Hi, I'm looking into how to authenticate against a Keycloak server. I'm using Geoserver 2.24.2 and Keycloak 23.0.6. In Geoserver I have configured a "Keycloak OpenID Authentication" filter with the config from the Keycloak server and disabled the checkbox "Enable Redirect to Keycloak Login page". Then I have changed the filter chain for "web" so that it lists keycloak at the top of the list of filters. At the bottom I have "anonymous".

This doesn't work. I've turned on full logging for keycloak both in "org.geoserver.security.keycloak" and "org.keycloak". What I see is that it gets the token from the Keycloak server, so that communication is working, but it fails to initiate an HTTP forwarding. When I debug the solution I see that an AnonymousAuthenticationToken is set via SecurityContextHolder.getContext().setAuthentication, and that it stays there for all the subsequent calls. That will prevent GeoserverKeycloakAuthenticationFilter from doing any more tries to authenticate against the Keycloak server. I have tried without the anonymous filter, but then I can't get into the web site at all.

Is AnonymousAuthenticationToken meant to be reused in subsequent calls, like maybe it comes from the Session? Or should it be cleared at the top of the filter chain? Does anyone have an example of the Authentication settings in Geoserver for a solution using Keycloak as an Authentication filter, and that is working?

Best regards,
Roar Brænden

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel