[Geoserver-users] Openid Oauth 2.0 community module issue

Hey community

We have a problem with securing some layers with our JWT token.

The first problem we experience is that the Geoserver does not accept the typ header in the token. The typ header we use is “at+jwt” and not “JWT”.

Another issue we might run into is that the payload of our token is encrypted.

We do get our token verified by the userinfo endpoint, but then it fails.

For reference, what we are trying to do is get the roles from the userinfo endpoint, with the encrypted token.

Therefore it does not need to be read by the Geoserver.

Thanks in advance

Kind regards

Nicklas Kolls Ethelberg

Senior Software Developer

Informatics

M +45 27 80 97 03

WSP Danmark A/S

Linnés Allé 2

2630 Taastrup

T +45 44 85 86 87

wsp.com/da-DK

Which JWT security module are you using?

The main OIDC support is not published as part of GeoServer - instead shared as source code for improvements like “jt+awt”.
The existing source code is here, so you have developer capacity to build and prepare a change yourself.

Migrating this to a newer version of spring-framework-6 is also a roadmap planning topic and we are looking for interested parties to assist.

There is also an isolated module that just focuses on the headers (requiring Apache or nginx to negotiate OIDC).


Jody Garnett