added authentication tutorial

This includes the AWS SigV4 example.

Author: Joe Reed

docs/tutorials.rst

@@ -47,3 +47,13 @@ Calculating Coverage Percentage of the AOI by an Item
 This tutorial demonstrates the use of pystac-client to calculate the
 percentage an Item's geometry that intesects with the area of interest
 (AOI) specified in the search by the `intersects` parameter.
+
+Authentication
+--------------
+
+- :tutorial:`GitHub version <authentication.ipynb>`
+- :ref:`Docs version </tutorials/authentication.ipynb>`
+
+This tutorial demontrates different ways the pystac-client can be
+used to access a private stac api, when protected with various
+authentication mechanisms.

docs/tutorials/authentication.ipynb

@@ -0,0 +1,141 @@
+{
+ "cells": [
+  {
+   "attachments": {},
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Authentication\n",
+    "\n",
+    "While not integrated into this library directly, pystac-client provides a series of hooks that support a wide variety of authentication mechanisms. These can be used when interacting with stac API implementations behind various authorization walls."
+   ]
+  },
+  {
+   "attachments": {},
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Basic auth\n",
+    "\n",
+    "Pystac-client supports HTTP basic authentication by simply exposing the ability to define headers to be used when sending requets.  Simply encode the token and provide the header."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import base64\n",
+    "import pystac_client\n",
+    "\n",
+    "# encode credentials\n",
+    "user_name = \"yellowbeard\"\n",
+    "password = \"yaarg\"\n",
+    "userpass = f\"{user_name}:{password}\"\n",
+    "b64_userpass = base64.b64encode(userpass.encode()).decode()\n",
+    "\n",
+    "# create the client\n",
+    "client = pystac_client.Client.open(\n",
+    "    url=\"https://planetarycomputer.microsoft.com/api/stac/v1\",\n",
+    "    headers={\n",
+    "        'Authorization': f\"Basic {b64_userpass}\"\n",
+    "    }\n",
+    ")"
+   ]
+  },
+  {
+   "attachments": {},
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Token auth\n",
+    "\n",
+    "Providing a authentication token can be accomplished using the same mechanism as described above for [basic auth](#basic-auth). Simply provide the token in the `Authorization` header to the client in the same manner."
+   ]
+  },
+  {
+   "attachments": {},
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## AWS SigV4\n",
+    "\n",
+    "Accessing a stac api protected by AWS IAM often requires signing the request using [AWS SigV4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). Unlike basic and token authentication, the entire request is part of the signing process. Thus the `Authorization` header cannot be added when the client is created, rather it must be generated and added after the request is fully formed.\n",
+    "\n",
+    "Pystac-client provides a lower-level hook, the `request_modifier` parameter, which can mutate the request, adding the necessary header after the request has been generated but before it is sent.\n",
+    "\n",
+    "The code cell below demonstrates this, using the `boto3` module."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import boto3\n",
+    "import botocore.auth\n",
+    "import botocore.awsrequest\n",
+    "import pystac_client\n",
+    "import requests\n",
+    "\n",
+    "# Details regarding the private stac api\n",
+    "region = \"us-east-1\"\n",
+    "service_name = \"execute-api\"\n",
+    "endpoint_id = \"xxxxxxxx\"\n",
+    "deployment_stage = \"dev\"\n",
+    "stac_api_url = f\"https://{endpoint_id}.{service_name}.{region}.amazonaws.com/{deployment_stage}\"\n",
+    "\n",
+    "# load AWS credentials\n",
+    "credentials = boto3.Session(region_name=region).get_credentials()\n",
+    "signer = botocore.auth.SigV4Auth(credentials, service_name, region)\n",
+    "\n",
+    "def sign_request(request: requests.Request) -> requests.Request:\n",
+    "    \"\"\"Sign the request using AWS SigV4.\n",
+    "\n",
+    "    Args:\n",
+    "        request (requests.Request): The fully populated request to sign.\n",
+    "\n",
+    "    Returns:\n",
+    "        requests.Request: The provided request object, with auth header added.\n",
+    "    \"\"\"\n",
+    "    aws_request = botocore.awsrequest.AWSRequest(\n",
+    "        method=request.method,\n",
+    "        url=request.url,\n",
+    "        params=request.params,\n",
+    "        data=request.data,\n",
+    "        headers=request.headers\n",
+    "    )\n",
+    "    signer.add_auth(aws_request)\n",
+    "    request.headers = aws_request.headers\n",
+    "    return request\n",
+    "\n",
+    "# create the client\n",
+    "client = pystac_client.Client.open(\n",
+    "    url=stac_api_url,\n",
+    "    request_modifier=sign_request\n",
+    ")"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3.11.0 ('pystac-client')",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "name": "python",
+   "version": "3.11.0"
+  },
+  "orig_nbformat": 4,
+  "vscode": {
+   "interpreter": {
+    "hash": "b62550f29e06d2208e428c097c27b298f772314506f572254f8375b095fcaf78"
+   }
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

requirements-docs.txt

@@ -10,4 +10,5 @@ hvplot~=0.8.2
 matplotlib~=3.6.2
 geojson~=2.5.0
 pygeoif~=1.0
-pydata-sphinx-theme~=0.12
+pydata-sphinx-theme~=0.12
+boto3~=1.26.23