Nextcloud Part 3 - Single Sign-On with Keycloak
I started with a guide I found on integrating Keycloak with Nextcloak with OpenID Connect (OID). I will want to open the OpenID Endpoint configuration page from the Keycloak Administration page so it’s handy to reference.
Keycloak Client Configuration
Under Clients, Create a new client:
- Client ID - nextcloud
- Client Protocol - openid-connect
- Root URL: https://nextcloud.domain.tld
On the settings page:
- Access type - confidential
- Root URL - https://nextcloud.domain.tld
- Valid Redirect URIs - http://nextcloud.domain.tld/* and https://nextcloud.domain.tld/*
- Web Origins - +
On the roles tab, add a new role named “admin”.
On the mapper tab, I create a new Mapper:
- Name - role
- Mapper Type - User Client Role
- Client Id - nextcloud
- Token Claim Name - nextcloud-roles
- Claim JSON Type - String
Now, I go to a user into the Role Mappings and select the next nextcloud client and assign the admin role. Verify it was accepted by going back to clients > nextcloud > Client Scopes > Evaluate, selecting the user, then viewing the Generated Access Token.
One last thing to do in Keycloak. I go to the Credentials tab on the Installation tab (select Keycloak OIDC JSON format) to get the client secret which will be needed to configure Nextcloud for logins.
To use OpenID Connect (OIDC), I enabled the Social Login app which enabled a new section in the Settings app to configure it. The OpenID Connect claims to be a fork of Social Login, but there was no section in the Settings app and it appears that it needs to be configured by modifying the config.php.
Here are the settings I used for Social Login:
- Disable auto create new users - unchecked (only users I create in Keycloak will be allowed to login and I should haven’t to create a Nextcloud account for them)
- Create users with disabled account - unchecked
- Allow users to connect social logins with their account - unchecked (there are no existing users)
- Prevent create an account if the email address exists in another account - checked
- Update user profile on every login - check (user changes in Keycloak propogate on next login)
- Donot prune not available user groups on login - unchecked (propogate Keycloak changes on next login)
- Automatically create groups if they exist - unchecked (will manually map groups in connector settings so there isn’t a keycloak prefix added to the groups)
- Restrict login for users without mapped groups - unchecked (all users should have access even if they aren’t in a group)
- Disable notify admins about new users - unchecked (yes, I want to know)
Be sure to save (there is no warning if you don’t).
Now to add a new Custom OpenID Connect:
- Internal name - keycloak
- Title - Keycloak SSO
- Authorize url - <authorization_endpoint> from the realm OpenID Configuration page
- Token URL - <token_endpoint> from the realm OpenID Configuration page
- User info URL - <userinfo_endpoint> from the realm OpenID Configuration page
- Logout URL - <end_session_endpoint> from the realm OpenID Configuration page
- Client Id - nextcloud
- Client Secret - from the client Credentials page from the Installation tab (Keycloak OIDC JSON)
- Scope - openid
- Groups claim - nextcloud-roles
Then map roles as needed.
Success! I was able to open a new private browser window and go to https://nextcloud.domain.tld, login to Keycloak, put in OTP code, and go back to Nextcloud.
UPDATE: I had to make a couple of changes to the /var/www/data/config/config.php for Nextcloud to make it aware that it’s actually behind a reverse proxy which handles HTTPS. These need to be added or updated in the $CONFIG array.
'overwriteprotocol' => 'https', 'overwrite.cli.url' => 'https://nextcloud.domain.tld',
UPDATE 2: I didn’t like the way the Social Login app created users names using the internal name of the OpenID Connector and the UUID of the users (e.g. keycloak-oid-ebf34-344f-443d-78ed). I originally tried the OpenID Connect app and it didn’t work, but I don’t think the Keycloak configuration was quite correct. Instead, I followed the instructions on the nextcloud-oidc-login Github repository which included how to how to use it with Keycloak. Unfortunately, I lost the ability to specify roles in Keycloak, but I gained the ability to define the quota and use the same username as Keycloak’s user entry.
I had to modify the Nextcloud config.php to add:
allow_user_to_change_display_name' => false, 'lost_password_link' => 'disabled', 'oidc_login_provider_url' => 'https://sso.domain.tld/auth/realms/domain', 'oidc_login_disable_registration' => false, 'oidc_login_client_id' => 'nextcloud', 'oidc_login_client_secret' => '<secret from installation JSON>', 'oidc_login_auto_redirect' => false, 'oidc_login_redir_fallback' => true, 'oidc_login_logout_url' => 'https://sso.domain.tld/auth/realms/domain/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fnextcloud.domain.tld%2F', 'oidc_login_default_quota' => '100000000000', 'oidc_login_button_text' => 'Log in with Keycloak (OIDC)', 'oidc_login_attributes' => array( 'id' => 'preferred_username', 'mail' => 'email', 'name' => 'name', 'mail' => 'mail', 'quota' => 'ownCloudQuota', 'home' => 'homeDirectory', ), // If you are running Nextcloud behind a reverse proxy, make sure this is set 'overwriteprotocol' => 'https', // Set OpenID Connect scope 'oidc_login_scope' => 'openid profile', Then also: * Add a Mapper to the Nextcloud OIDC Client * Set Mapper Type to user attribute * Set Name, User Attribute, and Token Claim Name to ownCloudQuota * Set Claim JSON Type as string. * Add a User Attribute to necessary user accounts in Keycloak * Set Key as ownCloudQuota and Value to your preferred limit * Remove the role Mapper and Client role created earlier as the OIDC Login app does not support them. Groups will be managed within Nextcloud.