diff --git a/Gemfile b/Gemfile
index d2cd6fc92..1f32a75f4 100755
--- a/Gemfile
+++ b/Gemfile
@@ -70,11 +70,11 @@ end
 gem 'omniauth', '~> 2.0'
-gem 'omniauth-keycloak', '~> 1.3'
+gem 'omniauth-keycloak'
-gem 'omniauth-rails_csrf_protection', '~> 1.0'
+gem 'omniauth-rails_csrf_protection'
-gem 'omniauth-google-oauth2', '~> 1.0'
+gem 'omniauth-google-oauth2'
 gem 'rails-healthcheck', '~> 1.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0259ef5fc..ee148797b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -91,7 +91,7 @@ GEM
 cal-heatmap-rails (3.6.2) choice (0.2.0) colorize (0.8.1) - concurrent-ruby (1.1.9) + concurrent-ruby (1.1.10) connection_pool (2.2.5) cookies_eu (1.7.8) js_cookie_rails (~> 2.2.0)
@@ -125,25 +125,10 @@ GEM
 docile (1.4.0) erubi (1.10.0) execjs (2.8.1) - faraday (1.7.0) - faraday-em_http (~> 1.0) - faraday-em_synchrony (~> 1.0) - faraday-excon (~> 1.1) - faraday-httpclient (~> 1.0.1) - faraday-net_http (~> 1.0) - faraday-net_http_persistent (~> 1.1) - faraday-patron (~> 1.0) - faraday-rack (~> 1.0) - multipart-post (>= 1.2, < 3) + faraday (2.3.0) + faraday-net_http (~> 2.0) ruby2_keywords (>= 0.0.4) - faraday-em_http (1.0.0) - faraday-em_synchrony (1.0.0) - faraday-excon (1.1.0) - faraday-httpclient (1.0.1) - faraday-net_http (1.0.1) - faraday-net_http_persistent (1.2.0) - faraday-patron (1.0.0) - faraday-rack (1.0.0) + faraday-net_http (2.0.3) ffi (1.15.5) font-awesome-sass (6.1.1) sassc (~> 2.0)
@@ -154,10 +139,10 @@ GEM
 globalid (0.5.2) activesupport (>= 5.0) hashdiff (1.0.1) - hashie (4.1.0) + hashie (5.0.0) heapy (0.2.0) thor - i18n (1.8.10) + i18n (1.12.0) concurrent-ruby (~> 1.0) intercom-rails (0.4.2) activesupport (> 3.0)
@@ -176,7 +161,7 @@ GEM
 activesupport (>= 4.2) aes_key_wrap bindata - jwt (2.2.3) + jwt (2.4.1) launchy (2.5.0) addressable (~> 2.7) letter_opener (1.7.0)
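Review bot: The three `+gem` lines drop the pessimistic version constraints entirely, while `omniauth` and `rails-healthcheck` on the neighbouring context lines keep theirs, so the Gemfile no longer records any upper bound and a later `bundle update` can move these strategies across a major version without anyone touching the manifest. The lockfile in this same commit resolves them to 1.4.2, 1.0.1 and 1.0.1, so the upgrade can be captured in the Gemfile as `gem 'omniauth-keycloak', '~> 1.4'`, `gem 'omniauth-rails_csrf_protection', '~> 1.0'` and `gem 'omniauth-google-oauth2', '~> 1.0'`. The CSRF-protection gem is the piece guarding the OmniAuth request phase, so an unreviewed major jump there is the one most worth ruling out with a constraint.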
@@ -184,7 +169,7 @@ GEM
 listen (3.7.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - loofah (2.12.0) + loofah (2.18.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1)
@@ -194,8 +179,8 @@ GEM
 method_source (1.0.0) mini_histogram (0.3.1) mini_mime (1.1.1) - mini_portile2 (2.6.1) - minitest (5.14.4) + mini_portile2 (2.8.0) + minitest (5.16.2) minitest-reporters (1.4.3) ansi builder
@@ -205,35 +190,34 @@ GEM
 msgpack (1.4.2) multi_json (1.15.0) multi_xml (0.6.0) - multipart-post (2.1.1) mysql2 (0.5.3) nio4r (2.5.8) - nokogiri (1.12.3) - mini_portile2 (~> 2.6.1) + nokogiri (1.13.7) + mini_portile2 (~> 2.8.0) racc (~> 1.4) - oauth2 (1.4.7) - faraday (>= 0.8, < 2.0) + oauth2 (1.4.10) + faraday (>= 0.17.3, < 3.0) jwt (>= 1.0, < 3.0) multi_json (~> 1.3) multi_xml (~> 0.5) rack (>= 1.2, < 3) - omniauth (2.0.4) + omniauth (2.1.0) hashie (>= 3.4.6) - rack (>= 1.6.2, < 3) + rack (>= 2.2.3) rack-protection - omniauth-google-oauth2 (1.0.0) + omniauth-google-oauth2 (1.0.1) jwt (>= 2.0) oauth2 (~> 1.1) omniauth (~> 2.0) omniauth-oauth2 (~> 1.7.1) - omniauth-keycloak (1.3.0) + omniauth-keycloak (1.4.2) json-jwt (~> 1.13.0) - omniauth (~> 2.0.4) + omniauth (>= 2.0) omniauth-oauth2 (~> 1.7.1) - omniauth-oauth2 (1.7.1) - oauth2 (~> 1.4) + omniauth-oauth2 (1.7.3) + oauth2 (>= 1.4, < 3) omniauth (>= 1.9, < 3) - omniauth-rails_csrf_protection (1.0.0) + omniauth-rails_csrf_protection (1.0.1) actionpack (>= 4.2) omniauth (~> 2.0) orm_adapter (0.5.0)
@@ -254,17 +238,17 @@ GEM
 pundit (2.1.1) activesupport (>= 3.0.0) racc (1.4.16) - rack (2.2.3) + rack (2.2.4) rack-cors (1.1.1) rack (>= 2.0.0) rack-mini-profiler (2.3.3) rack (>= 1.2.0) - rack-protection (2.1.0) + rack-protection (2.2.1) rack rack-proxy (0.7.0) rack - rack-test (1.1.0) - rack (>= 1.0, < 3) + rack-test (2.0.2) + rack (>= 1.3) rails (6.1.4.1) actioncable (= 6.1.4.1) actionmailbox (= 6.1.4.1)
@@ -295,7 +279,7 @@ GEM
 rails-healthcheck (1.4.0) actionpack railties - rails-html-sanitizer (1.4.2) + rails-html-sanitizer (1.4.3) loofah (~> 2.3) railties (6.1.4.1) actionpack (= 6.1.4.1)
@@ -386,7 +370,7 @@ GEM
 websocket-driver (0.7.5) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.4.2) + zeitwerk (2.6.0) PLATFORMS ruby
@@ -422,9 +406,9 @@ DEPENDENCIES
 mocha (~> 1.11) mysql2 omniauth (~> 2.0) - omniauth-google-oauth2 (~> 1.0) - omniauth-keycloak (~> 1.3) - omniauth-rails_csrf_protection (~> 1.0) + omniauth-google-oauth2 + omniauth-keycloak + omniauth-rails_csrf_protection postmark-rails puma (~> 5.0) puma_worker_killer
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 40f566a11..4ab96849a 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -326,8 +326,9 @@ if Rails.application.config.keycloak_realm.present?
 config.omniauth :keycloak_openid, 'quepid', 'example-secret-if-configured',
 client_options: {
- site: Rails.application.config.keycloak_site,
- realm: Rails.application.config.keycloak_realm,
+ site: Rails.application.config.keycloak_site,
+ realm: Rails.application.config.keycloak_realm,
+ base_url: '',
 },
 strategy_class: OmniAuth::Strategies::KeycloakOpenId
 end
diff --git a/docker-compose.yml b/docker-compose.yml
index f3aeaa154..9bd19ca17 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
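Review bot: `base_url: ''` on the added line hard-codes the Keycloak 17+ path layout, whereas `site` and `realm` directly above it are read from `Rails.application.config`; the docs change in this same commit then tells operators on older Keycloak to edit devise.rb, because this is the only one of the three values that cannot be supplied by configuration. Reading it the same way — `base_url: Rails.application.config.keycloak_base_url,` backed by a new `keycloak_base_url` setting that defaults to `''` — keeps the initializer free of deployment-specific edits and lets the `/auth` prefix be set where `keycloak_site` already is. The `if Rails.application.config.keycloak_realm.present?` that encloses this block starts before the hunk.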
@@ -40,19 +40,20 @@ services:
 - 6379:6379
 keycloak:
- image: quay.io/keycloak/keycloak:13.0.0
+ image: quay.io/keycloak/keycloak:18.0.2
 container_name: quepid_keycloak
 hostname: keycloak
- command: ["-b", "0.0.0.0", "-Dkeycloak.migration.action=import", "-Dkeycloak.migration.provider=dir", "-Dkeycloak.migration.dir=/opt/jboss/keycloak/realm-config", "-Dkeycloak.migration.strategy=OVERWRITE_EXISTING", "-Djboss.socket.binding.port-offset=1000", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
+ command: ["start-dev", "--import-realm"]
 ports:
 - 9080:9080
 - 9443:9443
 environment:
- KEYCLOAK_USER: admin
- KEYCLOAK_PASSWORD: password
+ KC_HTTP_PORT: 9080
+ KEYCLOAK_ADMIN: admin
+ KEYCLOAK_ADMIN_PASSWORD: password
 DB_VENDOR: h2
 volumes:
- - ./keycloak/realm-config:/opt/jboss/keycloak/realm-config
+ - ./keycloak/realm-config/quepid-realm.json:/opt/keycloak/data/import/quepid-realm.json:ro
 nginx:
 image: nginx:1.21.4
diff --git a/docs/operating_documentation.md b/docs/operating_documentation.md
index 40b7ce4bf..9fabc9915 100644
--- a/docs/operating_documentation.md
+++ b/docs/operating_documentation.md
@@ -123,6 +123,8 @@ We have a Realm called `Quepid`, and it includes a Client called `quepid`. The
 We *assume* that the client definition in Keycloak will be named `quepid`, you can't change that. You can pick your Realm name however.
+Keycloak 17+ removes the `/auth` portion of the url. If you are using earlier versions of keycloak, you need to set `base_url:'/auth'` in devise.rb.
+
 ## Legal Pages & GDPR
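Review bot: `DB_VENDOR: h2` survives as a context line under `environment:`, but it is an option of the old WildFly-based image; the Quarkus-based 18.0.2 image configures its database through `KC_DB`, and under `start-dev` the embedded dev-file store is the default, so the line is most likely ignored now and can be dropped (or made explicit as `KC_DB: dev-file`). The `- 9443:9443` mapping is likewise kept although the new command no longer applies a port offset and nothing sets `KC_HTTPS_PORT` or a certificate, so that port is probably unreachable and could go as well. The old mount imported the whole `./keycloak/realm-config` directory while the new one imports only `quepid-realm.json`; if that directory holds any other realm or user files they would silently stop being loaded, which is worth confirming.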