Authentication using JWT with Keycloak

Hi, I need to authenticate HTTP(s) requests using JWT tokens issued by Keycloak.
I’m trying to decide between two community modules: sec-keycloak and sec-oauth2-openid-connect.
My main concern is which module has the best chance of long-term maintenance and community support.

Regards
Torben

Hi, Torben,

I would recommend the “JWT Headers” Authentication.

This is a shared module with GeoServer.

If you don’t want to use that, you can use the Bearer token support in the OIDC security module.

The Keycloak module is working; however, the underlying library is now unsupported, so I would not use it.

Thanks for the update on the Keycloak module.
I briefly looked at the JWT token extension,
but I was hesitant to proceed with it since the module isn’t available in any of the prebuilt folders.
The absence of a prebuilt version raises concerns about its reliability and adoption.
Having to compile it myself suggests it may not be well-maintained or widely supported.

Regards Torben

Torben and welcome to the user forum.

We have had difficulty attracting funding for these security integrations; this is why the two implementations mentioned are not available in the prebuilt folders. They need to have sufficient documentation and test coverage to be included as extensions.

I will caution that the GeoServer 3 roadmap includes a Spring Security 6 upgrade. As a consequence, both OIDC and Keycloak security integrations will be marked as end-of-life in GeoServer 2.28.x.

So the module David recommends is very much worth considering; and ideally it could attract support to be made into an extension.

Thanks

Looking at i.e. Index of /geoserver/2.27.x/community-latest/ I find both geoserver-2.27-SNAPSHOT-sec-oauth2-openid-connect-plugin.zip and geoserver-2.27-SNAPSHOT-sec-keycloak-plugin.zip but not a SNAPSHOT of the JWT extension.
In fact, the Installing JWT Headers — GeoServer 2.27.x User Manual page points to a Zip file, but the file doesn’t exist (404).

So I hope you understand my confusion when I’m told that the JWT-headers plugin is the way to go?

Please download the source code for the version of GeoServer you deployed and compile that module.

That said we should talk to David about including it in nightly build for wider feedback.

I appreciate your suggestion, but unfortunately I’m currently not in a position to build GeoServer myself. I may get back to it at a later point.
In the meantime I’m giving sec-oauth2-openid-connect a try.
Thanks for your reply.