Keycloak + Nextcloud: Set Up Single Sign-On for Your Cloud Storage

You have Nextcloud for file storage. You have Keycloak for identity management. But your team still logs in twice — once for Keycloak, once for Nextcloud. That's one password too many, and one more place where credentials can leak.

Connecting the two with OpenID Connect takes about 20 minutes. After that, your team logs into Nextcloud with their Keycloak credentials — same session, same MFA policy, same password reset flow. Here's how to set it up.

Prerequisites

You'll need two running instances:

  • Keycloak — deploy on Elestio (~$16/month, includes SSL and backups)
  • Nextcloud — deploy on Elestio (~$16/month, same deal)

Both must be accessible over HTTPS. Keycloak enforces TLS for OIDC flows in production — no exceptions. On Elestio, SSL is handled automatically via Let's Encrypt.

Step 1: Create a Keycloak Client

Log into your Keycloak Admin Console and navigate to your realm (or create one — company works fine).

Go to Clients > Create client and configure:

  • Client ID: nextcloud
  • Client type: OpenID Connect
  • Client authentication: ON (confidential client)
  • Valid redirect URIs: https://cloud.example.com/apps/oidc_login/oidc
  • Web origins: https://cloud.example.com

Save, then go to the Credentials tab and copy the Client secret. You'll need this for Nextcloud.

Step 2: Configure User Attribute Mappers

Still in the Keycloak Admin Console, go to your nextcloud client > Client scopes > nextcloud-dedicated > Mappers > Configure a new mapper.

Create these mappers so Nextcloud receives the right user data:

  Mapper Name   Mapper Type        Token Claim Name     User Attribute
  username      User Property      preferred_username   username
  email         User Property      email                email
  name          User Property      name                 firstName
  groups        Group Membership   groups               (none)

The groups mapper is optional but useful if you want Keycloak groups to sync into Nextcloud.

Step 3: Install the OIDC Login App in Nextcloud

Nextcloud needs an OpenID Connect plugin. The oidc_login app by pulsejet is the most straightforward option — single provider, clean configuration, group provisioning support.

On your Elestio Nextcloud instance:

docker exec -it nextcloud bash
php occ app:install oidc_login

Step 4: Configure Nextcloud for OIDC

Edit Nextcloud's config.php inside the container. On Elestio, the config is persisted via volume mounts:

docker exec -it nextcloud bash
nano /var/www/html/config/config.php

Add these settings before the closing );:

'oidc_login_provider_url' => 'https://keycloak.example.com/realms/company',
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'YOUR_CLIENT_SECRET_HERE',
'oidc_login_auto_redirect' => false,
'oidc_login_button_text' => 'Log in with Keycloak',
'oidc_login_hide_password_form' => false,
'oidc_login_use_id_token' => false,
'oidc_login_scope' => 'openid profile email',
'oidc_login_attributes' => array(
    'id' => 'preferred_username',
    'name' => 'name',
    'mail' => 'email',
    'groups' => 'groups',
),
'oidc_login_default_group' => 'oidc',
'oidc_login_disable_registration' => false,
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',

Key settings explained:

  • oidc_login_provider_url — Your Keycloak realm URL (not the full .well-known path — the plugin discovers endpoints automatically)
  • oidc_login_auto_redirect — Set to true if Keycloak is your only login method. Keep false while testing.
  • oidc_login_disable_registration — Set to false to auto-create accounts on first login. Set to true if you want to pre-provision users.
  • lost_password_link — Disabled because password resets should go through Keycloak, not Nextcloud.

Restart Nextcloud to apply changes:

exit
docker-compose restart nextcloud

Step 5: Test the Login Flow

  1. Open your Nextcloud instance in an incognito window
  2. You should see a "Log in with Keycloak" button below the normal login form
  3. Click it — you'll be redirected to Keycloak's login page
  4. Enter your Keycloak credentials (or use MFA if configured)
  5. After authentication, you're redirected back to Nextcloud — logged in

If it works, you're done. Your team now has SSO across both platforms.

Going Further: Lock It Down

Once you've verified the login flow works, consider tightening the configuration:

  • 'oidc_login_auto_redirect' => true — Skip the Nextcloud login page entirely. Users go straight to Keycloak.
  • 'oidc_login_hide_password_form' => true — Remove the local password form. All auth goes through Keycloak.
  • Enable MFA in Keycloak — Go to Authentication > Flows > Browser > Configure OTP. Every Nextcloud login now requires MFA.
  • Add more services — Keycloak can be the SSO hub for your entire stack. Connect Outline, Grafana, Gitea, and more — all with the same login.

Troubleshooting

"Invalid redirect_uri" error after clicking "Log in with Keycloak"
The redirect URI in Keycloak must exactly match what Nextcloud sends. Check that your Keycloak client has https://cloud.example.com/apps/oidc_login/oidc as a valid redirect URI — including the protocol, trailing path, and no trailing slash.

Login works but user has no name or email
Your Keycloak mappers aren't sending the right claims. Verify each mapper is set to "Add to ID token: ON" and "Add to userinfo: ON." Test by decoding the token at jwt.io.

Redirect loop between Keycloak and Nextcloud
Usually caused by oidc_login_auto_redirect being true while the OIDC configuration is broken. Set it to false, clear your browser cookies, and test the manual login flow first.

Users can't reset their password
That's intentional — with lost_password_link set to disabled, password management happens in Keycloak. Direct users to your Keycloak account console at https://keycloak.example.com/realms/company/account.
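The first two problems above come down to exact string comparisons and reading a token. The script below is an added example, not code from the oidc_login app, Keycloak or Nextcloud: it derives the discovery URL from the realm URL the way Step 4 describes, compares the registered redirect URIs against the exact value Nextcloud sends, and decodes an ID token locally (without verifying it) to report which of the claims mapped in Step 2 are missing, so the token never has to leave your machine. The discovery document, the token and the URI list are constructed sample data; the token is shaped as Keycloak would emit it if the name and groups mappers had not been created.

```python
"""Offline pre-flight checks for the Keycloak -> Nextcloud oidc_login setup.

Added example; not code from the oidc_login app, Keycloak, or Nextcloud.
All inputs are constructed inline. The token is only decoded for inspection,
never verified; signature verification is the plugin's job at login time.
"""
import base64
import json

# Values taken from the article's configuration.
PROVIDER_URL = "https://keycloak.example.com/realms/company"
EXPECTED_REDIRECT = "https://cloud.example.com/apps/oidc_login/oidc"
# Same mapping as oidc_login_attributes: Nextcloud field -> claim the mapper must emit.
ATTRIBUTES = {"id": "preferred_username", "name": "name", "mail": "email", "groups": "groups"}


def discovery_url(provider_url: str) -> str:
    """The plugin appends the well-known path to the realm URL itself; mirror that."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(provider_url: str, discovery_doc: dict) -> bool:
    """Keycloak's `issuer` must equal the realm URL exactly (no trailing slash)."""
    return discovery_doc.get("issuer") == provider_url.rstrip("/")


def check_redirect_uri(registered_uris: list, expected: str) -> list:
    """Return findings explaining why no registered URI matches `expected` exactly."""
    if expected in registered_uris:
        return []
    findings = []
    for uri in registered_uris:
        if uri.rstrip("/") == expected:
            findings.append(f"{uri}: trailing slash, but Keycloak compares the URI exactly")
        elif uri.startswith("http://") and "https://" + uri[len("http://"):] == expected:
            findings.append(f"{uri}: scheme is http, Nextcloud sends https")
        else:
            findings.append(f"{uri}: does not match {expected}")
    return findings or [f"no redirect URI registered, expected {expected}"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWS token WITHOUT checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, attributes: dict) -> dict:
    """Nextcloud field -> claim name, for every claim that is absent or empty."""
    return {field: claim for field, claim in attributes.items() if not claims.get(claim)}


def make_sample_token(claims: dict) -> str:
    """Constructed token for the demo: real header/payload encoding, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature-not-verified"


# Constructed sample data: what Keycloak would emit if the `name` and `groups`
# mappers from Step 2 had not been created.
SAMPLE_DISCOVERY = {
    "issuer": PROVIDER_URL,
    "authorization_endpoint": PROVIDER_URL + "/protocol/openid-connect/auth",
}
SAMPLE_CLAIMS = {
    "iss": PROVIDER_URL,
    "aud": "nextcloud",
    "sub": "constructed-subject-id",
    "preferred_username": "alice",
    "email": "alice@example.com",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)


def run_checks(provider_url: str, discovery_doc: dict, registered_uris: list, token: str) -> dict:
    """Bundle the checks into one report dict."""
    claims = decode_claims(token)
    return {
        "discovery_url": discovery_url(provider_url),
        "issuer_ok": check_issuer(provider_url, discovery_doc),
        "token_issuer_ok": claims.get("iss") == provider_url.rstrip("/"),
        "redirect_findings": check_redirect_uri(registered_uris, EXPECTED_REDIRECT),
        "missing_claims": missing_claims(claims, ATTRIBUTES),
    }


if __name__ == "__main__":
    # Deliberately registers the URI with a trailing slash to show the finding.
    report = run_checks(PROVIDER_URL, SAMPLE_DISCOVERY, [EXPECTED_REDIRECT + "/"], SAMPLE_TOKEN)
    print(json.dumps(report, indent=2))
```

To use it against a live setup, replace SAMPLE_DISCOVERY with the JSON fetched from the discovery URL, the URI list with what is registered on the Keycloak client, and SAMPLE_TOKEN with an ID token taken from your own debug logging. A non-empty missing_claims result names the Nextcloud field and the claim whose mapper needs "Add to ID token" and "Add to userinfo" switched on.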

Thanks for reading. See you in the next one 👋