GEOS-11272: spring-security-oauth replacement, with spring-security 5.8 #7968

Open
wants to merge 2 commits into
base: main

awaterme (Contributor) commented Oct 21, 2024

Hi community,

this is a pull request for https://osgeo-org.atlassian.net/browse/GEOS-11272.

This is currently work in progress and not ready to be merged.
PR is intended for sharing the current state of the implementation.

Checklist

For core and extension modules:

  • New unit tests have been added covering the changes.
  • Documentation has been updated (if change is visible to end users).
  • The REST API docs have been updated (when changing configuration objects or the REST controllers).
  • There is an issue in the GeoServer Jira (except for changes that do not affect administrators or end users in any way).
  • Commit message(s) must be in the form [GEOS-XYZWV] Title of the Jira ticket.
  • Bug fixes and small new features are presented as a single commit.
  • Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

Current status

  • compiling and running
  • Working with Auth Providers Google, GitHub, Microsoft and one custom OIDC provider
  • compared to the previous impl it is not yet feature complete
  • also contains code for "Resource Server" use case, which turned out to be covered by other community module (~ gs-sec-jwt). might be removed here.

Installation

  • contains assembly project, put jars into WEB-INF/lib

Configuration

  • Requires setup with Auth Provider (Google, GitHub, Microsoft, custom OIDC provider), as usual and as before
  • use configuration in Filter UI in GeoServer Web UI

Open Tasks (incomplete list)

  • codebase is WIP and needs refactoring, especially in the configuration Web-UI
  • complete configuration UI and support or remove remaining config options from previous impl
  • review automatic redirect to auth provider if not authenticated
  • support environment configuration?
  • support token verification?
  • OAuth logout
  • cleanup i18n resources
  • unit tests
  • integration tests
  • Simplify newly introduced RoleResolver in gs-main
  • compare with prior code base to find open issues/tasks
  • have to look at resolved issues for prior implementation and check if current might be affected
  • check keycloak extension
  • check geonode integration
  • offer new overview class diagrams for publication (draw.io)

aaime (Member) commented Nov 22, 2024

Hi, I've tried to take this one for a spin. Some feedback.

The GUI is organized now in panels that can be enabled and disabled... this can be confusing, one would not enable more than one.

I'd suggest to have a drop-down selection at the top, which allows to choose the one configuration desired. And then the associated panel would appear.

Working on the custom connection, I've noticed that the discovery does not seem to work... actually it works code-wise, but it does not appear inside the browser. I could not figure out why though.
I've manually filled the entries, and saved without issues... but then when trying to put the filter in a chain, it failed... turns out the configuration is not validated when pressing save, but when trying to use it: it should be done when hitting save on the configuration panel instead, so that one can act directly, and not just get a stack trace in the UI.

Also, the misconfiguration in my case turned out to be the scopes, which are supposed to be comma separated... but the OIDC world separates scopes by spaces, why change that? The old UI also had them space-separated.

Finally, I've managed to configure the filter in the web chain, and pressing on the OIDC button, I'm redirected to "http://localhost:8080/geoserver/oauth2/authorization/oidc?"... but this path has no handler, so nothing happens.
Maybe this part has not been fleshed out yet?
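
Added example (not part of the pull request or of either comment): one way to run the checks raised in the review when the configuration is saved, so that a comma-joined scope list or a missing endpoint is reported on the configuration page instead of surfacing later as a stack trace. The class, method and parameter names are hypothetical and are not GeoServer or Spring Security API; the scope grammar is the one in RFC 6749 section 3.3, and the `openid` requirement comes from OpenID Connect Core.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

/** Hypothetical save-time check; names are illustrative, not GeoServer API. */
public class OidcConfigCheck {
    /** Splits on spaces (RFC 6749 section 3.3); a token is printable ASCII except double quote and backslash. */
    static Set<String> parseScopes(String raw, List<String> errors) {
        Set<String> scopes = new LinkedHashSet<>();
        for (String token : (raw == null ? "" : raw.trim()).split(" +")) {
            if (token.isEmpty()) continue;
            if (!token.matches("[\\x21\\x23-\\x5B\\x5D-\\x7E]+")) {
                errors.add("scope: illegal characters in '" + token + "'");
            } else if (token.indexOf(',') >= 0) {
                // A comma is legal inside a token, so "openid,email" would be sent as ONE scope.
                errors.add("scope: '" + token + "' contains a comma; separate scopes with spaces");
            } else {
                scopes.add(token);
            }
        }
        return scopes;
    }

    /** Returns every problem found, so the configuration page can list them when Save is pressed. */
    static List<String> validate(String scopeText, String authorizationUri, String tokenUri) {
        List<String> errors = new ArrayList<>();
        Set<String> scopes = parseScopes(scopeText, errors);
        if (errors.isEmpty() && !scopes.contains("openid")) {
            errors.add("scope: OIDC requests must include 'openid'");
        }
        for (String[] e : new String[][] {{"authorizationUri", authorizationUri}, {"tokenUri", tokenUri}}) {
            try {
                URI uri = new URI(e[1] == null ? "" : e[1].trim());
                if (uri.getScheme() == null || uri.getHost() == null) {
                    errors.add(e[0] + ": must be an absolute URL");
                }
            } catch (URISyntaxException ex) {
                errors.add(e[0] + ": " + ex.getMessage());
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the pull request.
        System.out.println(validate("openid,profile,email", "https://idp.example/authorize", ""));
        System.out.println(validate("openid profile email", "https://idp.example/authorize", "https://idp.example/token"));
    }
}
```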
