Keycloak deployment example

1.5 years later, now at ocis 4.x, I am reopening this thread:

I have a running ocis 4.0.3 installation with haproxy as reverse proxy in front (for SSL termination); both installations are containerized (lxc on Proxmox). The next step is to connect the instance to an already running Keycloak IDP for OIDC/SSO login.
The knowledge base at

has no example for the Keycloak setup. Are there any example setups around from which I could learn? I already have a productive OC 10.x OIDC setup.

Thx, Thommie

There is a deployment example linked in the IDP documentation. All deployment examples can be found in the ocis repository.


Hello Thommie,
I hope you will find the answers via the links below.


@rkaussow and @2403905 - thanks for these links. I will start the config work for my test instance at ocis.netzwissen.de and get back to you if I have questions :wink:

I am still not successful with my ocis 4.x deployment and would need some debugging assistance from folks running a similar setup. The docs at

and elsewhere were not helpful in my case. My general setup/environment:

  1. haproxy as reverse proxy
  2. running IDP (current Keycloak)
  3. productive OC 10 is already linked to the IDP
  4. haproxy, IDP and OC 10 are running as "virtualized bare metal" in separate lxc containers (Proxmox VE)
  5. ocis 4.x in a separate lxc container

Attached ocis.env (renamed to txt) is loaded within systemd’s ocis.service file:
ocis.txt (1,3 KB)

Logfile:

{"level":"debug","service":"proxy","jwks":"https://login.netzwissen.de/realms/netzwissen/protocol/openid-connect/certs","time":"2024-03-15T18:45:00.671954679Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/oidc/client.go:156","message":"discovered jwks endpoint"}
{"level":"debug","service":"proxy","access token":{"sid":"436e899f-d212-4cf4-9a56-284f46adf144","iss":"https://login.netzwissen.de/realms/netzwissen","sub":"baacc53c-937d-4256-8b1d-c2f301bba374","aud":["realm-management","account"],"exp":1710557090,"iat":1710528291,"jti":"238a6cb3-8317-4f69-94bf-87e7781b5208"},"time":"2024-03-15T18:45:00.676651025Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/oidc/client.go:305","message":"parsed access token"}
{"level":"debug","service":"proxy","claims":{"allowed-origins":["https://ocis.netzwissen.de"],"aud":["realm-management","account"],"auth_time":1710528290,"azp":"ocis-web","email":"admin@netzwissen.de","email_verified":true,"exp":1710557090,"family_name":"realm admin","given_name":"admin netzwissen","iat":1710528291,"iss":"https://login.netzwissen.de/realms/netzwissen","jti":"238a6cb3-8317-4f69-94bf-87e7781b5208","locale":"de","name":"admin netzwissen realm admin","preferred_username":"admin","realm_access":{"roles":["ocisSpaceAdmin","default-roles-netzwissen","offline_access","uma_authorization","ocisUser","ocisAdmin"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]},"realm-management":{"roles":["manage-events"]}},"scope":"openid profile email","session_state":"436e899f-d212-4cf4-9a56-284f46adf144","sid":"436e899f-d212-4cf4-9a56-284f46adf144","sub":"baacc53c-937d-4256-8b1d-c2f301bba374","typ":"Bearer"},"time":"2024-03-15T18:45:00.680883609Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:123","message":"extracted claims"}
{"level":"info","service":"auth-machine","pkg":"rgrpc","traceid":"03f39ba194e5df6801b1214604199887","time":"2024-03-15T18:45:00.732536454Z","line":"github.com/cs3org/reva/v2@v2.16.1/internal/grpc/services/authprovider/authprovider.go:141","message":"user idp:\"https://login.netzwissen.de/realms/netzwissen\" opaque_id:\"429fe5b5-6f7e-4500-9012-b57a205d9461\" type:USER_TYPE_PRIMARY authenticated"}

The admin user in the ocis.yaml created through

sudo -u ocis ocis init --admin-password=xxxxxxxxx --insecure=false --config-path=/etc/ocis

has the same credentials as the admin user in the IDP realm; it is also visible in the ocis.yaml. So I would expect the login to be successful. I don't understand what is happening here …
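The proxy log above lists the claims the proxy extracted from the Keycloak access token. As an added example (not from this thread and not the ocis project's own code), the following script compares such a claim set against the values the proxy is configured to expect: the issuer, the claim used to look up the user, and the claim the roles are read from, and it reports where in the token known ocis role names actually appear. The default claim names `preferred_username` and `roles` (the documented defaults of `PROXY_USER_OIDC_CLAIM` and `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`) and the role names `ocisAdmin`, `ocisSpaceAdmin`, `ocisUser` and `ocisGuest` (from the Keycloak deployment example) are assumptions to be checked against the docs of your ocis version; the dotted-path lookup is a convenience of this script, not an ocis feature. The sample claims are constructed from the log line above.

```python
import json

# Constructed sample input: the "extracted claims" object from the proxy debug
# log earlier in this post, re-typed as a Python dict so the script runs offline.
SAMPLE_CLAIMS = {
    "allowed-origins": ["https://ocis.netzwissen.de"],
    "aud": ["realm-management", "account"],
    "azp": "ocis-web",
    "email": "admin@netzwissen.de",
    "email_verified": True,
    "iss": "https://login.netzwissen.de/realms/netzwissen",
    "preferred_username": "admin",
    "realm_access": {
        "roles": [
            "ocisSpaceAdmin", "default-roles-netzwissen", "offline_access",
            "uma_authorization", "ocisUser", "ocisAdmin",
        ]
    },
    "resource_access": {
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
        "realm-management": {"roles": ["manage-events"]},
    },
    "scope": "openid profile email",
    "sub": "baacc53c-937d-4256-8b1d-c2f301bba374",
    "typ": "Bearer",
}

# Role names used by the ocis Keycloak deployment example. Assumed here; confirm
# against the deployment example and the proxy docs for your ocis version.
OCIS_ROLE_NAMES = {"ocisAdmin", "ocisSpaceAdmin", "ocisUser", "ocisGuest"}


def get_claim(claims, path):
    """Look up a claim by dotted path ("realm_access.roles"); None if absent.
    Dotted lookup is a convenience of this script, not a documented ocis feature."""
    cur = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def find_ocis_roles(node, prefix=""):
    """Walk the whole claim set and return {path: [ocis role names]} for every
    list that carries at least one known ocis role name. This shows whether a
    Keycloak mapper wrote the roles somewhere other than the claim the proxy reads."""
    hits = {}
    if isinstance(node, dict):
        for key, value in node.items():
            hits.update(find_ocis_roles(value, f"{prefix}{key}."))
    elif isinstance(node, list):
        found = sorted(r for r in node if isinstance(r, str) and r in OCIS_ROLE_NAMES)
        if found:
            hits[prefix.rstrip(".")] = found
    return hits


def check_claims(claims, issuer, client_id,
                 user_claim="preferred_username", roles_claim="roles"):
    """Compare an extracted claim set with the values the proxy is configured to
    expect. The defaults mirror the documented defaults of PROXY_USER_OIDC_CLAIM
    and PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM (assumed; verify for your version)."""
    roles = get_claim(claims, roles_claim)
    user_value = get_claim(claims, user_claim)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    roles_present = isinstance(roles, list)
    return {
        "issuer_ok": claims.get("iss") == issuer,
        "azp_ok": claims.get("azp") == client_id,
        # Informational only: whether the client appears in "aud" at all.
        "aud_contains_client": client_id in aud,
        "user_claim": user_claim,
        "user_value": user_value,
        "user_ok": isinstance(user_value, str) and user_value != "",
        "roles_claim": roles_claim,
        "roles_claim_present": roles_present,
        "ocis_roles_in_roles_claim":
            sorted(r for r in roles if r in OCIS_ROLE_NAMES) if roles_present else [],
        "ocis_roles_found_at": find_ocis_roles(claims),
    }


def main():
    report = check_claims(
        SAMPLE_CLAIMS,
        issuer="https://login.netzwissen.de/realms/netzwissen",
        client_id="ocis-web",
    )
    print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

Run it with the claims copied from your own proxy debug line and with the claim names you actually configured; a report with `roles_claim_present` false but `ocis_roles_found_at` non-empty points at a Keycloak mapper writing to a different claim than the one the proxy reads.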