Skip to main content

Configure Nextcloud to Use Keycloak for User Authentication

Prerequisites: Ensure that Keycloak is deployed and configured as described in Keycloak Server Deployment and Keycloak Configuration, and that Nextcloud is installed and accessible.

This guide explains how to integrate Nextcloud with Keycloak using OpenID Connect, so LDAP users can authenticate through Keycloak and access Nextcloud with Single Sign-On (SSO).

1. Create a Keycloak Client for Nextcloud

  1. Log in to the Keycloak admin console as the admin user and select the example-sso realm.

  2. From the left-hand menu, choose Clients.

  3. Click Create client and configure the following values:

    • Client ID: nextcloud
    • Client Protocol: openid-connect
    • Client Authentication: On
    • Standard Flow Enabled: On
    • Direct Access Grants Enabled: Off
    • Service Accounts Enabled: Off
  4. Save the client.

Add Nextcloud Client

  1. In the client configuration, set the valid redirect URI to the URL shown by Nextcloud Social Login, for example:

    https://collab.example.com/apps/sociallogin/custom/provider/nextcloud/callback
  2. Go to the Credentials tab and copy the Client Secret for later.

Copy Credentials

2. Create a Nextcloud Client Scope

  1. In Keycloak, click Client scopes from the left-hand menu.

  2. Click Create client scope and enter:

    • Name: nextcloud-dedicated
    • Protocol: openid-connect
  3. Save the client scope.

  4. Select the new scope and open the Mappers tab. Add these mappers:

  • Name: email

  • Mapper Type: User Property

  • Token Claim Name: preferred_username

  • Claim JSON Type: String

  • Name: username

  • Mapper Type: User Property

  • Token Claim Name: email

  • Claim JSON Type: String

  • Name: name

  • Mapper Type: User Property

  • Token Claim Name: name

  • Claim JSON Type: String

  • Name: client roles

  • Mapper Type: User Client Role

  • Token Claim Name: resource_access.${client_id}.roles

  • Claim JSON Type: String

  • Client ID: nextcloud

Add Mapper

  1. Edit the nextcloud client and add nextcloud-dedicated to the Client scopes section.

3. Configure Nextcloud to Use Keycloak

  1. Log in to Nextcloud as an administrator and go to Apps.

  2. Install the Social Login app if it is not already enabled.

    Add App

  3. Open Settings > Social Login.

  4. Add a new provider for Keycloak with the following values:

    • Provider Name: Keycloak
    • Discovery URL: https://keycloak.example.com/realms/example-sso/.well-known/openid-configuration
    • Client ID: nextcloud
    • Client Secret: (paste the secret from Keycloak)
    • Scopes: openid email profile
    • Username Attribute: preferred_username
    • Email Attribute: email
    • Name Attribute: name
  5. Save the provider configuration.

    Add Social Settings Add Social Settings users

4. Verify User Login

  1. Visit the Nextcloud login page at https://collab.example.com/.

  2. Confirm the Login with SSO button is visible.

    SSO Login Button

  3. Click the button and sign in with an LDAP user account from Keycloak (for example, mailuser).

  4. After successful authentication, you should be redirected back to Nextcloud and signed in as the selected user.

5. Troubleshooting

  • If login fails, verify the Keycloak redirect URI matches the Nextcloud callback URL exactly.
  • Ensure the Keycloak client has Client authentication enabled and the client secret is correct.
  • Confirm that the openid, email, and profile scopes are included in the provider settings.
  • Check the Keycloak client and user mappings for email and preferred_username values.