Comments (8)
soxofaan
commented on September 18, 2024
Looking into that. Do you have the full stack trace of that error?
from openeo-python-client.
soxofaan
commented on September 18, 2024
first guess is that refresh_token grant type is not listed in your /credentials/oidc: response
from openeo-python-client.
soxofaan
commented on September 18, 2024
"grant_types":[
"urn:ietf:params:oauth:grant-type:device_code+pkce"
]
this indicates that you are only interested in device code grant, and not refresh token.
So .authenticate_oidc() is not really recommended to use (as automated refresh token handling is one of it's key features).
Using .authenticate_oidc_device() should work against that /credentials/oidc setup however. Can you confirm that?
That being said, I think there is a case to be made to make .authenticate_oidc() work againsts your setup too
from openeo-python-client.
m-mohr
commented on September 18, 2024
I've also tried it with urn:ietf:params:oauth:grant-type:device_code as default client and that lead to the same error.
I need to check the other parts...
from openeo-python-client.
soxofaan
commented on September 18, 2024
I've also tried it with urn:ietf:params:oauth:grant-type:device_code as default client and that lead to the same error.
indeed, with or without the +pkce doesn't matter here
from openeo-python-client.
m-mohr
commented on September 18, 2024
The Google OIDC is a bit weird in that it supports refresh_token, but not the offline_access scope. I always thought they were somewhat related, maybe they are not though. Also fiddling around with it in Open-EO/openeo-web-editor#319 - Maybe the primary issue is actually that we don't usually list offline_access in the scopes that are reported by the default clients? Should they do that?
Stack trace based on your last commit:
---------------------------------------------------------------------------
OpenEoClientException Traceback (most recent call last)
Cell In[9], line 1
----> 1 connection.authenticate_oidc()
File /mnt/c/Dev/openeo-python-client/openeo/rest/connection.py:716, in Connection.authenticate_oidc(self, provider_id, client_id, client_secret, store_refresh_token, use_pkce, display, max_poll_time)
714 else:
715 default_client_grant_check = lambda grants: (_g.DEVICE_CODE in grants or _g.DEVICE_CODE_PKCE in grants)
--> 716 provider_id, client_info = self._get_oidc_provider_and_client_info(
717 provider_id=provider_id,
718 client_id=client_id,
719 client_secret=client_secret,
720 default_client_grant_check=default_client_grant_check,
721 )
723 # Try refresh token first.
724 refresh_token = self._get_refresh_token_store().get_refresh_token(
725 issuer=client_info.provider.issuer,
726 client_id=client_info.client_id
727 )
File /mnt/c/Dev/openeo-python-client/openeo/rest/connection.py:454, in Connection._get_oidc_provider_and_client_info(self, provider_id, client_id, client_secret, default_client_grant_check)
450 _log.info("Using default client_id {c!r} from OIDC provider {p!r} info.".format(
451 c=client_id, p=provider_id
452 ))
453 if client_id is None:
--> 454 raise OpenEoClientException("No client_id found.")
456 client_info = OidcClientInfo(client_id=client_id, client_secret=client_secret, provider=provider)
458 return provider_id, client_info
OpenEoClientException: No client_id found.
from openeo-python-client.
soxofaan
commented on September 18, 2024
Stack trace based on your last commit:
With that POC commit you should also disable refresh token storage connection.authenticate_oidc(store_refresh_token=False)
FYI The other workaround mentioned above (which should work with a normal release of python client) is to use
connection.authenticate_oidc_device()
Have you tried that already with your setup?
from openeo-python-client.
m-mohr
commented on September 18, 2024
connection.authenticate_oidc(store_refresh_token=False)
This works indeed, thanks. A bit cumbersome that users have to specify a parameter.
But generally, I still struggle to understand whether the Google Auth supports PKCE for device_code or not. Some docy imply it does, but all requests ask me to provide a secret. So may not be supported.
Generally, I got it working in the Editor, but have still issues connecting through Google without a secret...
Have you tried that already with your setup?
Yes, works (with the caveats above). This also works:
connection.authenticate_oidc_device(provider_id="google", client_id="abc.apps.googleusercontent.com", client_secret="..." use_pkce=False)
More to be investigated (also the relation between offline_access scope and refresh_token grant).
from openeo-python-client.
Related Issues (20)
- support "identity" callbacks HOT 2
- Rename/deprecated `BatchJob.run_synchronous`
- JobManager: store joblist on http url as Parquet HOT 3
- `metadata_from_stac` can't handle STAC API ItemCollection HOT 1
- Support unordered band collection in BandDimension
- Drop support for Python 3.7 HOT 1
- GitHub Actions warnings
- Smarter geometry loading from `DataCube.aggregate_spatial` HOT 1
- Avoid index based "band math" where possible
- Eliminate wrong assumptions about "terminal" nodes HOT 1
- docs: introduce (remote) process definition instead of UDP
- Support new STAC "bands" construct HOT 1
- JobManager: include cost of job in resulting file
- `execute_batch`: option to cancel excessively long running jobs HOT 1
- As a developer I want to provide the MultiBackendJobManager with a maximal run time for each job.
- `apply_polygon`: rename `polygons` parameter to `geometries`
- introduce openeo.testing.results with reusable result comparison utilities for test suites HOT 2
- Authentication documentation is wrong HOT 2
- Authentication: support using access token obtained out of band HOT 2
- geopandas: optional dependency
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openeo-python-client.