Nextcloud and Keycloak : how to keep old users

Hello !

I have an existing Nextcloud server for a customer (~30 users).
He asks me to add the Matrix/Element app to it.

I install it (server/client/app) and everything is OK… but users do not have the same credentials.

So I install a Keycloak server and create realms for Nextcloud & Element.

That works for a new user who has their account on Keycloak…

But my question is: what to do with existing users on Nextcloud?
Should I export user info and create new Keycloak accounts?
Is there any tool/app to do this in a simple way?

Thanks for reading 🙂

Please use search and follow relevant tags, e.g. keycloak, and you will find very similar questions, e.g. "How do I map existing users to Keycloak?"

Hello.
I already saw it; I will try to check with user_oidc.

Well, I can connect with my local user with classic authentication… but they are not linked into Keycloak. Do you know how to do it?

Hmmm, is this linked to this: https://github.com/nextcloud/user_oidc#auto-provisioning ?

What did you try so far, and where did you fail?

Hello,

Thanks for your support.
So I have a user on Nextcloud: test_user

What I expect :

  • the Nextcloud user is copied/moved/transferred to Keycloak when using the user_oidc connection, in order to use it with another application (Element).

Can you tell me if it is possible with this in the config.php:

'user_oidc' => [
    'auto_provision' => true, // default: true
    'soft_auto_provision' => true, // default: true
],

?

This works the other way round. NC can trust some other entity (the Keycloak IdP) to prove the identity of some user in a right… There is no "copy" of user objects from an application to an IdP. And once the IdP authenticates the user, NC could act in two ways:

  • create a new user using unique attributes provided by the IdP (which is the safest method to avoid access to existing data by the wrong user)
  • or connect the user object from the IdP using some attribute "mapping" to know that the IdP user belongs to an existing local user. This is done by providing an IdP attribute which exactly matches the user ID of the Nextcloud user. The settings are very clearly mentioned in the above topic.
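As an added illustration (not code from this thread or from the user_oidc app), here is a small Python model of the two paths described above: link the login to an existing Nextcloud account only when the mapped IdP attribute exactly matches the local user ID, otherwise create a fresh account or refuse. The function name, the claim names and the sample users are assumptions made for the example.

```python
# Added example: models how an OIDC login is matched to a Nextcloud account.
# It is NOT the user_oidc implementation; names and sample data are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    action: str               # "link", "create" or "deny"
    user_id: Optional[str]    # the Nextcloud user ID the login ends up on


def resolve_login(claims, mapping_attr, local_users,
                  auto_provision=True, soft_auto_provision=True):
    """Decide what to do with a user that the IdP has just authenticated.

    claims             : ID-token claims as Keycloak would return them (constructed)
    mapping_attr       : the claim configured as Nextcloud's user ID attribute
    local_users        : set of user IDs that already exist in Nextcloud
    auto_provision     : may a new local account be created on first login?
    soft_auto_provision: may an existing local account be reused on exact match?
    """
    uid = claims.get(mapping_attr)
    if not uid:
        return Outcome("deny", None)       # no usable identifier in the token
    if uid in local_users:                 # exact match on the Nextcloud user ID
        if soft_auto_provision:
            return Outcome("link", uid)    # reuse the account and its existing data
        return Outcome("deny", uid)        # ID is taken but linking is disabled
    if auto_provision:
        return Outcome("create", uid)      # fresh account, no pre-existing data exposed
    return Outcome("deny", uid)            # unknown user and creation disabled


# Constructed sample: one pre-existing local user, one Keycloak token.
LOCAL_USERS = {"test_user", "alice"}
TOKEN = {"sub": "3f2c-kc-internal-id", "preferred_username": "test_user"}
```

Mapping the "preferred_username" claim links the login to test_user, while mapping the opaque "sub" claim never matches a local ID and therefore creates a separate account.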

OK, so as I understand it, in any case the user has to be created in Keycloak manually. Can you confirm?

Keycloak is the source of truth in such a scenario. Yes, the user must come from KC.


Thanks a lot for your time.
I will work on it.
