Troubleshooting
Docker Redmine SSO: fixing issuer URL mismatch with Keycloak
RRedmineShop

Symptom
Authorization redirect works, but token exchange fails or ID token issuer validation errors appear in logs. Common in local Docker stacks where Redmine talks to http://keycloak:8080 but the browser uses http://localhost:8190.
Fix
In Administration → Plugins → Redmine SSO Suite:
- Issuer URL (server-side): internal Docker hostname, e.g.
http://demo-keycloak:8080/realms/your-realm - Public issuer URL: browser-facing URL, e.g.
http://localhost:8190/realms/your-realm
The plugin rewrites authorization URLs for the browser while validating tokens against either issuer.
Production
When both Redmine and Keycloak share the same public hostname, leave Public issuer URL blank.
Full walkthrough: Keycloak OIDC setup guide.