JWT Headers security module #7899
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I GS went to v26, I need to update the dependencies and makes sure the GS PR is merged. |
josegar74
reviewed
Mar 26, 2024
core/pom.xml
Outdated
| <dependency> | ||
| <groupId>com.jayway.jsonpath</groupId> | ||
| <artifactId>json-path</artifactId> | ||
| <version>2.4.0</version> |
There was a problem hiding this comment.
I see json-path is used in services also. Please move the dependency with the version in both modules to the root pom and remove the version in the modules.
| @@ -818,6 +819,233 @@ sample:RegisteredUser | |||
|
|
|||
| A similar setup is described for geoserver in the [geoserver documentation](https://docs.geoserver.org/latest/en/user/community/keycloak/index.html). | |||
|
|
|||
| ## Configurating JWT/JSON Headers {#jwt-headers} | |||
|
|
|||
| The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent). | |||
There was a problem hiding this comment.
Suggested change
| The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivelent). | |
| The JWT Headers module provides a security module for header based security. It is equivalent to GeoServer's JWT Headers Module (both GeoServer and GeoNetwork share a code library to make them equivalent). |
| #### Role Conversion | ||
|
|
||
|
|
||
| The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names. |
There was a problem hiding this comment.
Suggested change
| The JWT Headers module also allows for converting roles (from the external IDP) to the GeoServer internal role names. | |
| The JWT Headers module also allows for converting roles (from the external IDP) to the GeoNetwork internal role names. |
|
|
||
| | Environment Variable | Meaning | | ||
| | ------------- | ------- | | ||
| |JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`| |
There was a problem hiding this comment.
Suggested change
| |JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to Geoserver Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoServerRole1;ExternalRole2=GeoServerRole2`| | |
| |JWTHEADERS_RoleConverterString| Role Converter Map from External Roles to GeoNetwork Roles. <br> This is a ";" delimited map in the form of: <br> `ExternalRole1=GeoNetworkrRole1;ExternalRole2=GeoNetworkRole2`| |
|
|
||
| If you are using Apache's `mod_auth_openidc` module, then you do *not* have to do JWT validation - Apache will ensure they are valid when it attaches the headers to the request. | ||
|
|
||
| However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access. |
There was a problem hiding this comment.
Suggested change
| However, if you are using robot access to GeoServer, you can attach an Access Token to the request header for access. | |
| However, if you are using robot access to GeoNetwork, you can attach an Access Token to the request header for access. |
|
|
||
| 1. Get the username from an Apache-provided `OIDC_*` header (either as simple-strings or as a component of a JSON object). | ||
| 2. Get the user's roles from an Apache-provided `OIDC_*` header (as a component of a JSON object). | ||
| 3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). |
There was a problem hiding this comment.
Suggested change
| 3. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). | |
| 3. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header). |
| * Validate the token against a token verifier URL ("userinfo_endpoint") and check that subjects match | ||
| * Validate components of the Access Token (like [aud (audience)](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims>)) | ||
|
|
||
| 4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). |
There was a problem hiding this comment.
Suggested change
| 4. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header). | |
| 4. The user's roles can also be from any of the standard GeoNetwork providers (i.e. User Group Service, Role Service, or Request Header). |
|
I've made changes based on jose's review. |
|
|
|
Works fine with GeoNetwork 5 geonetwork/geonetwork#77 |
fxprunayre
added a commit
that referenced
this pull request
Dec 12, 2024
Security configuration for GeoNetwork 4 deployed behing GeoNetwork 5 prototype using simple mode (ie. GN4 MUST not be exposed to intranet and internet). Authentication is managed by version 5 which check user credentials and create user in the database if needed. Then a JWT token is added to a header that version 4 checks. Related to: * JWT headers support #7899 * GeoNetwork 5 auth geonetwork/geonetwork#77 To enable the configuration, use: ```sh mvn jetty:run -Dgeonetwork.security.type=gn5 ```
10 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WIP - in progress. Added PR for early review. Test coverage is about 90%.
This is a new Security Module - that follows the GeoServer JWT Header security module so they can be used in exactly the same manner.
See the added docs for more details.
This relies on a shared module with GS - I expect this will take a little bit to become available.
org.geoserver.community.jwt-headers jwt-headers-util 2.25-SNAPSHOTThe GeoServer module is broken into two parts - a shared part (jwt-headers-util) and a Geoserver-specific module (jwt-headers-gs).
Checklist
mainbranch, backports managed with labelREADME.mdfilespom.xmldependency management. Update build documentation with intended library use and library tutorials or documentation