
Nuxeo authentication using Keycloak

Hello,

I want to configure my Nuxeo in order to allow authentication using Keycloak. I started by configuring my Nuxeo with LDAP. The particularity of my LDAP is that I don't have a “member” attribute in my group object; I have a custom attribute to get members dynamically (it contains a URL which is the request to get the members). Nuxeo works fine with this configuration and I succeeded in logging in to my Nuxeo with different users of my LDAP, and I am also able to get the groups of each user!

Now, I configured my Keycloak. I also used the same LDAP to configure Keycloak, and it was more difficult than Nuxeo. Keycloak does not support a dynamic members attribute, so I succeeded in importing both users and groups to my Keycloak, but separately.

Then, I wanted to configure Nuxeo in order to allow authentication using Keycloak. I used the documentation on GitHub: https://github.com/nuxeo/nuxeo/tree/release-10.10/nuxeo-services/login/nuxeo-platform-login-keycloak But it doesn't work. When I go to http://localhost:8080/nuxeo I am redirected to the Keycloak login page, I enter my username and password and click OK, and it redirects me back to Nuxeo, but to an error page, with no messages in the logs.

I want to ask you if you have any advice:

  • Which version of Keycloak should I use with Nuxeo 10.10?
  • Is there a hotfix to install on my Nuxeo?
  • Which version of the Tomcat adapter jars should I use?
  • Which branch of nuxeo-platform-login-keycloak should I build? Does the Maven version count?
  • Is there any special additional configuration in Keycloak?

Best Regards.

0 votes

1 answers

2117 views

ANSWER



Hello,

  • I tried with version 10.0 some months ago and it worked for me
  • at least HF28 to benefit from the fix for https://jira.nuxeo.com/browse/NXP-29170 but you'll need a valid registration to use it. I've identified another bug with https://jira.nuxeo.com/browse/NXP-29355 which will also be fixed soon
  • we need to update the documentation for the Keycloak installation, it will be part of https://jira.nuxeo.com/browse/NXP-29082 : you have to use the adapters for Tomcat 9 and you must remove the duplicated libraries which are already in $NUXEO/nxserver/ib or $NUXEO/lib
  • you have to build the branch 10.10 of nuxeo-platform-login-keycloak - the version 10.10 is available in Maven but this version does not include the fix mentioned above
  • I tried to put the differences I found between the README.md from GitHub and what I had to do to make it work in https://jira.nuxeo.com/browse/NXP-29082

I hope it will help you

1 votes
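
One way to find the duplicated libraries the answer above says must be removed, as an added example that is not part of the original thread nor Nuxeo or Keycloak tooling. The function names, the directory arguments and the sample jar names are hypothetical, and the version-stripping rule is a heuristic; the script only reports and deletes nothing.

```shell
#!/usr/bin/env bash
# Added example: report adapter jars whose artifact is already present in the
# server's library directories. Reports only; nothing is deleted.

# Strip the trailing "-<version>.jar" to get a comparable artifact name.
# Heuristic (assumption): the version starts at the first "-<digit>".
artifact_id() {
  basename "$1" | sed -E 's/-[0-9][0-9A-Za-z.]*(-[0-9A-Za-z.]+)*\.jar$//'
}

# Usage: list_duplicate_jars ADAPTER_DIR SERVER_LIB_DIR...
# Prints "<adapter jar> duplicates <server jar>" for each artifact name match.
list_duplicate_jars() {
  local adapter_dir="$1"; shift
  local jar lib other
  for jar in "$adapter_dir"/*.jar; do
    [ -e "$jar" ] || continue
    for lib in "$@"; do
      for other in "$lib"/*.jar; do
        [ -e "$other" ] || continue
        if [ "$(artifact_id "$jar")" = "$(artifact_id "$other")" ]; then
          echo "$(basename "$jar") duplicates $other"
        fi
      done
    done
  done
}

# Constructed sample tree: file names and versions are made up for the demo.
demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/adapter" "$tmp/server-lib-a" "$tmp/server-lib-b"
  touch "$tmp/adapter/keycloak-core-1.0.0.Final.jar" \
        "$tmp/adapter/httpclient-4.5.2.jar" \
        "$tmp/adapter/jackson-core-2.9.8.jar" \
        "$tmp/server-lib-a/httpclient-4.5.6.jar" \
        "$tmp/server-lib-b/jackson-core-2.9.10.jar" \
        "$tmp/server-lib-b/jackson-core-asl-1.9.13.jar"
  list_duplicate_jars "$tmp/adapter" "$tmp/server-lib-a" "$tmp/server-lib-b"
  rm -rf "$tmp"
}

demo
```

Against a real install, pass the extracted adapter directory first and the two server library directories named in the answer after it, then review each reported pair before removing anything.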



Hello, thank you for your answer. I will try it and let you know. I am getting this error when installing the hotfixes:

Unable to fetch remote packages list: Connect server refused authentication (returned 401)

But I think the patch is successfully installed.

Is it normal?

09/02/2020

I am still getting the same error: https://imgur.com/VKl8gPU
09/02/2020