search

stac-utils / qgis-stac-plugin

QGIS plugin for reading STAC APIs
GNU General Public License v3.0
71 stars 25 forks source link

Support authentication of STAC Catalogs #207

Open Samweli opened 2 years ago

Samweli commented 2 years ago

The QGIS application provides an authentication framework for different data providers. We need to integrate the plugin so that it works with all types of authentication that are supported by QGIS authentication system. The UI for this is already in place and it was intended to work from the last release plugin version.

See https://github.com/stac-utils/qgis-stac-plugin/issues/124 and https://github.com/stac-utils/qgis-stac-plugin/issues/206

roya0045 commented 2 years ago

I've having auth error with using the default Microsoft service either when trying to download an asset (adding the asset also cause an error but unsure if they have the same root cause). Is it due to lack of auth for this service or for another reason?

Error in downloading file, Download failed: Error transferring https://sentinel2l2a01.blob.core.windows.net/sentinel2-l2/20/T/LT/2022/08/16/S2A_MSIL2A_20220816T151701_N0400_R025_T20TLT_20220817T074117.SAFE/GRANULE/L2A_T20TLT_A037345_20220816T151703/IMG_DATA/R10m/T20TLT_20220816T151701_B08_10m.tif?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D - server replied: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Used in QGIS 3.27 in windows 10.

Samweli commented 2 years ago

I've having auth error with using the default Microsoft service either when trying to download an asset (adding the asset also cause an error but unsure if they have the same root cause). Is it due to lack of auth for this service or for another reason?

Error in downloading file, Download failed: Error transferring https://sentinel2l2a01.blob.core.windows.net/sentinel2-l2/20/T/LT/2022/08/16/S2A_MSIL2A_20220816T151701_N0400_R025_T20TLT_20220817T074117.SAFE/GRANULE/L2A_T20TLT_A037345_20220816T151703/IMG_DATA/R10m/T20TLT_20220816T151701_B08_10m.tif?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D - server replied: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Used in QGIS 3.27 in windows 10.

@roya0045 no this is not related to the lack of authenication support. Can you share the steps and name of the item you wanted to download. thanks

roya0045 commented 2 years ago

I did some testing with 2 installs, one was with the official 3.24.2 version of QGIS and the other was with 3.27.0 build of master with some of my additions as the mingw64 artefact.

For both I did the following:

  1. Load a basemap to view the extent and set the project in web mercator
  2. Zoom to Menorca (as it's easily identifiable)
  3. open the plugin from the web menu
  4. Use the default Microsfot and Sentinel 2 level 2 dataset image
  5. Set the date to cover august 2022
  6. Use the map extent to set boundaries
  7. Search
  8. In the result, select view assests (in this case either of the two starting with S2B_MSIL2A_20220820T103629R008)
  9. Select a band to display
  10. Select the same band to download

The results:

  1. Got an error downloading the image
  2. The image displayed fine when adding it to the canvas, but adding any new images meant that no image displayed anymore (the latter may not be related to the plugin)
  1. Got an error downloading the image
  2. Got an error adding it to the canvas.

As a sidenote, the command to view the download folder throws an error. Using subprocess.check_call with explorer always seems to return 1, even if the file explorer is opened properly. This throws an error in QGIS. Might be worth silencing the error or just using subprocess.call directly and taking the 1.

remicres commented 1 year ago

hi @Samweli ,

Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?

It looks like QGIS auths are restricted to specific remote resources (below is from the QGIS doc... but not sure if it's up-to-date) from qgis doc

If not, we should still be able to use the framework to get token and put the authorization bearer somewhere GDAL can find it ...

hrodmn commented 1 year ago

Hi, @Samweli! Do we need to pass the authentication parameters here? https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100

update for clarity I believe we need to pass the authentication credentials into pystac_client.Client.open. I have a STAC where I can use the headers arg in pystac_client.Client.open to authenticate my connection e.g.

pystac_client.Client.open(
    <CATALOG_URL>,
    headers={"x-functions-key": <TOKEN>}
)

From what I can tell, the plugin is not passing any credentials to pystac_client.

remicres commented 1 year ago

@hrodmn I believe that's the STAC endpoint.

You have to pass the parameters from here: image

Unfortunately for now I am still not able to use OAuth2

hrodmn commented 1 year ago

I opened a fork and made a change that enables API header authentication via the QGIS authentication manager: https://github.com/stac-utils/qgis-stac-plugin/commit/fd446f68bba400fddd04390e0bd60fc5ab201dab

Right now it would only work for an API Header type of authentication so it's not a complete solution.

remicres commented 1 year ago

Okay, thanks for clarifications!

Samweli commented 1 year ago

Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?

Hi @remicres it currently doesn't supports the handler there is no entry for it in the list of the supported auth methods.

Samweli commented 1 year ago

Hi, @Samweli! Do we need to pass the authentication parameters here? https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100

Hi @hrodmn, as you mentioned at the moment the plugin doesn't support passing authentication parameters to the pystac_client library, the intention is to use the QGIS authentication system to achieve authentication in the plugin.

remicres commented 1 year ago

Hi @remicres it currently doesn't supports the handler there is no entry for it in the list of the supported auth methods.

Hi @Samweli thanks for the info.

I guess accessing secured assets files is another thing. I am starting to think that this could be done nicely with a secured (i.e. with auth. required) dynamic STAC endpoint returning signed assets URIs.