Authenticating WFS from GeoServer with Keycloak in QGIS

Question

I have a Geosever with the Keycloak Community extension (https://docs.geoserver.org/latest/en/user/community/keycloak/index.html) installed.
Authentication with the Keycloak Server in the Browser works fine.
Now I need to authenticate my WFS against Keycloak out of QGIS.
Is there a way to do this?

Jure M. · Answer

I managed to get it working with these settings:

Under Settings --> Authentication create a new authentication configuration of type OAuth2 authentication, then enter:

Token URL: enter keycloak's token endpoint. You can get this URL by clicking on the OpenID Endpoint Configuration link in your keycloak's realm settings and searching for token_endpoint.
Client ID: name of your client.
Client secret: you can get it on the client configuration's Credentials tab.
Username and Password
Scope: openid

There is also an alternative method - enable basic authentication. For me, all I had to do was to set Browser Flow to http challenge in the client configuration's Settings tab:

According to this thread, your must also configure Access Type: confidential and Direct Access Grants: Enabled on your client for this to work.
With this configuration even GeoServer is now asking for creadentials using basic authentication instead of redirecting to KeyCloak's login page, which I find more user-friendly.

Authenticating WFS from GeoServer with Keycloak in QGIS

One Answer

Add your own answers!

Ask a Question