November 14, 2022
I want to use a Keycloak instance (SSO provider) for authenticating users on a nextcloud application.
The only documentation they provide is this blog entry. It even uses the same provider as me as its example (Keycloak). Unfortunately, that doesn’t work “as is”.
This is what I had to change to make it work. For the record, this is using nextcloud version 25.
Keycloak provides a JSON document called “OpenID Endpoint Configuration”, whose URL looks like
The blog explicitly says not to use this URL, but rather one found inside the JSON, labelled “authorization endpoint”, with a URL that looks like
BUT, in a later screenshot, where Nextcloud is actually being configured, you can see that the URL he uses contains “penid-configuration”.
As a matter of fact, the field used in nextcloud is called “Discovery endpoint”, which really asks for the first URL, and not the second.
This is the first change I had to make: until I used the JSON URL, I would get errors like “invalid request”, “No Bearer token” or “Could not reach the provider at URL…”.
That one was a lot easier. The default configuration in Nextcloud doesn’t define any scope, which raises this error in the Keycloak logs:
keycloak_1 | 16:51:14,018 ERROR [org.keycloak.services] (default task-51) KC-SERVICES0093: Invalid parameter value for: scope
The fix is easy. In the Nextcloud “OpenID Connect” configuration, edit the (Keycloak) provider and add this to the “Scope” field: “openid email profile”. This is the suggested value, but the field stays empty until you explicitly configure it.
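The two fixes above (paste the discovery document URL, not the authorization endpoint, and never leave the scope empty) are easy to sanity-check before touching the Nextcloud UI. The script below is an added example written for this post; it is not code from Nextcloud, the OpenID Connect app, or Keycloak. The hostname sso.example.invalid and the realm name myrealm are placeholders, and the discovery document is a constructed sample shaped like Keycloak’s (trimmed to the fields the checks use). In a real deployment you would fetch the document with curl from your own realm URL and feed it to the same functions.

```python
"""Sanity-check an OpenID Connect provider configuration before entering it
into Nextcloud's "OpenID Connect" app.

Added example; not code from Nextcloud, the OIDC app, or Keycloak.
Hostname and realm below are placeholders; the discovery document is a
constructed sample shaped like Keycloak's, trimmed to the fields used here.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Endpoints the OIDC authorization-code flow needs to find in the discovery document.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: a Keycloak-style discovery document for a placeholder realm.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://sso.example.invalid/realms/myrealm",
    "authorization_endpoint": "https://sso.example.invalid/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.invalid/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://sso.example.invalid/realms/myrealm/protocol/openid-connect/userinfo",
    "jwks_uri": "https://sso.example.invalid/realms/myrealm/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile", "roles", "offline_access"],
})


def classify_url(url: str) -> str:
    """Tell a discovery URL apart from an authorization endpoint.

    Nextcloud's "Discovery endpoint" field wants the JSON document URL, which
    ends in /.well-known/openid-configuration. Pasting the authorization
    endpoint found inside that JSON gives the "Could not reach the provider"
    style errors described in the post.
    """
    path = urlparse(url).path
    if path.endswith(DISCOVERY_SUFFIX):
        return "discovery"
    # Keycloak's authorization endpoint path; other providers differ.
    if path.endswith("/protocol/openid-connect/auth"):
        return "authorization"
    return "unknown"


def check_discovery_doc(doc_json: str) -> list:
    """Return a list of problems found in a discovery document (empty means OK)."""
    problems = []
    try:
        doc = json.loads(doc_json)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc}"]
    # The issuer is what ID tokens are validated against; it must be https.
    if urlparse(doc.get("issuer", "")).scheme != "https":
        problems.append("issuer is not an https URL")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
    return problems


def check_scope(scope_field: str, doc_json: str) -> list:
    """Validate the Nextcloud "Scope" field against the provider.

    An empty field is what triggers Keycloak's "Invalid parameter value for:
    scope"; OIDC additionally requires the 'openid' scope. Any requested scope
    the provider does not advertise in scopes_supported is flagged as well.
    """
    requested = scope_field.split()
    if not requested:
        return ["scope field is empty"]
    problems = []
    if "openid" not in requested:
        problems.append("scope does not include 'openid'")
    supported = set(json.loads(doc_json).get("scopes_supported", []))
    for scope in requested:
        if supported and scope not in supported:
            problems.append(f"scope '{scope}' not advertised by provider")
    return problems


if __name__ == "__main__":
    disc = "https://sso.example.invalid/realms/myrealm/.well-known/openid-configuration"
    auth = "https://sso.example.invalid/realms/myrealm/protocol/openid-connect/auth"
    print("discovery URL ->", classify_url(disc))
    print("authorization URL ->", classify_url(auth))
    print("document problems:", check_discovery_doc(SAMPLE_DISCOVERY_DOC))
    print("empty scope:", check_scope("", SAMPLE_DISCOVERY_DOC))
    print("suggested scope:", check_scope("openid email profile", SAMPLE_DISCOVERY_DOC))
```

Running it against your own realm means replacing the placeholder URL, fetching the document (for example with curl) and passing its text to check_discovery_doc and check_scope; an empty list from both is the state Nextcloud expects before you save the provider.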
The plugin seems to work. Don’t get me wrong: even if I’m angry at how long/difficult it was to configure this, I’m using it, in production.
But it definitely lacks documentation. The blog entry is ambiguous, and it isn’t enough to properly configure the plugin/application. Also, the screenshots are from an older version of Nextcloud, which adds to the confusion.
Unrelated to this specific plugin, there are several (currently 3) applications providing this service. It’s far from obvious which one is “official”. And one (“by Gluu”) is actually a very dubious way to make you pay for something that doesn’t require payment.