I tried to configure Keycloak for the Neo4j database. During this I am redirected from the Neo4j login page to Keycloak, where Keycloak authenticates the user details and then redirects back to the Neo4j login page, but there no user is authorised by Keycloak to access Neo4j. Help me out to solve the issue.
Neo4j Enterprise? You don't mention it; otherwise it doesn't work.
I assume you created an OIDC client in Keycloak ...
Did you edit your neo4j.conf appropriately?
# Enable OIDC authentication
dbms.security.authentication_providers=oidc
# OIDC settings
dbms.security.oidc.enabled=true
dbms.security.oidc.issuer_uri=https://<your-keycloak-domain>/realms/<your-realm>
dbms.security.oidc.audience=neo4j-client
dbms.security.oidc.client_id=neo4j-client
dbms.security.oidc.client_secret=<your-client-secret>
# Optionally configure HTTPS if needed
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.crt
joshcornejo (post 2) wrote:
> dbms.security.authentication_providers
This is my Neo4j configuration in the Helm values.yaml file:
dbms.security.authentication_providers: "oidc-keycloak,native"
dbms.security.authorization_providers: "oidc-keycloak,native"
dbms.security.oidc.keycloak.display_name: "Keycloak"
dbms.security.oidc.keycloak.auth_flow: "pkce"
dbms.security.oidc.keycloak.well_known_discovery_uri: "https://keycloak.techavi.in/auth/realms/myCorp/.well-known/openid-configuration"
dbms.security.oidc.keycloak.params: "client_id=neo4j-client;response_type=code;scope=openid email roles"
dbms.security.oidc.keycloak.audience: "account,neo4j-client"
dbms.security.oidc.keycloak.issuer: "https://keycloak.techavi.in/auth/realms/myCorp"
dbms.security.oidc.keycloak.claims.username: "preferred_username"
dbms.security.oidc.keycloak.claims.groups: "realm_access.roles"
dbms.security.oidc.keycloak.authorization.group_to_role_mapping: "/admin=admin;/analyst=analyst;/reader=reader"
dbms.security.oidc.keycloak.config: "principal=preferred_username;token_type_principal=access_token;token_type_authentication=access_token"
I have also enabled the Enterprise edition. Please let me know where I made a mistake.
dbms.security.oidc.keycloak.auth_endpoint: "https://keycloak.techavidity.in/auth/realms/myCorp/protocol/openid-connect/auth"
dbms.security.oidc.keycloak.token_endpoint: "https://keycloak.techavidity.in/auth/realms/myCorp/protocol/openid-connect/token"
Hi,
Unfortunately, I can't tell you what's wrong, as you seem to have too many variables going at the same time ... I would suggest starting one-by-one from the manual:
In this article I have not found a specific one for Keycloak integration with Neo4j. I followed this one, but it does not work well.
Thank you. Please let me know if there is any other documentation related to the integration.
Your file had extra stuff compared to this one - I would suggest just starting with the URL parameters and making sure they are reachable from the server hosting Neo4j.
dbms.security.authentication_providers=oidc-keycloak,native
dbms.security.authorization_providers=oidc-keycloak,native
dbms.security.oidc.keycloak.display_name=keycloak
dbms.security.oidc.keycloak.auth_flow=pkce
dbms.security.oidc.keycloak.well_known_discovery_uri=http://127.0.0.1:8080/realms/myCorp/.well-known/openid-configuration
dbms.security.oidc.keycloak.params=client_id=neo4j-client;response_type=code;scope=openid email roles
dbms.security.oidc.keycloak.audience=account
dbms.security.oidc.keycloak.issuer=http://127.0.0.1:8080/realms/myCorp
dbms.security.oidc.keycloak.claims.username=preferred_username
# The claim to use for the database roles.
dbms.security.oidc.keycloak.claims.groups=groups
dbms.security.oidc.keycloak.authorization.group_to_role_mapping="/admin"=admin; "/analyst"=analyst;"/reader"=reader
dbms.security.oidc.keycloak.config=principal=preferred_username;token_type_principal=access_token;token_type_authentication=access_token
dbms.security.oidc.keycloak.auth_endpoint=http://127.0.0.1:8080/realms/myCorp/protocol/openid-connect/auth
dbms.security.oidc.keycloak.token_endpoint=http://127.0.0.1:8080/realms/myCorp/protocol/openid-connect/token
# The Client Secret (If needed)
dbms.security.oidc.keycloak.token_params=client_secret=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
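Added example (not part of this thread, and not Neo4j's or Keycloak's own code): a small Python script that parses a provider block written in the neo4j.conf form used above and checks a decoded access-token payload against it: the issuer, the audience list, the username claim, the dotted groups-claim path (for instance realm_access.roles) and which keys of group_to_role_mapping actually occur among the token's group values. The configuration text and the token payload are constructed samples modelled on this thread, and the helper that builds an unsigned token exists only so the script runs offline; signature, expiry and endpoint checks are Neo4j's job and are not performed here. What the report makes visible is whether the claim names and the mapping keys line up with what the token carries, which is what decides whether an authenticated user ends up with any Neo4j role at all.

```python
import base64
import json

# Constructed sample provider block (not a real deployment), in neo4j.conf form.
SAMPLE_CONF = """\
dbms.security.authentication_providers=oidc-keycloak,native
dbms.security.authorization_providers=oidc-keycloak,native
dbms.security.oidc.keycloak.issuer=http://127.0.0.1:8080/realms/myCorp
dbms.security.oidc.keycloak.audience=account,neo4j-client
dbms.security.oidc.keycloak.claims.username=preferred_username
dbms.security.oidc.keycloak.claims.groups=realm_access.roles
dbms.security.oidc.keycloak.authorization.group_to_role_mapping="/admin"=admin; "/analyst"=analyst;"/reader"=reader
"""

# Constructed access-token payload in the shape Keycloak issues for realm roles.
SAMPLE_PAYLOAD = {
    "iss": "http://127.0.0.1:8080/realms/myCorp",
    "aud": "account",
    "preferred_username": "alice",
    "realm_access": {"roles": ["admin", "offline_access"]},
}


def parse_conf(text):
    """Parse neo4j.conf-style 'key=value' lines, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def parse_group_mapping(value):
    """'"/admin"=admin; "/analyst"=analyst' -> {'/admin': 'admin', '/analyst': 'analyst'}."""
    mapping = {}
    for pair in value.split(";"):
        if "=" not in pair:
            continue
        group, role = pair.split("=", 1)
        mapping[group.strip().strip('"')] = role.strip().strip('"')
    return mapping


def get_claim(payload, dotted_path):
    """Resolve a dotted claim path such as 'realm_access.roles' inside the payload."""
    node = payload
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def unsigned_jwt(payload):
    """Build an unsigned sample token (placeholder header, empty signature) for offline use."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"typ": "JWT"}) + "." + seg(payload) + "."


def decode_jwt_payload(token):
    """Base64url-decode the payload segment of a JWT; no verification is done here."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token(conf, provider, payload):
    """Compare a decoded token payload with the provider's settings; return findings."""
    prefix = f"dbms.security.oidc.{provider}."
    expected_aud = [a.strip() for a in conf.get(prefix + "audience", "").split(",") if a.strip()]
    token_aud = payload.get("aud", [])
    if isinstance(token_aud, str):
        token_aud = [token_aud]
    # Defaults assumed to match Neo4j's documented ones: username 'sub', groups 'groups'.
    groups = get_claim(payload, conf.get(prefix + "claims.groups", "groups")) or []
    mapping = parse_group_mapping(conf.get(prefix + "authorization.group_to_role_mapping", ""))
    return {
        "issuer_ok": payload.get("iss") == conf.get(prefix + "issuer"),
        "audience_ok": any(a in expected_aud for a in token_aud),
        "username": get_claim(payload, conf.get(prefix + "claims.username", "sub")),
        "token_groups": list(groups),
        "mapped_roles": sorted({mapping[g] for g in groups if g in mapping}),
        # Mapping keys that never appear in the token: these grant nothing.
        "unmatched_mapping_keys": sorted(set(mapping) - set(groups)),
    }


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    token = unsigned_jwt(SAMPLE_PAYLOAD)
    print(json.dumps(check_token(conf, "keycloak", decode_jwt_payload(token)), indent=2))
```

With the sample above the report shows issuer and audience accepted and the username resolved, yet mapped_roles is empty because every mapping key ("/admin", "/analyst", "/reader") is listed under unmatched_mapping_keys: the token's role values carry no leading slash. To run it against a real deployment, replace SAMPLE_CONF with the provider block from your neo4j.conf and SAMPLE_PAYLOAD with the payload of an access token obtained from your own Keycloak realm.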
Hi,
The given configuration is for accessing Neo4j using a NodePort. But recent versions of Neo4j do not support the usage of a NodePort when integrating with Keycloak. That's why I am using an Ingress with TLS for both Keycloak and Neo4j.
Thank you.