We’re running an enterprise deployment of Nextcloud 31.0.4 integrated with Keycloak (OIDC) for Single Sign-On (SSO). While SSO login works perfectly, Nextcloud does not log users out when their Keycloak session expires. This creates a compliance and security risk, as users can continue accessing Nextcloud even after their central session is invalid.
Current Setup:
- user_oidc app (v7.2.0) is active
- oidc_login is installed but not enabled
- Keycloak is the sole identity provider (SSO realm)
- config.php includes:
    'user_oidc' => [
        'oidc_provider_bearer_validation' => true,
        'logout_url' => 'https:///realms//protocol/openid-connect/logout',
        …
    ],
Observations:
- Logging in via Keycloak works
- Logging out from Keycloak or session expiry in Keycloak does not log the user out from Nextcloud
- Verified that oidc_provider_bearer_validation is active
- No command like user_oidc:debug exists to verify access token storage
- Session persists in Nextcloud until manual logout or PHP session expiry
Business Concern:
We are required to enforce centralized session management across apps like Nextcloud, OpenWebUI, and Scalenow AI — all federated under Keycloak. Without token revalidation, Nextcloud sessions become detached from central identity, breaking our compliance model (e.g., ISO 27001, GDPR session control).
Request for Guidance:
- Does the user_oidc app (v7.2.0) support active token revalidation during session?
- If not, is there a roadmap or workaround to enforce logout on Keycloak session expiry?
- Are there best practices for integrating external session validation via reverse proxy or middleware?
Happy to share more details or test recommended changes. Appreciate any guidance from those who’ve tackled this!
Why This Matters:
We’re operating in a regulated enterprise environment where centralized session control is mandatory for compliance (e.g., ISO 27001, GDPR). Apps like Nextcloud, OpenWebUI, and other internal tools all rely on Keycloak. If one system maintains a stale session, it creates a security and audit gap.
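The two checks a session-validation middleware in front of Nextcloud would have to make are (a) accept an OIDC back-channel logout token from Keycloak and (b) revalidate the stored token on each request, ending the local session when the provider reports it inactive or expired. The block below is an added, standard-library Python illustration of those two decisions; it is not part of the user_oidc app or the original post. The issuer URL and client id are constructed placeholders, the sample JWT is unsigned and constructed for offline use, and signature verification against the provider's JWKS is assumed to happen before these checks.

```python
import base64
import json

# Event URI that marks a back-channel logout token (OIDC Back-Channel Logout 1.0, section 2.4).
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_logout_token(token: str, issuer: str, client_id: str, now: float, max_age: int = 300) -> dict:
    """Return the claims of a back-channel logout token after validating them.

    Signature verification against the provider's JWKS is assumed to have been
    done by the caller; this function only applies the claim rules of the spec.
    """
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if not (isinstance(claims.get("iat"), (int, float)) and now - max_age <= claims["iat"] <= now + 60):
        raise ValueError("iat missing or outside the accepted window")
    if not claims.get("jti"):
        raise ValueError("jti missing (needed for replay detection)")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("not a back-channel logout event")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    return claims


def session_should_end(session: dict, introspection: dict, revoked_sids: set, now: float):
    """Reason a local session must be terminated, or None if it may continue.

    `introspection` is the provider's RFC 7662 token-introspection response
    for the session's stored token; `revoked_sids` holds sids from logout tokens.
    """
    if session.get("sid") in revoked_sids:
        return "backchannel-logout"
    if not introspection.get("active", False):
        return "token-inactive"  # provider no longer considers the token valid
    if introspection.get("exp", 0) <= now:
        return "token-expired"
    return None


def constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for offline testing (not a real Keycloak token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "kid": "constructed"}), enc(claims), "constructed-signature"])
```

Keycloak sends the logout token to the client's registered back-channel logout URL; the middleware would collect the validated `sid` into `revoked_sids` and consult it, together with an introspection result, on each request it forwards.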