Error 403 when trying to authenticate with Keycloak client using OpenID connect plugin

Re: Error 403 when trying to authenticate with Keycloak client using OpenID connect plugin

by Emma Richardson -
Number of replies: 0
Ok, where are you seeing IDP type in Moodle settings?
This is what you should be doing:
In Keycloak, create a new OpenID client. Just use the following settings:
Client ID - what you enter in Keycloak also gets entered in Moodle for ClientID
Name - just what you want to see it listed as in Keycloak
Enabled = On
Login Theme - only change from default if you have a custom theme
Client Protocol - openid-connect
Access Type - confidential (this is what creates the secret etc)
Standard Flow Enabled - on
Direct Access Grants Enabled - on
(I have everything else turned off)
Valid redirect URIs - yoursite.com/admin/oauth2callback.php
I have post logout redirecting to my website but you don't have to have this
Base URL - yoursite.com
That should be all you need to change in Keycloak - save
In Moodle, create a new OAuth 2 service with the following settings:
Name - only for listing in Moodle
Client ID - must match what is in Keycloak
Client Secret - copied from Credentials tab in Keycloak
Service Base URL - https://yourkeycloaksite.com/realms/your realm name here
This service will be used - Login Page and Internal Services
Scopes Included - openid profile email (I added those to both online and offline access fields)
Save
Ideally Moodle will reach out to Keycloak and create all the endpoints so you do not need to do anything there - at that point it should just work...
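The settings above have to agree on both sides: the Moodle Client ID must equal the Keycloak clientId, Moodle's fixed callback URL (wwwroot + /admin/oauth2callback.php) must appear in the client's Valid Redirect URIs, and the Service Base URL must be the realm URL that Moodle appends /.well-known/openid-configuration to. The following script is an added example, not code from the forum post, from Moodle or from Keycloak. It holds constructed sample settings for each side (placeholder hostnames; the Keycloak keys follow Keycloak's client JSON export, while the Moodle key names are assumptions) and reports any mismatch between them, which is a quick way to rule out the usual configuration causes before digging into Keycloak's event log for the 403.

```python
"""Consistency check for a Keycloak client paired with a Moodle OAuth 2 service.

This is an added example, not code from the forum post, Moodle or Keycloak.
Both dicts are constructed sample settings that mirror the fields listed in
the post; hostnames are placeholders and the Moodle key names are assumed.
"""
from urllib.parse import urlparse

# Constructed Keycloak client, using the field names of a Keycloak client JSON
# export. "publicClient": False is what the admin console shows as
# Access Type = confidential (the setting that produces a client secret).
KEYCLOAK_CLIENT = {
    "clientId": "moodle",
    "name": "Moodle LMS",
    "enabled": True,
    "protocol": "openid-connect",
    "publicClient": False,
    "standardFlowEnabled": True,
    "directAccessGrantsEnabled": True,
    "implicitFlowEnabled": False,
    "serviceAccountsEnabled": False,
    "redirectUris": ["https://yoursite.example/admin/oauth2callback.php"],
    "baseUrl": "https://yoursite.example",
}
KEYCLOAK_REALM_URL = "https://yourkeycloaksite.example/realms/yourrealm"

# Constructed Moodle-side settings (Site administration > Server > OAuth 2 services).
# Key names are assumptions chosen to read like Moodle's issuer fields.
MOODLE_ISSUER = {
    "wwwroot": "https://yoursite.example",
    "clientid": "moodle",
    "baseurl": "https://yourkeycloaksite.example/realms/yourrealm",
    "loginscopes": "openid profile email",
    "loginscopesoffline": "openid profile email",
}


def moodle_callback(wwwroot: str) -> str:
    """Moodle's fixed redirect URI; this is what Keycloak must list as valid."""
    return wwwroot.rstrip("/") + "/admin/oauth2callback.php"


def discovery_url(service_base_url: str) -> str:
    """Where Moodle fetches the endpoints once the Service Base URL is saved."""
    return service_base_url.rstrip("/") + "/.well-known/openid-configuration"


def redirect_allowed(uri: str, allowed: list) -> bool:
    """Keycloak matches redirect URIs exactly, or by prefix when an entry ends in '*'."""
    for entry in allowed:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def check_pairing(client: dict, realm_url: str, issuer: dict) -> list:
    """Return the mismatches between the two sides; an empty list means they agree."""
    findings = []
    if not client.get("enabled"):
        findings.append("Keycloak client is disabled")
    if client.get("protocol") != "openid-connect":
        findings.append("client protocol is not openid-connect")
    if client.get("publicClient"):
        findings.append("client is public (no secret); Moodle needs a confidential client")
    if not client.get("standardFlowEnabled"):
        findings.append("standard flow (authorization code) is disabled")
    if client.get("clientId") != issuer["clientid"]:
        findings.append("Client ID differs between Keycloak and Moodle")
    if issuer["baseurl"].rstrip("/") != realm_url.rstrip("/"):
        findings.append("Moodle Service Base URL does not match the realm URL")
    if urlparse(issuer["baseurl"]).scheme != "https":
        findings.append("Service Base URL is not https")
    callback = moodle_callback(issuer["wwwroot"])
    if not redirect_allowed(callback, client.get("redirectUris", [])):
        findings.append(f"{callback} is not a valid redirect URI for the client")
    for field in ("loginscopes", "loginscopesoffline"):
        if "openid" not in issuer[field].split():
            findings.append(f"{field} lacks the openid scope")
    return findings


if __name__ == "__main__":
    print("discovery document:", discovery_url(MOODLE_ISSUER["baseurl"]))
    result = check_pairing(KEYCLOAK_CLIENT, KEYCLOAK_REALM_URL, MOODLE_ISSUER)
    for finding in result or ["settings agree"]:
        print("-", finding)
```

Run it as-is and it reports that the two constructed sides agree; swap in the values from a real Keycloak client export and the Moodle issuer page to see which field disagrees. The redirect check reproduces Keycloak's exact-or-trailing-wildcard matching, so a Valid Redirect URI entered with a trailing slash or a different scheme is flagged rather than silently passing.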