Hi,

I'm looking into how to authenticate against a Keycloak server. I'm using 
Geoserver 2.24.2 and Keycloak 23.0.6. In Geoserver I have configured a 
"Keycloak OpenID Authentication" filter with the config from Keycloak server 
and disabled the checkbox "Enable Redirect to Keycloak Login page". Then I have 
changed the filter chain for "web", so that it lists keycloak at the top of the 
list of filters. At the bottom I have "anonymous".


This doesn't work. I've turned on full logging for keycloak both in 
"org.geoserver.security.keycloak" and "org.keycloak". What I see is that it 
gets the token from the Keycloak server, so that communication is working, but 
fails to initiate an HTTP forwarding.

When I debug the solution I see that an AnonymousAuthenticationToken is set 
into SecurityContextHolder.getContext().setAuthentication. And that it stays 
there for all the subsequent calls. That will prevail 
GeoserverKeycloakAuthenticationFilter to do any more tries to authenticate 
against the Keycloak server. I have tried without the anonymous filter, but 
then I can't get into the web site at all.

Is AnonymousAuthenticationToken meant to be reused in subsequent calls, like 
maybe it comes from the Session? Or should it be cleared at the top of the 
filter chain?

Does anyone have an example of the Authentication settings in Geoserver for a 
solution using Keycloak as an Authentication filter, and that is working?

Best regards,

Roar Brænden

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel