At the moment my integration is not completed… I found this guide very useful:
it uses an official user_oidc app. At first glance it sounds a little limited, but it does exactly what I need - a user from KC can log in whether they exist or not in NC… it works well so far as I see… but I still need to do some fine-tuning to assign specific user attributes, groups etc…
I tested and decided not to use:
the more powerful and mature sociallogin, because the maintainer refuses to implement OIDC login for existing Nextcloud users, and
Thanks a lot. I am trying this procedure and will be back here. Does this work if a user exists in NC but not in Keycloak? Are they able to log in, with the same files, emails and things configured in Nextcloud?
OIDC login is an additional login method… (I think, but I'm unsure) you can configure NC to auto-redirect to KC or keep it a manual step in the login dialog… from the administration point of view I would try to avoid duplicate user management and add all NC users to KC.
The error message is pretty clear. Check firewall, reverse proxy etc. Most likely your NC is routing traffic in a different way and for this reason it can’t reach KC… run curl https://sso.mydomain.com:8443/realms/myrealmname/protocol/openid-connect/auth (add -v or -vv if needed) which might provide better insight into the problem…
If both your Nextcloud and Keycloak servers share the same NAT router, your Nextcloud server may be connecting to your router’s web interface by accident - see also “hairpin NAT” and “split horizon DNS” for why this might be and how to fix it in general.
Try adding KC_LAN_IP sso.mydomain.cloud to the end of the /etc/hosts file on your Nextcloud server. Replace “KC_LAN_IP” with the local IP of your Keycloak server, or if you’ve set up a reverse proxy handling SSL for it, the local IP of that reverse proxy.
As an aside, is there a reason you tagged me in your post? I don’t know that we’ve interacted before, and I’ve not previously posted anything about Keycloak that I recall.
Yes, I have tagged you because you have posted about Keycloak, so I assumed that you have experience with this stuff.
In our case, it’s a VPS on a direct public IP. The A record is defined in the DNS settings of the hosting panel. No NAT, direct access to the internet. Do you think we still require an entry in /etc/hosts with our VPS’s public IP?
I guess the question is: are Nextcloud and Keycloak both using the same public IP, or do they each have their own A record pointing to separate public IPs? If they’re both using the same IP, then you probably will need to find another address that they can use to communicate with each other. I would try running ifconfig or ip address show on each to see if they share a LAN subnet.
You can verify whether this is a NAT problem by adding the -k (allow insecure connections) flag to that curl command, and seeing what comes back:
If the response looks like what you’d expect Keycloak to send, then probably you don’t need anything in the hosts file after all - it’ll be some SSL/TLS error such as mismatched versions or an untrusted CA.
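Added example (not from the thread): a small POSIX sh helper that runs the curl check from the two posts above, once strictly and once with -k, and turns the pair of results into the verdicts discussed (DNS, network/NAT, TLS trust). The base URL and realm name are placeholders taken from the thread; the discovery path is the standard OIDC one.

```shell
#!/bin/sh
# Diagnostic helper (added example, not from the thread). Runs the curl check
# from the posts above twice, strictly and with -k, and interprets the pair.
# Assumed placeholder base URL: https://sso.mydomain.com:8443/realms/myrealmname

# Map a curl exit code onto the failure class that matters for the diagnosis.
classify_exit() {
  case "$1" in
    0)  echo ok ;;
    6)  echo dns ;;      # could not resolve host
    7)  echo connect ;;  # refused or filtered TCP connection (firewall, hairpin NAT)
    28) echo timeout ;;
    35|51|53|58|59|60|77) echo tls ;;  # handshake, certificate, CA or version problem
    *)  echo other ;;
  esac
}

# $1 = strict curl exit code, $2 = curl -k exit code, $3 = HTTP status seen with -k.
# Prints a one-word verdict so callers can branch on it.
diagnose() {
  strict=$(classify_exit "$1")
  insecure=$(classify_exit "$2")
  if [ "$strict" = ok ]; then
    echo reachable          # Keycloak answers over a trusted TLS connection
  elif [ "$strict" = tls ] && [ "$insecure" = ok ] && [ "$3" != 000 ]; then
    echo tls-trust          # host reachable; fix CA chain / TLS version, not routing
  elif [ "$strict" = dns ]; then
    echo dns                # name resolution: /etc/hosts or local DNS entry needed
  elif [ "$strict" = connect ] || [ "$strict" = timeout ]; then
    echo network            # no TCP path: firewall, reverse proxy, or NAT loop
  else
    echo unclear
  fi
}

# Probe the realm's standard OIDC discovery document and print the verdict.
# Usage: probe_keycloak https://sso.mydomain.com:8443/realms/myrealmname
probe_keycloak() {
  url="$1/.well-known/openid-configuration"
  curl -sS --max-time 10 -o /dev/null "$url" >/dev/null 2>&1
  strict_rc=$?
  status=$(curl -sS -k --max-time 10 -o /dev/null -w '%{http_code}' "$url" 2>/dev/null)
  insecure_rc=$?
  printf '%s -> %s (strict rc=%s, -k rc=%s, http=%s)\n' \
    "$url" "$(diagnose "$strict_rc" "$insecure_rc" "$status")" \
    "$strict_rc" "$insecure_rc" "$status"
}
```

Run probe_keycloak from the Nextcloud host: a tls-trust verdict means the hosts-file workaround is not needed and the certificate chain or TLS settings are the problem, while network or dns points back at routing and name resolution.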
Both Nextcloud and Keycloak are on separate VPSs with different public IP addresses and different A records: mydomain.com is pointing to Nextcloud’s public IP1 and sso.mydomain.com is pointing to Keycloak’s public IP2.
I’m sorry, I have no idea, but I have the feeling you might have some issues with your reverse proxy: the config might be too complex and something doesn’t match well. I see you are referring to different ports, which might not be consistent:
In my installation I run both NC and KC with plain HTTP and only have TLS/Let’s Encrypt on my reverse proxy (traefik).
This might or might not be the reason for your issue, but my config looks easier to me.
Additional hint - I use a local DNS server which points the public FQDNs nc.mydomain.tld and keycloak.mydomain.tld to local IP addresses and avoids a loop through the internet, which can add additional issues (like rebind protection).
but I was reading a lot about Nextcloud, OIDC and Keycloak, so it was not hard to perform the basic setup and integration (the hardest part in terms of Nextcloud was to discover that the two most common OIDC apps in Nextcloud are not good for me - so I installed all 3 alternatives before deciding to continue with the official user_oidc). Now finding out the best way to manage Nextcloud users from Keycloak, and which attributes, roles etc. I can manage on KC, is the hardest part of the journey for me…