```properties
## Keycloak Authentication
# enables the keycloak OpenID Connect filter
keycloakOAuth2Config.enabled=true
# Configuration: <copy-here-the-json-config-from-keycloak-removing-all-the-spaces>
keycloakOAuth2Config.jsonConfig={"realm":"Omgeving","auth-server-url":"https://my-keycloak/auth/","proxy-url":"http://my-forward-proxy","ssl-required":"external","resource":"my-keycloak-client","credentials":{"secret":"***"},"use-resource-role-mappings":true,"confidential-port":443}
# Redirect URLs
# - Redirect URL: needs to be configured to point to your application at the path <base-app-url>/rest/geostore/openid/keycloak/callback
#   e.g. https://my.mapstore.site.com/mapstore/mapstore/rest/geostore/openid/keycloak/callback
keycloakOAuth2Config.redirectUri=http://localhost:8080/mapstore/rest/geostore/openid/keycloak/callback
# - Internal redirect URL when logged in (typically the home page of MapStore, can be relative)
keycloakOAuth2Config.internalRedirectUri=../../rest/users/user/details
# Create user (if you are using the local database, this should be set to true)
# true if you want MapStore to insert a Keycloak-authenticated user into the DB.
# UserGroups will be inserted as well and kept in sync with the roles defined for the user in Keycloak.
# The option must be set to false if MapStore is using a read-only external service for users and groups (e.g. Keycloak or LDAP).
keycloakOAuth2Config.autoCreateUser=true
# optional, if true, forces the redirect URI for the callback to be equal to the configured redirect URI.
# This is useful if you have problems logging in behind a proxy, or in dev mode.
keycloakOAuth2Config.forceConfiguredRedirectURI=true
keycloakOAuth2Config.authenticatedDefaultRole=GUEST
# Comma-separated list of <keycloak-role>:<geostore-role>
keycloakOAuth2Config.roleMappings=*****
# Comma-separated list of <keycloak-role>:<geostore-group>
keycloakOAuth2Config.groupMappings=*****
# When set to false, MapStore will drop Keycloak roles that are not matched by any role mapping or group mapping.
# When set to true, all the unmatched Keycloak roles will be added as MapStore UserGroups.
keycloakOAuth2Config.dropUnmapped=true
# Session timeout in seconds
restSessionService.sessionTimeout=300
restSessionService.autorefresh=false
```
Context: We would like to deploy mapstore 1.8.2 / geostore 2.2.1 in an environment where it needs to use a forward proxy (outgoing proxy) to connect with Keycloak. To make this work, we have used the `proxy-url` property in the keycloak adapter JSON config (see above).

Problem: The user can log in via Keycloak OIDC, but unfortunately the user is logged out once the refreshToken call is made. This means that mapstore/geostore successfully uses the forward-proxy to retrieve the initial access token from Keycloak, but does NOT use the forward-proxy to make the token refresh call. We tried setting the `http.proxyHost` and `http.proxyPort` environment variables via Tomcat `setenv.sh`, but this did not work either.

Solution: It seems that the KeycloakHelper class needs modification to make it use the forward proxy setting (if one is set).
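The failure mode described in this issue is a second HTTP client path (the refresh-token call) that does not inherit the proxy settings the login path uses. As an added example, not GeoStore's or Keycloak's own code, the class below shows what a proxy-aware refresh looks like using only the JDK 11 `java.net.http` client: it resolves the proxy from the adapter's `proxy-url` first, then from the JVM `http.proxyHost`/`http.proxyPort` properties, and sends the standard OIDC `grant_type=refresh_token` request to the realm's `openid-connect/token` endpoint. The realm, `auth-server-url`, `proxy-url` and client id are the values from the adapter JSON above; the secret and refresh token are placeholders, and `ProxyAwareTokenRefresh`, `selectProxy`, `tokenEndpoint` and `refresh` are names chosen for this example.

```java
import java.net.InetSocketAddress;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.stream.Collectors;

/** Example only: a refresh-token call that honours the same forward proxy as the login flow. */
public class ProxyAwareTokenRefresh {

    /**
     * Resolve the outgoing proxy in priority order:
     *  1. the adapter's "proxy-url" (explicit configuration wins),
     *  2. the JVM http.proxyHost / http.proxyPort system properties,
     *  3. the JDK default selector (direct connection if nothing is set).
     */
    static ProxySelector selectProxy(String proxyUrl) {
        if (proxyUrl != null && !proxyUrl.isBlank()) {
            URI u = URI.create(proxyUrl);
            int port = u.getPort() != -1 ? u.getPort() : ("https".equals(u.getScheme()) ? 443 : 80);
            return ProxySelector.of(new InetSocketAddress(u.getHost(), port));
        }
        String host = System.getProperty("http.proxyHost");
        if (host != null && !host.isBlank()) {
            int port = Integer.parseInt(System.getProperty("http.proxyPort", "80"));
            return ProxySelector.of(new InetSocketAddress(host, port));
        }
        return ProxySelector.getDefault();
    }

    /** Keycloak's token endpoint for a realm: <auth-server-url>/realms/<realm>/protocol/openid-connect/token */
    static String tokenEndpoint(String authServerUrl, String realm) {
        String base = authServerUrl.endsWith("/") ? authServerUrl : authServerUrl + "/";
        return base + "realms/" + realm + "/protocol/openid-connect/token";
    }

    /** application/x-www-form-urlencoded body, as the token endpoint requires. */
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    /** Perform the refresh through the resolved proxy and return the raw token response. */
    static HttpResponse<String> refresh(String authServerUrl, String realm, String proxyUrl,
                                        String clientId, String clientSecret, String refreshToken)
            throws Exception {
        // The client is built with the proxy every time, so no code path can silently go direct.
        HttpClient client = HttpClient.newBuilder().proxy(selectProxy(proxyUrl)).build();
        String body = formEncode(Map.of(
                "grant_type", "refresh_token",
                "client_id", clientId,
                "client_secret", clientSecret,
                "refresh_token", refreshToken));
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenEndpoint(authServerUrl, realm)))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Values mirror the adapter JSON from the issue; secret and refresh token are placeholders.
        HttpResponse<String> r = refresh("https://my-keycloak/auth/", "Omgeving",
                "http://my-forward-proxy", "my-keycloak-client", "<client-secret>", "<refresh-token>");
        System.out.println(r.statusCode() + " " + r.body());
    }
}
```

Two caveats when checking a deployment like this one: the JDK's default `ProxySelector` reads `https.proxyHost`/`https.proxyPort` for `https://` targets, so setting only `http.proxyHost` does not route a call to an HTTPS Keycloak through the proxy; and Apache HttpClient 4.x, which the Keycloak Java adapter uses, ignores those system properties entirely unless the client is built with `HttpClientBuilder.useSystemProperties()`. A quick way to confirm which path a refresh takes is to watch the forward proxy's access log for the `/protocol/openid-connect/token` request at the moment the session is refreshed.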