Hi,

This is a request to create a new community module.

This is a fairly simple security module for header-based OAuth2/OIDC-type
authentication - for example Apache mod_auth_openid and robot-based access
with JWT Access Tokens.

New functionality:

1. Extract user name from a JSON header (including json path)
2. Extract user name from an attached JWT token
3. Extract Roles from JSON Header (including json path)
4. Extract Roles from JWT Header (including json path)
5. Role Translation from the external (IDP) names to internal GeoServer
role names
6. Access Token Validation:
     + signature validation
     + expiry validation
     + IDP external endpoint validation (including subject validation)
     + audience validation

Test coverage is about 90%.

I will create a PR when approved.

Code -
https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers

Doc -
https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers

NOTE: I just put together the docs today - will be making them a bit
"nicer" next week.

Some of the functionality is available in the very simple Headers security
extension and the oauth2-* community modules.  This module is much simpler,
much more complete, and MUCH easier to maintain/test/configure.

In fact, if you want to use OIDC and are willing to put your GeoServer
behind Apache (with mod_auth_openid), this module makes it MUCH MUCH easier
to set up and maintain with respect to the oauth2-* community modules.  If you want to
have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the
oauth2-* community modules.

NOTE: I am planning to add similar functionality to GeoNetwork.

Thanks,
Dave
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
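The following Python sketch is an added illustration of the checks listed in the proposal above (user name and roles pulled from a JSON header or from a JWT by a dotted JSON path, external-to-internal role translation, and signature/expiry/audience validation). It is not code from the proposed module, which is Java and lives at the GitHub link above, and it makes several assumptions of its own: an HS256 shared-secret signature rather than the IDP's RS256 keys, a minimal dotted-path lookup in place of a full JSON-path engine, a constructed role map and constructed sample tokens, and no call-out to the IDP endpoint (the external endpoint/subject validation in item 6 needs network access and is deliberately left out so the example runs offline).

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason the request must be treated as unauthenticated."""


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def json_path_get(obj, path: str):
    """Minimal dotted-path lookup (assumption: stands in for a real JSON-path
    library), e.g. 'preferred_username' or 'realm_access.roles'."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


# Constructed example of external (IDP) role names -> internal GeoServer-style names.
ROLE_MAP = {"geoserver-admin": "ROLE_ADMINISTRATOR", "gis-editor": "ROLE_EDITOR"}


def translate_roles(external_roles, role_map=ROLE_MAP):
    # Unknown external roles are dropped rather than passed through untranslated.
    return sorted({role_map[r] for r in external_roles if r in role_map})


def verify_hs256_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Validate signature, expiry and audience; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p_b64))  # only trusted after the signature check
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise TokenError("expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    return claims


def authenticate_from_jwt(headers, key, audience, username_path, roles_path, now=None):
    """Items 2, 4, 5 and 6: user name and roles from a bearer JWT."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise TokenError("no bearer token")
    claims = verify_hs256_jwt(auth[len("Bearer "):], key, audience, now=now)
    username = json_path_get(claims, username_path)
    if not username:
        raise TokenError("no username claim")
    return username, translate_roles(json_path_get(claims, roles_path) or [])


def authenticate_from_json_header(headers, header_name, username_path, roles_path):
    """Items 1, 3 and 5: user name and roles from a JSON header.
    Safe only if a trusted proxy (e.g. Apache) sets this header and strips any
    client-supplied copy; the header itself carries no signature to check."""
    raw = headers.get(header_name)
    if raw is None:
        raise TokenError(f"missing {header_name} header")
    obj = json.loads(raw)
    username = json_path_get(obj, username_path)
    if not username:
        raise TokenError("no username in header")
    return username, translate_roles(json_path_get(obj, roles_path) or [])


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed sample-token generator for demonstration only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    key, now = b"constructed-shared-secret", 1_700_000_000
    tok = make_hs256_jwt({"preferred_username": "alice", "aud": "geoserver",
                          "exp": now + 600, "realm_access": {"roles": ["gis-editor"]}}, key)
    print(authenticate_from_jwt({"Authorization": "Bearer " + tok}, key, "geoserver",
                                "preferred_username", "realm_access.roles", now=now))
```

Two points the sketch makes that the checklist above does not spell out: the claims are read only after the signature verifies, and the algorithm is pinned by the verifier instead of being taken from the token header, which is the usual precondition for the signature check to mean anything.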
