Open soxofaan opened 4 months ago
m-mohr
commented
3 months ago This is not really feasible for web apps as client credentials need a client secret, i.e. you'd need to enter client_id and client_secret for every login and then keep the browser open.
What's the usecase for a browser app? Usually a refresh token should cover a long enough time span...
soxofaan
commented
3 months ago The typical use case is users that use client credentials based machine-to-machine auth for non-interactive workflows, but still want to be able to follow up e.g. batch job progress through the web editor.
m-mohr
commented
3 months ago So effectively this would be implemented similar to a username (client ID)/password (client secret) login workflow? This is effectively more an openeo-js-client issue as the underlying OIDC library is the limiting factor.
At some point we need to upgrade from the deprecated oidc-client-js to oidc-client-ts anyway, but it doesn't support client credentials either: https://github.com/authts/oidc-client-ts
So it would need a whole new library and I'm not sure which one would cover all our use cases. So this is a major effort.
soxofaan
commented
3 months ago I'm fine with the current assessment that the effort outweighs the added value at the moment.
To the user interested in a feature like this: I'd like to point out that it is already possible to approximate this feature through Jupyter notebooks and the openEO python client:
connection.authenticate_oidc_client_credentials() (make sure to properly handle your credentials, don't accidentally store them in git, if possible, leverage environment variable support)connection.list_jobs(), which will render a table overview that closely resembles the batch job overview from the web editor
I'm not sure if this is even remotely feasible, but we recently had several users asking about this, so just putting this here for future reference:
Is it possible to use the openEO web editor with service accounts (which only support the OIDC "client credentials" grant)?