Hi all,
I was trying to set up GeoServer using the Keycloak authentication plugin, following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR and AUTHENTICATED roles, as described in the example.
But when I tried to use my own Keycloak roles it wasn't working, and I was facing the same problems as the user in this GeoServer-User mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
Running GeoServer in debug mode I found the problem, which is caused by the authority mapper class used, which tries to map the role names from Keycloak against the role names in GeoServer:
org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
This SimpleAuthorityMapper class sets the default prefix "ROLE_" in front of every role name coming from Keycloak:

public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,
        InitializingBean {
    private GrantedAuthority defaultAuthority;
    private String prefix = "ROLE_";
This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).
To get it working I had to add the prefix "ROLE_" to the GeoServer roles.
Example:
Keycloak role: "KC_GEOSERVER"
the role in GeoServer had to be named like this: "ROLE_KC_GEOSERVER"
In my opinion this is not the expected behaviour, at least for our use case. We want to use exactly the same role names in GeoServer and Keycloak.
I have found the place in the GeoServer Keycloak plugin code to fix this:
old code:

public GeoServerKeycloakFilter() {
    this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    this.authenticationMapper = new KeycloakAuthenticationProvider();
    // default SimpleAuthorityMapper: prefixes every Keycloak role with "ROLE_"
    authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
}
new code:

public GeoServerKeycloakFilter() {
    this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    this.authenticationMapper = new KeycloakAuthenticationProvider();
    SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
    // empty prefix: Keycloak role names are passed through to GeoServer unchanged
    simpleAuthMapper.setPrefix("");
    authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
}
Maybe you can add this fix to the master branch.
Best regards,
Paul
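Editor's note: the following Java program is an added example, not code from Paul's post or from the GeoServer Keycloak plugin. It runs a constructed list of Keycloak role names through Spring Security's SimpleAuthorityMapper once with the default "ROLE_" prefix and once with the prefix set to "", then intersects the result with a constructed set of GeoServer role names to show which roles actually take effect in each configuration. Both the role lists and the class name KeycloakRoleMappingDemo are assumptions made for the demo; the mapper itself behaves as in spring-security-core, which must be on the classpath (Java 11 or newer for List.of/Set.of). The point worth checking before adopting the empty-prefix fix: SimpleAuthorityMapper only adds the prefix when the name does not already start with it, so the documented setup, where a Keycloak role named ADMINISTRATOR becomes ROLE_ADMINISTRATOR, silently stops working once the prefix is "", unless the roles are named ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED on the Keycloak side.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

/**
 * Added example (not part of the post or of the GeoServer Keycloak plugin).
 * Shows what SimpleAuthorityMapper does to Keycloak role names with the
 * default "ROLE_" prefix and with an empty prefix, and which mapped names
 * then match a role defined in GeoServer.
 */
public class KeycloakRoleMappingDemo {

    /** Constructed sample: role names as they arrive in the Keycloak token. */
    static final List<String> KEYCLOAK_ROLES = List.of(
            "KC_GEOSERVER",         // custom role from the post
            "ADMINISTRATOR",        // documented setup relies on this becoming ROLE_ADMINISTRATOR
            "ROLE_AUTHENTICATED");  // already carries the prefix, so it is never doubled

    /** Constructed sample: role names as defined in GeoServer's role service. */
    static final Set<String> GEOSERVER_ROLES = Set.of(
            "ROLE_ADMINISTRATOR",   // GeoServer system role
            "ROLE_AUTHENTICATED",   // GeoServer system role
            "KC_GEOSERVER");        // custom role, same name as in Keycloak

    /** Runs the role names through the given mapper and returns the mapped names, sorted. */
    static Set<String> mapRoleNames(SimpleAuthorityMapper mapper, Collection<String> roles) {
        List<GrantedAuthority> input = roles.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return mapper.mapAuthorities(input).stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toCollection(TreeSet::new));
    }

    /** Keeps only the mapped names that exist as GeoServer roles, i.e. the ones that grant anything. */
    static Set<String> effectiveRoles(Set<String> mapped, Set<String> geoserverRoles) {
        Set<String> effective = new TreeSet<>(mapped);
        effective.retainAll(geoserverRoles);
        return effective;
    }

    static void report(String label, SimpleAuthorityMapper mapper) {
        Set<String> mapped = mapRoleNames(mapper, KEYCLOAK_ROLES);
        System.out.println(label + " mapped    : " + mapped);
        System.out.println(label + " effective : " + effectiveRoles(mapped, GEOSERVER_ROLES));
    }

    public static void main(String[] args) {
        // 1. Plugin default: "ROLE_" is prepended unless the name already starts with it.
        report("default prefix", new SimpleAuthorityMapper());

        // 2. The fix from the post: empty prefix, names pass through unchanged.
        SimpleAuthorityMapper noPrefix = new SimpleAuthorityMapper();
        noPrefix.setPrefix("");
        report("empty prefix  ", noPrefix);
    }
}
```

With the default prefix, KC_GEOSERVER is mapped to ROLE_KC_GEOSERVER and therefore does not match the GeoServer role KC_GEOSERVER, which is exactly the failure described in the post, while ADMINISTRATOR and ROLE_AUTHENTICATED both end up as the matching system roles. With the empty prefix, KC_GEOSERVER matches, but ADMINISTRATOR stays ADMINISTRATOR and no longer matches ROLE_ADMINISTRATOR. Whichever prefix is chosen, running a comparison like this against the real role service before deploying is a cheap way to make sure no role quietly stops (or starts) granting access.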