support OIDC client credentials auth? #324

Open
soxofaan opened this issue Jun 3, 2024 · 4 comments
Labels
enhancement New feature or request

@soxofaan
Member

soxofaan commented Jun 3, 2024

I'm not sure if this is even remotely feasible, but we recently had several users asking about this, so just putting this here for future reference:

Is it possible to use the openEO web editor with service accounts (which only support the OIDC "client credentials" grant)?

@m-mohr m-mohr added the question Further information is requested label Jun 10, 2024
@m-mohr
Member

m-mohr commented Jun 10, 2024

This is not really feasible for web apps as client credentials need a client secret, i.e. you'd need to enter client_id and client_secret for every login and then keep the browser open.

What's the use case for a browser app? Usually a refresh token should cover a long enough time span...

@soxofaan
Member Author

The typical use case is users that use client credentials based machine-to-machine auth for non-interactive workflows, but still want to be able to follow up e.g. batch job progress through the web editor.

@m-mohr
Member

m-mohr commented Jun 11, 2024

So effectively this would be implemented similar to a username (client ID)/password (client secret) login workflow?
This is effectively more an openeo-js-client issue as the underlying OIDC library is the limiting factor.

At some point we need to upgrade from the deprecated oidc-client-js to oidc-client-ts anyway, but it doesn't support client credentials either: https://github.com/authts/oidc-client-ts

So it would need a whole new library and I'm not sure which one would cover all our use cases. So this is a major effort.

@m-mohr m-mohr added enhancement New feature or request and removed question Further information is requested labels Jun 11, 2024
@m-mohr m-mohr added this to the future milestone Jun 11, 2024
@soxofaan
Member Author

I'm fine with the current assessment that the effort outweighs the added value at the moment.

To the user interested in a feature like this:
I'd like to point out that it is already possible to approximate this feature through Jupyter notebooks and the openEO Python client:

  • authenticate with client credentials, e.g. connection.authenticate_oidc_client_credentials() (make sure to properly handle your credentials: don't accidentally store them in git and, if possible, leverage environment variable support)
  • list your batch jobs with connection.list_jobs(), which will render a table overview that closely resembles the batch job overview from the web editor
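
The client credentials grant discussed in this thread, together with the credential-handling advice in the comment above, as an added example that is not part of the issue or of any openEO code base. It reads the service-account credentials from the environment, keeps the secret out of `repr` output (and therefore out of notebook cells and logs), and builds, without sending, the RFC 6749 section 4.4 token request. The token endpoint and sample values are constructed placeholders, and the variable names `OPENEO_AUTH_CLIENT_ID` and `OPENEO_AUTH_CLIENT_SECRET` are assumed to match the openEO Python client's environment variable support.

```python
import base64
import os
import urllib.parse
import urllib.request
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClientCredentials:
    client_id: str
    # repr=False keeps the secret out of logs, tracebacks and notebook output.
    client_secret: str = field(repr=False)


def credentials_from_env(environ=os.environ) -> ClientCredentials:
    """Read the service-account credentials from the environment, never from code."""
    try:
        return ClientCredentials(
            client_id=environ["OPENEO_AUTH_CLIENT_ID"],        # assumed variable name
            client_secret=environ["OPENEO_AUTH_CLIENT_SECRET"],  # assumed variable name
        )
    except KeyError as missing:
        raise RuntimeError(f"environment variable {missing} is not set") from None


def build_token_request(token_endpoint: str, creds: ClientCredentials) -> urllib.request.Request:
    """Build (not send) the RFC 6749 section 4.4 client credentials token request."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https: the request carries the client secret")
    # RFC 6749 section 2.3.1: form-encode id and secret, then send them as HTTP Basic.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (creds.client_id, creds.client_secret))
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        token_endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the endpoint is a placeholder and nothing is sent.
    sample_env = {"OPENEO_AUTH_CLIENT_ID": "svc-demo", "OPENEO_AUTH_CLIENT_SECRET": "s3cr3t/+"}
    creds = credentials_from_env(sample_env)
    request = build_token_request("https://idp.example/token", creds)
    print(request.get_method(), request.full_url, request.data, creds)
```

Every such request carries the long-lived client secret itself, which is why the flow fits a server-side process or a notebook with environment-provided credentials rather than code running in a browser.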

