[GEOS-11330] OAuth2 kid verification should be optional #7470
Conversation
if (jwkUri != null) this.store = new JwkTokenStore(jwkUri); | ||
if (jwkUri != null) { | ||
this.store = new JwkTokenStore(jwkUri); | ||
} |
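Review bot: This hunk only wraps the single-statement `if` in braces; nothing about kid handling changes on these lines, so the "this is actually the fix" reply does not apply here. Either label it a style-only change or leave it out of the fix commit so the behavioural change can be reviewed on its own.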
Unnecessary change?
This is actually the fix: the KID verification is optional.
@@ -78,7 +78,7 @@ public static void beforeClass() throws Exception { | |||
.withStatus(200) | |||
.withHeader( | |||
"Content-Type", MediaType.APPLICATION_JSON_VALUE) | |||
.withBodyFile("jkws.json"))); | |||
.withBodyFile("jwks.json"))); |
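Review bot: The stub's body file changes from `jkws.json` to `jwks.json`; the resource file under the test's `__files` directory has to be renamed in the same commit, otherwise the `.withBodyFile(...)` stub cannot serve the expected key set and the test would exercise the no-matching-kid path instead of the one it is meant to cover. A test that asserts the key set was actually loaded would catch that.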
Corrects the name here but the test resource modified is still named jkws.json? Is it used?
The resource has been renamed as well, and a test case has been added.
try { | ||
store.readAuthentication(idToken); | ||
} catch (InvalidTokenException e) { | ||
LOGGER.warning("Failed to validate ID token: " + e.getMessage()); | ||
} |
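Review bot: The catch swallows every `InvalidTokenException`, not just the missing-kid case, so an expired token, a bad signature or a wrong issuer is also downgraded to a warning and processing continues. Narrow the handling to the kid-lookup failure, or gate the whole catch behind the admin "enforce validation" option and reject the token otherwise. The return value of `store.readAuthentication(idToken)` is also discarded, so nothing downstream can tell whether validation succeeded; and a token that failed validation but was still accepted is exactly the event a SOC wants logged at a level that gets noticed, not buried as a warning.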
What if the validation failed for something other than the kid verification? This seems to be ignoring all other sorts of validity issues?
This is actually the fix: the KID verification is optional.
Is KID verification the only possible reason to get an InvalidTokenException? Or will we ignore also verification failures that should be considered?
Most likely this is the reason; other reasons might be related to the impossibility to decrypt due to the cipher algorithm. In any case the verification is optional for the protocol.
In order to intercept the specific one, what we can do is to inspect the exception message probably, even if, generally speaking, that shouldn't be a blocking error at all.
What about having an option on the GUI in order to enforce the validation or not instead?
I agree that sounds like a safer approach (let the admin decide whether to verify or not)
Done
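The thread above turns on whether catching every InvalidTokenException is safe and ends with validation being made an admin-controlled option. The following is an added, stand-alone Java example, not GeoServer code and not the Spring Security API, that puts the blanket catch from the hunk beside a handler gated by an enforceTokenValidation flag which tolerates only the missing-kid failure. IdTokenGate, TokenStore, InvalidTokenException and its Reason enum are all hypothetical; in particular the real exception carries only a message, so a structured reason (or a message check, as suggested in the thread) has to be supplied by whoever adapts this.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical gate around an ID-token store, written for this example only.
final class IdTokenGate {
    private static final Logger LOGGER = Logger.getLogger(IdTokenGate.class.getName());

    // The only failure an admin may choose to tolerate: the JWKS document has no key
    // matching the token's kid header. Every other failure stays fatal.
    private static final Set<InvalidTokenException.Reason> OPTIONAL_CHECKS =
            EnumSet.of(InvalidTokenException.Reason.NO_MATCHING_KID);

    private final TokenStore store;
    private final boolean enforceTokenValidation; // the admin-facing panel option

    IdTokenGate(TokenStore store, boolean enforceTokenValidation) {
        this.store = store;
        this.enforceTokenValidation = enforceTokenValidation;
    }

    /** Same shape as the catch in the PR hunk: every failure is logged and the token is still used. */
    boolean acceptsLenient(String idToken) {
        try {
            store.readAuthentication(idToken);
        } catch (InvalidTokenException e) {
            LOGGER.warning("Failed to validate ID token: " + e.getMessage());
        }
        return true;
    }

    /** Hardened form: only an optional check may fail, and only when enforcement is switched off. */
    boolean accepts(String idToken) {
        try {
            store.readAuthentication(idToken);
            return true;
        } catch (InvalidTokenException e) {
            if (!enforceTokenValidation && OPTIONAL_CHECKS.contains(e.reason)) {
                LOGGER.warning("ID token accepted with kid verification skipped (enforcement off): "
                        + e.getMessage());
                return true;
            }
            LOGGER.severe("Rejected ID token [" + e.reason + "]: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample tokens: opaque strings mapped to the failure a real validator would raise.
        Map<String, InvalidTokenException.Reason> failures = Map.of(
                "token-unknown-kid", InvalidTokenException.Reason.NO_MATCHING_KID,
                "token-expired", InvalidTokenException.Reason.EXPIRED,
                "token-bad-signature", InvalidTokenException.Reason.BAD_SIGNATURE);
        TokenStore fakeStore = idToken -> {
            InvalidTokenException.Reason reason = failures.get(idToken);
            if (reason != null) {
                throw new InvalidTokenException(reason, "validation failed for " + idToken);
            }
            return "subject-of-" + idToken;
        };

        IdTokenGate lenient = new IdTokenGate(fakeStore, false);
        IdTokenGate relaxed = new IdTokenGate(fakeStore, false);
        IdTokenGate strict = new IdTokenGate(fakeStore, true);

        String[] tokens = {"token-ok", "token-unknown-kid", "token-expired", "token-bad-signature"};
        System.out.println("token                 lenient  relaxed  strict");
        for (String t : tokens) {
            System.out.printf("%-21s %-8b %-8b %b%n",
                    t, lenient.acceptsLenient(t), relaxed.accepts(t), strict.accepts(t));
        }
    }
}

// Hypothetical stand-in for the store used in the PR; it validates the token and
// returns the subject, or throws with a structured reason.
interface TokenStore {
    String readAuthentication(String idToken) throws InvalidTokenException;
}

// Hypothetical exception. The real one is message-only; the Reason enum is an assumption
// so the handler can decide without parsing message text.
final class InvalidTokenException extends Exception {
    enum Reason { NO_MATCHING_KID, BAD_SIGNATURE, EXPIRED, WRONG_ISSUER, UNSUPPORTED_ALGORITHM }

    final Reason reason;

    InvalidTokenException(Reason reason, String message) {
        super(message);
        this.reason = reason;
    }
}
```

Run it with `java IdTokenGate.java` (Java 11 or newer). The printed table shows the lenient handler accepting all four tokens, while the gated handler accepts the unknown-kid token only when enforcement is off and rejects the expired and bad-signature tokens regardless of the flag; the log lines on stderr are the events a detection rule would key on.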
…make this available by the Admin
...-web/src/test/java/org/geoserver/web/security/oauth2/OpenIdConnectAuthProviderPanelTest.java
Thanks!
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.24.x 2.24.x
# Navigate to the new working tree
cd .worktrees/backport-2.24.x
# Create a new branch
git switch --create backport-7470-to-2.24.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick ecb4184a5065be3bec7be8cbc043f3f5f37b7b4f,d985ca9ba08c43780ad270faee4584b42085d279,4d89ccee81959cbc375b5578d3758de2ab13e28a,91ded7c5685e2154a53b25e5b7bdc1c0871107d4
# Push it to GitHub
git push --set-upstream origin backport-7470-to-2.24.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.24.x
Then, create a pull request where the
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.25.x 2.25.x
# Navigate to the new working tree
cd .worktrees/backport-2.25.x
# Create a new branch
git switch --create backport-7470-to-2.25.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick ecb4184a5065be3bec7be8cbc043f3f5f37b7b4f,d985ca9ba08c43780ad270faee4584b42085d279,4d89ccee81959cbc375b5578d3758de2ab13e28a,91ded7c5685e2154a53b25e5b7bdc1c0871107d4
# Push it to GitHub
git push --set-upstream origin backport-7470-to-2.25.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.25.x
Then, create a pull request where the
* [GEOS-11330] kid verification should be optional
* - Introducing the Enforce Token Validation panel option in order to make this available by the Admin
* - Fixing OpenIdConnectAuthProviderPanelTest
References: https://osgeo-org.atlassian.net/browse/GEOS-11330