Hi I need to authenticate HTTP(s) requests using JWT tokens issued by Keycloak.
I’m trying to decide between two community modules: sec-keycloak and sec-oauth2-openid-connect.
My main concern is which module has best chance of long-term maintenance and community support.
Regards
Torben
Hi, Torben,
I would recommend the “JWT Headers” Authentication.
This is a shared module with GeoServer.
If you don’t want to use that, you can use the Bearer token support in the OIDC security module.
The Keycloak module is working, however, the underlying library is now un-supported so I would not use it.
Thans for the update. on the keycloak module.
I briefly looked at the JWT token extension,
but I was hesitant to proceed with it since the module isn’t available in any of the prebuilt folders.
The absence of a prebuilt version raises concerns about its reliability and adoption.
Having to compile it myself suggests it may not be well-maintained or widely supported.
Regards Torben
Torben and welcome to the user forum.
We have had difficult attracting funding for these security integration; this is why the two implementations mentioned are not available in the prebuilt folders. They need to have sufficient documentation and test coverage to be included as extensions.
I will caution that the GeoServer 3 roadmap includes a spring security 6 upgrade. As a consequence both OIDC and keycloak security integrations will be marked as end-of-life in GeoServer 2.28.x.
So the module David recommends is very much worth considering; and ideally it could attract support to be made into an extension.
Thanx
Looking at ie.Index of /geoserver/2.27.x/community-latest/ i find both geoserver-2.27-SNAPSHOT-sec-oauth2-openid-connect-plugin.zip and geoserver-2.27-SNAPSHOT-sec-keycloak-plugin.zip but no not a SNAPSHOT of the JWT extension.
in fact the Installing JWT Headers — GeoServer 2.27.x User Manual page points to a Zip file but the file doesnt exist (404)
so i hope you understand my cofusion when i’m told that JWT-headers plugin is the way to go ?
Please download the source code for the version of GeoServer you deployed and compile that module.
That said we should talk to David about including it in nightly build for wider feedback.
I appreciate your suggestion, - but unfortunately i’m currently not in a position to build geoserver myself. I may get back to it at a later point.
In the meantime im giving sec-oauth2-openid-connect a try.
Thanx for your reply.
Just for the record. - i switched to the JWT header extension ( building it myself).
Once you get all the external dependencies, it works quite smooth.
The logging and documentation though still could use some rework.
That’s great feedback, thanks @TorbenPetersen . Regarding the documentation, how do you think it could be improved? Could you copy the text into Docs/Word, for example, and add comments or changes that you feel would improve it?
Ideally, being an open source project, you should submit a PR with your input, but you can also just provide it to me as a document and I’ll do the final step.
Peter