JWT Headers

The JWT Headers module provides header-based authentication for GeoServer. It offers considerably more functionality than the HTTP Header Authentication Module (see Configuring HTTP Header Proxy Authentication).

This module can read the username and roles from JSON-based headers as well as from JWT-based headers. It can also validate JWT-based Access Tokens (for example, tokens issued via OAuth2/OpenID Connect).

If you are using a reverse proxy such as Apache’s mod_auth_openidc, this module allows you to:

  1. Get the username from an Apache-provided OIDC_* header (either as a simple string or as a component of a JSON object).

  2. Get the user’s roles from an Apache-provided OIDC_* header (as a component of a JSON object).

  3. Alternatively, take the user’s roles from any of the standard GeoServer role sources (i.e. User Group Service, Role Service, or Request Header).

If you are using OAuth2/OIDC Access Tokens:

  1. Get the username from the attached JWT Access Token (via a JSON path into the token’s claims).

  2. Get the user’s roles from the JWT Access Token (via a path into the Token’s JSON Claims).

  3. Validate the Access Token:

    • Verify its signature

    • Check that it has not expired

    • Check it against a token verifier URL (the provider’s “userinfo_endpoint”) and confirm that the subject returned matches the token’s subject

    • Check individual claims of the Access Token (such as aud, the audience)

  4. Alternatively, take the user’s roles from any of the standard GeoServer role sources (i.e. User Group Service, Role Service, or Request Header).

  5. You can also extract roles from the JWT Access Token (via a JSON path).
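The two flows above (username and roles from proxy-supplied OIDC_* headers, and username and roles from a validated JWT Access Token) both come down to the same operations: parse a header or token, walk a JSON path into it, and, for tokens, run the signature, expiry, audience and userinfo-subject checks before trusting any claim. The following Python is an added example written for this page; it is not GeoServer’s code, and the secret, claims, header names and the `fake_userinfo` stand-in for the userinfo_endpoint call are all constructed for illustration. It uses an HS256 shared secret so it runs offline; a real deployment would verify against the provider’s public keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# All keys, claims and header values below are constructed for this example.
SECRET = b"demo-shared-secret-not-for-production"
AUDIENCE = "geoserver"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_path(obj, path: str):
    """Follow a dotted path (e.g. 'resource_access.geoserver.roles') into parsed JSON.
    Returns None when any segment is missing instead of raising."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; only used here to build sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_access_token(token, secret, audience, now=None, userinfo_lookup=None):
    """Return (claims, None) when every check passes, else (None, reason).
    Checks: pinned algorithm, signature, expiry, audience, and optionally that the
    subject reported by the userinfo endpoint matches the token's sub claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None, "malformed token"
    # Never let the token's own header choose the algorithm (rejects alg=none).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired or missing exp"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        return None, "audience mismatch"
    if userinfo_lookup is not None:
        info = userinfo_lookup(token)  # would be an HTTPS GET to userinfo_endpoint
        if not info or info.get("sub") != claims.get("sub"):
            return None, "subject mismatch with userinfo endpoint"
    return claims, None


def roles_from_json(doc, path: str) -> list:
    """Roles at a JSON path; accepts a list or a single string, returns a list."""
    roles = json_path(doc, path)
    if roles is None:
        return []
    return [roles] if isinstance(roles, str) else list(roles)


def username_from_header(headers: dict, name: str, path: str = None):
    """Username from a plain-string header, or from a JSON path inside a JSON header."""
    value = headers.get(name)
    if value is None:
        return None
    if path is None:
        return value
    try:
        return json_path(json.loads(value), path)
    except ValueError:
        return None


def roles_from_header(headers: dict, name: str, path: str) -> list:
    """Roles from a JSON path inside a proxy-supplied JSON header."""
    try:
        return roles_from_json(json.loads(headers.get(name, "")), path)
    except ValueError:
        return []


# Constructed sample inputs (header names are illustrative, not a proxy's exact output)
SAMPLE_CLAIMS = {
    "sub": "alice-sub", "preferred_username": "alice", "aud": ["geoserver", "other-api"],
    "exp": NOW + 300, "resource_access": {"geoserver": {"roles": ["ROLE_EDITOR"]}},
}
SAMPLE_HEADERS = {
    "OIDC_CLAIM_preferred_username": "alice",
    "OIDC_userinfo_json": json.dumps({"sub": "alice-sub", "groups": ["ROLE_EDITOR", "ROLE_VIEWER"]}),
}


def fake_userinfo(token):
    """Stand-in for the HTTP call to the provider's userinfo_endpoint."""
    return {"sub": "alice-sub"}


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SECRET)
    claims, err = validate_access_token(token, SECRET, AUDIENCE, now=NOW, userinfo_lookup=fake_userinfo)
    print(err or (json_path(claims, "preferred_username"), roles_from_json(claims, "resource_access.geoserver.roles")))
    print(username_from_header(SAMPLE_HEADERS, "OIDC_CLAIM_preferred_username"),
          roles_from_header(SAMPLE_HEADERS, "OIDC_userinfo_json", "groups"))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-supplied `alg: none` header or an edited payload is rejected before its contents can influence username or role resolution. The userinfo check is the one step that needs the provider online, which is why it is injected as a function here.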