This project demonstrates a cluster-level authentication architecture using OpenID Connect (OIDC). It's designed to work with GeoNetwork 5, providing a centralized login system while allowing unauthenticated access to public resources.
The setup consists of several interconnected components managed by Docker Compose:
- Traefik: Acts as the "front door" (Ingress) and handles routing based on hostnames.
- Keycloak: The OIDC provider, pre-configured with a realm (GeoNetwork5-Auth), a client, and several sample users. It can also act as a proxy translator for larger external identity providers (like Azure OIDC).
- OAuth2 Proxy: Handles OIDC login flows and manages session tokens, using Redis for session storage.
- PyProxy: A custom Python proxy that wraps OAuth2 Proxy. It ensures that even unauthenticated requests can reach the backend application (returning a 202 Accepted) while still attaching security headers for logged-in users.
- Redis: Used by OAuth2 Proxy to store session information, keeping browser cookies small.
- Python App: A simple web application that displays the HTTP headers it receives. This serves as a placeholder for GeoNetwork 5.
- Add the following entries to your /etc/hosts file to enable local routing:

      127.0.0.1 keycloak.traefik
      127.0.0.1 webapp.traefik

- Launch the stack:

      docker-compose up -d

- Access the applications:
  - Sample Web App: http://webapp.traefik
    - Initially, you will see raw headers from the Python app without security information.
  - Start Login: http://webapp.traefik/oauth2/start
    - This redirects you to the Keycloak sign-in portal (branded as "GEONETWORK5-AUTH").
  - Logout: http://webapp.traefik/oauth2/sign_out
    - This clears the session and strips authentication tokens from the headers.
  - Keycloak Admin Console: http://keycloak.traefik
Once authenticated, the python-app will display the headers injected by the proxy layer. You should see:
- Authorization: Bearer token for API access.
- X-Auth-Request-Access-Token: The raw OAuth2 access token.
- X-Auth-Request-Id-Token: The OIDC ID token containing user profile data.
- X-Auth-Request-User & X-Auth-Request-Email: Basic identity information.
To inspect the claims and roles:
- Copy the value of the X-Auth-Request-Id-Token or X-Auth-Request-Access-Token from the web app page.
- Paste it into jwt.io.
- Observe the claims section to see user roles, profile information, and group mappings (e.g., group: sample1).
Keycloak Admin Console credentials:
- URL: http://keycloak.traefik
- Username: geocat
- Password: geocat
- Realm: GeoNetwork5-Auth
Once you initiate a login via http://webapp.traefik/oauth2/start, use any of the following:
| Username | Password | Groups |
|---|---|---|
| admin | admin | Admin rights |
| user_sample1 | user_sample1 | sample1 |
| user_sample2 | user_sample2 | sample2 |
| user_sample3 | user_sample3 | sample3 |
Request flow:
- A user visits webapp.traefik.
- Traefik routes the request to the python-app.
- The oauth-verify middleware (ForwardAuth) intercepts the request and sends it to pyproxy.
- pyproxy queries oauth2-proxy to check for a valid session.
- Regardless of the session status, pyproxy returns a 202 to Traefik, allowing the request through.
- If the user is logged in, pyproxy extracts security headers (ID token, Access token, User, Email) from oauth2-proxy and passes them back to Traefik, which forwards them to the python-app.
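The pyproxy hop in the flow above, written out as an added Python example (not the project's own code). It assumes oauth2-proxy's /oauth2/auth endpoint answers 202 for a valid session and 401 otherwise at the internal service URL shown, and that Traefik's ForwardAuth authResponseHeaders lists the identity headers, so only values returned by this proxy reach python-app.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed (not from the page): oauth2-proxy's /oauth2/auth endpoint answers
# 202 for a valid session and 401 otherwise, at this internal service URL.
OAUTH2_PROXY_AUTH_URL = "http://oauth2-proxy:4180/oauth2/auth"
# Headers assumed to be listed in Traefik's ForwardAuth authResponseHeaders;
# only values present in pyproxy's response are forwarded to python-app.
IDENTITY_HEADERS = (
    "Authorization", "X-Auth-Request-Access-Token", "X-Auth-Request-Id-Token",
    "X-Auth-Request-User", "X-Auth-Request-Email",
)

def forward_auth_decision(upstream_status, upstream_headers):
    """Always 202 so anonymous requests reach the backend; identity headers
    are returned only when oauth2-proxy confirmed a session, so an anonymous
    request carries none (Traefik then drops client-supplied copies)."""
    if upstream_status != 202:
        return 202, {}
    lowered = {k.lower(): v for k, v in upstream_headers.items()}
    out = {}
    for name in IDENTITY_HEADERS:
        value = lowered.get(name.lower())
        if value:
            out[name] = value
    return 202, out

class PyProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Relay only the browser's cookie; oauth2-proxy validates the session.
        req = urllib.request.Request(OAUTH2_PROXY_AUTH_URL)
        if "Cookie" in self.headers:
            req.add_header("Cookie", self.headers["Cookie"])
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, headers = resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as exc:
            status, headers = exc.code, {}
        code, out = forward_auth_decision(status, headers)
        self.send_response(code)
        for name, value in out.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PyProxyHandler).serve_forever()
```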
OIDC client settings:
- Client ID: geonetwork5-auth
- Client Secret: CNwDTAKypmFhkzdfx25r7syg56VfdHuH
- OIDC Issuer: http://keycloak.traefik/realms/GeoNetwork5-Auth
