Authentication Eurac - Githubissues

Open-EO / openeo-r-client

R client package for working with openEO backends

https://open-eo.github.io/openeo-r-client

Apache License 2.0

61 stars 17 forks source link

Authentication Eurac #116

Closed przell closed 2 years ago

przell commented 2 years ago

I tried cross device login at our eurac backend. But it doesn't seem to work. I don't know where the problem is. With the python client it works. For openeo.cloud it works also with the R-client. openeo package version: 1.2.0.

eurac r-client: --> this site can't be reached. local host refused to connect.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)

eurac python-client -> works

import openeo
openeoHost = "https://openeo.eurac.edu"
eurac = openeo.connect(openeoHost).authenticate_oidc(client_id="openEO_PKCE")

openeo.cloud r-client -> works

host = "https://openeo.cloud"
con = connect(host, provider = "egi")

flahn commented 2 years ago

The exact same code refers me to the EURAC login and RStudio starts the Authorization Code PKCE workflow as you request it in grant_type = "authorization_code+pkce". How do you run it? Is your R/RStudio on your local machine or is it remote?

Just to make sure, you really want to use authorization_code+pkce as authentication method and not the device_code+pkce login, right?

flahn commented 2 years ago

To summarize the externally held discussion:

a device_code authentication should have been used: login() should have taken care about that
"authorization_code+pkce" was always selected as a default, also after the login with login()
the underlying problem was that "urn:ietf:params:oauth:grant-type:device_code+pkce" is not supported by the EURAC authentication provider
we now should implement the corresponding device code workflow without using pkce, which corresponds to the grant type: urn:ietf:params:oauth:grant-type:device_code

flahn commented 2 years ago

I have implemented the device code authentication without PKCE and it is the preferred grant_type after device_code+pkce, given the authentication provider supports it. Please have a look at this feature in the develop branch.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
login()

That code should suffice. If you want a different authentication you can use the grant_type, client_id and secret as always.

przell commented 2 years ago

@flahn, thanks for the fix! I tried your snippet above and it worked! :) Two open points:

The snippet above delivers a code to the R console... I didn't have to use that anywhere in the authentication, it worked without... sounds like a bug on our side?
could you provide the conf info that is used for this short login version. I mean updating this code so that it represents what happens now in the background:

conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)

To me it is not clear what can be put into this conf list... is there a general docu somewhere? I know that it takes client_id, grant_type and secret. But that's all I know.

flahn commented 2 years ago

Usually the device code flow with or without PKCE is chosen automatically, if provided by the backend. To select this authenication method manually you can use the following to align it with your code segment:

conf = list(grant_type="urn:ietf:params:oauth:grant-type:device_code")
...

Regarding the configuration options, there is a documentation about it in ?login. But I can see that it is not that obvious what to use. I will adapt the documentation for this.