I'm working with integrating my work's oauth service with geoserver. Upon testing the github extension as well as the oauth2 core, I think I may have found a bug.
When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is eventually called. The filter checks the request parameter for an access token and, if it doesn't exist, it checks the request for a bearer token in the Authorization header. If the token exists in one of those two places, doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal. The function getPreAuthenticatedPrincipal attempts to get the token from the query parameter but doesn't try to get it from the Authorization header. According to the RFC for OAuth 2 Bearer Token usage, the resource server (Geoserver) should support this. A link and a snippet from this page are below. This causes an issue for our web client, which sends the token in the Authorization header.

It looks like I could just extend the class GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems it would be more beneficial to submit a pull request. The changes would be about 3 lines. Is there any issue with me doing this? I realize the oauth2 and other community extensions aren't really maintained unless a volunteer does it.

https://tools.ietf.org/html/rfc6750 section 2.1 "Authorization Request Header Field" says:

    Clients SHOULD make authenticated requests with a bearer token using the "Authorization" request header field with the "Bearer" HTTP authorization scheme. Resource servers MUST support this method.
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
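The mismatch described in the message (doFilter accepting a token from either location while getPreAuthenticatedPrincipal only reads the query parameter) is easiest to avoid when both code paths share one lookup routine. The class below is an added illustration of such a lookup following RFC 6750 sections 2.1 (Authorization header, which a resource server MUST support) and 2.3 (access_token query parameter, which it MAY support); it is not GeoServer code and does not use the servlet API. The class name BearerTokenResolver, the method names, and the sample requests in main are assumptions constructed for this example.

```java
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not GeoServer's own code: resolves an OAuth 2 bearer token
 * from either the Authorization header (RFC 6750 section 2.1) or the
 * access_token query parameter (RFC 6750 section 2.3). Because one routine
 * serves both the "is there a token?" check and the principal extraction,
 * the two steps cannot disagree about where the token lives.
 */
public final class BearerTokenResolver {

    static final String HEADER_SCHEME = "Bearer";      // scheme name is case-insensitive
    static final String QUERY_PARAM = "access_token";  // parameter name from RFC 6750 section 2.3

    private BearerTokenResolver() {}

    /**
     * Returns the bearer token carried by a request, preferring the
     * Authorization header over the query parameter. Empty when neither
     * carries a syntactically valid token.
     *
     * @param authorizationHeader raw value of the Authorization header, or null
     * @param queryParams         decoded query parameters (may be null)
     */
    public static Optional<String> resolve(String authorizationHeader, Map<String, String> queryParams) {
        Optional<String> fromHeader = fromAuthorizationHeader(authorizationHeader);
        if (fromHeader.isPresent()) {
            return fromHeader;
        }
        String fromQuery = queryParams == null ? null : queryParams.get(QUERY_PARAM);
        if (fromQuery != null && isB64Token(fromQuery)) {
            return Optional.of(fromQuery);
        }
        return Optional.empty();
    }

    /** Parses "Bearer 1*SP b64token"; any other scheme (e.g. Basic) yields empty. */
    static Optional<String> fromAuthorizationHeader(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String value = header.trim();
        int schemeLen = HEADER_SCHEME.length();
        // Scheme must match case-insensitively and be followed by at least one space.
        if (value.length() <= schemeLen
                || !value.regionMatches(true, 0, HEADER_SCHEME, 0, schemeLen)
                || value.charAt(schemeLen) != ' ') {
            return Optional.empty();
        }
        String token = value.substring(schemeLen).trim();
        return isB64Token(token) ? Optional.of(token) : Optional.empty();
    }

    /** b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" (RFC 6750 section 2.1). */
    static boolean isB64Token(String token) {
        return token.matches("[A-Za-z0-9\\-._~+/]+=*");
    }

    public static void main(String[] args) {
        // Constructed sample requests for demonstration; not real GeoServer traffic.
        System.out.println(resolve("Bearer abc123.def-456", Map.of()));
        System.out.println(resolve(null, Map.of(QUERY_PARAM, "qparam-token")));
        System.out.println(resolve("Basic dXNlcjpwYXNz", Map.of()));
        System.out.println(resolve("bearer   spaced-token", Map.of()));
        System.out.println(resolve("Bearer", Map.of()));
    }
}
```

A filter built on this would call resolve once, use isPresent() to decide whether the request is an authentication attempt, and hand the same value to the principal lookup, so a client sending only the Authorization header cannot pass the first check and then fail the second.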