[GEOS-10646] OAuth access tokens #6167
Conversation
...2/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerAccessTokenConverter.java
...h2-openid-connect-core/src/main/java/org/geoserver/security/oauth2/MSGraphRolesResolver.java
...nect-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationFilter.java
// LOGGER.log(Level.FINE, "ID token: " + (String) | ||
// request.getAttribute(ID_TOKEN_VALUE)); | ||
// } catch (Exception e) { | ||
// } |
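Review bot: even behind a debugging flag, the commented-out `LOGGER.log(Level.FINE, "ID token: " + (String) request.getAttribute(ID_TOKEN_VALUE))` would write the raw ID token into the server log, and that token is a usable credential for as long as it is valid. If this block is ever re-enabled, log that the attribute is present (or a few non-secret claims such as sub and exp) rather than the token value, and give the empty `catch (Exception e) {}` at least a FINE log line so failures are not swallowed silently.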
Thanks for the comments; this is the rare case where keeping commented out code in the codebase may be worthwhile.
One trick I do is to do an:
    // final makes DEBUGGING a compile-time constant: javac still type-checks the
    // block but emits no bytecode for it while the flag is false
    private static final boolean DEBUGGING = false;

    if (DEBUGGING) {
        // some stuff that would otherwise be commented out
    }
May have to do a PMD ignore to get that passed QA checks but at least the debugging code will still be compiled.
...ct-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationProvider.java
import org.geoserver.security.oauth2.OpenIdConnectFilterConfig; | ||
|
||
/** | ||
* This is a simple token validator that runs a list of TokenValidators. This doesn't do any |
* This is a simple token validator that runs a list of TokenValidators. This doesn't do any | |
* This is a token validator that runs a list of TokenValidators. This doesn't do any |
I appreciate the TokenValidator interface and classes. I would like one of the other teams using OAuth to review (but I understand they may not be interested in bearer tokens at this time).
Overall looks good, tests passed running them locally. I've done some tests and it works fine.
I've added some minor comments.
try { | ||
memberOfEndpoint = new URL("https://graph.microsoft.com/v1.0/me/memberOf"); | ||
} catch (MalformedURLException e) { | ||
e.printStackTrace(); |
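Review bot: `new URL("https://graph.microsoft.com/v1.0/me/memberOf")` is built from a compile-time constant, so a MalformedURLException here can only be a programming error; catching it and continuing (with printStackTrace or a log line) leaves memberOfEndpoint null and moves the failure to the first request that uses it. Rethrow it as an unchecked exception, for example `throw new IllegalStateException(e);`, so the resolver fails at construction. Consider also reading the endpoint from the filter configuration instead of hard-coding the graph.microsoft.com host, so deployments that use a different Graph host do not need a code change.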
e.printStackTrace(); | |
e.printStackTrace(); |
Please remove printStackTrace();
Made it log (shouldn't throw unless someone makes a typo on the above line).
|
||
List<GeoServerRole> result = new ArrayList<>(); | ||
if (o instanceof String) { | ||
result.add(new GeoServerRole((String) o)); | ||
} else if (o instanceof List) { | ||
((List) o).stream().forEach(v -> result.add(new GeoServerRole((String) v))); | ||
} else { | ||
LOGGER.log( | ||
Level.FINE, | ||
"Did not find " | ||
+ rolesAttributePath | ||
+ " in the token, returning an empty role list"); | ||
} | ||
if (!result.isEmpty()) { | ||
enrichWithRoleCalculator(result); | ||
} | ||
return result; | ||
} |
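Review bot: the `(String) v` cast inside `((List) o).stream().forEach(...)` throws ClassCastException when the roles claim contains a non-string element (a number or a nested object), which fails the whole authentication instead of skipping that entry; iterate over `List<?>` rather than the raw `List` and add only entries for which `v instanceof String` holds. The else branch also logs "Did not find ... in the token" when the claim was present but had an unexpected type; include the actual type of `o` in the message so a misconfigured claim path can be told apart from a genuinely missing claim.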
This piece of code seems equal to the one in the getRolesFromToken method. Maybe extracting the common parts into a separate method would be better.
refactored
|
||
String rolesAttributePath = | ||
((OpenIdConnectFilterConfig) this.filterConfig).getTokenRolesClaim(); | ||
Object o = JsonPath.read(userinfoMap, rolesAttributePath); |
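Review bot: `JsonPath.read(userinfoMap, rolesAttributePath)` throws PathNotFoundException when the path is absent from the userinfo response and InvalidPathException when the administrator-supplied tokenRolesClaim is not a valid JsonPath expression; neither is an IOException, so both escape the superclass handler and fail the login. Catch them here and return an empty role list (the user is still authenticated, just without roles), and validate the configured path once when the filter configuration is saved so a typo surfaces to the administrator rather than to every user at login.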
I would catch this, since if the attribute is not present this will throw an exception, blocking the user from being authenticated (it will not throw an IOException, which is caught in the OAuth2Filter superclass). It should be fine to just reuse the extractFromJSON static method above.
I created another extractFromJSON(), based on Map (instead of a JSON string).
@@ -19,11 +19,14 @@ public class OpenIdConnectFilterConfig extends GeoServerOAuth2FilterConfig { | |||
String tokenRolesClaim; | |||
String responseMode; | |||
boolean sendClientSecret = false; | |||
boolean allowBearerTokens = false; |
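Review bot: `allowBearerTokens = false` is the safer default: with it enabled, every access token issued for this client (for example one obtained by a desktop application) becomes a credential for the REST API, so each filter should opt in deliberately. If the default is flipped to true for compatibility with installations that already relied on bearer authentication, make sure the new TokenValidators run by default as well, since the previous behaviour accepted bearer tokens without validating them, and call the change out in the upgrade notes either way.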
Since bearer authentication was already working, although without validation of the token, maybe this flag could be kept as true by default.
I changed it to true. I was a bit worried leaving bearer tokens as the default.
@taba90 - thanks for the review!
Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
…nect-core/src/main/java/org/geoserver/security/oauth2/MSGraphRolesResolver.java Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
…nect-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationFilter.java Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
…nect-core/src/main/java/org/geoserver/security/oauth2/OpenIdConnectAuthenticationProvider.java Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
force-pushed a78467c to 4a6a5be
FYI - rebased due to test case failure (not to do with this PR)
@taba90 - ready to merge?
looks good to me, merging...
This PR is improving the support for Bearer Tokens. See the updated GS OpenID documentation for setup and usage.
Issue: https://osgeo-org.atlassian.net/browse/GEOS-10646
Summary: attach an Access Token to your HTTP requests - useful for automated (i.e. desktop/remote web) access of the REST API.
There was already some partial support for Bearer tokens. This PR improves it.
a) from the "userinfo" endpoint (recommended for KeyCloak)
b) from the MS Graph API (only for MS Azure AD)
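As an added example, not GeoServer's code and not the code under review in this PR, the two ideas the thread keeps returning to are shown side by side: a chain of TokenValidators that each reject a bearer token's decoded claims on one condition (expiry with clock skew, issuer, audience), and a roles lookup over a configurable claim path that returns an empty list when the claim is missing or has an unexpected type instead of throwing and blocking the login. It assumes the token's claims are already decoded into a Map (as userinfoMap is in the hunk above) and that signature verification has already happened upstream; the issuer URL, client id, claim names and role values are constructed sample data, not taken from any real identity provider.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/** One check over a token's decoded claims; throws if the token must be rejected. */
interface TokenValidator {
    void verify(Map<String, Object> claims) throws TokenValidationException;
}

class TokenValidationException extends Exception {
    TokenValidationException(String message) { super(message); }
}

/** Runs the configured validators in order; the first failure rejects the token. */
class TokenValidatorChain implements TokenValidator {
    private final List<TokenValidator> validators;
    TokenValidatorChain(TokenValidator... validators) { this.validators = Arrays.asList(validators); }
    public void verify(Map<String, Object> claims) throws TokenValidationException {
        for (TokenValidator validator : validators) validator.verify(claims);
    }
}

public class BearerTokenExample {
    /** Rejects tokens whose exp (seconds since epoch) is in the past, allowing some clock skew. */
    static TokenValidator notExpired(long skewSeconds) {
        return claims -> {
            Object exp = claims.get("exp");
            if (!(exp instanceof Number)) throw new TokenValidationException("no numeric exp claim");
            if (Instant.now().getEpochSecond() > ((Number) exp).longValue() + skewSeconds)
                throw new TokenValidationException("token expired at " + exp);
        };
    }

    /** Rejects tokens minted by any issuer other than the one configured for this filter. */
    static TokenValidator issuerIs(String expectedIssuer) {
        return claims -> {
            if (!expectedIssuer.equals(claims.get("iss")))
                throw new TokenValidationException("unexpected issuer " + claims.get("iss"));
        };
    }

    /** Rejects tokens not addressed to this client; aud may be a single string or a list. */
    static TokenValidator audienceContains(String clientId) {
        return claims -> {
            Object aud = claims.get("aud");
            boolean ok = clientId.equals(aud) || (aud instanceof List && ((List<?>) aud).contains(clientId));
            if (!ok) throw new TokenValidationException("audience " + aud + " does not include " + clientId);
        };
    }

    /**
     * Walks a dotted claim path (e.g. "realm_access.roles") and returns the role names found there.
     * A missing claim, a wrong intermediate type or non-string entries produce an empty or shorter
     * list instead of an exception, so a misconfigured path cannot block authentication.
     */
    static List<String> rolesFromClaims(Map<String, Object> claims, String claimPath) {
        Object current = claims;
        for (String part : claimPath.split("\\.")) {
            if (!(current instanceof Map)) return new ArrayList<>();
            current = ((Map<?, ?>) current).get(part);
        }
        List<String> roles = new ArrayList<>();
        if (current instanceof String) {
            roles.add((String) current);
        } else if (current instanceof List) {
            for (Object entry : (List<?>) current) {
                if (entry instanceof String) roles.add((String) entry);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample claims standing in for a decoded access token; not a real token.
        Map<String, Object> claims = Map.of(
                "iss", "https://idp.example.org/realms/geoserver",
                "aud", List.of("geoserver", "account"),
                "exp", Instant.now().getEpochSecond() + 300,
                "realm_access", Map.of("roles", List.of("ROLE_ADMINISTRATOR", "ROLE_EDITOR", 42)));

        TokenValidator chain = new TokenValidatorChain(
                notExpired(60),
                issuerIs("https://idp.example.org/realms/geoserver"),
                audienceContains("geoserver"));
        try {
            chain.verify(claims);
            System.out.println("accepted; roles: " + rolesFromClaims(claims, "realm_access.roles"));
            System.out.println("missing path gives: " + rolesFromClaims(claims, "groups"));
        } catch (TokenValidationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters for a real filter: the signature must be verified before any of these claim checks run, because an unsigned or tampered token can carry any iss, aud or exp it likes. The roles lookup deliberately fails soft (the user is authenticated with fewer or no roles) while the validators fail hard (the request is rejected), which is the split the thread's discussion of JsonPath exceptions and the allowBearerTokens default is really about.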