DEV-683 Implement OIDC for GeoServer#27
Conversation
anarchivist
left a comment
There was a problem hiding this comment.
looks good; i have some questions about whether we can incorporate the oidc config for geoserver into something called through the compose file.
also, maybe out of scope for this PR, but i'n now wondering about whether we should be building our own keycloak image.
awilfox
left a comment
There was a problem hiding this comment.
Some feedback and suggestions.
- also volume mount fix for postgres 18 image
awilfox
left a comment
There was a problem hiding this comment.
Looks good to me, but I don't have the cycles to spin it up locally for testing so I don't want to explicitly approve it.
|
When entering the restricted GeoServer URL |
anarchivist
left a comment
There was a problem hiding this comment.
i'm seeing the same thing as @yzhoubk - i think we might need separate client configs and geoserver OIDC configs for each geoserver instance.
| claim.name: groups | ||
| jsonType.label: String | ||
|
|
||
| clients: |
There was a problem hiding this comment.
relating to @yzhoubk's feedback, this only sets one client. do we need separate client configs for the public vs. restricted geoserver instances?
| --request POST \ | ||
| --url "${GEOSERVER_REST}/security/authfilters" \ | ||
| --user "${GEOSERVER_AUTH}" \ | ||
| --header 'Content-Type: application/xml; charset=utf-8' \ |
There was a problem hiding this comment.
this would be the other location to change configs depending on geoserver instance.
Purpose
Since we've done away with the local geoserver repo, this is a way to do development on geoserver and geoserver-secure locally.
This repo uses keycloak to mimic CalNet OIDC. There are also some changes to the README to reflect one time adding of oidc configuration to the geoserver and geoserver-secure containers.