This guide shows how to configure Jenkins to authenticate users via Keycloak using OpenID Connect (OIDC). It’s based on:
- Jenkins:
2.504.2 - Keycloak:
26.2.5 - Plugin:
OpenID Connect Authentication v4.494.v6b_f419104767
Prerequisites
- Jenkins is publicly accessible at:
https://jenkins.maksonlee.com - Keycloak is running at:
https://keycloak.maksonlee.com - You have admin access to both Jenkins and Keycloak
- You’ve created a Keycloak realm (e.g.
maksonlee.com)
- Install OpenID Connect Plugin in Jenkins
- Go to: Manage Jenkins → Plugin Manager → Available
- Search for:
OpenId Connect Authentication - Install the plugin and restart Jenkins
- Create Client in Keycloak for Jenkins
General Settings:
- Navigate to: Clients → Create client
Capability Configuration:
Login Settings:
Click Save
- Get the Client Secret
- Go to: Clients → jenkins → Credentials
- Copy the Client Secret for use in Jenkins
- Configure Jenkins with Keycloak OIDC
Go to: Manage Jenkins → Security
Set the Security Realm:
Login with Openid Connect
Then fill in:
| Field | Value |
|---|---|
| Client ID | jenkins |
| Client Secret | (paste from Keycloak) |
| Well-known endpoint | https://keycloak.maksonlee.com/realms/maksonlee.com/.well-known/openid-configuration |
| Advanced -> Override scopes | openid email profile |
Advanced configuration → User fields
| Jenkins Field | Keycloak Claim |
|---|---|
| User name field name | preferred_username |
| Email field name | email |
| Full name field name | name |
| Groups field name | groups (optional) |
Click Save
- Test Login
- Log out of Jenkins
- You’ll be redirected to Keycloak for authentication
- Once authenticated, you’ll be signed into Jenkins