Keycloak OpenID connect redirect not working

[leonidas-o]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

It was running without issues, one if the updates must have broken it. OIDC Login wasn't tested after the updates, just if nextcloud is available and the nextcloud desktop client is working. This is still working, just the web based Login with Keycloak not. Another Service (not nextcloud), which is on the same server, also with keycloak oidc is working without any issues. So it's not Keycloak and nothing in between.

Steps to reproduce

1. Using OpenID Connect user backend Version 8.1.0
2. On Nextcloud Hub 10 (31.0.11), registered Providers, add keycloak
3. On login page, click on "Login with Keycloak"
4. See broken redirect, as it ends up on a nextcloud error page:

Page not found
The page could not be found on the server or you may not be allowed to view it.

Expected behaviour

Should redirect to keycloak and showing the keycloak login form.

Actual behaviour

Ends up on a nextcloud page:

Page not found
The page could not be found on the server or you may not be allowed to view it.

Server configuration

Web server: Nginx stable docker image ("org.opencontainers.image.version": "1.28.0")

Database: PostgreSQL (postgres 17.5 docker image)

PHP version: 8.2/8.3/8.4
"org.opencontainers.image.base.name": "php:8.3-fpm-trixie"

Nextcloud version: (see Nextcloud admin page)
nextcloud stable-fpm docker image ("org.opencontainers.image.version": "31.0.11-fpm")

List of activated apps

Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contactsinteraction: 1.12.1
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.2
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.2
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_oidc: 8.1.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0

Nextcloud configuration

{
    "system": {
        "skeletondirectory": "",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud1:8080",
            "nextcloud.my-domain.com",
            "nextcloud1.my-domain.com",
            "keycloak.my-domain.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.11.2",
        "overwrite.cli.url": "https:\/\/nextcloud.my-domain.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpport": "587",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 0,
        "maintenance": false,
        "default_phone_region": "DE",
        "allow_local_remote_servers": "true",
        "debug": false,
        "overwriteprotocol": "https",
        "maintenance_window_start": 1,
        "upgrade.disable-web": true
    }
}

Browser

Browser name:
Safari
Firefox

Browser version:
Safari Version 26.1 (21622.2.11.11.9)
Firefox 145.0.2 (aarch64)

Operating system: Mac

Browser log

https://keycloak.my-domain.com/realms/my-domain/protocol/openid-connect/auth?client_id=my-client-id&response_type=code&scope=openid+email+profile+groups&redirect_uri=https%3A%2F%2Fnextcloud.my-domain.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&state=G10...&nonce=VJ...&code_challenge=XU...&code_challenge_method=S256
Failed to load resource: the server responded with a status of 404 ()

[julien-nc]

Hi. From your browser logs it seems like your Keycloak instance is not reachable or the specific page we are redirecting to is gone.
The login flow logic didn't change, user_oidc takes the authorization_endpoint from the provider's discovery and redirects the user to it (with a bunch of parameters).
Are you sure nothing else changed in your setup? Did you upgrade Keycloak? Which version of Keycloak are you using?

[leonidas-o]

I am pretty sure, yes.
When I had that issue, I haven't updated keycloak. Afterwards I updated it (docker based Keycloak 26.4 according to the labels "version": "26.4.7") and tried again. The behavior is the same before and after the update.
I think my setup should be good because, I have several other services using keycloak oidc. I tested every single one in a private browser and the login was working without any issues every time. I have a hypervisor cluster, so to give a little overview, Keycloak runs in a VM on node 1, nextcloud runs in a VM on node 1 and another service also runs on node 1. Then I do have other VM's running on node 2 and node 3.
So I've tested the login from the VM sitting right next to nextcloud on the same node -> works fine. I've tested the login from VMs on node 2 and node 3 -> works fine too. All of them can redirect without any issues and the login works. I've double checked the /etc/hosts, /etc/resolve.conf, the dns servers. Everything looks good. SELinux does now show any audit log entries, I've even set it to permissive just to be sure.
A Ping and curl -L https://keycloak.my-domain... works from the nextcloud VM, the curl command shows me the following, so it can reach keycloak:

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <link rel="icon" type="image/svg+xml" href="/resources/t0a3x/admin/keycloak.v2/favicon.svg">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="color-scheme" content="light dark">
    <meta name="description" content="The Keycloak Administration Console is a web-based interface for managing Keycloak.">
    <title>Keycloak Administration Console</title>
...

As the haproxy config files hasn't changed at all, and all other VM's on node 1, 2 and 3 work and nextclouds VM is the only one which does not, to me nextcloud seems the culprit here. I don't know what else I could do or what to test.

[julien-nc]

In the browser log you have included, the redirection URL is

https://keycloak.my-domain.com/realms/my-domain/protocol/openid-connect/auth?client_id=nextcloud&response_type=code&scope=openid+email+profile+groups&redirect_uri=https%3A%2F%2Fnextcloud.my-domain.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&state=G10...&nonce=VJ...&code_challenge=XU...&code_challenge_method=S256

I guess you obfuscated the domain name. If the redirect URL pointing to the correct Keycloak domain name in reality?
On your side, the browser does not seems to be able to access it.

[julien-nc]

Could you provide the output of this occ command?
occ user_oidc:provider PROVIDER_IDENTIFIER --output json_pretty
You can obfuscate the clientId and change the discovery endpoint domain name.

[leonidas-o]

yes I changed the domain name, the real url is still pointing to the correct one (it wasn't changed).

podman exec --user www-data nextcloud php occ user_oidc:provider Keycloak --output json_pretty

{
    "id": 1,
    "identifier": "Keycloak",
    "clientId": "my-client-id",
    "discoveryEndpoint": "https:\/\/keycloak.my-domain.com\/realms\/my-domain\/.well-known\/openid-configuration",
    "endSessionEndpoint": null,
    "postLogoutUri": null,
    "scope": "openid email profile groups",
    "settings": {
        "mappingDisplayName": "",
        "mappingEmail": "email",
        "mappingQuota": "",
        "mappingUid": "preferred_username",
        "mappingGroups": "",
        "mappingLanguage": "",
        "mappingLocale": "",
        "mappingAddress": "",
        "mappingStreetaddress": "",
        "mappingPostalcode": "",
        "mappingLocality": "",
        "mappingRegion": "",
        "mappingCountry": "",
        "mappingWebsite": "",
        "mappingAvatar": "",
        "mappingTwitter": "",
        "mappingFediverse": "",
        "mappingOrganisation": "",
        "mappingRole": "",
        "mappingHeadline": "",
        "mappingBiography": "",
        "mappingPhonenumber": "",
        "mappingGender": "",
        "mappingPronouns": "",
        "mappingBirthdate": "",
        "uniqueUid": false,
        "checkBearer": false,
        "sendIdTokenHint": true,
        "bearerProvisioning": false,
        "extraClaims": "",
        "providerBasedId": false,
        "groupProvisioning": false,
        "groupWhitelistRegex": "\/nextcloud-.*$\/",
        "restrictLoginToGroups": true,
        "nestedAndFallbackClaims": false
    }
}

[julien-nc]

What's the URL in the address bar when you face the NC error page?

[leonidas-o]

the address bar shows the same URL as in the browser log:

https://keycloak.my-domain.com/realms/my-domain/protocol/openid-connect/auth?client_id=my-client-id&response_type=code&scope=openid+email+profile+groups&redirect_uri=https%3A%2F%2Fnextcloud.my-domain.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&state=...

When I copy the url from the address bar and paste it into another freshly opened private tab, it redirects me to the keycloak login form.

[julien-nc]

I don't get how it's possible that your browser seems to make an attempt (and fail) to load the keycloak login page (according to the address bar and the logs) while the content you are seeing is a Nextcloud error page.
It's confusing that you see a NC page while the address bar contains a Keycloak URL.

Could you share the content of the browser tool's network tab?

• Access NC's login page
• Clear the tool's network tab
• Click on "Login with Keycloak"

Btw I can't reproduce on NC 31 with user_oidc v8.1.0.

[leonidas-o]

You mean the whole log from the browser tool or just the first one which is failing or the screenshot?

The whole log is huge, I can do that if you want.

The link behind the "Login with Keycloak" is https://nextcloud.my-domain.com/apps/user_oidc/login/1
So after clicking on the Login button, the first entry "auth" is failing:

URL: https://keycloak.my-domain.com/realms/my-domain/protocol/openid-connect/auth?client_id=my-client-id&response_type=code&scope=openid+email+profile+groups&redirect_uri=https%3A%2F%2Fnextcloud.my-domain.com%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%2C%22preferred_username%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&state=JC...&nonce=2...&code_challenge=n8...&code_challenge_method=S256
Status: 404
Source: Network
Address: ...

Hmm, I looked into the network tab on another service and tried to log=in, "auth" is successful, the url however is way shorter there. I wonder if maybe the length of the url here somehow messes something up?