Dear all, that option in GeoServer OIDC allows the latter to validate the provided access tokens without the user intervention (no login challenge or redirection).
That said, by the meaning of "Resource Server" in the OAuth 2.0 and OpenID Connect frameworks, yes, it makes sense to define GeoServer acting as a Resource Server in this case. On Wed, Sep 18, 2024 at 8:48 AM Watermeyer, Andreas < andreas.waterme...@its-digital.de> wrote: > This part of the GS documentation sounds like this resource server use > case (from > https://docs.geoserver.org/latest/en/user/community/oauth2/oidc.html#openid-connect-with-attached-access-bearer-tokens): > > > *OpenID Connect With Attached Access Bearer Tokens* > > The OpenID Connect plugin allows the use of Attached Bearer Access Tokens. > This is typically used by automated (i.e. desktop or external Web Service) > to access the Geoserver REST API. > > Bearer Tokens > The setup process is as follows: > 1. Setup your OAuth2 OpenID Connect configuration as normal > 2. On the OpenID Connect configuration screen (bottom), makes sure “Allow > Attached Bearer Tokens” is checked > 3. You cannot use ID Tokens as a Role Source for the attached Bearer > Tokens (see below) > > To Use: > 1. Obtain an Access Token from the underlying IDP > 2. Attach the access token to your HTTP request headers > > Authorization: Bearer <token> > > The Access Token (JWT) is validated; > 1. The Access Token is used to get the “userinfo” endpoint. The underlying > IDP will verify the token (i.e. signature and expiry) > 2. The Audience of the Token is checked that it contains the GeoServer > configured Client Id. This make sure an Access Token for another > application is not being inappropriately reused in GeoServer (cf. > AudienceAccessTokenValidator.java). > 3. The Subject of the userinfo and Access Token are verified to be about > the same person. The OpenID specification recommends checking this (cf. > SubjectTokenValidator.java). > > > > Von: Jody Garnett <jody.garn...@gmail.com> > Gesendet: Dienstag, 17. September 2024 21:05 > An: Watermeyer, Andreas <andreas.waterme...@its-digital.de> > Cc: geoserver-devel@lists.sourceforge.net > Betreff: Re: [Geoserver-devel] Spring Security Upgrade > > [Externe E-Mail] Vorsicht beim Öffnen von Links und Anhängen. / Be careful > when opening links and attachments. > I do not believe that resource server use is supported by the existing > security module. > > I have personally used this to integrate with login with other credentials > (keycloak or azure), so this is the only workflow I am sure of. > > - - > Jody Garnett > > > On Sep 17, 2024 at 7:57:30 AM, "Watermeyer, Andreas" <mailto: > andreas.waterme...@its-digital.de> wrote: > Hi Jody, > > I’m just writing to confirm that I’ve started working on this task. > > Did I understand correctly that, for now, the focus is on gs-sec-oidc > providing “Login” with OpenID Connect rather than enabling GeoServer to act > as a resource server in the OAuth2 sense? > > Best regards, > Andreas > > Von: Jody Garnett <mailto:jody.garn...@gmail.com> > Gesendet: Dienstag, 20. August 2024 18:21 > An: Watermeyer, Andreas <mailto:andreas.waterme...@its-digital.de> > Cc: mailto:geoserver-devel@lists.sourceforge.net > Betreff: Re: [Geoserver-devel] Spring Security Upgrade > > [Externe E-Mail] Vorsicht beim Öffnen von Links und Anhängen. / Be careful > when opening links and attachments. > Welcome back Andreas, > > GeoCat is very much focused on OIDC and brining up such an extension to > supported status. > What does that mean for the existing OIDC extension in the community > section? > > Here is my mad plan: > > 1. leave the existing gs-sec-oauth2-openid-connect community module in > place - it can continue to operate for the 2.26 release cycle ... and be > removed for 2.27.x when the spring-framework-6 update happens > 2. make a copy as a new gs-sec-oidc module and adapt the > spring-security-framework OAuth2 client ... to be developed during the 2.27 > release cycle in September > 3. folks can migrate to the new implementation while we use > spring-security 5.8 and both are operational > 4. when the spring-security 6.3 update happens > gs-sec-oauth2-openid-connect is removed, and gs-sec-oidc remains available > 5. once it meets the graduation requirements GeoCat would like to propose > the new module as an extension. It may be a bit challenging (setting up > some kind of online testing with GitHub workflow to achieve test coverage > for example) > > BTW: I will also be on holiday now until 2024-08-13. > > I am speaking with my boss tomorrow, everyone has been away on vacation! > > I made a > https://geoserver.org/behind%20the%20scenes/2024/07/22/developer-update.html > and > GeoServer project steering committee has picked up one new silver sponsor > ($3000/annual). I am still hoping for more interested parties (specificly > for the github / google / geonode modules). > - - > Jody Garnett > > > On Aug 13, 2024 at 8:41:34 AM, "Watermeyer, Andreas" <mailto: > andreas.waterme...@its-digital.de> wrote: > Hi Jody, > > I am back now. Please let me know when we can discuss how to continue with > this. I will pause the task in the meantime. > > Best regards, > Andreas > > Von: Jody Garnett <mailto:jody.garn...@gmail.com> > Gesendet: Donnerstag, 25. Juli 2024 18:12 > An: Watermeyer, Andreas <mailto:andreas.waterme...@its-digital.de> > Cc: mailto:geoserver-devel@lists.sourceforge.net > Betreff: Re: [Geoserver-devel] Spring Security Upgrade > > [Externe E-Mail] Vorsicht beim Öffnen von Links und Anhängen. / Be careful > when opening links and attachments. > Enjoy you vacation, I will be away for some weeks also. Lets catch up when > we return (and hopefully some other parties will of stepped forward as > interested by then). > > -- > Jody Garnett > > > On Jul 25, 2024 at 3:42:13 AM, "Watermeyer, Andreas" <mailto: > andreas.waterme...@its-digital.de> wrote: > Hi Jody, > > > GeoCat is very much focused on OIDC and brining up such an extension to > supported status. > What does that mean for the existing OIDC extension in the community > section? > > BTW: I will also be on holiday now until 2024-08-13. > > Best regards, > Andreas Watermeyer > > Von: Jody Garnett <mailto:jody.garn...@gmail.com> > Gesendet: Montag, 22. Juli 2024 18:52 > An: Watermeyer, Andreas <mailto:andreas.waterme...@its-digital.de> > Cc: mailto:geoserver-devel@lists.sourceforge.net > Betreff: Re: [Geoserver-devel] Spring Security Upgrade > > [Externe E-Mail] Vorsicht beim Öffnen von Links und Anhängen. / Be careful > when opening links and attachments. > Hi Andreas, > > Thanks for replying I will update and publish the blog post. > > GEOS-11271 > > That is great news that it is going smoothly. > > GEOS-11272 > > GeoCat is very much focused on OIDC and brining up such an extension to > supported status. The blog post is in part to see if anyone has capacity > (or budget) to take on the generic OAauth2 functionality. Our developer > who did the upgrade is on vacation presently, and may or may not be > available to work on this when they return. Automated tests would be > amazing - and test coverage is one of the tasks to hit to make this into a > supported extension. > > If you are in position to start on this activity please go ahead, or we > can talk about approach now. > -- > Jody Garnett > > > On Mon, Jul 22, 2024 at 1:44 AM Watermeyer, Andreas <mailto: > andreas.waterme...@its-digital.de> wrote: > Hi Jody, > > regarding GEOS-11271- Upgrade spring-security to 5.8: > > I started to work on this now. The upgrade itself seems to be limited to > adjusting the pom only. I am now about to do some integration testing, also > to become familiar with the GS functionality in that area. > > Regarding GEOS-11272 spring-security-oauth replacement, with > spring-security 5.8: > > Considering GeoCat has done the same upgrade for the GeoNetwork codebase, > GeoCat is probably in a much better position to work on this. Therefor I > suggest that GeoCat takes over this task. > We could either provide further support on this task, for example in > testing (manual or automated). I suppose automated integration tests are > not yet existing. I suppose it would be possible to setup some integration > tests with a dockerized OIDC server, for example Spring Authorization > Server. Also, something else would be Ok to work on, for example “Refactor > inline JavaScript in the OGC API modules” seems possible. > > What do you think? > > Best regards, > Andreas > > Von: Jody Garnett <mailto:jody.garn...@gmail.com> > Gesendet: Freitag, 19. Juli 2024 08:01 > An: Watermeyer, Andreas <mailto:andreas.waterme...@its-digital.de> > Cc: mailto:geoserver-devel@lists.sourceforge.net > Betreff: Re: [Geoserver-devel] Spring Security Upgrade > > [Externe E-Mail] Vorsicht beim Öffnen von Links und Anhängen. / Be careful > when opening links and attachments. > Here is the blog post for review: > https://github.com/geoserver/geoserver.github.io/pull/205 > > I had a couple thoughts on how to approach the GEOS-11272 and have > capacity to assist in this work. > > > > -- > Jody Garnett > > > On Thu, Jul 18, 2024 at 9:23 AM Jody Garnett <mailto: > jody.garn...@gmail.com> wrote: > That would be great, and fit very well with our roadmap planning. > > I am writing a blog post update about GEOS-11272 and other activities that > are ready to be worked on. > Can I list you and your employer as a party working in this blog post? > -- > Jody Garnett > > > On Jul 18, 2024 at 3:37:57 AM, "Watermeyer, Andreas" <mailto: > andreas.waterme...@its-digital.de> wrote: > Hi community, > > I am now starting to work on: > > GEOS-11271 : Upgrade spring-security to 5.8 > GEOS-11272 : spring-security-oauth replacement, with spring-security 5.8 > > As far as I know no activities have taken place in this area so far. > Otherwise please let me know. > > Regards, > Andreas > > > _______________________________________________ > Geoserver-devel mailing list > mailto:Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > -- Regards, Alessio Fabiani == GeoServer Professional Services from the experts! Visit http://bit.ly/gs-services-us for more information. == Ing. Alessio Fabiani @alfa7691 Founder/Technical Lead GeoSolutions Group phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 331 6233686 https://www.geosolutionsgroup.com/ http://twitter.com/geosolutions_it ------------------------------------------------------- Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
