Good morning,

I wasn't sure if this is the correct place for this question or not. If not, 
please let me know where I can get some assistance on this.

I'm currently on a project where we need to run GeoServer in a Kubernetes 
cluster and authenticate via Keycloak. Two other coworkers and I have spent a 
fair amount of time trying to set this up, following the documentation 
provided, but for some reason cannot get the authentication mechanism to work 
properly. We have set up the client in Keycloak and configured the security 
filters per the documentation in GeoServer.
We have also scoured Stack Overflow and the GIS Stack Exchange pages to no 
avail. I understand the community extensions are experimental in nature, but it 
seems these plugins should work.

After trying the Keycloak plugin with no luck, we switched to testing the 
OpenID Connect (OIDC) plugin.

The Issue:
At first, everything works as expected when attempting to log in. I can see the 
OIDC button displayed on the home page next to the username and password boxes. 
I click the OIDC button, and it redirects to the Keycloak sign-in page. I enter 
the user credentials, and the user is redirected back to the same login page and is 
not able to enter the UI. When checking the logs, I can see we get the access token 
and ID token, but it doesn't seem to make it to the "Getting Roles" step.

DEBUG  [security.oauth2] - OIDC: SCOPES=openid geocat
DEBUG  [security.oauth2] - OIDC: ACCESS TOKEN: ....
DEBUG  [security.oauth2] - OIDC: ID  TOKEN: ...
DEBUG  [security.oauth2] - OIDC: Getting Roles from UserGroupService, 
location=null <----- does not make it here for us.


My questions:
- Is this a known issue?
- If so, is there a workaround for this?
- Or, is there another solution to get GeoServer to authenticate via Keycloak?


ADAPTER-CONFIG (the auth-server-url value is quoted here so the JSON parses; it was unquoted as pasted):
{
  "realm": "shared-services",
  "auth-server-url": "https://O4-keycloak/",
  "ssl-required": "none",
  "resource": "geoserver-client",
  "verify-token-audience": true,
  "credentials": {
    "secret": "************"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "policy-enforcer": {
    "credentials": {}
  }
}

GeoServer version: 2.24.1
Keycloak version: 21.1.2

Plugins used:  sec-keycloak-plugin / sec-oauth2-openid-connect-plugin.

Docs followed:
- OpenID Connect authentication - GeoServer 2.24.x User Manual: https://docs.geoserver.org/stable/en/user/community/oauth2/oidc.html
- Keycloak authentication - GeoServer 2.24.1 User Manual: https://docs.geoserver.org/2.24.1/en/user/community/keycloak/index.html



Respectfully,
Michael Carrillo
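The adapter config above asks the Keycloak adapter for two things that both depend on what is actually inside the token Keycloak issues: `"verify-token-audience": true` requires the client id (`resource`, here `geoserver-client`) to appear in the token's `aud` claim, and `"use-resource-role-mappings": true` makes the adapter read roles from `resource_access.<client>.roles` rather than from `realm_access.roles`. A quick offline way to check whether a captured token satisfies both is to decode its payload and look. The script below is an added example written for this post, not code from GeoServer, the plugins or Keycloak; the two tokens it inspects are constructed, unsigned samples, and the client id and claim shapes are assumed to match the standard Keycloak token layout.

```python
import base64
import json

# Client id from the adapter config's "resource" field (assumption: same as the post).
CLIENT_ID = "geoserver-client"


def _b64url_encode(obj: dict) -> str:
    """Encode a dict as unpadded base64url JSON, the JWT segment format."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    This is a diagnostic helper for reading claims out of a token you already
    hold; never make an authorization decision on an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audience_contains(payload: dict, client_id: str) -> bool:
    """'aud' may be a string or a list in JWTs; normalise before checking."""
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud


def extract_roles(payload: dict, client_id: str, use_resource_role_mappings: bool) -> list:
    """Mirror the adapter's role source: client roles vs realm roles."""
    if use_resource_role_mappings:
        return list(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return list(payload.get("realm_access", {}).get("roles", []))


def diagnose(token: str, client_id: str = CLIENT_ID,
             use_resource_role_mappings: bool = True,
             verify_token_audience: bool = True) -> dict:
    """Report whether a token would pass the two adapter settings from the post."""
    payload = decode_jwt_payload(token)
    roles = extract_roles(payload, client_id, use_resource_role_mappings)
    return {
        "audience_ok": (not verify_token_audience) or audience_contains(payload, client_id),
        "roles": roles,
        "roles_found": bool(roles),
        "azp": payload.get("azp"),
    }


# Constructed sample 1: typical default Keycloak token. The client is only the
# authorized party (azp), 'aud' holds just "account", and the user's roles are
# realm roles. With the post's settings this yields no audience match and no roles.
TOKEN_DEFAULT_SHAPE = make_unsigned_token({
    "iss": "https://O4-keycloak/realms/shared-services",
    "aud": "account",
    "azp": CLIENT_ID,
    "preferred_username": "michael",
    "realm_access": {"roles": ["viewer"]},
    "resource_access": {"account": {"roles": ["view-profile"]}},
})

# Constructed sample 2: what the adapter settings actually require: the client
# id in 'aud' and roles mapped on the client itself.
TOKEN_CLIENT_SCOPED = make_unsigned_token({
    "iss": "https://O4-keycloak/realms/shared-services",
    "aud": ["account", CLIENT_ID],
    "azp": CLIENT_ID,
    "preferred_username": "michael",
    "realm_access": {"roles": ["viewer"]},
    "resource_access": {CLIENT_ID: {"roles": ["ROLE_ADMINISTRATOR"]}},
})


if __name__ == "__main__":
    for name, tok in (("default shape", TOKEN_DEFAULT_SHAPE), ("client scoped", TOKEN_CLIENT_SCOPED)):
        print(name, diagnose(tok))
```

Paste a real access token from the DEBUG log in place of the constructed samples to see which of the two conditions it fails. If `audience_ok` is false or `roles` is empty for the token Keycloak actually issues, the adapter settings and the client's scope/role mapping in Keycloak disagree, and adjusting one side (or relaxing `verify-token-audience` / `use-resource-role-mappings` while testing) is the first thing to try before digging further into the plugin.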
_______________________________________________
Geoserver-users mailing list


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users