Hi,
This is a request to create a new community module.
This is a fairly simple security module for header-based OAuth2/OIDC-type authentication - for example, Apache mod_auth_openid and robot-based access with JWT access tokens.
New functionality:
- Extract user name from a JSON header (including json path)
- Extract user name from an attached JWT token
- Extract Roles from JSON Header (including json path)
- Extract Roles from JWT Header (including json path)
- Role Translation from the external (IDP) names to internal GeoServer role names
- Access Token Validation:
  - signature validation
  - expiry validation
  - IDP external endpoint validation (including subject validation)
  - audience validation
Test coverage is about 90%.
I will create a PR when approved.
Code - https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers
Doc - https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers
NOTE: I just put together the docs today - will be making them a bit “nicer” next week.
Some of the functionality is available in the very simple Headers security extension and the oauth2-* community modules. This module is much simpler, much more complete, and MUCH easier to maintain/test/configure.
In fact, if you want to use OIDC and are willing to put your GeoServer behind Apache (with mod_auth_openid), this module makes it MUCH MUCH easier to set up and maintain compared with the oauth2-* community modules. If you want to have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the oauth2-* community modules.
NOTE: I am planning to add similar functionality to GeoNetwork.
Thanks,
Dave
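The pipeline the proposal lists (user name and roles pulled from a JSON header or a JWT via a JSON path, IDP-to-internal role translation, and signature / expiry / audience checks on the token) as an added example. This is not the proposed module's code nor GeoServer code; the module is Java, but the example is written in Python so it runs stand-alone with no dependencies. Assumptions: HS256 with a shared secret stands in for the IDP-published signing key (a real deployment would fetch the IDP's JWKS, which needs network access), the `ROLE_MAP` table, the header names, the JSON path subset (`$.a.b[0].c`) and all sample header values are constructed for the demo.

```python
"""Header/JWT user and role extraction with validation (added example, not module code)."""
import base64
import hashlib
import hmac
import json
import time

# Assumption for a self-contained demo: HS256 shared secret instead of an IDP JWKS key.
SECRET = b"demo-shared-secret-not-for-production"

# Assumed IDP-role -> internal-role table; unmapped IDP roles are deliberately dropped.
ROLE_MAP = {"geo-admin": "ROLE_ADMINISTRATOR", "geo-editor": "ROLE_EDITOR"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a test token; stands in for the IDP (constructed input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def json_path(obj, path: str):
    """Minimal JSON path ('$.a.b[0].c'). Returns None when any step is missing."""
    if path == "$":
        return obj
    if path.startswith("$."):
        path = path[2:]
    cur = obj
    for step in path.split("."):
        name, _, rest = step.partition("[")
        if name:
            if not isinstance(cur, dict) or name not in cur:
                return None
            cur = cur[name]
        while rest:                      # handle one or more [index] suffixes
            idx, _, rest = rest.partition("]")
            rest = rest.lstrip("[")
            try:
                cur = cur[int(idx)]
            except (ValueError, IndexError, TypeError):
                return None
    return cur


def verify_jwt(token: str, audience: str, secret: bytes = SECRET, now=None) -> dict:
    """Signature, expiry and audience checks; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the token must not choose it (rejects alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("audience mismatch")
    return claims


def translate_roles(idp_roles, role_map=ROLE_MAP):
    """Map external (IDP) role names to internal ones; unknown names are not passed through."""
    return sorted({role_map[r] for r in (idp_roles or []) if r in role_map})


def user_from_json_header(header_value: str, user_path: str, roles_path: str):
    """Plain JSON header (e.g. what mod_auth_openid would forward): no signature to check."""
    doc = json.loads(header_value)
    return json_path(doc, user_path), translate_roles(json_path(doc, roles_path))


def user_from_jwt_header(header_value: str, audience: str, user_path: str, roles_path: str, now=None):
    """JWT header: validate first, then extract user and roles from the verified claims."""
    token = header_value[len("Bearer "):] if header_value.startswith("Bearer ") else header_value
    claims = verify_jwt(token, audience, now=now)
    return json_path(claims, user_path), translate_roles(json_path(claims, roles_path))


if __name__ == "__main__":
    # Constructed header values standing in for what a reverse proxy would forward.
    json_hdr = json.dumps({"preferred_username": "dave", "realm": {"roles": ["geo-admin", "viewer"]}})
    print(user_from_json_header(json_hdr, "$.preferred_username", "$.realm.roles"))
    tok = make_jwt({"sub": "dave", "aud": ["geoserver"], "exp": int(time.time()) + 300,
                    "resource_access": {"geoserver": {"roles": ["geo-editor"]}}})
    print(user_from_jwt_header("Bearer " + tok, "geoserver", "$.sub",
                               "$.resource_access.geoserver.roles"))
```

The order matters: with the JWT variant, nothing is read out of the token until the signature, `exp` and `aud` checks have passed, and the algorithm is pinned by the verifier rather than taken from the token header. Unmapped IDP roles are dropped rather than passed through, so a new role minted on the IDP side grants nothing in GeoServer until someone adds it to the translation table.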