Nextcloud and Keycloak integration

Hi

I have just installed keycloak. Now i want to configure it with NC as a SSO. But I don’t know how to configure keycloak in nextcloud?

I tried to follow this procedure, but many options described in procedure i could not found like Access type, Mapper etc in Keycloak.

I have keycloak 19 installed. Please advice simple procedure

@bb77 @golag @Erlend_Braekken @stevesobol @Blubbman @mactrent

At the moment my integration is not completed… I found this guide very useful:

it uses an official user_oidc app. At first glance it sounds little limited but it does exactly what I need - user from KC can login whether they exist or not in NC… it works well so far I see… but I still need to some fine-tuning to assign specific user attributes, groups etc…

I tested and decided not to use:

1 Like

Hi

Thanks a lot. I am trying this procedure and will be back here. Is this work if a user exist in NC but not in keyloak, are they able to login? with their same files emails and things configured in nextcloud?

OIDC login is an additional login method… (I think but unsure) you can configure NC to auto-redirect to KC or keep it a manual step in the login dialog… from the administration point of view I would try to avoid duplicate user management and add all NC users to KC.

1 Like

Hi

can you please guide for this error?

user_oidc Could not reach provider at URL
https://sso.mydomain.com:8443/realms/myrealmname/protocol/openid-connect/auth

The error message is pretty clear. check firewall, reverse proxy etc. most likely your NC is routing traffic in a different way and and for this reason it can’t reach KC… run curl https://sso.mydomain.com:8443/realms/myrealmname/protocol/openid-connect/auth (add -v or -vv if needed) which might provide better insight into the problem…

1 Like

curl https://sso.mydomain.cloud:8443/realms/myrealmname/protocol/openid-connect/auth

curl: (60) SSL certificate problem: unable to get local issuer certificate

But ssl is working for keycloak webadmin page

image

I have generated certificate using letsencrypt and provide certificates paths in keycloak.conf

please suggest

If both your Nextcloud and Keycloak servers share the same NAT router, your Nextcloud server may be connecting to your router’s web interface by accident - see also “hairpin NAT” and “split horizon DNS” for why this might be and how to fix it in general.
Try adding KC_LAN_IP sso.mydomain.cloud to the end of the /etc/hosts file on your Nextcloud server. Replace “KC_LAN_IP” with the local IP of your Keycloak server, or if you’ve set up a reverse proxy handling SSL for it, the local IP of that reverse proxy.

As an aside, is there a reason you tagged me in your post? I don’t know that we’ve interacted before, and I’ve not previously posted anything about Keycloak that I recall.

Thank you for your reply @mactrent .

Yes i have tagged you because you have posted about keycloak so i assumed that you have experience on these stuff.

In our case, its a VPS on a direct public IP. A record in defined DNS settings of hosting panel. No NAT direct access to internet. Do you think still we require entry in /etc/hosts with public our VPS public IP?

I guess the question is: are Nextcloud and Keycloak both using the same public IP, or do they each have their own A record pointing to separate public IPs? If they’re both using the same IP, then you probably will need to find another address that they can use to communicate to each-other. I would try running ifconfig or ip address show on each to see if they share a LAN subnet.

You can verify whether this is a NAT problem by adding the -k (allow insecure connections) flag to that curl command, and seeing what comes back:

curl -k https://sso.mydomain.cloud:8443/realms/myrealmname/protocol/openid-connect/auth

If the response looks like what you’d expect Keycloak to send, then probably you don’t need anything in the hosts file after all - it’ll be some SSL/TLS error such as mismatched versions or an untrusted CA.

Both Nextcloud and Keyecloak are on separat VPS with different Public IP Address with different A records : like mydomai.com is pointing to nextcloud Publics IP1 and sso.mydomain.com is pointing to keycloak Public IP2,

I will check curl reponse and will back here

Thank you for your instant response :smiling_face_with_three_hearts:

sounds like your NC server doesn’t trust the issuer certificate of the KC server.

Review this informative article - there are steps to analyze the problem, if it doesn’t help use you favorite search engine:

https://kb.vmware.com/s/article/78471

Hi

I have resolved SSL issue now i am getting this new error

Could not reach provider at URL https://sso.mydomain.cloud/realms/SSO/protocol/openid-connect/auth

Note: i have configured reverse proxy now,

curl https://sso.dcorp.cloud/realms/SSO/protocol/openid-connect/auth

would be great you describe the TLS problem and solution…

The curl output is the same for me… Nothing to say further, please review you settings, my OpenID config looks like this:

KC settings as described in the blog I referred initially…

SSL issue resolved as follows:

In conf folder of keycloak generated keystore as

keytool -genkeypair -alias sso.mydomain.com -keyalg RSA -keysize 2048 -validity 1825 -keystore server.keystore -dname “cn=sso.mydomain.cloud,o=Acme,c=GB” -keypass password -storepass password

in keycloak.conf, described only following lines

proxy=edge

http-enabled=true

http-port=8180

hostname=sso.mydomain.com

Then configure reverse proxy in apache with following config

VirtualHost *:80>
ServerName sso.mydomain.com

AllowEncodedSlashes NoDecode

ProxyPreserveHost On

RequestHeader set X-Forwarded-Proto “https”

RequestHeader set X-Forwarded-Port “443”

SSLProxyEngine on
ProxyPassReverse / https://127.0.0.1:8443/
ProxyPass / https://127.0.0.1:8443/
</VirtualHost
Then run certbot command to generate ssl certificate for my sso domain.

Then start keycloak as

./kc.sh start --https-key-store-password=password

This is my configuration at NC

When i click on SSO login i get this error on NC:

Could not the reach OpenID Connect provider

Could not reach provider at URLhttps://sso.mydomain.com/realms/SSO/protocol/openid-connect/auth

Error at keycloak

dolphinslairapps kc.sh[829823]: 2022-08-24 15:46:24,366 WARN [org.keycloak.events] (executor-thread-9) type=LOGIN_ERROR, realmId=62ac84de-b7f3-4823-a24e-bc5d4a1e9c5b, clientId=null, userId=null, ipAddress=IP, error=invalid_request

I’m sorry I have no idea but I have the feeling you might have some issues with your reverse proxy config might be too complex and something doesn’t match good. I see you are referring to different ports which might be not consistent:

In my installation I run both NC and KC with plain http and only have TLS/letencrypt on my reverse proxy (traefik)

this might or might not be the reason for your issue but my config looks easier for me

  • additional hint - I use local DNS server which point public fqdn nc.mydomain.tld and keycloak.mydomain.tld to local IP addresses and avoid a loop through the internet which can add additional issues (like rebind protection)

I guess need to review from scratch.

Can you please let me know procedure (link) for installing/hosting keycloak including database configure which you have followed?

my installation is based on docker containers and traefik reverse proxy so I can’t help with your system. I found this article series useful

https://keepgrowing.in/tools/keycloak-in-docker-1-how-to-run-keycloak-in-a-docker-container/

but I was reading a lot about Nextcloud, OIDC and Keycloak so it was not hard to perform basic setup and integration (the hardest part in terms of Nextcloud was to discover two most common OIDC apps in Nextcloud are not good for me - so I installed all 3 alternatives before decided to continue with the official user_oidc). Now finding out what is the best way to manage Nextcloud users from Keycloak which attributes, roles etc I can manage on KC is the hardest part of the jorney for me