Open-EO / openeo-r-client

R client package for working with openEO backends
https://open-eo.github.io/openeo-r-client
Apache License 2.0
61 stars 17 forks source link

Authentication Eurac #116

Closed przell closed 2 years ago

przell commented 2 years ago

I tried cross device login at our eurac backend. But it doesn't seem to work. I don't know where the problem is. With the python client it works. For openeo.cloud it works also with the R-client. openeo package version: 1.2.0.

eurac r-client: --> this site can't be reached. local host refused to connect.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)

eurac python-client -> works

import openeo
openeoHost = "https://openeo.eurac.edu"
eurac = openeo.connect(openeoHost).authenticate_oidc(client_id="openEO_PKCE")

openeo.cloud r-client -> works

host = "https://openeo.cloud"
con = connect(host, provider = "egi")
flahn commented 2 years ago

The exact same code refers me to the EURAC login and RStudio starts the Authorization Code PKCE workflow as you request it in grant_type = "authorization_code+pkce". How do you run it? Is your R/RStudio on your local machine or is it remote?

Just to make sure, you really want to use authorization_code+pkce as authentication method and not the device_code+pkce login, right?

flahn commented 2 years ago

To summarize the externally held discussion:

flahn commented 2 years ago

I have implemented the device code authentication without PKCE and it is the preferred grant_type after device_code+pkce, given the authentication provider supports it. Please have a look at this feature in the develop branch.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
login()

That code should suffice. If you want a different authentication you can use the grant_type, client_id and secret as always.

przell commented 2 years ago

@flahn, thanks for the fix! I tried your snippet above and it worked! :) Two open points:

conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)
flahn commented 2 years ago

Usually the device code flow with or without PKCE is chosen automatically, if provided by the backend. To select this authenication method manually you can use the following to align it with your code segment:

conf = list(grant_type="urn:ietf:params:oauth:grant-type:device_code")
...

Regarding the configuration options, there is a documentation about it in ?login. But I can see that it is not that obvious what to use. I will adapt the documentation for this.