Hi all,

I was trying to set up GeoServer using the Keycloak authentication plugin following this documentation: https://docs.geoserver.org/latest/en/user/community/keycloak/index.html

I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR and AUTHENTICATED roles, as described in the example. But when I tried to use my own Keycloak roles it wasn't working, and I was facing the same problems as the user in this GeoServer-User mailing list post: http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html

Running GeoServer in debug mode I found the problem, which is caused by the authority mapper class that is used to map the role names from Keycloak against the role names in GeoServer:

    org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper class sets the default prefix "ROLE_" in front of every role name coming from Keycloak:

    public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper, InitializingBean {
        private GrantedAuthority defaultAuthority;
        private String prefix = "ROLE_";
        // ...
    }

This is why it was working for the ADMINISTRATOR and AUTHENTICATED roles, which are system roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working I had to add the prefix "ROLE_" to the GeoServer roles. Example: for the Keycloak role "KC_GEOSERVER", the role in GeoServer had to be named "ROLE_KC_GEOSERVER".

In my opinion this is not the expected behaviour, at least for our use case. We want to use exactly the same role names in GeoServer and Keycloak.

I have found the place in the GeoServer Keycloak plugin code to fix this: https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

Old code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        // default SimpleAuthorityMapper: prepends "ROLE_" to every Keycloak role name
        authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    }

New code:

    public GeoServerKeycloakFilter() {
        this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
        this.authenticationMapper = new KeycloakAuthenticationProvider();
        // clear the prefix so Keycloak role names are passed through unchanged
        SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper();
        simpleAuthMapper.setPrefix("");
        authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper);
    }

Maybe you can add this fix to the master branch.

Best regards,
Paul
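To make the effect of the prefix visible, here is an added example (not Paul's code and not part of the GeoServer plugin) that runs Spring Security's SimpleAuthorityMapper over a constructed list of Keycloak role names, once with the default prefix and once with it cleared, and checks each result against a constructed set of GeoServer role names; it assumes spring-security-core is on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;

public class KeycloakRoleMappingDemo {

    // Constructed sample: role names as they would arrive from a hypothetical Keycloak realm.
    static final List<GrantedAuthority> KEYCLOAK_ROLES = Arrays.asList(
            new SimpleGrantedAuthority("KC_GEOSERVER"),
            new SimpleGrantedAuthority("ADMINISTRATOR"),
            new SimpleGrantedAuthority("ROLE_AUTHENTICATED"));

    // Constructed sample: role names defined in the GeoServer role service.
    static final Set<String> GEOSERVER_ROLES = new HashSet<>(Arrays.asList(
            "ROLE_ADMINISTRATOR", "ROLE_AUTHENTICATED", "KC_GEOSERVER"));

    // Runs the mapper and returns the mapped authority names in input order.
    static Set<String> mapped(SimpleAuthorityMapper mapper) {
        Set<String> out = new LinkedHashSet<>();
        for (GrantedAuthority ga : mapper.mapAuthorities(KEYCLOAK_ROLES)) {
            out.add(ga.getAuthority());
        }
        return out;
    }

    // Prints, for each mapped name, whether GeoServer would recognise it as one of its roles.
    static void report(String label, SimpleAuthorityMapper mapper) {
        System.out.println(label);
        for (String name : mapped(mapper)) {
            boolean known = GEOSERVER_ROLES.contains(name);
            System.out.println("  " + name + " -> "
                    + (known ? "matches a GeoServer role" : "no matching GeoServer role"));
        }
    }

    public static void main(String[] args) {
        // Default mapper, as used by the plugin: prepends "ROLE_" unless the name already starts with it.
        report("default prefix \"ROLE_\":", new SimpleAuthorityMapper());

        // Mapper with the prefix cleared, as in the proposed fix: names pass through unchanged.
        SimpleAuthorityMapper noPrefix = new SimpleAuthorityMapper();
        noPrefix.setPrefix("");
        report("empty prefix:", noPrefix);
    }
}
```

Note the consequence for the system roles: with the prefix cleared, a Keycloak role named plain ADMINISTRATOR no longer maps to GeoServer's ROLE_ADMINISTRATOR, so roles that should carry administrative rights must be named ROLE_ADMINISTRATOR in Keycloak itself.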
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel