Open-EO / openeo-earthengine-driver

openEO back-end driver for Google Earth Engine.
Apache License 2.0

Implement Authentication via OAuth/OIDC #82

Closed m-mohr closed 4 months ago

m-mohr commented 8 months ago

Users should be able to connect with their own accounts, not with our service account.

edzer commented 8 months ago

> Users should be able to connect with their own accounts, not with out service account.

Did you mean "with our service account", or "without service account"?

m-mohr commented 8 months ago

Oh, "with our". Working on it right now :-)

m-mohr commented 8 months ago

A basic implementation is available in the repository. It generally works, but has some drawbacks:

  1. A refresh_token is not available to the openEO proxy -> The access_token may expire for longer-running requests, but that may only lead to issues with the job status, I guess. => #87
  2. The only flow that is supported by Google and doesn't require a client secret seems to be implicit. That means only the Web Editor can connect easily; all other clients will need a client secret that users obtain from the Google API Console.
  3. Each request to the openEO proxy issues a new request to the ID token endpoint. That's pretty excessive; I guess I should cache that and only request the ID token again once the access token changes. For now, I'll live with it as it's not a service that is used by a couple of people.

Keeping these points open for now as they are lower priority for me for now. I might be able to weaken the effects for (1) and (3) through additional code and (2) needs to wait for improvements on Google's side, which I heard are at least planned.
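
Point (3) in the comment above describes caching the identity lookup so that it is repeated only when the access token changes. The following is an added example of that idea in Node.js, not code from the driver repository; `IdentityCache`, `fetchIdentity` and the `{ sub, expiresAt }` result shape are hypothetical names chosen for illustration.

```javascript
// Added example: cache the identity lookup per access token.
// fetchIdentity(accessToken) is a hypothetical async function standing in for
// the request to the provider's identity endpoint. It is assumed to resolve to
// { sub, expiresAt }, with expiresAt in milliseconds since the epoch.
class IdentityCache {
  constructor(fetchIdentity, { maxEntries = 1000, now = Date.now } = {}) {
    this.fetchIdentity = fetchIdentity;
    this.maxEntries = maxEntries;
    this.now = now;
    this.entries = new Map(); // accessToken -> { promise, expiresAt }
  }

  get(accessToken) {
    const hit = this.entries.get(accessToken);
    if (hit && hit.expiresAt > this.now()) {
      return hit.promise; // same token, still valid: no upstream request
    }
    this.entries.delete(accessToken);
    // Store the pending promise so concurrent requests share one lookup.
    const entry = { promise: null, expiresAt: Infinity };
    entry.promise = this.fetchIdentity(accessToken).then(
      (identity) => {
        // Never keep the cached identity longer than the token itself lives.
        entry.expiresAt = identity.expiresAt;
        return identity;
      },
      (err) => {
        // Do not cache failures (invalid tokens, network errors).
        if (this.entries.get(accessToken) === entry) this.entries.delete(accessToken);
        throw err;
      }
    );
    this.entries.set(accessToken, entry);
    this.evict();
    return entry.promise;
  }

  evict() {
    // Drop expired entries first, then the oldest (Map keeps insertion order).
    const t = this.now();
    for (const [k, e] of this.entries) if (e.expiresAt <= t) this.entries.delete(k);
    while (this.entries.size > this.maxEntries) {
      this.entries.delete(this.entries.keys().next().value);
    }
  }
}
```

A cached entry means a token revoked at the provider is still accepted until the entry expires, so the entry lifetime should be the token's own expiry or shorter.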