[Geoserver-devel] [JIRA] (GEOS-9788) Keycloak-plugin wrong role mapping

Paul Biskup created an issue

GeoServer / Bug GEOS-9788

Keycloak-plugin wrong role mapping

Issue Type:

Bug

Affects Versions:

2.17.2

Assignee:

Unassigned

Components:

Community modules, Security

Created:

06/Nov/20 1:11 PM

Priority:

Low

Reporter:

Paul Biskup

This issue references this GeoServer-dev mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-plugin-wrong-role-mapping-td5449169.html

I was trying to set up GeoServer using the Keycloak authentication plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR and AUTHENTICATED roles, as described in the example.

But when I tried to use my own Keycloak roles it wasn’t working, and I was facing the same problems as the user in this GeoServer-user mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
Running GeoServer in debug mode, I found the problem. It is caused by the authority mapper class that is used to map the role names coming from Keycloak against the role names in GeoServer:
org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper class sets the default prefix „ROLE_“ in front of every role name coming from Keycloak:

    public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper, InitializingBean {
        private GrantedAuthority defaultAuthority;
        private String prefix = "ROLE_";

This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working you had to add the prefix „ROLE_“ to the GeoServer roles.
Example:
Keycloak role: „KC_GEOSERVER“
The role in GeoServer had to be named like this: „ROLE_KC_GEOSERVER“

This is not the expected behaviour. Usually you want to use exactly the same role names in GeoServer and Keycloak.

I have found the place in the GeoServer Keycloak plugin code to fix this:
https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    }

new code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
        simpleAuthMapper.setPrefix("");
        authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
    }
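The following stand-alone program is an added example, not code from the issue or from the GeoServer project. It runs Spring Security's real SimpleAuthorityMapper over a constructed set of Keycloak authorities, once with the default „ROLE_“ prefix (what the plugin shipped with) and once with the empty prefix from the proposed fix, and reports which mapped names have no GeoServer role of the same name. It assumes spring-security-core on the classpath; the class name, the role names and the GeoServer role list are constructed sample values.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakRoleMappingDemo {

    // Constructed sample: role names as defined in GeoServer. The first two are
    // GeoServer system roles; the third is a custom role meant to match Keycloak.
    static final Set<String> GEOSERVER_ROLES =
            Set.of("ROLE_ADMINISTRATOR", "ROLE_AUTHENTICATED", "KC_GEOSERVER");

    // Constructed sample: authorities as they arrive from Keycloak for one user.
    static final List<GrantedAuthority> KEYCLOAK_AUTHORITIES = Arrays.asList(
            new SimpleGrantedAuthority("ROLE_ADMINISTRATOR"),
            new SimpleGrantedAuthority("KC_GEOSERVER"));

    /** Maps the Keycloak authorities with the given mapper and returns the resulting names. */
    static Set<String> mapRoleNames(SimpleAuthorityMapper mapper) {
        return mapper.mapAuthorities(KEYCLOAK_AUTHORITIES).stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    /** Returns the mapped names for which GeoServer has no role of the same name. */
    static Set<String> unmatched(Set<String> mappedNames) {
        return mappedNames.stream()
                .filter(name -> !GEOSERVER_ROLES.contains(name))
                .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        // As shipped in the plugin: the default prefix "ROLE_" is prepended to every
        // authority that does not already start with it, so KC_GEOSERVER becomes
        // ROLE_KC_GEOSERVER and no longer matches the GeoServer role of that name.
        SimpleAuthorityMapper defaultMapper = new SimpleAuthorityMapper();
        Set<String> withPrefix = mapRoleNames(defaultMapper);
        System.out.println("default prefix -> " + withPrefix + ", unmatched: " + unmatched(withPrefix));

        // The fix proposed in the issue: empty prefix, so names pass through unchanged.
        SimpleAuthorityMapper noPrefixMapper = new SimpleAuthorityMapper();
        noPrefixMapper.setPrefix("");
        Set<String> asIs = mapRoleNames(noPrefixMapper);
        System.out.println("empty prefix   -> " + asIs + ", unmatched: " + unmatched(asIs));
    }
}
```

Names that already carry the prefix (ROLE_ADMINISTRATOR) are left alone by the mapper in both runs, which is why only custom roles without the prefix were affected.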

Additionally, the Keycloak documentation should also be updated.



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100149-sha1:a9f85c2)
