Authentication Eurac

Question

Authentication Eurac

przell opened this issue 2 years ago · comments

I tried cross device login at our eurac backend. But it doesn't seem to work. I don't know where the problem is. With the python client it works. For openeo.cloud it works also with the R-client. openeo package version: 1.2.0.

eurac r-client: --> this site can't be reached. local host refused to connect.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)

eurac python-client -> works

import openeo
openeoHost = "https://openeo.eurac.edu"
eurac = openeo.connect(openeoHost).authenticate_oidc(client_id="openEO_PKCE")

openeo.cloud r-client -> works

host = "https://openeo.cloud"
con = connect(host, provider = "egi")

Florian Lahn · Answer 1 · Thu Mar 24 2022 17:50:54 GMT+0800 (China Standard Time)

The exact same code refers me to the EURAC login and RStudio starts the Authorization Code PKCE workflow as you request it in grant_type = "authorization_code+pkce". How do you run it? Is your R/RStudio on your local machine or is it remote?

Just to make sure, you really want to use authorization_code+pkce as authentication method and not the device_code+pkce login, right?

Florian Lahn · Answer 2 · Thu Mar 24 2022 22:06:48 GMT+0800 (China Standard Time)

To summarize the externally held discussion:

a device_code authentication should have been used: login() should have taken care about that
"authorization_code+pkce" was always selected as a default, also after the login with login()
the underlying problem was that "urn:ietf:params:oauth:grant-type:device_code+pkce" is not supported by the EURAC authentication provider
we now should implement the corresponding device code workflow without using pkce, which corresponds to the grant type: urn:ietf:params:oauth:grant-type:device_code

Florian Lahn · Answer 3 · Fri Apr 01 2022 22:12:59 GMT+0800 (China Standard Time)

I have implemented the device code authentication without PKCE and it is the preferred grant_type after device_code+pkce, given the authentication provider supports it. Please have a look at this feature in the develop branch.

library(openeo)
euracHost = "https://openeo.eurac.edu"
eurac = connect(euracHost)
login()

That code should suffice. If you want a different authentication you can use the grant_type, client_id and secret as always.

przell · Answer 4 · Fri Apr 08 2022 22:44:49 GMT+0800 (China Standard Time)

@flahn, thanks for the fix!
I tried your snippet above and it worked! :)
Two open points:

The snippet above delivers a code to the R console... I didn't have to use that anywhere in the authentication, it worked without... sounds like a bug on our side?
could you provide the conf info that is used for this short login version. I mean updating this code so that it represents what happens now in the background:

conf = list(client_id = "openEO_PKCE", grant_type = "authorization_code+pkce")
prov = list_oidc_providers()
login(provider = prov$Eurac_EDP_Keycloak, 
      config = conf, con = eurac)

To me it is not clear what can be put into this conf list... is there a general docu somewhere? I know that it takes client_id, grant_type and secret. But that's all I know.

Florian Lahn · Answer 5 · Sat Apr 09 2022 00:29:07 GMT+0800 (China Standard Time)

Usually the device code flow with or without PKCE is chosen automatically, if provided by the backend. To select this authenication method manually you can use the following to align it with your code segment:

conf = list(grant_type="urn:ietf:params:oauth:grant-type:device_code")
...

Regarding the configuration options, there is a documentation about it in ?login. But I can see that it is not that obvious what to use. I will adapt the documentation for this.