[Geoserver-devel] Keycloak authentication not working

Hi,

I'm looking into how to authenticate against a Keycloak server. I'm using Geoserver 2.24.2 and Keycloak 23.0.6. In Geoserver I have configured a "Keycloak OpenID Authentication" filter with the config from Keycloak server and disabled the checkbox "Enable Redirect to Keycloak Login page". Then I have changed the filter chain for "web", so that it lists keycloak at the top of the list of filters. At the bottom I have "anonymous".

This doesn't work. I've turned on full logging for keycloak both in "org.geoserver.security.keycloak" and "org.keycloak". What I see is that it gets the token from the Keycloak server, so that communication is working, but fails to initiate an HTTP forwarding.

When I debug the solution I see that an AnonymousAuthenticationToken is set into SecurityContextHolder.getContext().setAuthentication, and that it stays there for all the subsequent calls. That prevents GeoserverKeycloakAuthenticationFilter from making any more tries to authenticate against the Keycloak server. I have tried without the anonymous filter, but then I can't get into the web site at all.

Is AnonymousAuthenticationToken meant to be reused in subsequent calls, like maybe it comes from the Session? Or should it be cleared at the top of the filter chain?

Does anyone have an example of the Authentication settings in Geoserver for a solution using Keycloak as an Authentication filter, and that is working?

Best regards,

Roar Brænden

Hi Roar,

We are using Keycloak in one of our environments as an authentication provider. We are using it in combination with Geofence, which is working fine. Here are my settings:

For “web” = geoserver-admin-access (you have to disable “anonymous”; and we have additionally added “basic” because this was a requirement):

For “default” = GeoServer OGC-service access (Keycloak has to be on top):

One thing you have to check to get it working:
You have to create “ROLE_ADMINISTRATOR” and “ROLE_AUTHENTICATED” roles in Keycloak and assign them to your user:

And as far as I remember I had to manually add the roles from Keycloak to the GeoServer roles to be able to differentiate layer authorization.

Best regards,

Paul


**Paul Biskup**
Head of Business Geo Intelligence BGI

Fichtner IT Consulting GmbH
Sarweystraße 3
70191 Stuttgart
Germany

Fichtner GmbH & Co. KG

Phone: +49 (711) 8995 1453
Mobile: +49 (151) 1623 1453
E-mail: Paul.Biskup@anonymised.com

**Fichtner IT Consulting GmbH** Sarweystr. 3, 70191 Stuttgart, Germany, Amtsgericht Stuttgart HRB 761846

Board of Directors
Andreas Höfler (Chairman),
Dr. Albrecht Reuter,
David Plodek

www.fit.fichtner.de

Statements by Fichtner IT Consulting GmbH sent by e-mail are legally binding only if confirmed in writing.
Please consider the environment; print only when necessary.

-----Original Message-----
From: Roar Brænden roar.brenden.no@anonymised.com
Sent: Wednesday, 13 March 2024 19:18
To: geoserver-devel geoserver-devel@lists.sourceforge.net
Subject: [Geoserver-devel] Keycloak authentication not working


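A small Python model of the filter-chain behaviour discussed in this thread, added here as an illustration; it is not GeoServer or Spring Security code, and the filter classes, the carried-over context and the sample requests are all constructed. It shows why a filter that only acts on an empty security context is never reached again once an anonymous token sits in a context that survives between requests (Roar's observation), and how leaving the anonymous filter out of the chain (Paul's "web" chain setting) lets the Keycloak filter act on the next request.

```python
from dataclasses import dataclass

@dataclass
class Authentication:
    principal: str
    anonymous: bool = False

@dataclass
class SecurityContext:
    authentication: "Authentication | None" = None

class KeycloakFilter:
    # Constructed stand-in for an IdP filter that only acts on an empty context.
    def __init__(self):
        self.attempts = 0
    def do_filter(self, ctx, request):
        if ctx.authentication is not None:
            return  # already populated, even by an anonymous token: skip
        self.attempts += 1
        if "bearer" in request:  # token the IdP would have validated
            ctx.authentication = Authentication(principal=request["bearer"])

class AnonymousFilter:
    # Fills an empty context with an anonymous token, as Spring's filter does.
    def do_filter(self, ctx, request):
        if ctx.authentication is None:
            ctx.authentication = Authentication("anonymousUser", anonymous=True)

def run_chain(filters, requests, carry_context):
    # With carry_context the same context object survives between requests,
    # modelling what the thread reports: the token is kept across calls.
    ctx = SecurityContext()
    for req in requests:
        if not carry_context:
            ctx = SecurityContext()
        for f in filters:
            f.do_filter(ctx, req)
    return ctx.authentication  # outcome of the last request

def compare():
    # Constructed sample traffic: first hit without a token, second with one.
    requests = [{}, {"bearer": "alice"}]
    kc_with, kc_without = KeycloakFilter(), KeycloakFilter()
    with_anon = run_chain([kc_with, AnonymousFilter()], requests, True)
    without_anon = run_chain([kc_without], requests, True)
    return {
        "with_anonymous": (kc_with.attempts, with_anon.principal),
        "without_anonymous": (kc_without.attempts, without_anon.principal),
    }
```

With the anonymous filter present the Keycloak stand-in runs once and the second request stays anonymous; without it the second request is authenticated as alice.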