Skip to content

DEV-683 Implement OIDC for GeoServer#27

Draft
jason-raitz wants to merge 3 commits into
mainfrom
DEV-683_OIDC
Draft

DEV-683 Implement OIDC for GeoServer#27
jason-raitz wants to merge 3 commits into
mainfrom
DEV-683_OIDC

Conversation

@jason-raitz

@jason-raitz jason-raitz commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Purpose

Since we've done away with the local geoserver repo, this is a way to do development on geoserver and geoserver-secure locally.

This repo uses keycloak to mimic CalNet OIDC. There are also some changes to the README to reflect one time adding of oidc configuration to the geoserver container.

Discussion

  • Are we doing away with geoserver-secure? If so, do we need to add the local oidc configuration for that container as well?
  • Is there a preferable way to seed the oidc configuration files to the geoserver container?
  • I've removed the basic admin login for geoserver when keycloak/oidc is configured. Instead, you are redirected to the keycloak login. Does this sound good?
  • IMPORTANT local auth with keycloak keys off of the testadmin user preferred name returned from keycloak oidc. This should probably be updated to an SPA account name once we have it, right?

@jason-raitz jason-raitz self-assigned this Jul 6, 2026

@anarchivist anarchivist left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good; i have some questions about whether we can incorporate the oidc config for geoserver into something called through the compose file.

also, maybe out of scope for this PR, but i'n now wondering about whether we should be building our own keycloak image.

<msGraphAppRoleAssignments>false</msGraphAppRoleAssignments>
<roleConverterString>testadmin=ADMIN</roleConverterString>
<onlyExternalListedRoles>false</onlyExternalListedRoles>
</oauth2LoginAuthentication> No newline at end of file

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: missing newline at end of file

<string>127.0.0.1</string>
</whitelistedMasks>
</bruteForcePrevention>
</security> No newline at end of file

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: missing newline at end of file

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking at the README, i understand that this script is supposed to be run on the host after running docker compose up. would it be possible to have a geoserver-oidc-config service that runs similarly to keycloak-config here as a one-off after geoserver, postgres, and keycloak are healthy, and after keycloak-config run?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've tried a number of different ways to do this, but I think the only way to have this work as a one-off docker service, would be to grant the service the host's docker.sock. Is that considered a security risk?

Ideally, I would be able to push those two xml files and then POST a reset/reload request to the geoserver rest api. Unfortunately, the reset/reload does not pick up the changes. I've found that the only way for geoserver to reload those xml files is on a container restart.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how have you tried doing the reset/reload? would it be possible to restart tomcat? (cc @danschmidt5189 since he might have some ideas)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants