Addons

Nuxeo Keycloak

Updated: June 14, 2024

The Nuxeo Keycloak package allows you to integrate Keycloak, an Open Source Identity and Access Management solution.

See the Nuxeo Keycloak Package README.md for a complete list of required and optional configuration parameters directly contributable via nuxeo.conf.

Nuxeo/Keycloak Automation and REST API Status Code Specifications

Here are the status codes to expect depending on the plugins' order in the Automation and RestAPI specific authentication chains.

Chain order Keycloak basic auth enabled Provided credentials Response status code
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH false none 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH false KO (nuxeo basic) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH false OK (nuxeo basic) 200 - OK
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH false KO (Keycloak bearer) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH false OK (Keycloak bearer) 200 - OK
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true none 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true KO (nuxeo basic) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true OK (nuxeo basic) 200 - OK
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true KO (Keycloak basic) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true OK (Keycloak basic) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true KO (Keycloak bearer) 401 - Unauthorized
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH true OK (Keycloak bearer) 200 - OK
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH false none 302 - Redirect
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH false KO (nuxeo basic) 302 - Redirect
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH false OK (nuxeo basic) 200 - OK
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH false KO (Keycloak bearer) 401 - Unauthorized
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH false OK (Keycloak bearer) 200 - ok
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true none 302 - Redirect
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true KO (nuxeo basic) 401 - Unauthorized
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true OK (nuxeo basic) 200 - OK
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true KO (Keycloak basic) 401 - Unauthorized
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true OK (Keycloak basic) 200 - OK
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true KO (Keycloak bearer) 401 - Unauthorized
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH true OK (Keycloak bearer) 200 - OK

Sample Contribution to Change the Authentication Plugins' Order, Overriding the Keycloak Package’s Contribution

Here is a sample contribution allowing to put Keycloak first in the Automation and RestAPI specific chains. This would allow you to get the same response status codes as in the second half of the above table.

<component name="org.nuxeo.ecm.platform.login.keycloak.descriptor.override">
    <require>org.nuxeo.ecm.platform.login.keycloak.descriptor</require>

    <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="specificChains">
        <specificAuthenticationChain name="RestAPI">
            <urlPatterns>
                <url>(.*)/api/v.*</url>
            </urlPatterns>
            <replacementChain>
                <plugin>KEYCLOAK_AUTH</plugin>
                <plugin>AUTOMATION_BASIC_AUTH</plugin>
            </replacementChain>
        </specificAuthenticationChain>
    </extension>

    <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="specificChains">
        <specificAuthenticationChain name="Automation">
            <urlPatterns>
                <url>(.*)/automation.*</url>
            </urlPatterns>
            <replacementChain>
                <plugin>KEYCLOAK_AUTH</plugin>
                <plugin>AUTOMATION_BASIC_AUTH</plugin>
            </replacementChain>
        </specificAuthenticationChain>
    </extension>

</component>