From e32e4d3522888919058fb0a7a4ae6dec4c574723 Mon Sep 17 00:00:00 2001
From: Felix Delattre <felix@developmentseed.org>
Date: Thu, 4 Dec 2025 15:42:26 +0100
Subject: [PATCH] Added auth for stac browser.

---
 CHANGELOG.md                                      |  1 +
 .../templates/services/browser/deployment.yaml    | 15 +++++++++++++--
 charts/eoapi/values.yaml                          |  1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 020be593..fbcf9c2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Added documentation for cloud-native bucket access [#364](https://github.com/developmentseed/eoapi-k8s/pull/364)
 - Removed unused testing variable and unused deploy script [#369](https://github.com/developmentseed/eoapi-k8s/pull/369)
+- Added auth support to STAC Browser [#376](https://github.com/developmentseed/eoapi-k8s/pull/376)
 
 ### Added
 
diff --git a/charts/eoapi/templates/services/browser/deployment.yaml b/charts/eoapi/templates/services/browser/deployment.yaml
index 08e143a3..a4973795 100644
--- a/charts/eoapi/templates/services/browser/deployment.yaml
+++ b/charts/eoapi/templates/services/browser/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
     app: {{ .Release.Name }}-browser
     gitsha: {{ .Values.gitSha }}
 spec:
-  replicas: {{.Values.browser.replicaCount}}
+  replicas: {{ .Values.browser.replicaCount }}
   selector:
     matchLabels:
       app: {{ .Release.Name }}-browser
@@ -23,5 +23,16 @@ spec:
           - containerPort: 8080
           env:
             - name: SB_catalogUrl
-              value: "{{ .Values.stac.ingress.path }}"
+              value: "http://{{ .Values.ingress.host }}{{ .Values.stac.ingress.path }}"
+            {{- if index .Values "stac-auth-proxy" "enabled" }}
+            - name: SB_authConfig
+              value: |
+                {
+                  "type": "openIdConnect",
+                  "openIdConnectUrl": "http://{{ .Values.ingress.host }}{{ .Values.mockOidcServer.ingress.path }}/.well-known/openid-configuration",
+                  "oidcOptions": {
+                    "client_id": "{{ .Values.browser.oidcClientId | default "test-client" }}"
+                  }
+                }
+            {{- end }}
 {{- end }}
diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml
index 582301a5..73bb6520 100644
--- a/charts/eoapi/values.yaml
+++ b/charts/eoapi/values.yaml
@@ -488,6 +488,7 @@ browser:
     tag: 3.3.4
   ingress:
     enabled: true  # Control ingress specifically for browser service
+  oidcClientId: "some-client-id"
 
 docServer:
   enabled: true