Support new JWT token based auth from openEO API 1.3

openeo/rest/_testing.py

@@ -14,6 +14,7 @@
     Union,
 )
 
+from openeo.utils.version import ComparableVersion
 from openeo import Connection, DataCube
 from openeo.rest.vectorcube import VectorCube
 from openeo.utils.http import HTTP_201_CREATED, HTTP_202_ACCEPTED, HTTP_204_NO_CONTENT
@@ -189,6 +190,14 @@ def setup_file_format(self, name: str, type: str = "output", gis_data_types: Ite
         }
         self._requests_mock.get(self.connection.build_url("/file_formats"), json=self.file_formats)
         return self
+
+    def _get_conformance(self, request, context):
+        return {
+            "conformsTo": build_conformance(
+                api_version="1.3.0", 
+                stac_version="1.0.0"
+            )
+        }
 
     def _handle_post_result(self, request, context):
         """handler of `POST /result` (synchronous execute)"""
@@ -424,6 +433,20 @@ def get_status(job_id: str, current_status: str) -> str:
 
         self.job_status_updater = get_status
 
+def build_conformance(
+    *,
+    api_version: str = "1.0.0",
+    stac_version: str = "1.1.0",
+) -> list[str]:
+    conformance = [
+        "https://api.openeo.org/{api_version}",
+        "https://api.stacspec.org/v{stac_version}/core",
+        "https://api.stacspec.org/v{stac_version}/collections"
+    ]
+    if ComparableVersion(api_version) >= ComparableVersion("1.3.0"):
+        conformance.append(f"https://api.openeo.org/{api_version}/authentication/jwt")
+    return conformance
+
 
 def build_capabilities(
     *,
@@ -470,17 +493,23 @@ def build_capabilities(
         endpoints.extend(
             [
                 {"path": "/process_graphs", "methods": ["GET"]},
-                {"path": "/process_graphs/{process_graph_id", "methods": ["GET", "PUT", "DELETE"]},
+                {"path": "/process_graphs/{process_graph_id}", "methods": ["GET", "PUT", "DELETE"]},
             ]
         )
 
+    conformance = build_conformance(
+        api_version=api_version, 
+        stac_version=stac_version,
+    )
+
     capabilities = {
         "api_version": api_version,
         "stac_version": stac_version,
         "id": "dummy",
         "title": "Dummy openEO back-end",
         "description": "Dummy openeEO back-end",
         "endpoints": endpoints,
+        "conformsTo": conformance,
         "links": [],
     }
     return capabilities

openeo/rest/auth/auth.py

@@ -50,3 +50,4 @@ class OidcBearerAuth(BearerAuth):
 
     def __init__(self, provider_id: str, access_token: str):
         super().__init__(bearer="oidc/{p}/{t}".format(p=provider_id, t=access_token))
+

openeo/rest/capabilities.py

@@ -1,3 +1,4 @@
+import re
 from typing import Dict, List, Optional, Union
 
 from openeo.internal.jupyter import render_component
@@ -7,6 +8,8 @@
 
 __all__ = ["OpenEoCapabilities"]
 
+CONFORMANCE_JWT_BEARER = re.compile(r"https://api\.openeo\.org/[^/]+/authentication/jwt")
+
 
 class OpenEoCapabilities:
     """Container of the openEO capabilities document of an openEO backend."""
@@ -37,6 +40,13 @@ def api_version_check(self) -> ComparableVersion:
             raise ApiVersionException("No API version found")
         return ComparableVersion(api_version)
 
+    def has_conformance(self, uri: str) -> bool:
+        """Check if backend provides a given conformance string"""
+        for conformance_uri in self.capabilities.get("conformsTo", []):
+            if re.fullmatch(uri, conformance_uri):
+                return True
+        return False
+
     def supports_endpoint(self, path: str, method="GET") -> bool:
         """Check if backend supports given endpoint"""
         return any(

openeo/rest/connection.py

@@ -68,7 +68,7 @@
     OidcRefreshTokenAuthenticator,
     OidcResourceOwnerPasswordAuthenticator,
 )
-from openeo.rest.capabilities import OpenEoCapabilities
+from openeo.rest.capabilities import CONFORMANCE_JWT_BEARER, OpenEoCapabilities
 from openeo.rest.datacube import DataCube, InputDate
 from openeo.rest.graph_building import CollectionProperty
 from openeo.rest.job import BatchJob
@@ -277,8 +277,15 @@ def authenticate_basic(self, username: Optional[str] = None, password: Optional[
             # /credentials/basic is the only endpoint that expects a Basic HTTP auth
             auth=HTTPBasicAuth(username, password)
         ).json()
+
+        # check for JWT bearer token conformance
+        jwt_conformance = self.capabilities().has_conformance(CONFORMANCE_JWT_BEARER)
+
         # Switch to bearer based authentication in further requests.
-        self.auth = BasicBearerAuth(access_token=resp["access_token"])
+        if jwt_conformance:
+            self.auth = BearerAuth(bearer=resp["access_token"])
+        else:
+            self.auth = BasicBearerAuth(access_token=resp["access_token"])
         return self
 
     def _get_oidc_provider(
@@ -416,7 +423,12 @@ def _authenticate_oidc(
             )
 
         token = tokens.access_token
-        self.auth = OidcBearerAuth(provider_id=provider_id, access_token=token)
+        # check for JWT bearer token conformance
+        jwt_conformance = self.capabilities().has_conformance(CONFORMANCE_JWT_BEARER)
+        if jwt_conformance:
+            self.auth = BearerAuth(bearer=token)
+        else:
+            self.auth = OidcBearerAuth(provider_id=provider_id, access_token=token)
         self._oidc_auth_renewer = oidc_auth_renewer
         return self
 

tests/rest/conftest.py

@@ -19,6 +19,10 @@ def api_version(request):
     return request.param
 
 
+@pytest.fixture(params=["1.0.0", "1.3.0"])
+def api_version_authentication_tests(request):
+    return request.param
+
 class _Sleeper:
     def __init__(self):
         self.history = []
@@ -99,6 +103,12 @@ def con120(requests_mock, api_capabilities):
     con = Connection(API_URL)
     return con
 
+@pytest.fixture
+def con130(requests_mock, api_capabilities):
+    requests_mock.get(API_URL, json=build_capabilities(api_version="1.3.0", **api_capabilities))
+    con = Connection(API_URL)
+    return con
+
 
 @pytest.fixture
 def dummy_backend(requests_mock, con120) -> DummyBackend: