GeoTools / GeoServer PMC meeting - 2024-09-24
Attending
- Torben Barsballe
- Jody Garnett
- Jukka Rahkonen
- Kevin Smith
- Andrea Aime
Actions from prior meetings:
- Jody: GeoServer Blog post for GeoServer 3
- Gabriel: Outstanding PRs for 2.26.0
Regarding the OGC Specs: I also don't think there's much to be gained there in
terms of security.
Regarding 401: I'll keep that in mind, maybe it's enough to deliver a 401 when
the last filter is configured accordingly. But that certainly depends on the
project.
From: David Blasby
Sent: D
Ok, I have just seen that the JWT Headers module also verifies the signatures.
I would then prioritise my activities in this area less.
Thanks to all for your feedback!
From: Alessio Fabiani
Sent: Thursday, 26 September 2024 08:40
To: David Blasby
Cc: Francesco Bartoli ; jody.garn...@gm
Hello Dave,
If I understand you correctly, the implementation in the JWT Headers module
trusts the content of the JWTs. In many cases, behind a reverse proxy, possibly
Apache with OIDC, this is certainly OK.
In the case of OAuth2, the Resource Server checks the authenticity of the JWT
on the b