/kafka-oauth-strimzi/compose-authz-kraft.yml
index f2e1f2e7..4458972a 100644
--- a/examples/docker/kafka-oauth-strimzi/compose-authz-kraft.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose-authz-kraft.yml
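Review bot: The rebuilt token endpoint on the new `tokenEndpointUri` line still hard-codes the `http://` scheme and port `8080` while the host and realm are read from configuration, so whatever credentials the example presents to that endpoint travel in cleartext unless the operator overrides the URI as the comment below describes. A comment on the new line should make the demo-only nature explicit, e.g. `// Demo default: plain HTTP on 8080. Override via 'oauth.token.endpoint.uri' / OAUTH_TOKEN_ENDPOINT_URI to use a TLS endpoint in any real deployment.` The same line and the same gap appear in ExampleConcurrentProducer.configureTokenEndpoint and ExampleProducer.main later in this diff. The enclosing `main` starts and ends outside the hunk.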
@@ -64,12 +64,12 @@ services:
 # Authentication config
 OAUTH_CLIENT_ID: "kafka"
 OAUTH_CLIENT_SECRET: "kafka-secret"
- OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
+ OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
 # Validation config
- OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
- OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token/introspect"
+ OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
+ OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
 OAUTH_USERNAME_CLAIM: preferred_username
diff --git a/examples/docker/kafka-oauth-strimzi/compose-authz.yml b/examples/docker/kafka-oauth-strimzi/compose-authz.yml
index 7c96f243..91f57a4d 100644
--- a/examples/docker/kafka-oauth-strimzi/compose-authz.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose-authz.yml
@@ -67,12 +67,12 @@ services:
 # Authentication config
 OAUTH_CLIENT_ID: "kafka"
 OAUTH_CLIENT_SECRET: "kafka-secret"
- OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
+ OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
 # Validation config
- OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
- OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+ OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
+ OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
 OAUTH_USERNAME_CLAIM: preferred_username
diff --git a/examples/docker/kafka-oauth-strimzi/compose-kraft.yml b/examples/docker/kafka-oauth-strimzi/compose-kraft.yml
index f3480f59..c37d488a 100644
--- a/examples/docker/kafka-oauth-strimzi/compose-kraft.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose-kraft.yml
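Review bot: The commented-out `OAUTH_INTROSPECTION_ENDPOINT_URI` on the new side of compose-authz.yml still defaults the realm to `demo`, while `OAUTH_VALID_ISSUER_URI` and `OAUTH_JWKS_ENDPOINT_URI` two lines above now default to `kafka-authz`; anyone uncommenting it to switch this example to introspection would have the broker introspect against a different realm than the one it accepts as issuer. The commit touched the line anyway, so the default should be aligned: `#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token/introspect"`, which is what compose-authz-kraft.yml already has. The same `demo` vs `kafka-authz` mismatch is carried over in the compose-plain.yml hunk below.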
@@ -69,7 +69,7 @@ services:
 # Validation config
 OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
 OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/certs"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
diff --git a/examples/docker/kafka-oauth-strimzi/compose-plain.yml b/examples/docker/kafka-oauth-strimzi/compose-plain.yml
index 02349982..e6170719 100644
--- a/examples/docker/kafka-oauth-strimzi/compose-plain.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose-plain.yml
@@ -70,12 +70,12 @@ services:
 # Authentication config
 OAUTH_CLIENT_ID: "kafka"
 OAUTH_CLIENT_SECRET: "kafka-secret"
- OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
+ OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/token"
 # Validation config
- OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}"
- OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+ OAUTH_VALID_ISSUER_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}"
+ OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-kafka-authz}/protocol/openid-connect/certs"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
 OAUTH_USERNAME_CLAIM: preferred_username
diff --git a/examples/docker/kafka-oauth-strimzi/compose-ssl.yml b/examples/docker/kafka-oauth-strimzi/compose-ssl.yml
index b58d78e6..8d652a57 100644
--- a/examples/docker/kafka-oauth-strimzi/compose-ssl.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose-ssl.yml
@@ -56,7 +56,7 @@ services:
 # Validation config
 OAUTH_JWKS_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}/protocol/openid-connect/certs"
 OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
diff --git a/examples/docker/kafka-oauth-strimzi/compose.yml b/examples/docker/kafka-oauth-strimzi/compose.yml
index a31f10c7..bf60bacf 100644
--- a/examples/docker/kafka-oauth-strimzi/compose.yml
+++ b/examples/docker/kafka-oauth-strimzi/compose.yml
@@ -56,7 +56,7 @@ services:
 # Validation config
 OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
 OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/certs"
- #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/auth/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
+ #OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
 # username extraction from JWT token claim
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index 937b4634..5f272cab 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -90,7 +90,7 @@ e.g. `default` you can fix the script on the fly:
 KEYCLOAK_HOST=$(minishift ip)
 KEYCLOAK_PORT=$(kubectl get svc | grep keycloak | awk -F '8080:' '{print $2}' | awk -F '/' '{print $1}')
- echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/auth/admin
+ echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/admin
 You can then open the printed URL and login with admin:admin.
@@ -101,7 +101,7 @@ You can connect directly to Kubernetes Node IP using a NodePort port:
 KEYCLOAK_HOST=$(minikube ip)
 KEYCLOAK_PORT=$(kubectl get svc | grep keycloak | awk -F '8080:' '{print $2}' | awk -F '/' '{print $1}')
- echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/auth/admin
+ echo http://$KEYCLOAK_HOST:$KEYCLOAK_PORT/admin
 You can then open the printed URL and login with admin:admin.
@@ -112,7 +112,7 @@ In order to connect to Keycloak Admin Console you have to create a TCP tunnel:
 kubectl port-forward svc/keycloak 8080:8080
-You can then open: http://localhost:8080/auth/admin and login with admin:admin.
+You can then open: http://localhost:8080/admin and login with admin:admin.
 ### Importing example realms
diff --git a/examples/kubernetes/kafka-oauth-authz-metrics-client.yaml b/examples/kubernetes/kafka-oauth-authz-metrics-client.yaml
index ad44ed9d..7ffb0cae 100644
--- a/examples/kubernetes/kafka-oauth-authz-metrics-client.yaml
+++ b/examples/kubernetes/kafka-oauth-authz-metrics-client.yaml
@@ -14,7 +14,7 @@ data:
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 oauth.client.id="team-a-client" \
 oauth.client.secret="$SECRET" \
- oauth.token.endpoint.uri="http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token" ;
+ oauth.token.endpoint.uri="http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token" ;
 sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
 EOF
diff --git a/examples/kubernetes/kafka-oauth-over-plain-single-authz.yaml b/examples/kubernetes/kafka-oauth-over-plain-single-authz.yaml
index f9ee7089..8e999d74 100644
--- a/examples/kubernetes/kafka-oauth-over-plain-single-authz.yaml
+++ b/examples/kubernetes/kafka-oauth-over-plain-single-authz.yaml
@@ -14,14 +14,14 @@ spec:
 authentication:
 type: oauth
 enablePlain: true
- tokenEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
- validIssuerUri: http://keycloak:8080/auth/realms/kafka-authz
- jwksEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/certs
+ tokenEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
+ validIssuerUri: http://keycloak:8080/realms/kafka-authz
+ jwksEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/certs
 userNameClaim: preferred_username
 authorization:
 type: keycloak
 clientId: kafka
- tokenEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
+ tokenEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
 delegateToKafkaAcls: true
 superUsers:
 - User:service-account-kafka
diff --git a/examples/kubernetes/kafka-oauth-single-authz-metrics.yaml b/examples/kubernetes/kafka-oauth-single-authz-metrics.yaml
index 4c267f81..4e4cbef7 100644
--- a/examples/kubernetes/kafka-oauth-single-authz-metrics.yaml
+++ b/examples/kubernetes/kafka-oauth-single-authz-metrics.yaml
@@ -14,8 +14,8 @@ spec:
 tls: false
 authentication:
 type: oauth
- validIssuerUri: http://keycloak:8080/auth/realms/kafka-authz
- jwksEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/certs
+ validIssuerUri: http://keycloak:8080/realms/kafka-authz
+ jwksEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/certs
 userNameClaim: preferred_username
 checkAccessTokenType: false
 customClaimCheck: "@.typ && @.typ == 'Bearer'"
@@ -26,7 +26,7 @@ spec:
 authorization:
 type: keycloak
 clientId: kafka
- tokenEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
+ tokenEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
 delegateToKafkaAcls: true
 superUsers:
 - User:service-account-kafka
diff --git a/examples/kubernetes/kafka-oauth-single-authz.yaml b/examples/kubernetes/kafka-oauth-single-authz.yaml
index beeeeb12..91e11853 100644
--- a/examples/kubernetes/kafka-oauth-single-authz.yaml
+++ b/examples/kubernetes/kafka-oauth-single-authz.yaml
@@ -4,7 +4,7 @@ metadata:
 name: my-cluster
 spec:
 kafka:
- version: 3.4.0
+ version: 3.7.0
 replicas: 1
 listeners:
 - name: plain
@@ -13,8 +13,8 @@ spec:
 tls: false
 authentication:
 type: oauth
- validIssuerUri: http://keycloak:8080/auth/realms/kafka-authz
- jwksEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/certs
+ validIssuerUri: http://keycloak:8080/realms/kafka-authz
+ jwksEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/certs
 userNameClaim: preferred_username
 checkAccessTokenType: false
 customClaimCheck: "@.typ && @.typ == 'Bearer'"
@@ -25,7 +25,7 @@ spec:
 authorization:
 type: keycloak
 clientId: kafka
- tokenEndpointUri: http://keycloak:8080/auth/realms/kafka-authz/protocol/openid-connect/token
+ tokenEndpointUri: http://keycloak:8080/realms/kafka-authz/protocol/openid-connect/token
 delegateToKafkaAcls: true
 superUsers:
 - service-account-kafka
diff --git a/examples/kubernetes/kafka-oauth-single-introspect.yaml b/examples/kubernetes/kafka-oauth-single-introspect.yaml
index c8f02aed..1a85d08f 100644
--- a/examples/kubernetes/kafka-oauth-single-introspect.yaml
+++ b/examples/kubernetes/kafka-oauth-single-introspect.yaml
@@ -13,8 +13,8 @@ spec:
 tls: false
 authentication:
 type: oauth
- validIssuerUri: http://keycloak:8080/auth/realms/demo
- introspectionEndpointUri: http://keycloak:8080/auth/realms/demo/protocol/openid-connect/token/introspect
+ validIssuerUri: http://keycloak:8080/realms/demo
+ introspectionEndpointUri: http://keycloak:8080/realms/demo/protocol/openid-connect/token/introspect
 userNameClaim: preferred_username
 clientId: kafka-broker
 clientSecret:
diff --git a/examples/kubernetes/kafka-oauth-single.yaml b/examples/kubernetes/kafka-oauth-single.yaml
index 07b40eb6..6fbca61b 100644
--- a/examples/kubernetes/kafka-oauth-single.yaml
+++ b/examples/kubernetes/kafka-oauth-single.yaml
@@ -13,8 +13,8 @@ spec:
 tls: false
 authentication:
 type: oauth
- validIssuerUri: http://keycloak:8080/auth/realms/demo
- jwksEndpointUri: http://keycloak:8080/auth/realms/demo/protocol/openid-connect/certs
+ validIssuerUri: http://keycloak:8080/realms/demo
+ jwksEndpointUri: http://keycloak:8080/realms/demo/protocol/openid-connect/certs
 userNameClaim: preferred_username
 logging:
 type: inline
diff --git a/examples/kubernetes/keycloak-postgres.yaml b/examples/kubernetes/keycloak-postgres.yaml
index 25d0ad19..0fbf3724 100644
--- a/examples/kubernetes/keycloak-postgres.yaml
+++ b/examples/kubernetes/keycloak-postgres.yaml
@@ -27,29 +27,17 @@ metadata:
 spec:
 containers:
 - name: keycloak
- image: quay.io/keycloak/keycloak:19.0.3-legacy
- args:
- - "-b 0.0.0.0"
- - "-Dkeycloak.profile.feature.upload_scripts=enabled"
+ image: quay.io/keycloak/keycloak:23.0.5
+ args: ["-v", "start", "--import-realm", "--features=token-exchange,authorization,scripts"]
 env:
- - name: KEYCLOAK_USER
+ - name: KEYCLOAK_ADMIN
 value: admin
- - name: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_ADMIN_PASSWORD
 value: admin
- - name: KEYCLOAK_IMPORT
- value: /tmp/realms/kafka-authz-realm.json,/tmp/realms/demo-realm.json
- - name: PROXY_ADDRESS_FORWARDING
- value: "true"
- - name: KEYCLOAK_LOGLEVEL
- value: INFO
- - name: DB_ADDR
- value: postgres.myproject.svc.cluster.local:5432
- - name: DB_DATABASE
+ - name: KC_HOSTNAME
 value: keycloak
- - name: DB_USER
- value: kcuser
- - name: DB_PASSWORD
- value: kcuserpass
+ - name: KC_HTTP_ENABLED
 value: "true"
 ports:
 - name: http
 containerPort: 8080
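Review bot: The new `env` block of the keycloak container removes `DB_ADDR`, `DB_DATABASE`, `DB_USER` and `DB_PASSWORD` without adding the Quarkus-distribution equivalents (`KC_DB`, `KC_DB_URL`, `KC_DB_USERNAME`, `KC_DB_PASSWORD`), so this manifest, despite being named keycloak-postgres.yaml, no longer appears to point Keycloak at Postgres and will presumably fall back to the embedded dev-file store, where realms imported by `--import-realm` do not survive a pod restart. If the Postgres deployment is still part of this file (it is outside the hunk), the connection should be restored, and since the old side kept `kcuserpass` inline this is also the moment to read the password from a Secret. `PROXY_ADDRESS_FORWARDING` likewise has no `KC_PROXY` replacement, which matters once the admin console is reached through an ingress rather than a port-forward. The sketch below uses the host, database and user names from the removed lines; the Secret name is a constructed placeholder.
```yaml
      env:
        # … unchanged: KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD, KC_HOSTNAME, KC_HTTP_ENABLED …
        - name: KC_DB
          value: postgres
        - name: KC_DB_URL
          value: jdbc:postgresql://postgres.myproject.svc.cluster.local:5432/keycloak
        - name: KC_DB_USERNAME
          value: kcuser
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-db-credentials   # constructed placeholder; create alongside this manifest
              key: password
```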
@@ -57,11 +45,11 @@ spec:
 containerPort: 8443
 readinessProbe:
 httpGet:
- path: /auth/realms/master
+ path: /realms/master
 port: 8080
 volumeMounts:
 - name: realms
- mountPath: /tmp/realms
+ mountPath: /opt/keycloak/data/import
 volumes:
 - name: realms
 configMap:
diff --git a/examples/kubernetes/keycloak.yaml b/examples/kubernetes/keycloak.yaml
index 1eeb3306..308790be 100644
--- a/examples/kubernetes/keycloak.yaml
+++ b/examples/kubernetes/keycloak.yaml
@@ -45,5 +45,5 @@ spec:
 containerPort: 8443
 readinessProbe:
 httpGet:
- path: /auth/realms/master
+ path: /realms/master
 port: 8080
diff --git a/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleConcurrentProducer.java b/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleConcurrentProducer.java
index ad3e81b9..7d0ddeb1 100644
--- a/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleConcurrentProducer.java
+++ b/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleConcurrentProducer.java
@@ -177,7 +177,7 @@ private static void configureTokenEndpoint(Properties defaults, Config external)
 final String keycloakHost = external.getValue("keycloak.host", "keycloak");
 final String realm = external.getValue("realm", "kafka-authz");
- final String tokenEndpointUri = "http://" + keycloakHost + ":8080/auth/realms/" + realm + "/protocol/openid-connect/token";
+ final String tokenEndpointUri = "http://" + keycloakHost + ":8080/realms/" + realm + "/protocol/openid-connect/token";
 // You can also configure token endpoint uri directly via 'oauth.token.endpoint.uri' system property,
 // or OAUTH_TOKEN_ENDPOINT_URI env variable
diff --git a/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleProducer.java b/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleProducer.java
index 10ce36a4..a9d08793 100644
--- a/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleProducer.java
+++ b/examples/producer/src/main/java/io/strimzi/examples/producer/ExampleProducer.java
@@ -42,7 +42,7 @@ public static void main(String[] args) {
 final String keycloakHost = external.getValue("keycloak.host", "keycloak");
 final String realm = external.getValue("realm", "demo");
- final String tokenEndpointUri = "http://" + keycloakHost + ":8080/auth/realms/" + realm + "/protocol/openid-connect/token";
+ final String tokenEndpointUri = "http://" + keycloakHost + ":8080/realms/" + realm + "/protocol/openid-connect/token";
 // You can also configure token endpoint uri directly via 'oauth.token.endpoint.uri' system property,
 // or OAUTH_TOKEN_ENDPOINT_URI env variable
diff --git a/oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java b/oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
index 4311ea98..ed320c96 100644
--- a/oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
+++ b/oauth-keycloak-authorizer/src/main/java/io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.java
@@ -80,7 +80,7 @@ * Required configuration: *

*