Rework openEO OIDC client creation (#84)

* [openeo] Rework OIDC client creation * Update usages of create-client script for additional questions
EOEPCA · Feb 28, 2025 · d4a88fd · d4a88fd
1 parent 1741ac7
commit d4a88fd
Show file tree

Hide file tree

Showing 14 changed files with 4,601 additions and 63 deletions.
diff --git a/docs/building-blocks/application-hub.md b/docs/building-blocks/application-hub.md
@@ -133,17 +133,19 @@ When prompted:
 - **Keycloak base domain**: e.g. `auth.example.com`
 - **Realm**: Typically `eoepca`.
 
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: `application-hub`.
 - **Client name** and **description**: Provide any helpful text (e.g., `Application Hub Client`).
 - **Client secret**: Enter the Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `app-hub` for the OAPIP engine. 
 - **Additional Subdomains**: Leave blank.
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 
 ---
 
-3. **Deploy the Application Hub Using Helm**
+1. **Deploy the Application Hub Using Helm**
 
 Return to the `deployment-guide/scripts/app-hub` directory and deploy the Application Hub using Helm:
 

diff --git a/docs/building-blocks/application-quality.md b/docs/building-blocks/application-quality.md
@@ -129,11 +129,13 @@ When prompted:
 - **Keycloak base domain**: e.g. `auth.example.com`
 - **Realm**: Typically `eoepca`.
 
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: You should use the client ID you inputted in the configuration script (`application-quality`).
 - **Client name** and **description**: Provide any helpful text (e.g. Application Quality)
 - **Client secret**: Enter the Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `application-quality`.
 - **Additional Subdomains**: Leave blank.
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 

diff --git a/docs/building-blocks/iam/client-management.md b/docs/building-blocks/iam/client-management.md
@@ -42,9 +42,10 @@ ACCESS_TOKEN=$( \
     --data-urlencode "password=${KEYCLOAK_ADMIN_PASSWORD}" \
     -d "grant_type=password" \
     -d "client_id=admin-cli" \
-    "https://auth.<YOUR DOMAIN>/realms/master/protocol/openid-connect/token" \
+    "https://auth.${INGRESS_HOST}/realms/master/protocol/openid-connect/token" \
   | jq -r '.access_token' \
 )
+echo ${ACCESS_TOKEN}
 ```
 
 **Create a Client**:

diff --git a/docs/building-blocks/iam/main-iam.md b/docs/building-blocks/iam/main-iam.md
@@ -184,10 +184,13 @@ When prompted:
 - **Keycloak Admin Username and Password**: Enter the credentials of your Keycloak admin user<br>_See `~/.eoepca/state`_
 - **Keycloak base domain**: e.g. `auth.${INGRESS_HOST}`
 - **Realm**: Typically `eoepca`.
+
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: For OPA, you should use `opa`.
 - **Client name** and **description**: Provide any helpful text<br>_e.g. name=`OPA Client` and description=`Open Policy Agent`_
 - **Client secret**: Enter the OPA Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `opa` for Open Policy Agent. 
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 

diff --git a/docs/building-blocks/mlops.md b/docs/building-blocks/mlops.md
@@ -118,11 +118,13 @@ When prompted:
 - **Keycloak base domain**: e.g. `auth.example.com`
 - **Realm**: Typically `eoepca`.
 
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: You should use `gitlab`.
 - **Client name** and **description**: Provide any helpful text (e.g., `GitLab OIDC Client`).
 - **Client secret**: Enter the Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `gitlab`
 - **Additional Subdomains**: Leave empty.
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 

diff --git a/docs/building-blocks/oapip-engine.md b/docs/building-blocks/oapip-engine.md
@@ -123,11 +123,13 @@ When prompted:
 - **Keycloak base domain**: e.g. `auth.example.com`
 - **Realm**: Typically `eoepca`.
 
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: For the OAPIP engine, you should use `oapip-engine`.
 - **Client name** and **description**: Provide any helpful text (e.g. `OAPIP Engine Client`).
 - **Client secret**: Enter the OAPIP Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `zoo` for the OAPIP engine. 
 - **Additional Subdomains**: Leave blank.
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 

diff --git a/docs/building-blocks/openeo-engine.md b/docs/building-blocks/openeo-engine.md
@@ -105,6 +105,59 @@ Deploy ingress
 kubectl apply -f openeo-geotrellis/generated-ingress.yaml
 ```
 
+#### Step 4: Create a Keycloak Client
+
+The openEO API provides an endpoint for service discovery, which allows openEO clients to integrate with each openEO instance. This includes auth discovery that provides details of supported identity providers. For OIDC identity providers details of an OIDC client is provided through this discovery interface. This is assumed to be a public OIDC client for use with OIDC PKCE flows (Authorization/Device Code). This allows the openEO client to dynamically integrate with the authentication approach offered by the openEO instance - with the need to register their own OIDC client.
+
+Thus, we configure in our openEO deployment integration with an `EOEPCA` identity provider.<br>
+Ref. helm values...
+
+```python
+oidc_providers = [
+  OidcProvider(
+    id="eoepca",
+    title="EOEPCA",
+    issuer="${OIDC_ISSUER_URL}",
+    scopes=["openid", "profile", "email"],
+    default_clients=[
+      {
+        "id": "${OPENEO_CLIENT_ID}",
+        "grant_types": [
+          "authorization_code+pkce",
+          "urn:ietf:params:oauth:grant-type:device_code+pkce",
+          "refresh_token",
+        ],
+        "redirect_urls": ["https://openeo.$INGRESS_HOST","https://editor.openeo.org"],
+      }
+    ],
+  ),
+  #...
+]
+```
+
+To support this configuration, we need to create the `openeo-public` client in Keycloak, using the `create-client.sh` script.<br>
+This script prompts you for basic details and automatically creates a Keycloak client in your chosen realm:
+
+```bash
+bash ../../utils/create-client.sh
+```
+
+When prompted:
+
+- **Keycloak Admin Username and Password**: Enter the credentials of your Keycloak admin user (these are also in `~/.eoepca/state` if you have them set).
+- **Keycloak base domain**: e.g. `auth.example.com`
+- **Realm**: Typically `eoepca`.
+- **Confidential Client?**: specify `false` to create a PUBLIC client
+- **Client ID**: Use `openeo-public` or what you named the client in the configuration script (check `~/.eoepca/state`).
+- **Client name** and **description**: Provide any helpful text (e.g., "OpenEO Public Client").
+- **Subdomain**: Use `openeo`.
+- **Additional Subdomains**: Leave blank.
+- **Additional Hosts**: Add `editor.openeo.org` to allow integration with the openEO Web Editor
+
+After it completes, you should see a JSON snippet confirming the newly created client. 
+
+Look through the JSON and make a note of the **`secret`** value. This is the **Client Secret** and you will need this to obtain an access token. You can always retrieve this value from the Keycloak UI later if needed.
+
 ---
 
 ## Validation
@@ -163,71 +216,32 @@ _Expected output:_ A JSON object with an array of processes. Use your terminal
 
 Before running any jobs, you must obtain an access token from your OIDC Provider. Use the following command to get an access token if you followed our [IAM Deployment Guide](./iam/main-iam.md).
 
-#### Create a Keycloak Client
-
-Use the `create-client.sh` script in the `/scripts/utils/` directory. This script prompts you for basic details and automatically creates a Keycloak client in your chosen realm:
-
-```bash
-bash ../../utils/create-client.sh
-```
-
-When prompted:
-
-- **Keycloak Admin Username and Password**: Enter the credentials of your Keycloak admin user (these are also in `~/.eoepca/state` if you have them set).
-- **Keycloak base domain**: e.g. `auth.example.com`
-- **Realm**: Typically `eoepca`.
-- **Client ID**: Use `openeo-client` or what you named the client in the configuration script (check `~/.eoepca/state`).
-- **Client name** and **description**: Provide any helpful text (e.g., "OpenEO Client").
-- **Client secret**: Leave blank and let Keycloak generate one.
-- **Subdomain**: Use `openeo`.
-- **Additional Subdomains**: Leave blank.
-
-After it completes, you should see a JSON snippet confirming the newly created client. 
-
-Look through the JSON and make a note of the **`secret`** value. This is the **Client Secret** and you will need this to obtain an access token. You can always retrieve this value from the Keycloak UI later if needed.
-
-#### Create a Keycloak User
-
-If you have not already created a user, you can do so using the helper scripts or through the Keycloak UI. To create a user using the helper script, run
-
-```bash
-bash ../../utils/create-user.sh
-```
+#### Get an Accces Token
 
+This assumes use of the previously created `KEYCLOAK_TEST_USER` (default `eoepcauser`).<br>
+If needed, run the `create-user.sh` script to create a test user - `bash ../../utils/create-user.sh`.
 
-#### Get an Accces Token
+Request the access token.
 
 ```bash
 source ~/.eoepca/state
-
-export OPENEO_USERNAME='' # The username of the user you created
-export OPENEO_PASSWORD='' # The password of the user you created
-export OPENEO_CLIENT_SECRET='' # You can retrieve this from the Keycloak UI, or from the JSON output of the create-client.sh script
-
 ACCESS_TOKEN=$(
-    curl --silent --show-error \
-         -X POST \
-         -d "username=${OPENEO_USERNAME}" \
-         --data-urlencode "password=${OPENEO_PASSWORD}" \
-         -d "grant_type=password" \
-         -d "client_id=${OPENEO_CLIENT_ID}" \
-         -d "client_secret=${OPENEO_CLIENT_SECRET}" \
-         -d "scope=openid profile email" \
-         "https://${KEYCLOAK_HOST}/realms/${REALM}/protocol/openid-connect/token" |
-         jq -r '.access_token'
+  curl --silent --show-error \
+    -X POST \
+    -d "username=${KEYCLOAK_TEST_USER}" \
+    --data-urlencode "password=${KEYCLOAK_TEST_PASSWORD}" \
+    -d "grant_type=password" \
+    -d "client_id=${OPENEO_CLIENT_ID}" \
+    -d "client_secret=${OPENEO_CLIENT_SECRET}" \
+    -d "scope=openid profile email" \
+    "https://${KEYCLOAK_HOST}/realms/${REALM}/protocol/openid-connect/token" |
+    jq -r '.access_token'
 )
-
 echo "Access token: ${ACCESS_TOKEN}"
 
 AUTH_TOKEN="oidc/eoepca/${ACCESS_TOKEN}"
 ```
 
-Make sure that you replace the following values:
-
-- <YOUR-USERNAME> with your username
-- <YOUR-PASSWORD> with your password
-- <CLIENT-SECRET> with your client secret
-
 If the Access Token is empty, please make sure that the Keycloak client and user are correctly set up.
 
 We need to format the token as `oidc/eoepca/${ACCESS_TOKEN}` to comply with the `oidc_providers` variable seen in the Helm values.

diff --git a/docs/building-blocks/workspace.md b/docs/building-blocks/workspace.md
@@ -195,11 +195,13 @@ When prompted:
 - **Keycloak base domain**: e.g. `auth.example.com`
 - **Realm**: Typically `eoepca`.
 
+- **Confidential Client?**: specify `true` to create a CONFIDENTIAL client
 - **Client ID**: You should use `workspace` or what you set in the configuration script.
 - **Client name** and **description**: Provide any helpful text (e.g., `Workspace Client`).
 - **Client secret**: Enter the Workspace Client Secret that was generated during the configuration script (check `~/.eoepca/state`).
 - **Subdomain**: Use `workspace-api`.
 - **Additional Subdomains**: Use `workspace-swagger,workspace-ui,workspace-admin`.
+- **Additional Hosts**: Leave blank.
 
 After it completes, you should see a JSON snippet confirming the newly created client.
 

diff --git a/scripts/iam/keycloak/ingress-template.yaml b/scripts/iam/keycloak/ingress-template.yaml
@@ -14,6 +14,10 @@ spec:
           - auth.$INGRESS_HOST
         paths:
           - /*
+      plugins:
+        # Allow CORS access
+        - name: cors
+          enable: true
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

diff --git a/scripts/processing/openeo/configure-openeo.sh b/scripts/processing/openeo/configure-openeo.sh
@@ -15,7 +15,7 @@ if [ -z "$OIDC_ISSUER_URL" ]; then
     check_oidc_provider_accessible
 fi
 
-ask "OPENEO_CLIENT_ID" "As we need to set the Client ID in the Helm values, please provider what you'd like the Client ID to be. We advise you to use the default provided." "openeo-client"
+ask "OPENEO_CLIENT_ID" "Enter the Client ID (Keycloak OIDC public client) that will be created for openEO clients" "openeo-public"
 
 envsubst <"openeo-geotrellis/values-template.yaml" >"openeo-geotrellis/generated-values.yaml"
 envsubst <"sparkoperator/values-template.yaml" >"sparkoperator/generated-values.yaml"

diff --git a/scripts/processing/openeo/openeo-geotrellis/ingress-template.yaml b/scripts/processing/openeo/openeo-geotrellis/ingress-template.yaml
@@ -6,7 +6,8 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: apisix
     ${CLUSTER_ISSUER_ANNOTATION}
-    apisix.ingress.kubernetes.io/use-regex: "true"
+    k8s.apisix.apache.org/enable-cors: "true"
+    k8s.apisix.apache.org/http-to-https: "true"
 spec:
   ingressClassName: apisix
   rules:

diff --git a/scripts/processing/openeo/openeo-geotrellis/values-template.yaml b/scripts/processing/openeo/openeo-geotrellis/values-template.yaml
@@ -31,16 +31,49 @@ configMaps:
             id="eoepca",
             title="EOEPCA",
             issuer="${OIDC_ISSUER_URL}",
+            scopes=["openid", "profile", "email"],
             default_clients=[
                 {
                     "id": "${OPENEO_CLIENT_ID}",
                     "grant_types": [
-                        "password",
                         "authorization_code+pkce",
                         "urn:ietf:params:oauth:grant-type:device_code+pkce",
                         "refresh_token",
                     ],
-                    "redirect_urls": ["https://openeo.$INGRESS_HOST"],
+                    "redirect_urls": ["https://openeo.$INGRESS_HOST","https://editor.openeo.org"],
+                }
+            ],
+        ),
+        OidcProvider(
+            id="egi",
+            title="EGI Check-in",
+            issuer="https://aai.egi.eu/auth/realms/egi/",
+            scopes=["openid", "email"],
+            default_clients=[
+                {
+                    "id": "vito-default-client",
+                    "grant_types": [
+                        "authorization_code+pkce",
+                        "urn:ietf:params:oauth:grant-type:device_code+pkce",
+                        "refresh_token",
+                    ],
+                    "redirect_urls": ["https://editor.openeo.org"],
+                }
+            ],
+        ),
+        OidcProvider(
+            id="egi-dev",
+            title="EGI Check-in (dev)",
+            issuer="https://aai-dev.egi.eu/auth/realms/egi/",
+            default_clients=[
+                {
+                    "id": "openeo-eoepca-demo",
+                    "grant_types": [
+                        "authorization_code+pkce",
+                        "urn:ietf:params:oauth:grant-type:device_code+pkce",
+                        "refresh_token",
+                    ],
+                    "redirect_urls": ["https://editor.openeo.org"],
                 }
             ],
         ),