A guide for configuring Keycloak as a authentication provider in WikiJS | https://wiki.js.org | Feature request for adding this to the docs: https://requarks.canny.io/wiki/p/keycloak-auth-docs-proposal-for-a-guide-written

wikijs-keycloak-config-guide.md

Feature request for adding this to the docs on requarks.canny.io

---

Keycloak

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.

Relevant information

• Keycloak OIDC Endpoints
• Keycloak OIDC Clients

Setup

Create Keycloak strategy instance on WikiJS

1. In the Administration area of your wiki, click on Authentication in the left navigation menu
2. Click on + ADD STRATEGY, scroll down and select Keycloak
3. Click Apply (Just to make sure the instance ID will not be regenerated if the page is reloaded. This produces an error in the logs, so it might display an error on the frontend too in the future. If so just skip this step and double check the ID when setting it up)
4. Go to the bottom of the page and copy/note the Callback URL / Redirect URI
5. We will fill out the rest after setting up the Keycloak client

Creating a Keycloak client

1. At the Keycloak administration page, go to the Clients menu, and click Create button on the right
2. Enter a Client ID, for example wikijs (You wil need the Client ID later)
3. Select openid-connect as Client Protocol
4. And Root URL is the base URL to Wikijs (for example https://wiki.example.com)
5. Click Save
6. Change Access Type to confidential
7. Enter the Valid Redirect URIs, which is the Callback URL / Redirect URI from WikiJS (ex. https://wiki.example.com/login/d03f689b-0dd0-44d6-90ca-6386ec41d799/callback, or just the path /login/{GUID}/callback)
8. Set Base URL to the same as Root URL
9. Set Web Origins to +, which means to use the URIs in the Valid Redirect URIs entry.
10. Now click Save at the bottom of the page
11. Go to the Credentials tab and copy the Secret (You will need this one later too)

Configure the Keycloak strategy in Wiki.js

1. If you're not already there. Go to the Administration area of your wiki, click on Authentication in the left navigation menu
2. Click on Keycloak
3. Enter the Host, which is the domain (incl. the scheme) of your Keycloak server (Example: https://keycloak.example.com)
4. Enter the Realm, which is the realm you are using in Keycloak (Default is: master)
5. Enter the Client Id, which is the Client ID from Keycloak
6. Enter the Client Secret, which is the Secret from Keycloak
7. Enter the Authorization Endpoint URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth
8. Enter the Token URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token
9. Enter the User Info URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/userinfo
10. If you want the user to be logged out of Keycloak when logging out of WikiJS, enable Logout from Keycloak on Logout
11. Enter the Logout Endpoint URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/logout
12. Check Allow self-registration to enable the Keycloak login button, and auto create users as they login for the first time.
13. Remember to add a group with at least read permissions in the Assign to group list
14. Click Apply in the top-left corner and try to login

Seamless login

If the login worked, you can enable Bypass Login Screen under the Security tab in the left navigation menu.
Make sure the Keycloak provider is at the top of the list in the Authentication tab.

I'm observing the same problem as @Dreamerset and it isn't a host resolution problem (it's an external host, and I can curl the URL successfully). Gets "Failed to obtain access token". My configuration matches his.

I'm having the same issue. External host and using the same configuration.

I logged the error from that function which reported the message below, then it made sense.

@Sherex how were you able to do this? I am stuck. I am using an internal PKI certificate so I'm thinking the issue may be an SSL issue. Guessing actually.

Setting logLevel: debug in the config.yml does nothing. Logs still output at theinfo level.

Same problem as @mister2d
Can not get the logging to anything other than info.

@Sherex Can you tell us how to get more logging to troubleshoot?

I am using Keycloak 19 and Wiki.js 2.5 and I'm having the same issue where it will redirect and be able to get a session with keycloak.
That said, I also get the "Failed to obtain access token" message.
If anyone has figured this out, I appreciate your help!

I managed to go through this and found a solution to the "Failed to obtain access token" and invalid username / password, despite a correct configuration in both KeyCloak and Wiki.js. Wiki.js is written in node.JS and under the hood uses passport. Node will, by default, reject any self-signed SSL certificates. The problem is passport does throw this error, but as it bubbles up through wiki.js' error stack - it turns into a much more vague/incorrect "Failed to obtain access token" error.

There are 2 resolutions (only 1 is needed):

1. Tell node to ignore the self-signed cert. If you are running a self-signed certificate in this case, you'll need to use the environmental variable and value NODE_TLS_REJECT_UNAUTHORIZED=0 on your wiki.js host/docker container to tell node to stop worrying about the self-signed certificate.
2. Introduce your custom CA The other alternative is to hook up your custom/internal CA to the wiki.js host cert chain so the self-signed certificate becomes "valid" - also see NODE_EXTRA_CA_CERTS for this option if you don't want to mess with the host CA cert chains.

Hey. I am having problems on my WIKIJS Wiki.js 2.5.295 and Keycloak 20.0.3. After following above tutorial...

I tried to change log level in WIKIJS (I am using standalone version, i've changed config.yml to debug, but there is still INFO level logs). Front of the wikijs is NGINX reverse proxy + Cloudflare proxy lol. Keycloak is running on my docker (same VM) also behind NGINX reverse proxy. SSL I am using self-signed and i added trusted CA.
I also changed wiki.js config rejectUnauthorized: false but nothing helped..
would be nice to see more wikijs logs, but idk why log level attribute is not working

Wiki:

I tried in keycloak version: 16.1.1 and it works with the same settings (only difference is Access Type: confidential i don't have that in KC 20.0.3) and i've replaced API endpoints with the news ones (no /auth/). Any ideas? i am confused :)

@rkkotnik To set client to type "confidential" in KC 20+ you must enable option "Client authentication" (which you did).

@rkkotnik To set client to type "confidential" in KC 20+ you must enable option "Client authentication" (which you did).

Yes, i couldn't get Key (secret) otherway.

I tried in keycloak version: 16.1.1 and it works with the same settings (the only difference is Access Type: confidential I don't have that in KC 20.0.3) and I've replaced API endpoints with the news ones (no /auth/). Any ideas? I am confused :)

Solved my issue. On the first try I tried use Keycloak using private IP I got a different error, so I did not know it worked without self-signed SSL (that is why I never tried again with private IP). After trying on KC 16 without self-signed SSL it worked. I added reject unauthorized: false into Linux node service as ENV and it works!

Did anyone get an error after setting everything up saying "Invalid scopes: openid profile email"? I can not seem to get pass this point.

Thank you @xcojonny,

It seems that I had to activate the Allow Self-Registration even if I have that user in keycloak. I guess it does not link the existing Wiki local users with the keycloak users... thank you 👍

Thanks! It helped me too. It's interesting what is the use of disabled Self-Registration? User can authenticate but can't access wiki... What's the point?

Hello @Sherex
I did keycloak to wiki js configuration perfectly. now i want sso feature! can you help me?

I tried in keycloak version: 16.1.1 and it works with the same settings (the only difference is Access Type: confidential I don't have that in KC 20.0.3) and I've replaced API endpoints with the news ones (no /auth/). Any ideas? I am confused :)

Solved my issue. On the first try I tried use Keycloak using private IP I got a different error, so I did not know it worked without self-signed SSL (that is why I never tried again with private IP). After trying on KC 16 without self-signed SSL it worked. I added reject unauthorized: false into Linux node service as ENV and it works!

HI,
I have the same issue with Keycloak & WikiJs (last version).
It works fine in http but not in https.
Where/How do you configure "reject unauthorized:false", please ?