Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JWT Headers security module #7899

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

davidblasby
Copy link
Contributor

WIP - in progress. Added PR for early review. Test coverage is about 90%.

This is a new Security Module - that follows the GeoServer JWT Header security module so they can be used in exactly the same manner.

See the added docs for more details.

This relies on a shared module with GS - I expect this will take a little bit to become available.

org.geoserver.community.jwt-headers jwt-headers-util 2.25-SNAPSHOT

The GeoServer module is broken into two parts - a shared part (jwt-headers-util) and a Geoserver-specific module (jwt-headers-gs).

Checklist

  • I have read the contribution guidelines
  • Pull request provided for main branch, backports managed with label
  • Good housekeeping of code, cleaning up comments, tests, and documentation
  • Clean commit history broken into understandable chucks, avoiding big commits with hundreds of files, cautious of reformatting and whitespace changes
  • Clean commit messages, longer verbose messages are encouraged
  • API Changes are identified in commit messages
  • Testing provided for features or enhancements using automatic tests
  • User documentation provided for new features or enhancements in manual
  • Build documentation provided for development instructions in README.md files
  • Library management using pom.xml dependency management. Update build documentation with intended library use and library tutorials or documentation

@davidblasby
Copy link
Contributor Author

I GS went to v26, I need to update the dependencies and makes sure the GS PR is merged.

core/pom.xml Outdated
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
<version>2.4.0</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see json-path is used in services also. Please move the dependency with the version in both modules to the root pom and remove the version in the modules.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved

@@ -818,6 +819,233 @@ sample:RegisteredUser

A similar setup is described for geoserver in the [geoserver documentation](https://docs.geoserver.org/latest/en/user/community/keycloak/index.html).

## Configurating JWT/JSON Headers {#jwt-headers}

The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent).
The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivalent).

#### Role Conversion


The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names.
The JWT Headers module also allows for converting roles (from the external IDP) to the GeoNetwork internal role names.


| Environment Variable | Meaning |
| ------------- | ------- |
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`|
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`|
|JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to GeoNetwork Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoNetworkrRole1;ExternalRole2=GeoNetworkRole2`|


If you are using Apache's `mod_auth_openidc` module, then you do *not* have to do JWT validation - Apache will ensure they are valid when it attaches the headers to the request.

However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access.
However, if you are using robot access to GeoNetwork, you can attach an Access Token to the request header for access.


1. Get the username from an Apache-provided `OIDC_*` header (either as simple-strings or as a component of a JSON object).
2. Get the user's roles from an Apache-provided `OIDC_*` header (as a component of a JSON object).
3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
3. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header).

* Validate the token against a token verifier URL ("userinfo_endpoint") and check that subjects match
* Validate components of the Access Token (like [aud (audience)](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims>))

4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
4. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header).

@davidblasby
Copy link
Contributor Author

I've made changes based on jose's review.
This will not build until a GS PR is merged (geoserver/geoserver#7512).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants