DEV-683 Implement OIDC for GeoServer#27
Conversation
anarchivist
left a comment
There was a problem hiding this comment.
looks good; i have some questions about whether we can incorporate the oidc config for geoserver into something called through the compose file.
also, maybe out of scope for this PR, but i'n now wondering about whether we should be building our own keycloak image.
| <msGraphAppRoleAssignments>false</msGraphAppRoleAssignments> | ||
| <roleConverterString>testadmin=ADMIN</roleConverterString> | ||
| <onlyExternalListedRoles>false</onlyExternalListedRoles> | ||
| </oauth2LoginAuthentication> No newline at end of file |
There was a problem hiding this comment.
nit: missing newline at end of file
| <string>127.0.0.1</string> | ||
| </whitelistedMasks> | ||
| </bruteForcePrevention> | ||
| </security> No newline at end of file |
There was a problem hiding this comment.
nit: missing newline at end of file
There was a problem hiding this comment.
looking at the README, i understand that this script is supposed to be run on the host after running docker compose up. would it be possible to have a geoserver-oidc-config service that runs similarly to keycloak-config here as a one-off after geoserver, postgres, and keycloak are healthy, and after keycloak-config run?
There was a problem hiding this comment.
I've tried a number of different ways to do this, but I think the only way to have this work as a one-off docker service, would be to grant the service the host's docker.sock. Is that considered a security risk?
Ideally, I would be able to push those two xml files and then POST a reset/reload request to the geoserver rest api. Unfortunately, the reset/reload does not pick up the changes. I've found that the only way for geoserver to reload those xml files is on a container restart.
There was a problem hiding this comment.
how have you tried doing the reset/reload? would it be possible to restart tomcat? (cc @danschmidt5189 since he might have some ideas)
Purpose
Since we've done away with the local geoserver repo, this is a way to do development on geoserver and geoserver-secure locally.
This repo uses keycloak to mimic CalNet OIDC. There are also some changes to the README to reflect one time adding of oidc configuration to the geoserver container.
Discussion
adminlogin for geoserver when keycloak/oidc is configured. Instead, you are redirected to the keycloak login. Does this sound good?