nuxeo authentication using keycloak


I want to configure my Nuxeo in order to allow authentication using Keycloak. I started by configuring my Nuxeo with LDAP. The particularity of my LDAP is that I dont have “member” attribute in my group object, I have a custom attribute to get members dynamically (it contains an url which is the request to get the members). Nuxeo works fine witch this configuration and I succeeded to login in to my Nuxeo with different users of my LDAP and I am also able to get the groups of each user !

Now, I configured my Keycloak. I also used the same LDAP to configure Keycloak, and It was more diffucult than Nuxeo. Keycloak does not support dynamic members attribute, so I succeeded to import both users and groups to my Keycloak but separated.

Then, I wanted to configure Nuxeo in order to allow authentication using Keycloak. I used the documentation in github : But it doesn't work .. When I go to http://localhost:8080/nuxeo I am redirected to Keycloak login page, I enter my username and password and click ok, it redirect me back to nuxeo but an error page with no messages in logs ..

I want to ask you if you have any advice :

  • which version of Keycloak should I use with Nuxeo 10.10 ?
  • is there a hotfix fix to install to my Nuxeo ?
  • which version of tomcat adapter jars should I use ?
  • which branch of nuxeo-platform-login-keycloak should I build ? does maven version count ?
  • is there any special additional configuration in keycloak ?

Best Regards.

0 votes

1 answers




  • I tried with version 10.0 some months ago and it worked for me
  • at least HF28 to benefit from the fix for but you'll need a valid registration to use it. I've identified another bug with which will also be fixed soon
  • we need to update the documentation for the keycloak installation, it will be part of : you have to use the adapters for Tomcat 9 and you must remove the duplicated libraries which are already in $NUXEO/nxserver/ib or $NUXEO/lib
  • you have to build the branch 10.10 of nuxeo-platform-login-keycloak - the version 10.10 is available in maven but this version does not include the fix mentioned above
  • I tried to put the differences I found between the from GitHub and what I had to do to make it work in

I hope it will help you

1 votes

Hello, Thank you for your answer. I will try it and let you know. I am getting this error when installing the hotfixes ?

Unable to fetch remote packages list: Connect server refused authentication (returned 401)

But I think the patch is successfully installed.

Is it normal ?


I am still getting the same error ..