Single Sign-On for Wiki.js with Keycloak
Managing multiple credentials across internal tools is tedious. We’ve standardized authentication across our DevOps stack using Keycloak as the central IdP. This post covers how we integrated Wiki.js via OpenID Connect (OIDC).
Step 1: Keycloak client setup
- Created a confidential OIDC client for Wiki.js
- Enabled standard flow
- Configured redirect URI:
https://wiki.example.net/auth/oidc/callback - Added username, email, and full name mappers
Step 2: Wiki.js configuration
- Selected Keycloak strategy for OIDC
- Provided the Keycloak host, realm, client ID, and secret
- Verified authorization, token, and userinfo endpoints
- Enabled self-registration for automatic user creation
- Set default Wiki.js group for new users
Step 3: Testing
- Logged in with a Keycloak user
- Confirmed automatic account creation in Wiki.js
- User assigned to the default group and can read pages
- Verified TLS termination at HAProxy worked correctly
Conclusion:
With this setup, Wiki.js now shares the same login credentials as other internal tools (Jenkins, Grafana, GitLab), reducing friction and improving security. Self-registration ensures that new users from Keycloak can access Wiki.js immediately, and internal groups control access levels.
If you want a little more technical details, head for my wiki.
Found this post helpful? You can support me:
About The Author
