+1 although I am your co-worker, others may have questions 🙂

I know you are aware the transition to spring-framework 6 is planned; so
the community module will need to be rewritten before becoming an
extension; or did you just stick to spring-security core?

I would like to get your PR in promptly so the docs are picked up in mkdocs
migration.
--
Jody Garnett


On Feb 22, 2024 at 11:54:28 AM, David Blasby <dbla...@gmail.com> wrote:

> Hi,
>
> This is a request to create a new community module.
>
> This is a fairly simple security module for header-based OAUTH2/OIDC type
> authentication - for example Apache mod_auth_openid and robot-based access
> with JWT Access Tokens.
>
> New functionality:
>
> 1. Extract user name from a JSON header (including json path)
> 2. Extract user name from an attached JWT token
> 3. Extract Roles from JSON Header (including json path)
> 4. Extract Roles from JWT Header (including json path)
> 5. Role Translation from the external (IDP) names to internal GeoServer
> role names
> 6. Access Token Validation;
>      + signature validation
>      + expiry validation
>      + IDP external endpoint validation (including subject validation)
>      + audience validation
>
> Test coverage is about 90%.
>
> I will create a PR when approved.
>
> Code -
> https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers
>
> Doc -
> https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers
>
> NOTE: I just put together the docs today - will be making them a bit
> "nicer" next week.
>
> Some of the functionality is available in the very simple Headers security
> extension and the oauth2-* community modules.  This module is much simpler,
> much more complete, and MUCH easier to maintain/test/configure.
>
> In fact, if you want to use OIDC and are willing to put your geoserver
> behind apache (with mod_auth_openid), this module makes it MUCH MUCH easier
> to set up and maintain wrt the oauth2-* community modules.  If you want to
> have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the
> oauth2-* community modules.
>
> NOTE: I am planning to add similar functionality to GeoNetwork.
>
> Thanks,
> Dave
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>