Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce "service account" or user group concept #523

Closed
soxofaan opened this issue Dec 1, 2023 · 3 comments
Closed

Introduce "service account" or user group concept #523

soxofaan opened this issue Dec 1, 2023 · 3 comments
Labels
feedback required

Comments

@soxofaan
Copy link
Member

soxofaan commented Dec 1, 2023
edited
Loading

This comes out of discussions about "machine-to-machine" auth, like https://github.com/openEOPlatform/architecture-docs/issues/134 . The question/request is still a bit vague to be honest, but I just wanted to plant a seed here.

The openeo API currently has a user concept, and because of how OIDC works (the recommended auth mechanism in openEO) this pretty much corresponds 1-on-1 to a real person that interacts with a computer or other device.

Often in use cases however we see the need for a less strict "user" definition, for example:

  • (as discussed before) automated, "machine-to-machine" workflows
  • multiple persons acting "interchangeably" in a group on the same project

As noted before, this might be primarily an authentication problem that has to be solved on the level of OIDC.
Still, I'm wondering if there are some places in the openEO API where we might want to eliminate or avoid implicit "user==real person" assumptions.
@m-mohr
Copy link
Member

m-mohr commented Jun 19, 2024

Can you point me to where the openEO API assume a real person? I don't see specific action items to work on right now.

@soxofaan
Copy link
Member Author

soxofaan commented Jul 1, 2024

This is not per se about real vs non-real persons, but more about the disconnect between "normal" users and client credential based service accounts in OIDC. For example, user Alice also uses a service account through client credentials auth for machine-to-machine workflows. There is no standardized way to express the connection between Alice and that service account, so Alice has to log in separately with the service account, e.g. to list batch jobs and inspect their status/results. And on the web editor there is even no way to authenticate with client credentials.

But regardless, I don't see quick wins or concrete action items at the moment. Instead of more advanced user management at API level, we're seem to be growing to a consensus of sharing through signed URLs and STAC,
So I'm fine to close this one due to lack of concrete problem and plan

@soxofaan soxofaan closed this as not planned Won't fix, can't repro, duplicate, stale Jul 1, 2024
@m-mohr
Copy link
Member

m-mohr commented Jul 1, 2024

I believe this issue is actually not something we would need to solve on the openEO API level. Isn't this something to solve in the implementation? Connecting client credentials with users and sharing resources between these "accounts"...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feedback required
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@soxofaan @m-mohr