qgis-stac-plugin
Support authentication of STAC Catalogs
The QGIS application provides an authentication framework for different data providers. We need to integrate the plugin so that it works with all types of authentication that are supported by the QGIS authentication system. The UI for this is already in place and it was intended to work from the last released plugin version.
See https://github.com/stac-utils/qgis-stac-plugin/issues/124 and https://github.com/stac-utils/qgis-stac-plugin/issues/206
I'm having an auth error using the default Microsoft service when trying to download an asset (adding the asset also causes an error, but I'm unsure if they have the same root cause). Is it due to lack of auth for this service or for another reason?
Error in downloading file, Download failed: Error transferring https://sentinel2l2a01.blob.core.windows.net/sentinel2-l2/20/T/LT/2022/08/16/S2A_MSIL2A_20220816T151701_N0400_R025_T20TLT_20220817T074117.SAFE/GRANULE/L2A_T20TLT_A037345_20220816T151703/IMG_DATA/R10m/T20TLT_20220816T151701_B08_10m.tif?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D - server replied: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
Used in QGIS 3.27 on Windows 10.
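The URL in the error message above carries its `?st=...&sig=...` query string twice. As an added example (not plugin code and not part of the original post), this check flags that shape, a missing signature and an expired `se` value before a download is attempted, and strips the query string for logging; the sample URLs are constructed, and `check_signed_url` and `redact` are hypothetical names.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed sample shaped like the URL in the error message; the account,
# path and signature are placeholders, not real values.
_SAS = ("st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z"
        "&sp=rl&sv=2021-06-08&sr=c&sig=PLACEHOLDER%3D")
GOOD_URL = "https://example.blob.core.windows.net/container/B08_10m.tif?" + _SAS
DOUBLED_URL = GOOD_URL + "?" + _SAS  # query string appended a second time


def check_signed_url(url, now):
    """Return the problems found in a SAS-style signed URL (empty list if none)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https")
    if "?" in parts.query:
        problems.append("second '?' inside the query string")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    repeated = sorted({k for k in keys if keys.count(k) > 1})
    if repeated:
        problems.append("repeated parameters: " + ",".join(repeated))
    params = dict(pairs)
    if "sig" not in params:
        problems.append("no sig parameter")
    expiry = params.get("se")
    if expiry is not None:
        try:
            end = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
            if end.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired at " + expiry)
        except ValueError:
            problems.append("unparseable se value")
    return problems


def redact(url):
    """Drop the query string so the signature never reaches logs or dialogs."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base + "?<redacted>" if parts.query else base


if __name__ == "__main__":
    now = datetime(2022, 8, 17, 12, 0, tzinfo=timezone.utc)
    for u in (GOOD_URL, DOUBLED_URL):
        print(redact(u), check_signed_url(u, now))
```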
@roya0045 no, this is not related to the lack of authentication support. Can you share the steps and the name of the item you wanted to download? Thanks
I did some testing with 2 installs, one was with the official 3.24.2 version of QGIS and the other was with 3.27.0 build of master with some of my additions as the mingw64 artefact.
For both I did the following:
- Load a basemap to view the extent and set the project in web mercator
- Zoom to Menorca (as it's easily identifiable)
- Open the plugin from the web menu
- Use the default Microsoft and Sentinel 2 level 2 dataset
- Set the date to cover August 2022
- Use the map extent to set boundaries
- Search
- In the result, select view assets (in this case either of the two starting with S2B_MSIL2A_20220820T103629_R008_)
- Select a band to display
- Select the same band to download
The results:
- QGIS 3.24.2
  - Got an error downloading the image
  - The image displayed fine when adding it to the canvas, but adding any new images meant that no image displayed anymore (the latter may not be related to the plugin)
- QGIS mingw64 3.27.0 (homebrew)
  - Got an error downloading the image
  - Got an error adding it to the canvas.
As a sidenote, the command to view the download folder throws an error. Using subprocess.check_call with explorer always seems to return 1, even if the file explorer is opened properly. This throws an error in QGIS. Might be worth silencing the error or just using subprocess.call directly and taking the 1.
hi @Samweli ,
Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?
It looks like QGIS auths are restricted to specific remote resources (below is from the QGIS doc... but not sure if it's up-to-date)

If not, we should still be able to use the framework to get token and put the authorization bearer somewhere GDAL can find it ...
Hi, @Samweli! Do we need to pass the authentication parameters here? https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100
update for clarity
I believe we need to pass the authentication credentials into pystac_client.Client.open. I have a STAC where I can use the headers arg in pystac_client.Client.open to authenticate my connection
e.g.
pystac_client.Client.open(
    <CATALOG_URL>,
    headers={"x-functions-key": <TOKEN>}
)
From what I can tell, the plugin is not passing any credentials to pystac_client.
@hrodmn I believe that's the STAC endpoint.
You have to pass the parameters from here:

Unfortunately for now I am still not able to use OAuth2
I opened a fork and made a change that enables API header authentication via the QGIS authentication manager: https://github.com/stac-utils/qgis-stac-plugin/commit/fd446f68bba400fddd04390e0bd60fc5ab201dab
Right now it would only work for an API Header type of authentication so it's not a complete solution.
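As an added example (not the plugin's code and not the linked commit), this sketches how an auth configuration could be turned into the `headers` argument of `pystac_client.Client.open` mentioned above, refusing non-HTTPS catalogs and failing loudly for methods it cannot map. The function names, the method keys and the config-map layout are assumptions, and the sample values are constructed.

```python
import base64
from urllib.parse import urlsplit

# Assumptions, not taken from the page: the method keys "APIHeader" and "Basic",
# an APIHeader config map of {header name: value}, and "username"/"password"
# keys for Basic. In QGIS the method key and map would come from a
# QgsAuthMethodConfig loaded through QgsApplication.authManager().


def headers_for_catalog(catalog_url, method, config_map):
    """Turn an auth config into HTTP headers for pystac_client.Client.open."""
    scheme = urlsplit(catalog_url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over {scheme or 'no scheme'}")
    if method == "APIHeader":
        headers = {str(k): str(v) for k, v in config_map.items() if k and v}
        if not headers:
            raise ValueError("API header config is empty")
        for name, value in headers.items():
            if "\r" in name + value or "\n" in name + value:
                raise ValueError("line break in header " + repr(name))
        return headers
    if method == "Basic":
        raw = f"{config_map['username']}:{config_map['password']}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    # OAuth2 and the other methods need a token exchange; fail loudly instead
    # of silently opening the catalog unauthenticated.
    raise NotImplementedError(f"auth method {method!r} is not mapped to headers")


def masked(headers):
    """Header names with values hidden, safe to write to the plugin log."""
    return {name: "***" for name in headers}


if __name__ == "__main__":
    # Constructed values; the header name is the one used in the comment above.
    h = headers_for_catalog("https://stac.example.test/api", "APIHeader",
                            {"x-functions-key": "constructed-token"})
    print(masked(h))
    # With pystac_client installed: pystac_client.Client.open(url, headers=h)
```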
Okay, thanks for clarifications!
Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?
Hi @remicres, it currently doesn't support the handler; there is no entry for it in the list of the supported auth methods.
Hi, @Samweli! Do we need to pass the authentication parameters here? https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100
Hi @hrodmn, as you mentioned at the moment the plugin doesn't support passing authentication parameters to the pystac_client library, the intention is to use the QGIS authentication system to achieve authentication in the plugin.
Hi @remicres, it currently doesn't support the handler; there is no entry for it in the list of the supported auth methods.
Hi @Samweli thanks for the info.
I guess accessing secured asset files is another thing. I am starting to think that this could be done nicely with a secured (i.e. with auth. required) dynamic STAC endpoint returning signed asset URIs.