Support authentication of STAC Catalogs #207

Open
Samweli opened this issue Aug 12, 2022 · 11 comments

@Samweli
Collaborator

Samweli commented Aug 12, 2022

The QGIS application provides an authentication framework for different data providers. We need to integrate the plugin so that it works with all types of authentication that are supported by the QGIS authentication system.
The UI for this is already in place and it was intended to work from the last release plugin version.

See #124 and #206

@Samweli
Collaborator Author

Samweli commented Aug 23, 2022

I'm having an auth error using the default Microsoft service when trying to download an asset (adding the asset also causes an error, but I'm unsure if they have the same root cause). Is it due to lack of auth for this service or for another reason?

Error in downloading file, Download failed: Error transferring https://sentinel2l2a01.blob.core.windows.net/sentinel2-l2/20/T/LT/2022/08/16/S2A_MSIL2A_20220816T151701_N0400_R025_T20TLT_20220817T074117.SAFE/GRANULE/L2A_T20TLT_A037345_20220816T151703/IMG_DATA/R10m/T20TLT_20220816T151701_B08_10m.tif?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D?st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-08-17T14%3A23%3A48Z&ske=2022-08-24T14%3A23%3A48Z&sks=b&skv=2021-06-08&sig=8a8HDj5G2y%2BTQLatzIf3Acz4HkwKc30UwIzJDqLi5qg%3D - server replied: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Used in QGIS 3.27 on Windows 10.
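
The URL in the error message above carries its query string twice (a second `?st=` follows the `sig` value) and is quoted with its full signature. The following is an added example, not code from the plugin or from this thread: it checks a SAS-style URL for a repeated query string and an elapsed `se` expiry, and masks `sig` before the URL is logged. The URLs and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample values, shaped like the URL in the error above.
BASE = "https://account.example/container/band.tif"
SAS = "st=2022-08-16T17%3A14%3A22Z&se=2022-08-17T17%3A59%3A22Z&sp=rl&sig=CONSTRUCTEDSIG%3D"
GOOD_URL = BASE + "?" + SAS
DOUBLED_URL = GOOD_URL + "?" + SAS

SECRET_PARAMS = {"sig"}  # the signature is a bearer credential


def diagnose_sas_url(url, now):
    """Return a list of problems found in a SAS-signed URL (hypothetical helper)."""
    problems = []
    query = urlsplit(url).query
    # A literal '?' inside the query means a second query string was appended.
    if "?" in query:
        problems.append("query string appended more than once")
    params = dict(parse_qsl(query.split("?", 1)[0]))
    if "sig" not in params:
        problems.append("no sig parameter")
    expiry = params.get("se")
    if expiry:
        # Handles only the timestamp format seen on this page.
        end = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ")
        if now >= end.replace(tzinfo=timezone.utc):
            problems.append("token expired at " + expiry)
    return problems


def redact(url):
    """Mask secret parameters so the URL can be logged or pasted in a report."""
    parts = urlsplit(url)
    query = parts.query.replace("?", "&")  # also covers a doubled query
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    when = datetime(2022, 8, 17, 12, 0, tzinfo=timezone.utc)
    print(diagnose_sas_url(DOUBLED_URL, when))
    print(redact(DOUBLED_URL))
```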

@roya0045 no, this is not related to the lack of authentication support. Can you share the steps and name of the item you wanted to download? Thanks

@roya0045

I did some testing with 2 installs, one was with the official 3.24.2 version of QGIS and the other was with 3.27.0 build of master with some of my additions as the mingw64 artefact.

For both I did the following:

  1. Load a basemap to view the extent and set the project in web mercator
  2. Zoom to Menorca (as it's easily identifiable)
  3. Open the plugin from the web menu
  4. Use the default Microsoft and Sentinel 2 level 2 dataset
  5. Set the date to cover august 2022
  6. Use the map extent to set boundaries
  7. Search
  8. In the result, select view assets (in this case either of the two starting with S2B_MSIL2A_20220820T103629_R008_)
  9. Select a band to display
  10. Select the same band to download

The results:

  • QGIS 3.24.2
    1. Got an error downloading the image
    2. The image displayed fine when adding it to the canvas, but adding any new images meant that no image displayed anymore (the latter may not be related to the plugin)
  • QGIS mingw64 3.27.0 (homebrew)
    1. Got an error downloading the image
    2. Got an error adding it to the canvas.

As a sidenote, the command to view the download folder throws an error. Using subprocess.check_call with explorer always seems to return 1, even if the file explorer is opened properly. This throws an error in QGIS. Might be worth silencing the error or just using subprocess.call directly and taking the 1.

@remicres

Hi @Samweli,

Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?

It looks like QGIS auths are restricted to specific remote resources (below is from the QGIS doc... but not sure if it's up-to-date)
from qgis doc

If not, we should still be able to use the framework to get token and put the authorization bearer somewhere GDAL can find it ...

@hrodmn
Contributor

hrodmn commented Oct 27, 2022

Hi, @Samweli! Do we need to pass the authentication parameters here?
https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100

update for clarity
I believe we need to pass the authentication credentials into pystac_client.Client.open. I have a STAC where I can use the headers arg in pystac_client.Client.open to authenticate my connection
e.g.

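```python
import pystac_client

# <CATALOG_URL> and <TOKEN> are placeholders for your own values
pystac_client.Client.open(
    "<CATALOG_URL>",
    headers={"x-functions-key": "<TOKEN>"},
)
```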

From what I can tell, the plugin is not passing any credentials to pystac_client.

@remicres

@hrodmn I believe that's the STAC endpoint.

You have to pass the parameters from here:
image

Unfortunately for now I am still not able to use OAuth2

@hrodmn
Contributor

hrodmn commented Oct 28, 2022

I opened a fork and made a change that enables API header authentication via the QGIS authentication manager:
fd446f6

Right now it would only work for an API Header type of authentication so it's not a complete solution.

@remicres

Okay, thanks for clarifications!

@Samweli
Collaborator Author

Samweli commented Oct 28, 2022

> Do you know if QGIS authentication system supports GDAL's /vsicurl handler now?

Hi @remicres, it currently doesn't support the handler; there is no entry for it in the list of the supported auth methods.

@Samweli
Collaborator Author

Samweli commented Oct 28, 2022

> Hi, @Samweli! Do we need to pass the authentication parameters here?
> https://github.com/stac-utils/qgis-stac-plugin/blob/main/src/qgis_stac/api/network.py#L100

Hi @hrodmn, as you mentioned, at the moment the plugin doesn't support passing authentication parameters to the pystac_client library. The intention is to use the QGIS authentication system to achieve authentication in the plugin.

@remicres

remicres commented Oct 28, 2022

> Hi @remicres it currently doesn't support the handler there is no entry for it in the list of the supported auth methods.

Hi @Samweli thanks for the info.

I guess accessing secured assets files is another thing. I am starting to think that this could be done nicely with a secured (i.e. with auth. required) dynamic STAC endpoint returning signed assets URIs.
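
A sketch of the idea in the last comment, as an added example that is not part of the plugin or of any STAC server: after the request to the STAC endpoint has been authenticated, each asset href in the returned item is rewritten into a time-limited, HMAC-signed URL that the asset server can verify without a session. The key, the `exp` and `sig` parameter names, the sample item and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs, urlencode

KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

# Constructed sample item; a real STAC item carries more fields.
ITEM = {"id": "constructed-item",
        "assets": {"B08": {"href": "https://assets.example/s2/B08.tif",
                           "type": "image/tiff"}}}


def asset_mac(path, expires):
    """HMAC-SHA256 over the asset path and its expiry time."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def sign_href(href, now, ttl=3600):
    """Append expiry and MAC; assumes the href has no query string yet."""
    expires = int(now) + ttl
    sig = asset_mac(urlsplit(href).path, expires)
    return href + "?" + urlencode({"exp": expires, "sig": sig})


def sign_item(item, now, ttl=3600):
    """Return a copy of the item with every asset href signed.
    Call this only after the STAC request itself was authenticated."""
    assets = {name: {**asset, "href": sign_href(asset["href"], now, ttl)}
              for name, asset in item["assets"].items()}
    return {**item, "assets": assets}


def verify(url, now):
    """Asset server side: accept only unexpired URLs with a valid MAC."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = asset_mac(parts.path, expires)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Because the MAC covers the path and the expiry, a URL issued for one asset cannot be reused for another or extended past its lifetime; a client such as GDAL's /vsicurl only needs the URL itself.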
