Fix #12504 - Migrate to GeoStore 2.6

[offtherailz]

Description

Aligns MapStore with GeoStore 2.6's new dynamic OIDC provider mechanism and documents the migration path for users and custom projects.

Changes

• Spring security XMLs (product/ and web/, both db and ldap variants): remove hardcoded keycloakConfig / googleSecurityConfiguration beans and individual filter entries; replace with OpenIdConnectProviderRegistrar + CompositeOpenIdConnectFilter.
• applicationContext.xml (framework + project template): add ignoreInvalidKeys=true to the order-10 PropertyOverrideConfigurer so oidc_providers can be set directly in mapstore-ovr.properties without causing a startup failure.
• Documentation and migration guidelines updte.

Please check if the PR fulfills these requirements

• The commit message follows our guidelines: https://github.com/geosolutions-it/MapStore2/blob/master/CONTRIBUTING.md
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

What kind of change does this PR introduce? (check one with "x", remove the others)

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Other... Please describe:

Issue

What is the current behavior?

Fix #12504

What is the new behavior?

Breaking change

Does this PR introduce a breaking change? (check one with "x", remove the other)

• Yes, and I documented them in migration notes
• No

Other useful information

[offtherailz]

here @mahesh-wor the update for 1.6 with documentation changes too

[mahesh-wor]

here @mahesh-wor the update for 1.6 with documentation changes too

Thank you will go through and and update the configuration changes on #12459 accordingly.

[tdipisa]

@offtherailz
I would like to review the structure of the OIDC paragraphs. At the moment OpenID connect, Google, Keycloak seems three different things:

Since Google, Keycloak are both examples of the same OIDC connect but for different providers they should be at the same level of the example we provided for Entra .

[mahesh-wor]

i ran a local setup with mapstore.war built from offtherailz:gs-2.6-update, Updated my local configs to support the new generic oidc system. Multiple odic providers are working well.

oidc_providers=keycloak,microsoft

keycloakOAuth2Config.enabled=true
keycloakOAuth2Config.clientId=mapstore-server
keycloakOAuth2Config.clientSecret=xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx
keycloakOAuth2Config.sendClientSecret=true
........
microsoftOAuth2Config.enabled=true
microsoftOAuth2Config.clientId=xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx
microsoftOAuth2Config.clientSecret=xxxxxxxxxxxxxxxxxxxxxxxx
microsoftOAuth2Config.sendClientSecret=true

[
  {
    "op": "add",
    "path": "/authenticationProviders",
    "value": [
      {
        "type": "openID",
        "provider": "keycloak",
        "title": "Keycloak"
      },
      {
        "type": "openID",
        "provider": "microsoft",
        "title": "Microsoft",
        "imageURL": "data:image/svg+xml;base64,PHN2ZyBhcmlhLWhpZGRlbj0idHJ1ZSIgdmlld0JveD0iMCAwIDI1IDI1IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGl0ZW1wcm9wPSJsb2dvIiBpdGVtc2NvcGU9Iml0ZW1zY29wZSI+CgkJCTxwYXRoIGQ9Ik0xMS41MjE2IDAuNUgwVjExLjkwNjdIMTEuNTIxNlYwLjVaIiBmaWxsPSIjZjI1MDIyIj48L3BhdGg+CgkJCTxwYXRoIGQ9Ik0yNC4yNDE4IDAuNUgxMi43MjAyVjExLjkwNjdIMjQuMjQxOFYwLjVaIiBmaWxsPSIjN2ZiYTAwIj48L3BhdGg+CgkJCTxwYXRoIGQ9Ik0xMS41MjE2IDEzLjA5MzNIMFYyNC41SDExLjUyMTZWMTMuMDkzM1oiIGZpbGw9IiMwMGE0ZWYiPjwvcGF0aD4KCQkJPHBhdGggZD0iTTI0LjI0MTggMTMuMDkzM0gxMi43MjAyVjI0LjVIMjQuMjQxOFYxMy4wOTMzWiIgZmlsbD0iI2ZmYjkwMCI+PC9wYXRoPgoJCTwvc3ZnPgo="
      },
      {
        "type": "basic",
        "provider": "geostore"
      }
    ]
  }
]

I tested login, role assignment and it's working well.

@offtherailz @tdipisa Once you have this PR merged, i will update #12459 and we can proceed with the implementation in dev/qa.

[tdipisa]

@offtherailz there are failing checks now. Can you please check?

[offtherailz]

The cause of this failure is unclear, it looks to be generated randomly

For this reason, to split this changes from something that looks to be more related to particular execution cases, I created

• Random failure of test #12526
• Fix chart test #12527

And going to block this on #12526

[offtherailz]

thank you @mahesh-wor We improved also di entra doc please take a look.

[mahesh-wor]

hi @offtherailz i checked the updated docs, looks comprehensive.
only thing i couldn't try out is the MS entra specific group claim, due to my active Directory plan limitations.

microsoftOAuth2Config.principalKey=email
microsoftOAuth2Config.rolesClaim=roles
microsoftOAuth2Config.roleMappings=MapStore.Admin:ADMIN,MapStore.User:USER
microsoftOAuth2Config.authenticatedDefaultRole=USER

[tdipisa]

hi @offtherailz i checked the updated docs, looks comprehensive. only thing i couldn't try out is the MS entra specific group claim, due to my active Directory plan limitations.

microsoftOAuth2Config.principalKey=email
microsoftOAuth2Config.rolesClaim=roles
microsoftOAuth2Config.roleMappings=MapStore.Admin:ADMIN,MapStore.User:USER
microsoftOAuth2Config.authenticatedDefaultRole=USER

@mahesh-wor we will have to review this once merged, I guess.

[offtherailz]

Successfully created backport PR for 2026.02.xx:

• [Backport 2026.02.xx] Fix #12504 - Migrate to GeoStore 2.6 #12534