Skip to content

Instantly share code, notes, and snippets.

@Sherex

Sherex/wikijs-keycloak-config-guide.md

Last active March 10, 2026 11:44
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Sherex/283d1e4ef07b2bf0a930417dc0117238 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Sherex/283d1e4ef07b2bf0a930417dc0117238 to your computer and use it in GitHub Desktop.
Download ZIP
A guide for configuring Keycloak as a authentication provider in WikiJS | https://wiki.js.org | Feature request for adding this to the docs: https://requarks.canny.io/wiki/p/keycloak-auth-docs-proposal-for-a-guide-written
Raw
wikijs-keycloak-config-guide.md

Feature request for adding this to the docs on requarks.canny.io

Keycloak

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services.

Relevant information

Setup

Create Keycloak strategy instance on WikiJS

  1. In the Administration area of your wiki, click on Authentication in the left navigation menu
  2. Click on + ADD STRATEGY, scroll down and select Keycloak
  3. Click Apply (Just to make sure the instance ID will not be regenerated if the page is reloaded. This produces an error in the logs, so it might display an error on the frontend too in the future. If so just skip this step and double check the ID when setting it up)
  4. Go to the bottom of the page and copy/note the Callback URL / Redirect URI
  5. We will fill out the rest after setting up the Keycloak client

Creating a Keycloak client

  1. At the Keycloak administration page, go to the Clients menu, and click Create button on the right
  2. Enter a Client ID, for example wikijs (You wil need the Client ID later)
  3. Select openid-connect as Client Protocol
  4. And Root URL is the base URL to Wikijs (for example https://wiki.example.com)
  5. Click Save
  6. Change Access Type to confidential
  7. Enter the Valid Redirect URIs, which is the Callback URL / Redirect URI from WikiJS (ex. https://wiki.example.com/login/d03f689b-0dd0-44d6-90ca-6386ec41d799/callback, or just the path /login/{GUID}/callback)
  8. Set Base URL to the same as Root URL
  9. Set Web Origins to +, which means to use the URIs in the Valid Redirect URIs entry.
  10. Now click Save at the bottom of the page
  11. Go to the Credentials tab and copy the Secret (You will need this one later too)

Configure the Keycloak strategy in Wiki.js

  1. If you're not already there. Go to the Administration area of your wiki, click on Authentication in the left navigation menu
  2. Click on Keycloak
  3. Enter the Host, which is the domain (incl. the scheme) of your Keycloak server (Example: https://keycloak.example.com)
  4. Enter the Realm, which is the realm you are using in Keycloak (Default is: master)
  5. Enter the Client Id, which is the Client ID from Keycloak
  6. Enter the Client Secret, which is the Secret from Keycloak
  7. Enter the Authorization Endpoint URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/auth
  8. Enter the Token URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/token
  9. Enter the User Info URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/userinfo
  10. If you want the user to be logged out of Keycloak when logging out of WikiJS, enable Logout from Keycloak on Logout
  11. Enter the Logout Endpoint URL, which is https://keycloak.example.com/auth/realms/master/protocol/openid-connect/logout
  12. Check Allow self-registration to enable the Keycloak login button, and auto create users as they login for the first time.
  13. Remember to add a group with at least read permissions in the Assign to group list
  14. Click Apply in the top-left corner and try to login

Seamless login

If the login worked, you can enable Bypass Login Screen under the Security tab in the left navigation menu.
Make sure the Keycloak provider is at the top of the list in the Authentication tab.

@sverkera
Copy link

sverkera commented Mar 10, 2026

The Keycloak strategy lacks support for group mappings which is a requirement for my usecase. There is another Generic OpenID Connect / OAuth2 strategy which have that and it appears to be more modern.

I have the keycloak strategt working and I set up the generic to test. Keycloak creates a session for the user so that part appears to work fine but then when redirected to wiki.js I get the message "Oops, something went wrong... Invalid email / username or password.". Nothing in the log that shows what went wrong.

I assume that as a user when created in wiki.js is connected to the authentication strategy so I am testing with a different user.

There is a suggestion to remove the Keycloak strategy here which indicates that user was able to make the generic strategy work: https://js.wiki/feedback/p/removedeprecate-the-keycloak-authentication-provider

How to get logs or anything that indicates what goes wrong when using the generic oidc strategy?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment