Hi everyone,
we are using the Keycloak plugin as a role service as described in the GeoServer documentation which works well for the most part. Thanks for that!
We have one requirement, though, which isn’t covered yet. When assigning roles to users through groups in Keycloak, they won’t be picked up by GeoServer (and thus authorization will fail for the respective workspaces or layers).
As far as I can see, this is due to the fact that the KeycloakRoleService fetches role mappings through the …/users/<user-id>/role-mappings/clients/<client-id> endpoint while roles assigned through groups will only be available on the …/users/<user-id>/role-mappings/clients/<client-id>/composite endpoint.
What would you think about adding the request for composite roles to the extension? I believe it should still behave correctly in existing use-cases.
Thanks again and best regards
André
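To make the difference André describes visible, here is an added example (not GeoServer or Keycloak project code) that queries the two Keycloak Admin REST API paths named above for one user and reports which client roles appear only in the composite (effective) set, i.e. roles the user holds through group membership or composite roles rather than direct assignment. The fetch function is injectable, so the comparison runs offline against constructed sample responses; the realm name, user id, client UUID and role names in the sample are constructed placeholders. It assumes a confidential client whose service account has the realm-management `view-users` role, and a Keycloak version that serves the admin API under `/admin/realms/...` (older versions prefix `/auth`).

```python
"""Compare a Keycloak user's directly assigned client roles with the
effective (composite) set for the same client.

Paths used (from the Keycloak Admin REST API):
  .../users/{user-id}/role-mappings/clients/{client-uuid}            direct
  .../users/{user-id}/role-mappings/clients/{client-uuid}/composite  effective
Note: {client-uuid} is the client's internal id, not its clientId.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable


def admin_token(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    """Obtain an access token via the client_credentials grant (assumed setup:
    a confidential client whose service account may view users)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def http_get_json(url: str, token: str):
    """GET a JSON document with a bearer token (used for the live case)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def role_names(roles: Iterable[dict]) -> set:
    """Reduce a list of Keycloak RoleRepresentations to their names."""
    return {r["name"] for r in roles}


def compare_role_mappings(base_url: str, realm: str, user_id: str,
                          client_uuid: str, fetch: Callable[[str], list]) -> dict:
    """Return direct roles, effective roles, and the roles that are only
    reachable via the composite endpoint (group-derived or composite)."""
    prefix = (f"{base_url}/admin/realms/{realm}/users/{user_id}"
              f"/role-mappings/clients/{client_uuid}")
    direct = role_names(fetch(prefix))
    effective = role_names(fetch(prefix + "/composite"))
    return {
        "direct": sorted(direct),
        "effective": sorted(effective),
        "group_only": sorted(effective - direct),
    }


# Constructed sample responses standing in for the two endpoints: the user has
# one role assigned directly and a second one inherited through a group.
SAMPLE_DIRECT = [{"id": "r-1", "name": "ROLE_VIEWER", "clientRole": True}]
SAMPLE_COMPOSITE = [
    {"id": "r-1", "name": "ROLE_VIEWER", "clientRole": True},
    {"id": "r-2", "name": "ROLE_EDITOR", "clientRole": True},
]


def sample_fetch(url: str) -> list:
    """Offline stand-in for http_get_json keyed on the path suffix."""
    return SAMPLE_COMPOSITE if url.endswith("/composite") else SAMPLE_DIRECT


def report(result: dict) -> str:
    """Human-readable summary of what a direct-only role service would miss."""
    missing = ", ".join(result["group_only"]) or "none"
    return (f"direct: {result['direct']}\n"
            f"effective: {result['effective']}\n"
            f"only via groups/composites (not seen by a direct-only lookup): {missing}")


if __name__ == "__main__":
    # Offline demonstration with constructed placeholders; for a live check,
    # replace sample_fetch with lambda u: http_get_json(u, admin_token(...)).
    res = compare_role_mappings("https://keycloak.example", "demo-realm",
                                "user-uuid-placeholder", "client-uuid-placeholder",
                                sample_fetch)
    print(report(res))
```

Running the offline version prints `ROLE_EDITOR` as the only-via-groups role; that is exactly the set a role service reading just the direct endpoint would never surface, which is why workspace or layer authorization fails for those users.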
Hello,
unfortunately the Keycloak plugin won’t be supported anymore since it is using deprecated classes and libraries. You should plan to switch to OIDC instead. GeoServer 3 will benefit from a brand new upgraded plugin.
Hi Alessio,
thank you for following up on our issue so quickly! We have been evaluating a switch to the OIDC plugin these last days. Being up-to-date with GeoServer versions and using sustainable dependencies is important to us, of course.
The OIDC integration with Keycloak is working great and it seems like a promising solution to me. There is one thing from the Keycloak plugin, though, that we would be missing in the future, which is synchronizing all available roles from Keycloak to GeoServer via the Keycloak role service for GeoServer administrators to assign to workspaces and layers efficiently.
Do you see a chance of continuing support for the role service part of the Keycloak plugin or am I missing a different solution for synchronizing roles with Keycloak maybe?
Thanks so much
André