search

EIDA / userfeedback

This repository is meant to collect feedback from EIDA users by means of its Issue Tracker
10 stars 4 forks source link

[EIDA token] authentication service not working #147

Closed luvec closed 1 year ago

luvec commented 1 year ago

I am not able to create ObsPy Client with EIDA token authentication for several EIDA nodes: ODC, BGR, KOERI, LMU, ICGC. I tested it for all combinations of Client parameters __discoverservices and _forceredirect. I'm sure that it worked for the LMU node months ago (for _discover_services=False).

code:

from obspy.clients.fdsn import Client

eida_token = './eidatoken'
ds = [True, False, False, True]
fr = [False, True, False, True]

print('{:18s} {:d} {:d} {:d} {:d}'.format('_discover_services', *ds))
print('{:18s} {:d} {:d} {:d} {:d}\n'.format('force_redirect', *fr))

for node in ['ODC','GFZ','RESIF','INGV','ETH','BGR','NIEP','KOERI','LMU','NOA','UIB-NORSAR','ICGC']:
    sss = '{:18s}'.format(node)
    for _discover_services, force_redirect in zip(ds, fr):
        try:
            client = Client(base_url=node, eida_token=eida_token, 
                        _discover_services=_discover_services, force_redirect=force_redirect)
            sss += ' +'
        except Exception as e:
            sss += ' -'
            se = str(e)
    print(sss)
print('\n', se)

result:

_discover_services 1 0 0 1
force_redirect     0 1 0 1

ODC                - - - -
GFZ                + - - +
RESIF              + - - +
INGV               + - - +
ETH                + - - +
BGR                - - - -
NIEP               + - - +
KOERI              - - - -
LMU                - - - -
NOA                + - - +
UIB-NORSAR         + - - +
ICGC               - - - -

 EIDA token authentication requested but service at 'http://ws.icgc.cat' does not specify /dataselect/auth in the dataselect/application.wadl.

EIDA token:

{"valid_until": "2023-07-07T19:50:48.389301Z", "cn": "Lud\u011bk Vecsey", "memberof": "/epos/Y0HBP;/;/epos/alparray;/epos", "sn": "Vecsey", "issued": "2023-06-07T19:50:48.389305Z", "mail": XXX, "givenName": "Lud\u011bk", "expiration": "1m"}

ObsPy 1.4.0

javiquinte commented 1 year ago

Hi @luvec ! The nodes you show there with '-' are the nodes that decided not to have authentication enabled, because they don't have restricted data. From the Obspy documentation you have:

Token for EIDA authentication mechanism, see http://geofon.gfz-potsdam.de/waveform/archive/auth/index.php. If a token is provided, options user and password must not be used. This mechanism is only available on select EIDA nodes. The token can be provided in form of the PGP message as a string, or the filename of a local file with the PGP message in it.

There it's clear that it is only available on certain nodes. If you try the same with ODC you will get the same error.

>>> client = Client(base_url="ODC", eida_token='/Users/javier/.eidatoken')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/obspy/clients/fdsn/client.py", line 281, in __init__
    self.set_eida_token(eida_token)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/obspy/clients/fdsn/client.py", line 324, in set_eida_token
    user, password = self._resolve_eida_token(token, validate=validate)
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/obspy/clients/fdsn/client.py", line 356, in _resolve_eida_token
    raise FDSNException(msg)
obspy.clients.fdsn.header.FDSNException: EIDA token authentication requested but service at 'http://www.orfeus-eu.org' does not specify /dataselect/auth in the dataselect/application.wadl.

That's why the preferred method for accessing data is what is suggested in https://github.com/EIDA/userfeedback#obspy There you use the credentials using the routing service and it will use the token only in the nodes that support it.

But if you still need to use the "Client" object, you should declare it without the token and then use the "set_eida_token" method inside a "try" statement to catch the error of the nodes not supporting authentication.

I hope this helps you with your problem.

Cheers,

luvec commented 1 year ago

Hi @javiquinte,

thank you very much for your explanation. Meanwhile, the situation with the LMU node changed today, now it is possible to connect there also with token authentication. So I guess LMU does not belong to the group of fully opened nodes yet, which is fine, because we are sending there our embargoed Z6 data. Probably it was only some technical issue at LMU.

Best regards, Luděk

megies commented 1 year ago

I believe there was indeed some issue here at LMU after the node update that was announced on the EIDA mailing list but I believe the issue should be fixed now.