PR - https://github.com/geoserver/geoserver/pull/7440
On Thu, Feb 22, 2024 at 7:29 PM David Blasby <david.bla...@geocat.net> wrote:

> It doesn't really depend on spring - just mostly via other GS classes like
> GeoServerPreAuthenticatedUserNameFilter. It uses a little spring to do
> some JWT-parsing/manipulation, so it would be easy to move to another
> library if the new spring doesn't support it.
>
> So, it shouldn't be an issue to move to a later spring framework. The
> oauth2-* stuff will be a lot of work...
>
> Dave
>
> On Thu, Feb 22, 2024 at 5:10 PM Jody Garnett <jody.garn...@gmail.com>
> wrote:
>
>> +1 although I am your co-worker, others may have questions 🙂
>>
>> I know you are aware the transition to spring-framework 6 is planned; so
>> the community module will need to be rewritten before becoming an
>> extension; or did you just stick to spring-security core?
>>
>> I would like to get your PR in promptly so the docs are picked up in
>> mkdocs migration.
>> --
>> Jody Garnett
>>
>>
>> On Feb 22, 2024 at 11:54:28 AM, David Blasby <dbla...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> This is a request to create a new community module.
>>>
>>> This is a fairly simple security module for header-based OAUTH2/OIDC
>>> type authentication - for example Apache mod_auth_openid and
>>> robot-base-access with JWT Access Tokens.
>>>
>>> New functionality:
>>>
>>> 1. Extract user name from a JSON header (including json path)
>>> 2. Extract user name from an attached JWT token
>>> 3. Extract Roles from JSON Header (including json path)
>>> 4. Extract Roles from JWT Header (including json path)
>>> 5. Role Translation from the external (IDP) names to internal GeoServer
>>> role names
>>> 6. Access Token Validation;
>>>    + signature validation
>>>    + expiry validation
>>>    + IDP external endpoint validation (including subject validation)
>>>    + audience validation
>>>
>>> Test coverage is about 90%.
>>>
>>> I will create a PR when approved.
>>>
>>> Code -
>>> https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers
>>>
>>> Doc -
>>> https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers
>>>
>>> NOTE: I just put together the docs today - will be making them a bit
>>> "nicer" next week.
>>>
>>> Some of the functionality is available in the very simple Headers
>>> security extension and the oauth2-* community modules. This module is much
>>> simpler, much more complete, and MUCH easier to maintain/test/configure.
>>>
>>> In fact, if you want to use OIDC and are willing to put your geoserver
>>> behind apache (with mod_auth_openid), this module makes it MUCH MUCH easier
>>> to setup and maintain wrt the oauth2-* community modules. If you want to
>>> have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the
>>> oauth2-* community modules.
>>>
>>> NOTE: I am planning to add similar functionality to GeoNetwork.
>>>
>>> Thanks,
>>> Dave
>>> _______________________________________________
>>> Geoserver-devel mailing list
>>> Geoserver-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
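
The checks named in the feature list of the original proposal (signature, expiry and audience validation, user name and role extraction by path, role translation), as an added example that is not code from the jwt-headers module or from anyone in this thread. It assumes an HS256 shared key in place of whatever signing scheme the IDP uses, a dotted path as a simplified json path, and constructed claim, role and function names.

```python
import base64, hashlib, hmac, json, time

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key, alg="HS256"):
    """Build a constructed sample token (stands in for what the IDP issues)."""
    signed = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode()) + "." + b64e(json.dumps(claims).encode())
    return signed + "." + b64e(hmac.new(key, signed.encode(), hashlib.sha256).digest())

def dig(node, path):
    """Follow a dotted path such as 'realm_access.roles' (simplified JSON path)."""
    for name in path.split("."):
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node

def authenticate(token, key, audience, user_path, roles_path, role_map, now=None):
    """Return (user name, translated roles); raise ValueError if any check fails."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, sig_raw = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never take it from the token
        raise ValueError("unexpected alg")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_raw, good):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    user = dig(claims, user_path)
    if not isinstance(user, str) or not user:
        raise ValueError("no user name at " + user_path)
    external = dig(claims, roles_path)
    external = external if isinstance(external, list) else []
    # Unmapped external roles are dropped rather than passed through.
    return user, sorted({role_map[r] for r in external if isinstance(r, str) and r in role_map})
```

The signature is checked before any claim is read for a decision, so a forged body never reaches the role mapping.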