November 14, 2022

System Administration

Nextcloud and Keycloak integration

by orzel
Categories: Admin

I want to use a Keycloak instance (an SSO provider) to authenticate users on a Nextcloud application.

Since version 19, Nextcloud has an “official” plugin for connecting to an OpenID Connect server (OpenID Connect being one of several SSO protocols). The plugin is called “OpenID Connect user backend” (official plugin, github).

The only documentation they provide is this blog entry. It even uses the same provider as I do (Keycloak) as its example. Unfortunately, it doesn’t work “as is”.

This is what I had to change to make it work. For the record, this is using Nextcloud version 25.

Discovery endpoint

Keycloak provides a JSON document called “OpenID Endpoint Configuration”, whose URL looks like https://<keycloakserver>/auth/realms/xxx/.well-known/openid-configuration

The blog explicitly says not to use this URL, but instead one found inside the JSON, labelled “authorization endpoint”, with a URL that looks like https://<keycloakserver>/auth/realms/xxx/protocol/openid-connect/auth

BUT, in a later screenshot, where Nextcloud is actually being configured, you can see that the URL the author uses contains “penid-configuration”.

As a matter of fact, the field used in Nextcloud is called “Discovery endpoint”, which really asks for the first URL (the discovery document), not the second (an endpoint listed inside it).

This is the first change I had to make: until I used the JSON URL, I would get errors like “invalid request”, “No Bearer token” or “Could not reach the provider at URL…”.

Scopes

That one was a lot easier. The default configuration in Nextcloud doesn’t define any scope. That raises errors like this one (in the Keycloak logs):

keycloak_1       | 16:51:14,018 ERROR [org.keycloak.services] (default task-51) KC-SERVICES0093: Invalid parameter value for: scope

The fix is easy. In the Nextcloud “OpenID Connect” configuration, edit the (Keycloak) provider and add this to the “Scope” field: “openid email profile”. This is what the blog suggests, but the field stays empty until you explicitly configure it.
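As an added pre-flight check (not part of this post, nor of the Nextcloud plugin or Keycloak), the Python below takes the URL and the scope string you intend to enter in the two Nextcloud fields and reports the mistakes described in both sections above. It runs against a constructed Keycloak-style discovery document; the hostname and realm name are placeholders.

```python
import json
from urllib.parse import urlsplit

# Fields an OpenID Connect discovery document must carry for a client such as
# Nextcloud's "OpenID Connect user backend" to locate the provider's endpoints.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Scopes the post says to enter in the Nextcloud "Scope" field.
WANTED_SCOPES = ("openid", "email", "profile")

# Constructed sample in the shape of Keycloak's openid-configuration document,
# trimmed to the fields checked below. Hostname and realm name are placeholders.
BASE = "https://keycloak.example.invalid/auth/realms/xxx"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile", "roles"],
})


def is_discovery_url(url: str) -> bool:
    """True for the discovery document URL, False for an endpoint found inside it."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.path.endswith("/.well-known/openid-configuration")


def check_provider_config(body: str, scope_field: str) -> list:
    """Return the problems found; an empty list means both fields look right."""
    try:
        doc = json.loads(body)
    except ValueError:
        # An endpoint pasted instead of the discovery document does not serve this JSON.
        return ["response is not JSON; paste the .well-known URL, not an endpoint inside it"]
    problems = [f"discovery document lacks '{k}'" for k in REQUIRED_KEYS if k not in doc]
    requested = scope_field.split()
    if not requested:
        # Nextcloud's default; Keycloak answers "Invalid parameter value for: scope".
        problems.append("Scope field is empty; enter at least 'openid email profile'")
    elif "openid" not in requested:
        problems.append("Scope field must include 'openid' for an OpenID Connect login")
    for scope in WANTED_SCOPES:
        if requested and scope not in requested:
            problems.append(f"Scope field does not include '{scope}'")
    supported = set(doc.get("scopes_supported", []))
    for scope in requested:
        if supported and scope not in supported:
            problems.append(f"provider does not advertise scope '{scope}'")
    return problems


if __name__ == "__main__":
    print(is_discovery_url(BASE + "/.well-known/openid-configuration"))  # True
    print(check_provider_config(SAMPLE_DISCOVERY, "openid email profile"))  # []
```

Against a live Keycloak, fetch the discovery URL with any HTTP client and pass the response body as `body`.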

Conclusion

The plugin seems to work. Don’t get me wrong: even if I’m angry at how long/difficult it was to configure this, I’m using it, in production.

But it definitely lacks documentation. The blog entry is ambiguous, and it does not let you properly configure the plugin/application. Also, the screenshots are from an older version of Nextcloud, which adds to the confusion.

Unrelated to this specific plugin, there are several (currently 3) applications providing this service. It’s far from obvious which one is “official”. And one (“by Gluu”) is actually a very dubious way to make you pay for something that doesn’t require payment.
