Implementing Transaction API and Auth

[ranchodeluxe]

For CDK and K8s what are the auth workflows we can use to wrap the transaction API for ingestion

AC:

• [x] implement transaction api
• [ ] figure out how to authorize

[ranchodeluxe]

Let's wait until we have a bulk API ingest in STAC

[batpad]

Going to try and enliven this issue. Ref https://github.com/developmentseed/labs/issues/346 .

I think we have a decent implementation thanks to @alukach and @edkeeble of handling OAuth2, and then connecting to an authorization system to implement some authorization rules.

Relevant repos:

• Authentication: https://github.com/developmentseed/jupyterhub-fastapi-auth-demo
• Authorization: https://github.com/edkeeble/fastapi_authorization_gateway

I'd love to see if this could be added to the eoapi-k8s setup and maybe we figure out some basic configurability that's possible via supplying some values. So maybe to start with, something like:

• add an enable_authentication option in values that users can set to true
• this some-how enables the authentication and authorization bits in the FastAPI app (I'm a bit fuzzy about how exactly we implement this)
• to start with, provide simple default presets for authorization schemes:
  • Everyone can read, people in an admins group can write
  • No public read access. People in group members can read, admins can write

We can document how you could write code to implement more complex auth scenarios, but this would allow us to have authentication and authorization out-of-the-box with an eoapi-k8s install.

@ranchodeluxe does this sound reasonable? Would you have the time / interest to try and help?

[pantierra]

Updating here the approach for authentication we are taking:

1. https://github.com/EOEPCA/data-access/issues/109
2. Include eoapi-auth-utils
3. Connect it with EOEPCA's Keycloak
4. https://github.com/EOEPCA/resource-discovery/issues/99