Ask Question
« General Questions on Nuxeo

nuxeo authentication using keycloak

Hello,

I want to configure my Nuxeo in order to allow authentication using Keycloak. I started by configuring my Nuxeo with LDAP. The particularity of my LDAP is that I dont have “member” attribute in my group object, I have a custom attribute to get members dynamically (it contains an url which is the request to get the members). Nuxeo works fine witch this configuration and I succeeded to login in to my Nuxeo with different users of my LDAP and I am also able to get the groups of each user !

Now, I configured my Keycloak. I also used the same LDAP to configure Keycloak, and It was more diffucult than Nuxeo. Keycloak does not support dynamic members attribute, so I succeeded to import both users and groups to my Keycloak but separated.

Then, I wanted to configure Nuxeo in order to allow authentication using Keycloak. I used the documentation in github : https://github.com/nuxeo/nuxeo/tree/release-10.10/nuxeo-services/login/nuxeo-platform-login-keycloak But it doesn't work .. When I go to http://localhost:8080/nuxeo I am redirected to Keycloak login page, I enter my username and password and click ok, it redirect me back to nuxeo but an error page with no messages in logs ..

I want to ask you if you have any advice :

  • which version of Keycloak should I use with Nuxeo 10.10 ?
  • is there a hotfix fix to install to my Nuxeo ?
  • which version of tomcat adapter jars should I use ?
  • which branch of nuxeo-platform-login-keycloak should I build ? does maven version count ?
  • is there any special additional configuration in keycloak ?

Best Regards.

Ghazi HAKIM
Java Developer (1.2K)   1   5   8 		08/26/2020 ( History)
0 votes
1 answers
1996 views
ANSWER
ANSWERS

Hello,

  • I tried with version 10.0 some months ago and it worked for me
  • at least HF28 to benefit from the fix for https://jira.nuxeo.com/browse/NXP-29170 but you'll need a valid registration to use it. I've identified another bug with https://jira.nuxeo.com/browse/NXP-29355 which will also be fixed soon
  • we need to update the documentation for the keycloak installation, it will be part of https://jira.nuxeo.com/browse/NXP-29082 : you have to use the adapters for Tomcat 9 and you must remove the duplicated libraries which are already in $NUXEO/nxserver/ib or $NUXEO/lib
  • you have to build the branch 10.10 of nuxeo-platform-login-keycloak - the version 10.10 is available in maven but this version does not include the fix mentioned above
  • I tried to put the differences I found between the README.md from GitHub and what I had to do to make it work in https://jira.nuxeo.com/browse/NXP-29082

I hope it will help you

Thierry Martins
Support Manager (6.3K)   3   4   6 		09/01/2020 ( History)
1 votes
Ghazi HAKIM
Hello, Thank you for your answer. I will try it and let you know. I am getting this error when installing the hotfixes ?

Unable to fetch remote packages list: Connect server refused authentication (returned 401)

But I think the patch is successfully installed.

Is it normal ?

09/02/2020
Ghazi HAKIM
I am still getting the same error .. https://imgur.com/VKl8gPU
09/02/2020
Follow
Tags
Linked Questions
Related Questions
Unable to call nuxeo rest api from rest client when integrated with Keycloak authentication plugin
How to configure Nuxeo with dynamic groups in OpenLDAP?
Configuring keycloak backend db which is postgreSQL with nuxeo as user/group directory
using openid for auhentication
missing service UserMapperComponent
LDAP : impossible de voir les groupes
Authentication on LDAP
configure the connexion to the LDAP to get the group
Nuxeo 7.10 ldap authentication