From 12399b5364f37bacb64a68030704f7ce7d6cb82b Mon Sep 17 00:00:00 2001 From: Lionel Sambuc Date: Mon, 27 Apr 2026 14:12:28 +0200 Subject: [PATCH 1/3] fix: Allow config of WebOrigins & RedirectUris --- .../renku/templates/setup-job-keycloak-realms.yaml | 4 ++++ helm-chart/renku/values.yaml | 2 ++ scripts/init-realm/utils.py | 12 ++++++++++-- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index d3ba40449a..08d735c78d 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -109,6 +109,10 @@ spec: value: "false" - name: NOTEBOOKS_KC_CLIENT_OAUTH_FLOW value: "authorization_code" + - name: NOTEBOOKS_KC_CLIENT_EXTRA_REDIRECT_URIS + value: {{ .Values.notebooks.oidc.extraRedirectUris | quote }} + - name: NOTEBOOKS_KC_CLIENT_EXTRA_WEB_ORIGINS + value: {{ .Values.notebooks.oidc.extraWebOrigins | quote }} - name: SWAGGER_KC_CLIENT_ID value: swagger - name: SWAGGER_KC_CLIENT_PUBLIC diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index a660a97c81..916f43f89f 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -879,6 +879,8 @@ notebooks: tokenUrl: authUrl: allowUnverifiedEmail: false + extraRedirectUris: + extraWebOrigins: sessionIngress: host: ## If you want to use the default cluster tls cert, set the flag below to true. diff --git a/scripts/init-realm/utils.py b/scripts/init-realm/utils.py index 5012af7d66..130bfbf126 100644 --- a/scripts/init-realm/utils.py +++ b/scripts/init-realm/utils.py 
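Review bot: Both new env entries pass the chart value through `quote` unchanged, so they only work when the operator supplies a string that already holds JSON. A native YAML list under `notebooks.oidc.extraRedirectUris` would, as far as I can tell, be rendered in Go's `[a b]` form, which the `json.loads` call in `scripts/init-realm/utils.py` rejects. In this first patch the default is also left empty, which hands the job an empty variable rather than an unset one (the second patch in the series changes the default to `'[]'`). Taking a real list in values and serialising it in the template would remove both failure modes, for example `value: {{ .Values.notebooks.oidc.extraRedirectUris | default (list) | toJson | quote }}`, with the same change for `extraWebOrigins`.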
@@ -93,6 +93,8 @@ class OIDCClient: service_account_roles: List[str] = field(default_factory=list) service_account_realm_roles: List[str] = field(default_factory=list) public_client: bool = False + client_extra_web_origins: List[str] = field(default_factory=list) + client_extra_redirect_uris: List[str] = field(default_factory=list) def __post_init__(self): self.base_url = self.base_url.rstrip("/") @@ -163,8 +165,8 @@ def to_dict(self) -> Dict[str, Any]: "baseUrl": self.base_url, "publicClient": self.public_client, "attributes": self.attributes, - "redirectUris": [self.base_url + "/*"], - "webOrigins": [self.base_url + "/*"], + "redirectUris": [self.base_url + "/*"] + self.client_extra_redirect_uris, + "webOrigins": [self.base_url + "/*"] + self.client_extra_web_origins, "protocolMappers": default_protocol_mappers + [ { @@ -207,6 +209,12 @@ def from_env(cls, prefix: str = "RENKU_KC_CLIENT_") -> "OIDCClient": service_account_realm_roles=json.loads( os.environ.get(f"{prefix}SERVICE_ACCOUNT_REALM_ROLES", "[]") ), + client_extra_redirect_uris=json.loads( + os.environ.get(f"{prefix}EXTRA_REDIRECT_URIS", "[]") + ), + client_extra_web_origins=json.loads( + os.environ.get(f"{prefix}EXTRA_WEB_ORIGINS", "[]") + ) ) From 9939214cef53aa8002dcbba50fd80489f6ae2558 Mon Sep 17 00:00:00 2001 From: Lionel Sambuc Date: Mon, 27 Apr 2026 14:54:00 +0200 Subject: [PATCH 2/3] fix: By default, explicitly set an empty list --- helm-chart/renku/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 916f43f89f..b3500efa6f 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -879,8 +879,8 @@ notebooks: tokenUrl: authUrl: allowUnverifiedEmail: false - extraRedirectUris: - extraWebOrigins: + extraRedirectUris: '[]' + extraWebOrigins: '[]' sessionIngress: host: ## If you want to use the default cluster tls cert, set the flag below to true. 
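Review bot: The extra redirect URIs in `to_dict` are appended to the client's `redirectUris` exactly as supplied, and nothing in the visible lines limits how broad an entry may be. This list decides where Keycloak may send authorization responses for the client, so a comment stating the expectation would help whoever edits the chart values, for example `# Extra entries are trusted as-is: each should name a full scheme and host, never a bare "*".` The two new dataclass fields in the first hunk of this file would also benefit from a one-line comment saying they are appended to the `base_url`-derived defaults. `to_dict` begins and ends outside the hunk.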
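Review bot: The two new `json.loads` calls in `from_env` accept any JSON value and fail with a bare `JSONDecodeError` on an empty string, because `os.environ.get` only falls back to `"[]"` when the variable is unset; an empty chart value appears to produce exactly that empty string. A value that parses to a string or object would surface later as a `TypeError` in `to_dict`, and a list holding non-string items would be sent to Keycloak as is. I would parse both variables through a small helper that treats empty as `[]` and checks the result is a list of strings, so a misconfiguration stops the job with a message naming the variable. `from_env` starts and ends outside the hunk.

```python
def _json_str_list(name: str) -> List[str]:
    """Read env var `name` as a JSON list of strings; unset or empty means []."""
    parsed = json.loads(os.environ.get(name) or "[]")
    if not isinstance(parsed, list) or not all(isinstance(item, str) for item in parsed):
        raise ValueError(f"{name} must be a JSON list of strings")
    return parsed

# … unchanged: from_env signature and earlier keyword arguments …
            client_extra_redirect_uris=_json_str_list(f"{prefix}EXTRA_REDIRECT_URIS"),
            client_extra_web_origins=_json_str_list(f"{prefix}EXTRA_WEB_ORIGINS"),
```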
From 7d48440927030c99f73bd5128fd779addee36f11 Mon Sep 17 00:00:00 2001 From: Lionel Sambuc Date: Tue, 28 Apr 2026 13:46:20 +0200 Subject: [PATCH 3/3] fix: Add a comment about the format of the value --- helm-chart/renku/values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index b3500efa6f..5a402a45d3 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -879,7 +879,15 @@ notebooks: tokenUrl: authUrl: allowUnverifiedEmail: false + ## This value is a yaml string of a json list of URIs strings, i.e. + ## '["https://domain-a.example.org/*", "https://domain-b.example.net/*"]' + ## Each URI should follow the format expected by Keycloak in the Redirect + ## URIs field of a keycloak client. extraRedirectUris: '[]' + ## This value is a yaml string of a json list of URIs strings, i.e. + ## '["https://domain-a.example.org/*", "https://domain-b.example.net/*"]' + ## Each URI should follow the format expected by Keycloak in the Web Origins + ## field of a keycloak client. extraWebOrigins: '[]' sessionIngress: host:
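Review bot: The example given for `extraWebOrigins` repeats the redirect-URI form with a trailing `/*`, but Keycloak's Web Origins field is matched against the browser's `Origin` header, which carries scheme, host and port only, so to my knowledge an entry with a path never matches. I would change that example to `'["https://domain-a.example.org", "https://domain-b.example.net"]'`. In both comments `i.e.` should read `e.g.`, since what follows is an example. A further line on `extraRedirectUris`, noting that each entry widens where the client may redirect after login and should be as specific as possible, would be useful to operators.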