
Support Auth extension

Open MattFerraro opened this issue 4 years ago • 8 comments

I have a dynamic STAC catalog that requires me to specify my auth token as a header, like:

curl https://api.me.com/my-catalog.json -H 'accept: application/json' -H 'authorization: Bearer my.jwt.token'

The JWT is required because the catalog is dynamic and it shows different data to different users, depending on what you are authorized to view.

Now, to get a token in the first place I have to do something like:

curl --header "Content-Type: application/json" --request POST --data '{"email":"[email protected]","password":"my-password"}' https://api.me.com/auth/public/authenticate

Which returns back something like:

{
  "token": "my.jwt.token"
}

So I think what I'd want is something like a local .stac-browserrc file where I can put my username, password, the fact that I want to use token based auth, the URL to hit to get a token, and then have the server just recognize this on startup, adding the required token header to every request on my behalf.

The token has a limited lifetime, so I would prefer if the server could be configured with a timeout to re-fetch a new token, but that's just a nice-to-have. I can restart the server over manually when running locally.

MattFerraro avatar Jul 15 '21 22:07 MattFerraro

Auth in general is a huge topic. I could imagine use cases for supporting basic auth as well, and probably others.

MattFerraro avatar Jul 15 '21 22:07 MattFerraro

As there are a lot of different authentication flows, I don't think this will be supported anytime soon, but I'm happy to accept and review PRs. Also, there are some security concerns. We need to ensure people don't deploy public catalogs with such credentials in them - the credentials are public then. There are request interceptors in STAC Browser 3 though so that could be a chance for some custom code that you could implement to support some of the individual authentication flows. So my recommendation would be to wait for a beta of STAC Browser 3 and start on top of that.

m-mohr avatar Jul 16 '21 08:07 m-mohr
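
The token flow from the original post combined with the request-interceptor idea from the reply above, as an added JavaScript example that is not part of the thread or of STAC Browser's code. It assumes an axios-style request config object (`url`, `headers`); `API_ORIGIN`, `login` and all function names are hypothetical.

```javascript
// Added example. API_ORIGIN, login and the function names are hypothetical.
const API_ORIGIN = "https://api.me.com"; // host taken from the curl examples

// Read the `exp` claim (seconds since epoch) from a JWT without verifying it.
// Used only to schedule a refresh; the server remains the one validating it.
function jwtExpiry(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const json = atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "="));
    const exp = JSON.parse(json).exp;
    return typeof exp === "number" ? exp : null;
  } catch {
    return null;
  }
}

// Unparseable tokens count as expired so they are re-fetched, not reused.
function needsRefresh(token, nowSec, skewSec = 60) {
  const exp = jwtExpiry(token);
  return exp === null || nowSec >= exp - skewSec;
}

// Request interceptor body: add the bearer token only for the API's own origin,
// so links to assets on other hosts never receive the JWT. Relative or
// malformed URLs are passed through without a token.
function attachToken(config, token) {
  let origin;
  try { origin = new URL(config.url).origin; } catch { return config; }
  if (origin !== API_ORIGIN) return config;
  return { ...config, headers: { ...config.headers, Authorization: `Bearer ${token}` } };
}

// `login` resolves to a token string. It should obtain credentials at runtime
// (for example from a prompt), not from a file deployed with the catalog.
function createTokenSource(login, nowSec = () => Math.floor(Date.now() / 1000)) {
  let token = null;
  let pending = null;
  return async function getToken() {
    if (token && !needsRefresh(token, nowSec())) return token;
    // Share one in-flight login between concurrent requests.
    pending ??= login()
      .then((t) => (token = t))
      .finally(() => { pending = null; });
    return pending;
  };
}
```
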

It would be interesting to know what authentication methods providers implement so that we can make informed decisions on which authentication methods to support.

The most commonly used I've seen is just a token in a query parameter, which is supported since today.

May help for OAuth: https://github.com/dgrubelic/vue-authenticate

m-mohr avatar Feb 26 '22 11:02 m-mohr

There's now a configurable UI that can handle token/API key based authentication for query parameters and headers. See issue https://github.com/radiantearth/stac-browser/issues/210#issuecomment-1210871360 and the authConfig documentation for details: https://github.com/radiantearth/stac-browser/blob/main/docs/options.md#authconfig

m-mohr avatar Aug 10 '22 15:08 m-mohr

For future reference, the link above is now https://github.com/radiantearth/stac-browser/tree/dev2#authconfig

simonff avatar Jul 15 '23 17:07 simonff

@simonff That's a temporary and outdated branch, the actual URL is https://github.com/radiantearth/stac-browser/blob/main/docs/options.md#authconfig

m-mohr avatar Jul 15 '23 20:07 m-mohr

There's now also the Authentication extension, which is not supported in STAC Browser yet: https://github.com/stac-extensions/authentication

m-mohr avatar Mar 04 '24 20:03 m-mohr