Nextcloud groups mapping via keycloak


Im trying to use nextcloud with openid-connect via keycloak.

The overall configuration works and the login with keycloak users are working.
But i can’t map any groups (for example “admin”) from keycloak to nextcloud.

I searched for solutions and every blog/site mostly is doing the same settings as me, but still doens’t want to work…

My configuration for nextcloud 28.0.5

Social Login App:

Title: keycloak
Authorize url: keycloakserverurl/realms/realmname/protocol/openid-connect/auth
Token url: keycloakserverurl/realms/realmname/protocol/openid-connect/token
User info url: keycloakserverurl/realms/realmname/protocol/openid-connect/userinfo
Logout url: keycloakserverurl/realms/realmname/protocol/openid-connect/logout
Client ID: nextcloud
Client Secret: MyClientSecret
Scope: openid
Groups claim: nextcloud-roles

My Keycloak configuration:

client-ID: nextcloud
Root URL: mynextcloudserverurl
Valid redirect URLs: mynextcloudserverurl/*
Web Origins: mynextcloudserverurl

Client authentication ON
Authentication flow:

  • Standard flow ON
  • Direct access grants ON
  • Implicit flow ON

Clients → Client details → roles → “admin” (for the admin group)

Clients → Client details → Client scopes → “nextcloud-dedicted” → add prefdefined mappers

Mapper type: User Client Role
Name: client roles
Client-ID: nextcloud
Token Claim Name: nextcloud-roles
Claim JSON Type: String
Add to ID token ON
Add to access token ON
Add to userinfo ON
Add to token ON

Full Scope allowed OFF

Created a Group “Nextcloud_Admins” with the client role “admin” from nextcloud.
Put a user in the group.

Login works, but no group mapping happens.

Also if i do the evaluate test for the nextcloud client in keycloak im getting following under “Generated acces token”

  "resource_access": {
    "nextcloud": {
      "roles": [

What am I doing wrong or did I missed a settings?

please review " Add group mapping" in Janik von Rotz - OpenID Connect with Nextcloud and Keycloak

BTW: Keycloak looses all login session when server restarts - a cluster build from multiple servers required for “production” setup. For this reason I stopped using it in favor of authentik or Zitadel.

Thanks for your reply!

I got the solution by my own this morning after i checked all my configuration again and saw this “Add group mapping” option and then tried it…

I just was blind - sorry.

I’m just using keycloak for my homelab - Just to try it out and kinda try to understand how it works. Thanks for the hint! :slight_smile:

Best greetings

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.