Security & OAuth Configuration
GeoServer implements industry-standard authentication and authorization protocols to protect your geospatial data, API endpoints, and user sessions. This guide covers OAuth 2.0 / OIDC integration, token management, data encryption, and security best practices for production deployments.
All GeoServer cloud instances enforce TLS 1.3 in transit and AES-256 encryption at rest. OAuth 2.1 and OpenID Connect Core 1.0 are supported out-of-the-box.
OAuth 2.0 & OpenID Connect Support
GeoServer supports the Authorization Code Flow with PKCE for public clients and the standard Authorization Code Flow for confidential clients. We support major OIDC providers including Auth0, Okta, Azure AD, Keycloak, and Cognito.
Authentication Flow
- Client redirects user to GeoServer authorization endpoint with requested scopes.
- User authenticates via configured IdP or SSO provider.
- IdP returns an authorization code to the redirect URI.
- Client exchanges the code for an access_token and refresh_token.
- Subsequent API/WMS/WFS requests include the token in the Authorization: Bearer header.
# Token Request
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
redirect_uri=https://your-app.com/callback&
client_id=geo_client_8f3a&
client_secret=***&
code_verifier=dGhlIHNhbXBsZSB2Z...
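The flow above relies on the client proving, at the token endpoint, that it is the same party that started the request at the authorization endpoint. The following added example (not code from the page or from GeoServer) shows both halves of that PKCE binding per RFC 7636: the client generates a code_verifier and its S256 code_challenge, builds the authorization redirect and the POST /oauth/token body shown above, and the server recomputes the challenge from the verifier in constant time. The /oauth/authorize path, the geoserver.example.com host and the CODE_FROM_CALLBACK value are placeholders assumed for the demonstration; client_id and redirect_uri are reused from the page's token request.

```python
"""PKCE (RFC 7636) helpers for the Authorization Code Flow outlined above."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scopes: list, challenge: str, state: str) -> str:
    """Step 1: redirect the user here. Only the challenge, never the verifier, is in the URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding; the callback must return the same value
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def build_token_request_body(code: str, redirect_uri: str, client_id: str, verifier: str) -> str:
    """Step 4: form body for POST /oauth/token. A public (SPA/mobile) client sends no client_secret."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })


def server_verify_pkce(stored_challenge: str, received_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the verifier presented at
    /oauth/token and compare it in constant time with the challenge stored at authorize time."""
    return hmac.compare_digest(code_challenge_s256(received_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    # Authorize endpoint host/path are placeholders; client_id and redirect_uri come from the page.
    print(build_authorize_url("https://geoserver.example.com/oauth/authorize", "geo_client_8f3a",
                              "https://your-app.com/callback", ["openid", "geo:layers:read"],
                              challenge, secrets.token_urlsafe(16)))
    print(build_token_request_body("CODE_FROM_CALLBACK", "https://your-app.com/callback",
                                   "geo_client_8f3a", verifier))
    print("verifier accepted:", server_verify_pkce(challenge, verifier))
```

Because the verifier never leaves the client until the token exchange, an attacker who captures only the authorization code (the interception case named under Best Practices) cannot redeem it: server_verify_pkce fails for any verifier other than the original.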
Supported Scopes
| Scope | Access Level | Description |
|---|---|---|
| geo:layers:read | Standard | Read-only access to WMS/WFS layers and metadata |
| geo:layers:write | Admin | Create, update, or delete spatial layers |
| geo:analytics:run | Standard | Execute spatial queries and aggregation jobs |
| geo:admin:manage | Admin | Full API, user management, and system configuration |
Data Protection & Encryption
TLS 1.3 Enforcement
All external endpoints require HTTPS. HSTS headers are automatically configured for cloud deployments.
At-Rest Encryption
Vector data, raster tiles, and PostgreSQL/PostGIS backups are encrypted using AES-256-GCM.
API Key Rotation
Automatic key rotation policies with configurable expiry windows and usage-based revocation.
Immutable Audit Logs
Every auth attempt, layer access, and configuration change is logged to tamper-proof storage.
Configuration Example
Configure your GeoServer instance to use an external OIDC provider by updating your geoserver-config.yaml:
# geoserver-config.yaml
authentication:
provider: oidc
issuer_url: https://auth.yourcompany.com/realms/geospatial
client_id: geoserver_app
scopes:
- openid
- profile
- geo:layers:read
session_timeout: 3600s
enforce_pkce: true
security:
cors_origins:
- https://maps.yourcompany.com
rate_limit: 100 # req/min per IP
audit_logging: true
Never expose client_secret in frontend code or public repositories. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).
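A config file like the one above is easy to weaken over time (PKCE switched off for a quick test, a wildcard CORS origin, a secret pasted in). The added example below is a small audit for the settings shown, written for this page rather than taken from GeoServer. It works on the parsed config as a dict because the Python standard library has no YAML parser; PAGE_CONFIG is the page's YAML transcribed, WEAK_CONFIG is a constructed counterexample, and the eight-hour session limit is a policy value chosen for the example.

```python
"""Audit the geoserver-config.yaml settings shown above for weak values."""
from typing import Any, Dict, List

# The page's example config transcribed into a dict (no YAML parser in the stdlib);
# in practice load the file with a YAML library and pass the result to audit_config().
PAGE_CONFIG: Dict[str, Any] = {
    "authentication": {
        "provider": "oidc",
        "issuer_url": "https://auth.yourcompany.com/realms/geospatial",
        "client_id": "geoserver_app",
        "scopes": ["openid", "profile", "geo:layers:read"],
        "session_timeout": "3600s",
        "enforce_pkce": True,
    },
    "security": {
        "cors_origins": ["https://maps.yourcompany.com"],
        "rate_limit": 100,
        "audit_logging": True,
    },
}

# Constructed weak variant: every deviation below should produce one finding.
WEAK_CONFIG: Dict[str, Any] = {
    "authentication": {
        "provider": "oidc",
        "issuer_url": "http://auth.yourcompany.com/realms/geospatial",
        "client_id": "geoserver_app",
        "client_secret": "hard-coded-secret",
        "scopes": ["profile", "geo:admin:manage"],
        "session_timeout": "24h",
        "enforce_pkce": False,
    },
    "security": {"cors_origins": ["*"], "audit_logging": False},
}

MAX_SESSION_SECONDS = 8 * 3600  # policy threshold chosen for this example


def parse_duration_seconds(value: Any) -> int:
    """Accept the page's '3600s' form, 'm'/'h' suffixes, or a bare integer."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    units = {"s": 1, "m": 60, "h": 3600}
    if text and text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    auth = cfg.get("authentication", {})
    sec = cfg.get("security", {})

    if not str(auth.get("issuer_url", "")).startswith("https://"):
        findings.append("issuer_url: must be https; discovery and token traffic would otherwise be in clear")
    if "client_secret" in auth:
        findings.append("client_secret: stored in the config file; inject it from an env var or secrets manager")
    if auth.get("enforce_pkce") is not True:
        findings.append("enforce_pkce: must be true so an intercepted authorization code cannot be redeemed")
    if parse_duration_seconds(auth.get("session_timeout", 0)) > MAX_SESSION_SECONDS:
        findings.append(f"session_timeout: exceeds the {MAX_SESSION_SECONDS}s policy limit")
    scopes = auth.get("scopes", [])
    if "openid" not in scopes:
        findings.append("scopes: 'openid' missing, so the provider will not issue an ID token")
    if "geo:admin:manage" in scopes:
        findings.append("scopes: geo:admin:manage requested by default violates scope minimization")
    for origin in sec.get("cors_origins", []):
        if origin == "*" or not str(origin).startswith("https://"):
            findings.append(f"cors_origins: {origin!r} is a wildcard or non-https origin")
    if not sec.get("rate_limit"):
        findings.append("rate_limit: unset; endpoints have no brute-force or scraping limit")
    if sec.get("audit_logging") is not True:
        findings.append("audit_logging: disabled")
    return findings


if __name__ == "__main__":
    print("page config findings:", audit_config(PAGE_CONFIG))
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
```

Run it in CI against the deployed file so a regression in any of these settings fails the pipeline instead of reaching production.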
Best Practices for Production
- Enforce PKCE for all SPA and mobile clients to prevent authorization code interception attacks.
- Scope Minimization: Request only the permissions your application actually needs.
- Token Validation: Always verify JWT signatures and aud claims server-side before processing requests.
- Geofencing & IP Allowlisting: Restrict WMS/WFS endpoints to known CDN IPs or internal VPC ranges.
- Regular Rotation: Schedule quarterly credential rotation and enable alerting on anomalous auth patterns.
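The Token Validation item above and the Supported Scopes table together describe what a resource server must do with each bearer token: check the signature, issuer, audience and expiry, then decide the request on the scopes the token carries. The added example below (this page's illustration, not GeoServer's implementation) does exactly that with the standard library. It uses HS256 with a constructed shared key only so it runs offline; tokens from the OIDC providers listed on this page are normally RS256/ES256 and are verified against the issuer's published JWKS instead, but the claim checks and the scope mapping are the same. The operation names in REQUIRED_SCOPE are labels chosen for the example.

```python
"""Server-side bearer-token check: verify the JWT, then map the token's scopes
(from the Supported Scopes table) onto the requested operation."""
import base64
import hashlib
import hmac
import json
import time

# Scope each request type needs, from the Supported Scopes table.
# The operation keys are this example's labels, not GeoServer identifiers.
REQUIRED_SCOPE = {
    "wms_getmap": "geo:layers:read",
    "wfs_getfeature": "geo:layers:read",
    "wfs_transaction": "geo:layers:write",
    "analytics_job": "geo:analytics:run",
    "admin_api": "geo:admin:manage",
}


class TokenError(Exception):
    """Any token that must be rejected; the caller answers 401."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(claims: dict, key: bytes) -> str:
    """Issue a token. HS256 with a shared key is used only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_jwt_hs256(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Check structure, alg allow-list, signature, iss, aud and exp, in that order."""
    segments = token.split(".")
    if len(segments) != 3:
        raise TokenError("malformed token")
    h, p, s = segments
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenError("undecodable token")
    if header.get("alg") != "HS256":
        raise TokenError("alg not allowed")  # rejects 'none' and algorithm confusion
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("expired or missing exp")
    return claims


def authorize_request(token: str, key: bytes, issuer: str, audience: str,
                      operation: str, now: float = None):
    """Return (allowed, reason) for a valid token; raise TokenError for an invalid one,
    so callers can distinguish 401 (bad token) from 403 (insufficient scope)."""
    claims = verify_jwt_hs256(token, key, issuer, audience, now)
    needed = REQUIRED_SCOPE[operation]
    granted = set(str(claims.get("scope", "")).split())
    if needed in granted:
        return True, f"{operation} allowed by scope {needed}"
    return False, f"{operation} requires scope {needed}"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment verifies against the IdP's JWKS
    iss = "https://auth.yourcompany.com/realms/geospatial"  # issuer_url from the page's config
    token = sign_jwt_hs256({"iss": iss, "aud": "geoserver_app", "exp": int(time.time()) + 3600,
                            "scope": "openid geo:layers:read"}, key)
    print(authorize_request(token, key, iss, "geoserver_app", "wms_getmap"))
    print(authorize_request(token, key, iss, "geoserver_app", "wfs_transaction"))
```

The order of checks matters: the signature is verified before any claim is trusted, and the alg is compared against a fixed allow-list rather than taken from the token, which is what closes the well-known "alg: none" and key-confusion classes of validation bugs.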
Need Help Securing Your Deployment?
Our security engineering team can conduct a penetration test, configure custom RBAC policies, or assist with compliance certifications.