+1 although I am your co-worker, others may have questions 🙂 I know you are aware the transition to spring-framework 6 is planned; so the community module will need to be rewritten before becoming an extension; or did you just stick to spring-security core?
I would like to get your PR in promptly so the docs are picked up in mkdocs migration. -- Jody Garnett On Feb 22, 2024 at 11:54:28 AM, David Blasby <dbla...@gmail.com> wrote: > Hi, > > This is a request to create a new community module. > > This is a fairly simple security module for header-based OAUTH2/OIDC type > authentication - for example Apache mod_auth_openid and robot-base-access > with JWT Access Tokens. > > New functionality: > > 1. Extract user name from a JSON header (including json path) > 2. Extract user name from an attached JWT token > 3. Extract Roles from JSON Header (including json path) > 4. Extract Roles from JWT Header (including json path) > 5. Role Translation from the external (IDP) names to internal GeoServer > role names > 6. Access Token Validation; > + signature validation > + expiry validation > + IDP external endpoint validation (including subject validation) > + audience validation > > Test coverage is about 90%. > > I will create a PR when approved. > > Code - > https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers > > Doc - > https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers > > NOTE: I just put together the docs today - will be making them a bit > "nicer" next week. > > Some of the functionality is available in the very simple Headers security > extension and the oauth2-* community modules. This module is much simpler, > much more complete, and MUCH easier to maintain/test/configure. > > In fact, if you want to use OIDC and are willing to put your geoserver > behind apache (with mod_auth_openid), this module makes it MUCH MUCH easier > to setup and maintain wrt the oauth2-* community modules. If you want to > have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the > oauth2-* community modules. > > NOTE: I am planning to add similar functionality to GeoNetwork. > > Thanks, > Dave > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel >
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
