diff --git a/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js b/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js
index c152d5152a..e3e247a469 100644
--- a/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js
+++ b/assembly/assembly-root-war/src/main/webapp/_app/keycloackLoader.js
@@ -110,8 +110,8 @@ export class KeycloakLoader {
onLoad: 'login-required',
checkLoginIframe: false,
useNonce: useNonce,
- scope: 'email profile',
- redirectUri: keycloakSettings['che.keycloak.redirect_url.ide']
+ scope: 'openid',
+ redirectUri: decodeURIComponent(location.href)
})
.success(() => {
resolve(keycloak);
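Review bot: `decodeURIComponent(location.href)` on the new redirectUri line can throw a URIError when the current URL carries a malformed percent sequence, and when it succeeds it turns encoded delimiters in the path or query (`%23`, `%26`, `%3F`) back into `#`, `&`, `?`, so the redirect_uri handed to Keycloak may no longer describe the page the user is actually on. Passing the browser's already-encoded value unchanged avoids both problems: `redirectUri: location.href`. Because the value now comes from the page instead of the configured `che.keycloak.redirect_url.ide`, the Keycloak client's Valid Redirect URIs must cover every path the IDE can be opened at or the login is rejected; a short comment above the line stating that dependency would help the next reader. The enclosing keycloak.init call and the promise wrapping it start outside the hunk.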
diff --git a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
index d62d758a72..c4451fbff8 100644
--- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/deployment.yaml
@@ -74,8 +74,13 @@ spec:
- name: CHE_HOST
value: {{ template "cheHost" . }}
{{- if .Values.global.useInternalClusterSVCNames }}
- - name: KEYCLOAK_HOSTNAME
- value: {{ template "keycloakHost" . }}
+ {{- if .Values.global.tls.enabled }}
+ - name: KEYCLOAK_FRONTEND_URL
+ value: https://{{ template "keycloakHost" . }}/auth
+ {{- else }}
+ - name: KEYCLOAK_FRONTEND_URL
+ value: http://{{ template "keycloakHost" . }}/auth
+ {{- end }}
{{- end }}
- name: ROUTING_SUFFIX
value: {{ .Values.global.ingressDomain }}
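Review bot: The two new branches under the `tls.enabled` check differ only in the scheme, so KEYCLOAK_FRONTEND_URL is declared twice; a single entry, `- name: KEYCLOAK_FRONTEND_URL` with `value: {{ if .Values.global.tls.enabled }}https{{ else }}http{{ end }}://{{ template "keycloakHost" . }}/auth`, leaves one place to maintain. The variable is only set inside the `useInternalClusterSVCNames` block, so when that flag is off the frontend URL presumably has to be derived from the proxy's forwarded headers instead; that deserves a comment on the block, e.g. `# Frontend URL is pinned only when backend traffic uses internal SVC names; otherwise Keycloak derives it from X-Forwarded-* headers — confirm`. The surrounding `env:` list continues outside the hunk.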
diff --git a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml
index c45fc7ed04..7f7cec9110 100644
--- a/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml
+++ b/deploy/kubernetes/helm/che/custom-charts/che-keycloak/templates/ingress.yaml
@@ -18,6 +18,7 @@ metadata:
component: keycloak
annotations:
kubernetes.io/ingress.class: {{ .Values.global.ingress.class | quote }}
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-read-timeout: "3600"
{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-connect-timeout: "3600"
{{- if .Values.global.tls.enabled }}
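Review bot: The added `nginx.ingress.kubernetes.io/proxy-buffer-size` annotation hard-codes the nginx prefix while the neighbouring proxy-read-timeout and proxy-connect-timeout lines build theirs from `.Values.global.ingressAnnotationsPrefix`, so on an install that configures a different prefix this becomes the one annotation that silently stops applying. Writing it as `{{ .Values.global.ingressAnnotationsPrefix }}ingress.kubernetes.io/proxy-buffer-size: "16k"` keeps the three consistent. The value also needs a why-comment, since 16k is not self-explanatory; presumably it exists because Keycloak's login responses carry headers larger than the controller's default buffer, e.g. `# Keycloak login responses exceed the default proxy buffer; raise it to avoid 502 on redirect — confirm`.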
diff --git a/dockerfiles/keycloak/Dockerfile b/dockerfiles/keycloak/Dockerfile
index 23d576e434..0af6915087 100644
--- a/dockerfiles/keycloak/Dockerfile
+++ b/dockerfiles/keycloak/Dockerfile
@@ -6,15 +6,15 @@
# SPDX-License-Identifier: EPL-2.0
#
-FROM jboss/keycloak:6.0.1
+FROM quay.io/keycloak/keycloak:15.0.2
+
ADD che /opt/jboss/keycloak/themes/che
ADD che-username-readonly /opt/jboss/keycloak/themes/che-username-readonly
ADD . /scripts/
ADD cli /scripts/cli
-RUN ln -s /opt/jboss/tools/docker-entrypoint.sh && \
- curl -sSL https://github.com/che-incubator/KEYCLOAK-10169-OpenShift4-User-Provider/releases/download/6.0.1-openshift-v4/openshift4-extension-6.0.1.jar -o /opt/jboss/keycloak/standalone/deployments/openshift4-extension-6.0.1.jar && \
- unzip -j /opt/jboss/keycloak/standalone/deployments/openshift4-extension-6.0.1.jar -d /opt/jboss/keycloak/themes/base/admin/resources/partials \
- theme-resources/resources/realm-identity-provider-openshift-v4.html theme-resources/resources/realm-identity-provider-openshift-v4-ext.html
+USER root
+RUN microdnf install findutils && microdnf clean all && \
+ ln -s /opt/jboss/tools/docker-entrypoint.sh && chmod +x /opt/jboss/tools/docker-entrypoint.sh
USER root
RUN chown -R 1000:0 /scripts && \
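Review bot: `USER root` is now issued twice in a row, once on the new line before the microdnf RUN and again on the pre-existing line after it, so the second is redundant and can be dropped, or the new one moved above the ADD lines so the root section is contiguous. `ln -s /opt/jboss/tools/docker-entrypoint.sh` gives no link path, so the symlink lands in whatever WORKDIR the new base image sets, which is not visible here; spelling out the link path makes the result independent of the base image. The new base image is pinned only by tag; adding the digest, `FROM quay.io/keycloak/keycloak:15.0.2@sha256:<digest>` (placeholder), makes rebuilds reproducible against a specific image. The final RUN instruction continues past the end of the hunk.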
diff --git a/dockerfiles/keycloak/kc_realm_user.sh b/dockerfiles/keycloak/kc_realm_user.sh
index 7d74f69886..357f42cc2b 100755
--- a/dockerfiles/keycloak/kc_realm_user.sh
+++ b/dockerfiles/keycloak/kc_realm_user.sh
@@ -66,12 +66,6 @@ cat /scripts/che-realm.json.erb | \
sed -e "s@<%= scope\.lookupvar('che::che_server_url') %>@${PROTOCOL}://${CHE_HOST}@" \
> /scripts/che-realm.json
-echo "Creating Admin user..."
-
-if [ $KEYCLOAK_USER ] && [ $KEYCLOAK_PASSWORD ]; then
- /opt/jboss/keycloak/bin/add-user-keycloak.sh --user $KEYCLOAK_USER --password $KEYCLOAK_PASSWORD
-fi
-
# Handle CA certificates
KEYSTORE_PATH=/scripts/openshift.jks
TRUST_STORE_PASSWORD=${TRUSTPASS:-openshift}
@@ -96,10 +90,6 @@ if [ -f "$KEYSTORE_PATH" ]; then
/opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/cli/add_openshift_certificate.cli && rm -rf /opt/jboss/keycloak/standalone/configuration/standalone_xml_history
fi
-# Patch configuration to allow to set 'keycloak.hostname.fixed.alwaysHttps'
-sed -i 's|||g' /opt/jboss/keycloak/standalone/configuration/standalone.xml
-sed -i 's|||g' /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
-
# POSTGRES_PORT is assigned by Kubernetes controller
# and it isn't fit to docker-entrypoin.sh.
unset POSTGRES_PORT
@@ -112,8 +102,4 @@ SYS_PROPS="-Dkeycloak.migration.action=import \
-Dkeycloak.migration.dir=/scripts/ \
-Djboss.bind.address=0.0.0.0"
-if [ $KEYCLOAK_HOSTNAME ] && [ $PROTOCOL == "https" ]; then
- SYS_PROPS+=" -Dkeycloak.hostname.fixed.alwaysHttps=true"
-fi
-
-exec /opt/jboss/docker-entrypoint.sh $SYS_PROPS
+exec /opt/jboss/tools/docker-entrypoint.sh $SYS_PROPS
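Review bot: The new exec line calls `/opt/jboss/tools/docker-entrypoint.sh` directly, so the `ln -s /opt/jboss/tools/docker-entrypoint.sh` symlink that the Dockerfile hunk in this commit still creates appears unused by this script; if nothing else resolves the old `/opt/jboss/docker-entrypoint.sh` path, the symlink can be removed as well. Dropping the `keycloak.hostname.fixed.alwaysHttps` override means the scheme of issued URLs now rests entirely on KEYCLOAK_FRONTEND_URL, which the deployment template in this commit sets only when `useInternalClusterSVCNames` is enabled; recording that above the exec would help, e.g. `# Scheme/host of issued URLs come from KEYCLOAK_FRONTEND_URL (or forwarded headers when unset); no alwaysHttps override remains`. `$SYS_PROPS` is expanded unquoted on purpose so each -D flag becomes its own argument, but the variable is assembled outside the hunk and a note there that its values must not contain whitespace would prevent a future quoting surprise.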