Feature request OAPIF: support for API-keys via query for API implementing OGC API - Features #38436
Comments
@heidivanparys seems more like a bug(?).
I guess it could be categorised as a bug as well, yes. I'm not sure what the rules are, recently I created issue #38382 and categorised it as a bug and it was changed to a feature request 😃. I haven't been able to find documentation on what security schemes QGIS supports (server nor client side), but if QGIS doesn't claim to support API keys in the query it is a feature request, if QGIS does claim to support API keys it is a bug.
@heidivanparys
@gioman Thanks for the link. I meant (but didn't write, sorry) specifically in relation to OGC API - Features. From http://spec.openapis.org/oas/v3.0.3#security-scheme-object:
So when putting that next to I think the situation is like this (please correct me if I'm wrong!):
Feature description.
When adding a service that implements OGC API - Features and that needs an API key for authorization of retrieving anything below /collections, the API key is stripped off the URL when the provider looks for a specific collection, resulting in a 403 error when that collection is secured. It would be great if the API key parameter would not be stripped off.
Additional context
OGC API - Features service with an API that could look like this (API key needed for all the paths that go deeper than /collections).
(see also http://spec.openapis.org/oas/v3.0.3#securitySchemeObject and http://spec.openapis.org/oas/v3.0.3#non-oauth2-security-requirement)
Even when adding ?api-key=myApiKey to the landing page URL, trying to add the features of a collection like that results in
WARNING Download of collection description failed: Error transferring https://link.to.com/v2/data/collections/collectionId - server replied: Forbidden
The log that appears in the Debugging/Development Tools:
So the API key parameter is still present when retrieving the API description but is stripped off for the next request, to /collections/station.
QGIS version
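The behaviour requested in this issue, as an added example that is not part of the original report and is not QGIS code: a client carries the `api-key` query parameter from the landing page URL over to follow-up requests such as `/collections/station`. The landing page URL, the `SCHEME` dictionary and all function names are constructed for illustration; the same-origin check and the log redaction are assumptions about how a client would want to handle a key that travels in the query string.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed security scheme, shaped like an OpenAPI 3.0 Security Scheme Object.
SCHEME = {"type": "apiKey", "in": "query", "name": "api-key"}


def extract_api_key(landing_url, scheme=SCHEME):
    """Return the key value from the landing page URL, or None if absent."""
    if scheme.get("type") != "apiKey" or scheme.get("in") != "query":
        return None
    return dict(parse_qsl(urlsplit(landing_url).query)).get(scheme["name"])


def same_origin(a, b):
    """Compare scheme, host and port of two URLs."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def with_api_key(target_url, landing_url, scheme=SCHEME):
    """Carry the landing page's API key over to a follow-up request URL.

    The key is attached only when the target has the same origin as the
    landing page, so a link to another host never receives it.
    """
    key = extract_api_key(landing_url, scheme)
    if key is None or not same_origin(target_url, landing_url):
        return target_url
    parts = urlsplit(target_url)
    # Drop any existing copy of the parameter, keep everything else.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != scheme["name"]]
    query.append((scheme["name"], key))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact(url, scheme=SCHEME):
    """Mask the key value before the URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == scheme["name"] else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    landing = "https://link.to.com/v2/data?api-key=myApiKey"  # constructed
    url = with_api_key("https://link.to.com/v2/data/collections/station", landing)
    print(redact(url))
```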