Support Auth extension

[MattFerraro]

I have a dynamic STAC catalog that requires me to specify my auth token as a header, like:

curl https://api.me.com/my-catalog.json -H 'accept: application/json' -H 'authorization: Bearer my.jwt.token'

The JWT is required because the catalog is dynamic and it shows different data to different users, depending on what you are authorized to view.

Now, to get a token in the first place I have to do something like:

curl --header "Content-Type: application/json" --request POST --data '{"email":"my@email.com","password":"my-password"}' https://api.me.com/auth/public/authenticate

Which returns back something like:

{
  "token": "my.jwt.token"
}

So I think what I'd want is something like a local .stac-browserrc file where I can put my username, password, the fact that I want to use token based auth, the URL to hit to get a token, and then have the server just recognize this on startup, adding the required token header to every request on my behalf.

The token has a limited lifetime, so I would prefer if the server could be configured with a timeout to re-fetch a new token, but that's just a nice-to-have. I can restart the server over manually when running locally.

[MattFerraro]

Auth in general is a huge topic. I could imagine use cases for support basic auth as well, and probably others.

[m-mohr]

As there are a lot of different authentication flows, I don't think this will be supported anytime soon, but I'm happy to accept and review PRs. Also, there are some security concerns. We need to ensure people don't deploy public catalogs with such credentials in them - the credentials are public then. There are request interceptors in STAC Browser 3 though so that could be a chance for some custom code that you could implement to support some of the individual authentication flows. So my recommendation would be to wait for a beta of STAC Browser 3 and start on top of that.

[m-mohr]

It would be interesting to know what authentication methods providers implement so that we can make informed decisions on which authentication methods to support.

The most commonly used I've seen is just a token in a query parameter, which is supported since today.

May help for OAuth: https://github.com/dgrubelic/vue-authenticate

[m-mohr]

There's now a configurable UI that can handle token/API key based authentication for query parameters and headers. See issue https://github.com/radiantearth/stac-browser/issues/210#issuecomment-1210871360 and the authConfig documentation for details: https://github.com/radiantearth/stac-browser/blob/main/docs/options.md#authconfig

[simonff]

For future reference, the link above is now https://github.com/radiantearth/stac-browser/tree/dev2#authconfig

[m-mohr]

@simonff That's a temporary and outdated branch, the actual URL is https://github.com/radiantearth/stac-browser/blob/main/docs/options.md#authconfig

[m-mohr]

There's no also the Authentication extension, which is not supported in STAC Browser yet: https://github.com/stac-extensions/authentication

[m-mohr]

• [x] HTTP Basic
• [ ] HTTP Bearer
• [ ] HTTP Digest
• [x] HTTP (others) - NOT PLANNED
• [x] S3 - NOT PLANNED
• [ ] Signed URL
• [ ] OAuth 2
• [x] API Key (Header & Query Parameters, no cookie support planned)
• [x] OpenID Connect