.. _community_jwtheaders:

JWT Headers
===========

The JWT Headers module provides a security module for header-based security. This provides much more advanced functionality than the HTTP Header Authentication Module (see :ref:`security_tutorials_httpheaderproxy`).

This module allows `JSON-based <https://en.wikipedia.org/wiki/JSON>`_ headers (for username and roles) as well as `JWT-based <https://en.wikipedia.org/wiki/JSON_Web_Token>`_ headers (for username and roles). It also allows for validating JWT-based Access Tokens (i.e. via `OAUTH2 <https://en.wikipedia.org/wiki/OAuth>`_/`OpenID Connect <https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)>`_).

If you are using something like `Apache's mod_auth_openidc <https://github.com/OpenIDC/mod_auth_openidc>`_, then this module will allow you to:

#. Get the username from an Apache-provided ``OIDC_*`` header (either as a simple string or as a component of a JSON object).
#. Get the user's roles from an Apache-provided ``OIDC_*`` header (as a component of a JSON object).
#. The user's roles can also come from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).

If you are using `OAUTH2/OIDC Access Tokens <https://www.oauth.com/oauth2-servers/access-tokens/>`_:

#. Get the username from the attached JWT Access Token (via a path into the `Access Token's JSON Claims <https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens/>`_).
#. Get the user's roles from the JWT Access Token (via a path into the Token's JSON Claims).
#. Validate the Access Token:

   * Validate its signature
   * Validate that it hasn't expired
   * Validate the token against a token verifier URL ("userinfo_endpoint") and check that the subjects match
   * Validate components of the Access Token (like `aud (audience) <https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims>`_)

#. The user's roles can also come from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
#. You can also extract roles from the JWT Access Token (via a JSON path).
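The following is an added, self-contained example (not GeoServer's own code) that walks through the two flows listed above: taking a username and roles from mod_auth_openidc-style headers (a plain-string header plus a JSON-valued header read via a path), and validating a JWT Access Token (signature, expiry, ``aud``) before pulling username and roles out of its claims via a dotted JSON path. To keep it runnable offline it mints and checks HS256 tokens with a constructed shared secret, standing in for the identity provider's signature; the header names, claim layout and key are all constructed for the demo. The ``userinfo_endpoint`` subject check from the list above needs a network call to the identity provider and is left out.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): the real module verifies the identity
# provider's signature; an HS256 shared secret is used only so this runs offline.
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_AUD = "geoserver"

# Constructed mod_auth_openidc-style headers as a downstream application sees
# them. Names are illustrative; the second header carries roles inside a JSON object.
DEMO_HEADERS = {
    "OIDC_CLAIM_preferred_username": "alice",
    "OIDC_CLAIM_realm_access": '{"roles": ["ROLE_EDITOR", "ROLE_VIEWER"]}',
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_path(obj, path: str):
    """Walk a dotted path such as "resource_access.geoserver.roles" into a decoded JSON object."""
    current = obj
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the demo (stands in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Signature, expiry and audience checks; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    return claims


def rejection_reason(token, key, expected_aud, now=None):
    """Return why a token was rejected, or None if it is accepted (useful for audit logging)."""
    try:
        validate_token(token, key, expected_aud, now)
    except ValueError as err:
        return str(err)
    return None


def principal_from_token(token, key, expected_aud, username_path, roles_path, now=None):
    """Validate first, then read username and roles from the claims via JSON paths."""
    claims = validate_token(token, key, expected_aud, now)
    roles = json_path(claims, roles_path) or []
    return json_path(claims, username_path), list(roles)


def principal_from_headers(headers, username_header, roles_header, roles_path):
    """Username from a plain-string header; roles from a component of a JSON-valued header."""
    username = headers.get(username_header)
    roles_obj = json.loads(headers.get(roles_header, "{}"))
    return username, list(json_path(roles_obj, roles_path) or [])


if __name__ == "__main__":
    demo_claims = {
        "sub": "alice", "preferred_username": "alice", "aud": EXPECTED_AUD,
        "exp": int(time.time()) + 300,
        "resource_access": {"geoserver": {"roles": ["ROLE_EDITOR"]}},
    }
    token = make_token(demo_claims, DEMO_KEY)
    print(principal_from_token(token, DEMO_KEY, EXPECTED_AUD,
                               "preferred_username", "resource_access.geoserver.roles"))
    print(principal_from_headers(DEMO_HEADERS, "OIDC_CLAIM_preferred_username",
                                 "OIDC_CLAIM_realm_access", "roles"))
```

Two design points carry over to any real deployment: the accepted algorithm is fixed by the verifier rather than read from the token header, and every check (signature, ``exp``, ``aud``) runs before any claim is trusted for username or role lookup.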
.. toctree::
   :maxdepth: 2

   installing
   configuration