Home Explore Help
Register Sign In
siwei
/
web-server
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
web-server
/
doc
/
en
/
user
/
source
/
community
/
jwt-headers
/
index.rst

index.rst 2.2 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738 
  1. .. _community_jwtheaders:
    2. 

  2. 

  3. JWT Headers
    4. 

  4. ===========
    5. 

  5.  
    6. 

  6. The JWT Headers module provides a security module for header based security.  This provides much more advanced functionality than the HTTP Header Authentication Module (see :ref:`security_tutorials_httpheaderproxy`).
    7. 

  7. 

  8. This module allows  `JSON-based  <https://en.wikipedia.org/wiki/JSON>`_ headers (for username and roles) as well as `JWT-based  <https://en.wikipedia.org/wiki/JSON_Web_Token>`_ headers (for username and roles).  It also allows for validating JWT-Based AccessTokens (i.e. via `OAUTH2  <https://en.wikipedia.org/wiki/OAuth>`_/`OpenID Connect  <https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)>`_).
    9. 

  9. 

  10. 

  11. If you are using something like `Apache's mod_auth_openidc  <https://github.com/OpenIDC/mod_auth_openidc>`_, then this module will allow you to;
    12. 

  12. 

  13. #. Get the username from an Apache-provided `OIDC_*` header (either as simple-strings or as a component of a JSON object).
    14. 

  14. #. Get the user's roles from an Apache-provided `OIDC_*` header (as a component of a JSON object).
    15. 

  15. #. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
    16. 

  16. 

  17. If you are using `OAUTH2/OIDC Access Tokens  <https://www.oauth.com/oauth2-servers/access-tokens/>`_:
    18. 

  18. 

  19. #. Get the username from the attached JWT Access Token (via a path into the `Access Token's JSON Claims  <https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens/>`_).
    20. 

  20. #. Get the user's roles from the JWT Access Token (via a path into the Token's JSON Claims).
    21. 

  21. #. Validate the Access Token
    22. 

  22. 

  23.    * Validate its Signature
    24. 

  24.    * Validate that it hasn't expired
    25. 

  25.    * Validate the token against a token verifier URL ("userinfo_endpoint") and check that subjects match
    26. 

  26.    * Validate components of the Access Token (like `aud (audience)  <https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims>`_) 
    27. 

  27.    
    28. 

  28. #. The user's roles can also be from any of the standard GeoServer providers (i.e. User Group Service, Role Service, or Request Header).
    29. 

  29. #. You can also extract roles from the JWT Access Token (via a JSON path).
    30. 

  30. 

  31. 

  32.  
    33. 

  33. .. toctree::
    34. 

  34.    :maxdepth: 2
    35. 

  35. 

  36.    installing
    37. 

  37.    configuration
    38. 

  38.