Skip to content

Installing the OAUTH2/OIDC module

To install the OIDC module:

  1. Login, and navigate to About & Status > About GeoServer and check Build Information to determine the exact version of GeoServer you are running.

  2. Visit the website download <download> page, change the Development tab, and locate the nightly release that corresponds to the GeoServer you are running.

    Follow the Community Modules link and download sec-oidc zip archive.

    • {{ version }} example: sec-oidc

    The website lists active nightly builds to provide feedback to developers, you may also browse for earlier branches.

  3. Extract the contents of the archive into the WEB-INF/lib directory in GeoServer.

    Warning

    Verify that the version number in the filename corresponds to the version of GeoServer you are running (for example geoserver-{{ version }}-loader-plugin.zip above).

  4. Restart GeoServer.

sec-oidcInstalling the OAUTH2/OIDC module

Community modules are not yet ready for distribution with GeoServer release.

  1. To compile the OIDC module yourself download the src bundle for your GeoServer version and compile:

    bash cd src/community mvn install -PcommunityRelease -DskipTests

  2. And package (from the top level geoserver directory):

    bash cd ../.. mvn -f src/community/pom.xml clean install -B -DskipTests -PcommunityRelease,assembly -T2 -fae

  3. Place the JARs in WEB-INF/lib.

  4. Restart GeoServer.

Using with the GeoServer Docker Container

This will run GeoServer on port 9999 and install the OIDC module.

docker run -it -9999:8080 \
   --env INSTALL_EXTENSIONS=true \
   --env STABLE_EXTENSIONS="ysld,h2" \
   --env COMMUNITY_EXTENSIONS="sec-oidc-plugin" \
   docker.osgeo.org/geoserver:2.28.x

If your OIDC IDP server (i.e. keycloak) is running on localhost, then you should ensure that all requests to the IDP occur using the same hostname (this includes the local user's browser and GeoServer directly connecting to the IDP). If you are running your IDP from a real host, then you do NOT have to do this;

  1. Add this to your /etc/hosts:

    bash 127.0.0.1 host.docker.internal

  2. In your GeoServer OIDC configuration, use host.docker.internal instead of localhost

  3. Access GeoServer and Keycloak with http://host.docker.internal:PORT