Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accesstokens #1

Open
wants to merge 79 commits into
base: master
Choose a base branch
from
Open

Accesstokens #1

wants to merge 79 commits into from

Conversation

davidblasby
Copy link
Owner

@davidblasby davidblasby commented Jul 27, 2022
edited
Loading

This PR is improving the support for Bearer Tokens. See the updated GS OpenID documentation for setup and usage.

Summary: attach an Access Token to your HTTP requests - useful for automated (i.e. desktop/remote web) access of the REST api.

There was already some partial support for Bearer tokens. This PR improves it.

  1. There is now better token validation (see GS doc + OIDC specification). This improves security.
  2. Since you cannot use ID Tokens with attached access tokens, I added two new ways to get user groups:
    a) from the "userinfo" endpoint (recommended for KeyCloak)
    b) from the MS Graph API (only for MS Azure AD)
  3. There is a configuration on the OIDC web page to turn on/off bearer tokens
  4. I added some minor validation to the OIDC web page
  5. Added a few test cases
  6. Updated documentation for Attached Bearer Tokens
  7. Tested with Keycloak and Azure AD
  8. I attach the "userinfo" results to the incomming request (in the same manner as the ID/Access tokens + other spring stuff)
  9. I attach a flag to the incomming request indicating if the authentication is BEARER or USER (in the same manner as the ID/Access tokens + other spring stuff)

Checklist

For core and extension modules:

  • New unit tests have been added covering the changes.
  • Documentation has been updated (if change is visible to end users).
  • [n/a] The REST API docs have been updated (when changing configuration objects or the REST controllers).
  • There is an issue in the GeoServer Jira (except for changes that do not affect administrators or end users in any way).
  • Commit message(s) must be in the form [GEOS-XYZWV] Title of the Jira ticket.
  • Bug fixes and small new features are presented as a single commit.
  • Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

fernandor777 and others added 30 commits July 29, 2022 10:51
@fernandor777 @aaime
[GEOS-10591] XML view params format implementation (geoserver#6074)
cf57b56 
* [GEOS-10591] XML view params format implementation

* Update doc/en/user/source/data/database/sqlview.rst

Co-authored-by: Andrea Aime <[email protected]>

* Update doc/en/user/source/data/database/sqlview.rst

Co-authored-by: Andrea Aime <[email protected]>

* Update doc/en/user/source/data/database/sqlview.rst

Co-authored-by: Andrea Aime <[email protected]>

* [GEOS-10591] review fixes

* Fix case insensitive viewParamsFormat handling

Co-authored-by: Andrea Aime <[email protected]>
@sebastianfrey
[GEOS-10569] Features API support sortby query parameter (geoserver#6076
ede744f 
)

* [GEOS-10569] Features API support sortby query parameter

* [GEOS-10569] Fix format violations

* [GEOS-10569] Replace List.of with ImmutableList.copyOf
@sgavathe
Update documentation on WMTS Store & WMTS Layer
5623579 
Documentation on Adding an external WMTS & Configuring external WMTS layers via REST for this reference
https://docs.geoserver.org/stable/en/user/data/cascaded/wmts.html
@petersmythe
Update seed.rst (geoserver#6079)
84454eb 
* Update seed.rst

* Update seed.rst

Corrected the third field by referencing the code: https://github.com/GeoWebCache/geowebcache/blob/main/geowebcache/core/src/main/java/org/geowebcache/seed/TileBreeder.java#L450
@aaime
[GEOS-10585] Follow up, update start.jar
3742fcb
@jodygarnett @aaime
[GEOS-10585] Download start.sh as maven dependency and include in bin…
49633c0 
… assembly
@aaime
[GEOS-10603] STAC datastore nightly build packaging (geoserver#6082)
568ba2b
@NatEvatt
typo: a identifier to an identifier (geoserver#6081)
a945fad
@dromagnoli @aaime
[GEOS-10608]:Stop flooding logs with InvalidDate (and similar) at Severe
74d887a
@dependabot @aaime
Bump postgresql from 42.3.3 to 42.4.1 in /src
3e9fe80 
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.3.3 to 42.4.1.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](pgjdbc/pgjdbc@REL42.3.3...REL42.4.1)

---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@sgavathe
Update stores.rst
3efd989 
rm python & java section on the REST documentation
@sgavathe
Update stores.rst
62b47e8 
removed python & java admonition
@mprins
Merge pull request geoserver#6080 from sgavathe/patch-1
2b4c45c 
Update documentation on WMTS Store & WMTS Layer
@fernandor777
[GEOS-10609] Fix Issue retrieving a workspace style without prefix on…
f413c75 
… JDBCConfig (geoserver#6091)
@aaime
[GEOS-10617] STAC module will throw exception on creation of a new co…
364cb74 
…llection
@bgalartza
[GEOS-10615] Fix KML placemark template path in documentation
b84b3ec 
The workspace wide templates are stored in the same 'workspaces' folder as the layer specific templates.
@mprins
[GEOS-10620] Update oshi to 6.2.2 to support Apple M2 CPU
5055b47
@mprins
Merge pull request geoserver#6109 from geoserver/GEOS-10620_oshi-6.2.2
f5bf606 
[GEOS-10620] Update oshi to 6.2.2 to support Apple M2 CPU
@sikeoka
[GEOS-10462] Upgrade commons-httpclient 3.1 to org.apache.httpcompone…
e7808f9 
…nts:httpclient:4.5.13 (geoserver#6104)
@mbheinen @bradh
Fixing minor documentation issues (geoserver#6112)
6bc41c7 
* Fixing minor documentation issues

Fixing minor grammar, usage, and typos in the documentationl. Also,
rephrased a couple of areas for improved clarity.

* Update doc/en/user/source/tutorials/GetFeatureInfo/raster.rst

Co-authored-by: Brad Hards <[email protected]>
@mprins
Merge pull request geoserver#6108 from bgalartza/patch-1
61aaad6 
[GEOS-10615] Fix KML placemark template path in documentation
@aaime
[GEOS-10610] Selective cache reset on stores and resources, via REST API
15bc56c
@jodygarnett @aaime
[GEOS-10606] Geneate html files for assemblies
3eac847
@ahmedababnehgeo @aaime
[GEOS-10607] Links disappearing for the Admin user
c637344
@jodygarnett @aaime
[GEOS-10618] Assemble release geoserver_dir for Docker use
119e857 
Using "geoserver_dir" to match docker structure.
@aaime
[GEOS-10583] Align spring-oxm with the other Spring dependencies
41b3f9d
@davidblasby @david-blasby
[GEOS-10618] DOCS: Official GeoServer Docker Image (GSIP-192) (geoser…
edf788f 
…ver#6107)

* update docker container documentation

* minor changes

* update to jody's comments

* adding extensions

Co-authored-by: david.blasby <[email protected]>
@petersmythe @jodygarnett
Add missing swagger docs for associating users with groups. Also fixe…
dc092e1 
…d (broken) plural endpoints to (working) singular
@petersmythe @jodygarnett
Removed 2 endpoints rather than flagging as Not implemented
6735da8
@jodygarnett
[GEOS-10624] Data directory and documentation update
d6f8335
jodygarnett
jodygarnett reviewed Sep 8, 2022
View reviewed changes
...penid-connect-core/src/test/java/org/geoserver/security/oauth2/MSGraphRolesResolverTest.java
@@ -0,0 +1,133 @@
package org.geoserver.security.oauth2;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

header needed

bradh and others added 28 commits September 9, 2022 08:44
@bradh
Trivial typo fix in GeoRSS tutorial
1d6efa4
@mprins
Merge pull request geoserver#6168 from geoserver/bradh-patch-1
cf4c62b 
Trivial typo fix in GeoRSS tutorial
@etj
[GEOS-10635] GeoFence: area reprojection tests are failing (geoserver…
581c57a 
…#6134)
@etj
[GEOS-10625] GeoFence: improve filtering by role (geoserver#6131)
c2a3574
@jasminb @aaime
[GEOS-10649] Concurrent modification to GWC style parameter filter ca…
7e345e0 
…n lead to OOM (geoserver#6124)

* Fixed concurrency issue in setLayer that can lead to out of memory issues when iterating trough the available styles

* Fixed NPE in clone()

* Added unit-test that covers concurrent modification scenario

* Fixed class formatting

* Code changes to comply with code-style and PMD checks

* Added missing copyright header

Co-authored-by: Andrea Aime <[email protected]>
@jodygarnett
Remove table of now broken links to historical docs
97fe168
@aaime
[GEOS-10636] (proxied) Login is broken after upgrade to 2.22-M0 and 2…
fa5f6e6 
….21.1
@mprins
Merge pull request geoserver#6175 from aaime/proxy_migrate
151382c 
[GEOS-10636] (proxied) Login is broken after upgrade to 2.22-M0 and 2.21.1
@aaime
Follow up to GEOT-7219
bde9e37
@aaime
[GEOS-10603] STAC store, adding documentation
01ef263
@dromagnoli
[GEOS-10642]: Follow up - update zip packaging for cog community modu…
7654918 
…le (geoserver#6184)
@NielsCharlier
[GEOS-10654] app-schema GetFeature numberMatched fails with ID filter…
c61a483 
…: test
@NielsCharlier
Merge pull request geoserver#6178 from NielsCharlier/GEOT-7214
27ac654 
[GEOS-10654] app-schema GetFeature numberMatched fails with ID filter:…
@Tofull
fix copy-paste typo (shapefile --> database) (geoserver#6186)
5f0eb00
@bradh @aaime
[GEOS-10641] OGC API - Features - Failure on feature item CRS
238e661 
The method arguments were in the wrong order.
@david-blasby
WIP: bearer tokens
267818c
@david-blasby
WIP: test cases, changes to web GUI, token validation, ms graph api r…
39dd718 
…ole source
@david-blasby
update doc for oidc bearer tokens
061ce21
@david-blasby
turn off bearer tokens with config
c0d1472
@david-blasby
jody feedback + don't use hardcoded paths in json
c630b6d
@david-blasby
format changes
5fdcb37
@david-blasby
remove double header
a9d06a9
@davidblasby @jodygarnett @david-blasby
Update doc/en/user/source/community/oauth2/index.rst
55bf0e0 
Co-authored-by: Jody Garnett <[email protected]>
@davidblasby @jodygarnett @david-blasby
Update src/community/security/oauth2-openid-connect/oauth2-openid-con…
d89dfaf 
…nect-core/src/main/java/org/geoserver/security/oauth2/MSGraphRolesResolver.java

Co-authored-by: Jody Garnett <[email protected]>
@davidblasby @jodygarnett @david-blasby
Update src/community/security/oauth2-openid-connect/oauth2-openid-con…
c6f452d 
…nect-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationFilter.java

Co-authored-by: Jody Garnett <[email protected]>
@davidblasby @jodygarnett @david-blasby
Update src/community/security/oauth2-openid-connect/oauth2-openid-con…
6947fb8 
…nect-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationProvider.java

Co-authored-by: Jody Garnett <[email protected]>
@david-blasby
reformat of jody's changes
16151cf
@david-blasby
changes from taba90 review
4a6a5be
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jodygarnett jodygarnett jodygarnett left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.