-
-
Notifications
You must be signed in to change notification settings - Fork 489
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JWT Headers security module #7899
base: main
Are you sure you want to change the base?
Conversation
I GS went to v26, I need to update the dependencies and makes sure the GS PR is merged. |
core/pom.xml
Outdated
<dependency> | ||
<groupId>com.jayway.jsonpath</groupId> | ||
<artifactId>json-path</artifactId> | ||
<version>2.4.0</version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see json-path
is used in services
also. Please move the dependency with the version in both modules to the root pom and remove the version in the modules.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
moved
@@ -818,6 +819,233 @@ sample:RegisteredUser | |||
|
|||
A similar setup is described for geoserver in the [geoserver documentation](https://docs.geoserver.org/latest/en/user/community/keycloak/index.html). | |||
|
|||
## Configurating JWT/JSON Headers {#jwt-headers} | |||
|
|||
The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent). | |
The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivalent). |
#### Role Conversion | ||
|
||
|
||
The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names. | |
The JWT Headers module also allows for converting roles (from the external IDP) to the GeoNetwork internal role names. |
|
||
| Environment Variable | Meaning | | ||
| ------------- | ------- | | ||
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`| | |
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to GeoNetwork Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoNetworkrRole1;ExternalRole2=GeoNetworkRole2`| |
|
||
If you are using Apache's `mod_auth_openidc` module, then you do *not* have to do JWT validation - Apache will ensure they are valid when it attaches the headers to the request. | ||
|
||
However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access. | |
However, if you are using robot access to GeoNetwork, you can attach an Access Token to the request header for access. |
|
||
1. Get the username from an Apache-provided `OIDC_*` header (either as simple-strings or as a component of a JSON object). | ||
2. Get the user's roles from an Apache-provided `OIDC_*` header (as a component of a JSON object). | ||
3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). | |
3. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header). |
* Validate the token against a token verifier URL ("userinfo_endpoint") and check that subjects match | ||
* Validate components of the Access Token (like [aud (audience)](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims>)) | ||
|
||
4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). | |
4. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header). |
I've made changes based on jose's review. |
WIP - in progress. Added PR for early review. Test coverage is about 90%.
This is a new Security Module - that follows the GeoServer JWT Header security module so they can be used in exactly the same manner.
See the added docs for more details.
This relies on a shared module with GS - I expect this will take a little bit to become available.
org.geoserver.community.jwt-headers jwt-headers-util 2.25-SNAPSHOTThe GeoServer module is broken into two parts - a shared part (jwt-headers-util) and a Geoserver-specific module (jwt-headers-gs).
Checklist
main
branch, backports managed with labelREADME.md
filespom.xml
dependency management. Update build documentation with intended library use and library tutorials or documentation