[GeoNode-devel] Working on GeoServer OAuth2 authentication

Alessio Fabiani alessio.fabiani at geo-solutions.it
Tue Aug 30 04:07:38 PDT 2016

Dear all,
working on a refactoring of the GeoNode-GeoServer Auth subsystem, the idea
would be to use the OAuth2 Protocol to allow GeoServer grab the
Authorizations from GeoNode (or from a common OAuth2 Provider).

The first step is to allow GeoServer to authenticate through the OAuth2

I just finished (almost) a new GeoServer extension allowing users to do

Here [1] you can find a community module allowing GeoServer to authenticate
through the OAuth2 protocol.

The basic "oauth2" module contains the general infrastructure.

The "oauth2-google" module is an extension showing how is possible to use
Google OAuth2 Provider to authenticate and validate the "access_token".

Moreover the Security Filter also "simulates" an SSO based on OAuth2 by
injecting a provided "access_token" (which is then validated against the
configured OAuth2 Provider) similar to the GeoServer "AuthKey" module.

How the OAuth2 Filter works

1. The GeoServer GUI allows to configure the OAuth2 Service connection
parameters and select the GeoServer UserRoleService to use


2. The new filter may be added to the standard GeoServer Filter Chain

3. If not authenticated, GeoServer redirects the user automatically to the
Google Login Page

​4. The OAuth2 Protocol asks for Authorizations

​5. Accepting the authorization, the user is redirected to the GeoServer


Best Regards,
Alessio Fabiani.

[1] - https://github.com/geosolutions-it/geoserver/tree/oauth2-filter

GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686




Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-devel/attachments/20160830/6e9ac8e1/attachment.html>

More information about the geonode-devel mailing list