Implement Authentication via OAuth/OIDC #82

Closed
m-mohr opened this issue Jan 18, 2024 · 3 comments · Fixed by #84

@m-mohr
Member

m-mohr commented Jan 18, 2024

Users should be able to connect with their own accounts, not with our service account.

@m-mohr m-mohr added enhancement New feature or request auth labels Jan 18, 2024
@m-mohr m-mohr added this to the v1.0 / OSPD milestone Jan 18, 2024
@m-mohr m-mohr self-assigned this Jan 18, 2024
@edzer
Member

edzer commented Jan 19, 2024

> Users should be able to connect with their own accounts, not with out service account.

Did you mean "with our service account", or "without service account"?

@m-mohr
Member Author

m-mohr commented Jan 19, 2024

Oh, "with our". Working on it right now :-)

@m-mohr m-mohr linked a pull request Jan 19, 2024 that will close this issue
@m-mohr
Member Author

m-mohr commented Jan 19, 2024

A basic implementation is available in the repository. It generally works, but has some drawbacks:

  1. A refresh_token is not available to the openEO proxy -> The access_token may expire for longer running requests, but that may only lead to issues with the job status, I guess. => Request a refresh token from Google #87
  2. The only flow that is supported by Google and doesn't require a client secret seems to be implicit. That means only the Web Editor can connect easily; all other clients will need a client secret that users obtain from the Google API Console.
  3. Each request to the openEO proxy issues a new request to the ID token endpoint. That's pretty excessive, I guess I should cache that and only request the ID token again once the access token changes. For now, I'll live with it as it's not a service that is used by a couple of people.

Keeping these points open for now as they are lower priority for me for now. I might be able to weaken the effects for (1) and (3) through additional code and (2) needs to wait for improvements on Google's side, which I heard are at least planned.

@m-mohr m-mohr removed the prio: high label Jan 19, 2024
@m-mohr m-mohr removed their assignment Jan 19, 2024
@m-mohr m-mohr closed this as completed May 26, 2024
@m-mohr m-mohr self-assigned this May 26, 2024
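
The caching idea from drawback (3) in the last comment, requesting the ID token again only when the access token changes, could look like the following. This is an added example, not code from the project; `IdTokenCache`, `fetchIdToken` and the `{ idToken, expiresAt }` result shape are hypothetical names.

```javascript
// Added example, not the project's code. fetchIdToken is a hypothetical async
// callback standing in for the proxy's request to the ID token endpoint; it is
// assumed to resolve to { idToken, expiresAt } with expiresAt in epoch ms.
const { createHash } = require('node:crypto');

class IdTokenCache {
  constructor(fetchIdToken, { maxTtlMs = 5 * 60 * 1000, now = Date.now } = {}) {
    this.fetchIdToken = fetchIdToken;
    this.maxTtlMs = maxTtlMs;
    this.now = now;
    this.entries = new Map(); // sha256(access token) -> { promise, expiresAt }
  }

  // Key on a digest so raw bearer tokens are not kept as cache keys.
  static key(accessToken) {
    return createHash('sha256').update(accessToken).digest('hex');
  }

  resolve(accessToken) {
    const key = IdTokenCache.key(accessToken);
    const hit = this.entries.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.promise;

    // Store the promise immediately so concurrent requests share one lookup.
    const entry = { promise: null, expiresAt: this.now() + this.maxTtlMs };
    entry.promise = this.fetchIdToken(accessToken).then(
      (result) => {
        // Never serve a cached result past the token's own expiry.
        entry.expiresAt = Math.min(result.expiresAt, this.now() + this.maxTtlMs);
        return result;
      },
      (err) => {
        // Failures are not cached: a rejected token is rechecked next time.
        if (this.entries.get(key) === entry) this.entries.delete(key);
        throw err;
      }
    );
    this.entries.set(key, entry);
    return entry.promise;
  }

  // Drop expired entries; call periodically to bound memory use.
  prune() {
    for (const [key, e] of this.entries) if (e.expiresAt <= this.now()) this.entries.delete(key);
    return this.entries.size;
  }
}
```

`maxTtlMs` is also the upper bound on how long a token revoked at the provider keeps being accepted from the cache, so it should stay short.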