using oauth for token generation

[cehbrecht]

No description provided.

[cehbrecht]

use the ESGF OAuth service.

[tomLandry]

Label PAVICS please.

[cehbrecht]

OAuth can be used together with JWT tokens. JWT tokens may contain additional information. ESGF may use this combination in the implementation of their ESGF-SLCS-service.

[cehbrecht]

Python libraries for OAuth.

Client:

• https://github.com/requests/requests-oauthlib

Provider:

• https://github.com/oauthlib/oauthlib

[cehbrecht]

An initial implementation using pyramid-oauthlib is available on the dev-oauth branch.

The implementation is using a client-credentials workflow to get an access token:
https://oauthlib.readthedocs.io/en/latest/oauth2/grants/credentials.html

Tokens are just simple strings with uuid:
https://oauthlib.readthedocs.io/en/latest/oauth2/tokens/tokens.html

The XMLRPC interface for service registration has been replaced by a Swagger/OpenAPI Rest interface protected by OAuth tokens using Cornice.

The resource access to OWS services (WPS, WMS, ...) is protected by OAuth tokens.

See the Jupyter notebook examples for usage.

See also OAuth overview talk.

[cehbrecht]

@fmigneault Just be warned :) I won't merge to master before this is kind of stable and accepted. The adapter code needs to be tuned.

[fmigneault]

@cehbrecht
👍 for Cornice, I like this approach.

What do you mean specifically about the access of OWS services with the token?
For instance, if I call https://<host>/twitcher/ows/proxy/<service-name>, I would need a token?
If so, will it be possible to have this token requirement disabled by config, as this is handled by Magpie (with it's own token/cookies) in PAVICS ?

[cehbrecht]

@fmigneault currently the WPS execute request can be blocked by an access token. But you can register a WPS as "public" and access is not restricted. The "access" is checked by twitcher ... it would just call an oauth verify_request method when configured.

[fmigneault]

@cehbrecht
Can you point me to where this verification is/would-be accomplished?
If the adapter interface is used along the way, maybe this won't cause any issue on Magpie side.
In fact, I think no actual Twitcher service gets created in our case since services are fetched from Magpie's db.

[cehbrecht]

@fmigneault currently the "access" check is done here:

twitcher/twitcher/owsproxy.py

Line 167 in 943b568

def verify_request(request, service):

[fmigneault]

Looking at the process execution chain, to keep things working, I will need to add public=True here:
https://github.com/Ouranosinc/Magpie/blob/63a7e2c39acfc85244e5f84ecb1622e9092a3fc1/magpie/adapter/magpieservice.py#L55-L57

I see however another issue, related to this call:

twitcher/twitcher/owsproxy.py

Line 169 in 943b568

if ows_request.service_allowed() is False:

Since Magpie defines other service and request types, the configs here are problematic.

twitcher/twitcher/owsrequest.py

Lines 16 to 26 in 943b568

	allowed_service_types = ('wps', 'wms')
	allowed_request_types = {'wps': ('getcapabilities', 'describeprocess', 'execute'),
	'wms': ('getcapabilities',
	'getmap',
	'getfeatureinfo',
	'getlegendgraphic',
	# ncwms extras,
	'getmetadata')}
	public_request_types = {'wps': ('getcapabilities', 'describeprocess'),
	'wms': ('getcapabilities', )}
	allowed_versions = {'wps': ('1.0.0',), 'wms': ('1.1.1', '1.3.0',)}

One workaround could be to have these config variables defined in a separate file, which can be overridden in Dockerfile, similarly to how it's done with celeryconfig.py.
Another way would be to have a ows_request_factory defined in the adapter, which by default returns OWSRequest, but Magpie's adaptation would provide it's variant that always returns true when calling OWSRequest.service_allowed().

[cehbrecht]

fixed in PR #86