|
| 1 | +# Authentication |
| 2 | + |
| 3 | +While not integrated into this library directly, pystac-client provides a series of hooks that support a wide variety of authentication mechanisms. These can be used when interacting with stac API implementations behind various authorization walls. |
| 4 | + |
| 5 | +## Basic auth |
| 6 | + |
| 7 | +Pystac-client supports HTTP basic authentication by simply exposing the ability to define headers to be used when sending requets. Simply encode the token and provide the header. |
| 8 | + |
| 9 | +```python |
| 10 | +import base64 |
| 11 | +import pystac_client |
| 12 | + |
| 13 | +# encode credentials |
| 14 | +user_name = "yellowbeard" |
| 15 | +password = "yaarg" |
| 16 | +userpass = f"{user_name}:{password}" |
| 17 | +b64_userpass = base64.b64encode(userpass.encode()).decode() |
| 18 | + |
| 19 | +# create the client |
| 20 | +client = pystac_client.Client.open( |
| 21 | + url="https://planetarycomputer.microsoft.com/api/stac/v1", |
| 22 | + headers={ |
| 23 | + 'Authorization': f"Basic {b64_userpass}" |
| 24 | + } |
| 25 | +) |
| 26 | +``` |
| 27 | + |
| 28 | +## Token auth |
| 29 | + |
| 30 | +Providing a authentication token can be accomplished using the same mechanism as described above for [basic auth](#basic-auth). Simply provide the token in the `Authorization` header to the client in the same manner. |
| 31 | + |
| 32 | +## AWS SigV4 |
| 33 | + |
| 34 | +Accessing a stac api protected by AWS IAM often requires signing the request using [AWS SigV4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). Unlike basic and token authentication, the entire request is part of the signing process. Thus the `Authorization` header cannot be added when the client is created, rather it must be generated and added after the request is fully formed. |
| 35 | + |
| 36 | +Pystac-client provides a lower-level hook, the `request_modifier` parameter, which can mutate the request, adding the necessary header after the request has been generated but before it is sent. |
| 37 | + |
| 38 | +The code cell below demonstrates this, using the `boto3` module. |
| 39 | + |
| 40 | +```python |
| 41 | +import boto3 |
| 42 | +import botocore.auth |
| 43 | +import botocore.awsrequest |
| 44 | +import pystac_client |
| 45 | +import requests |
| 46 | + |
| 47 | +# Details regarding the private stac api |
| 48 | +region = "us-east-1" |
| 49 | +service_name = "execute-api" |
| 50 | +endpoint_id = "xxxxxxxx" |
| 51 | +deployment_stage = "dev" |
| 52 | +stac_api_url = f"https://{endpoint_id}.{service_name}.{region}.amazonaws.com/{deployment_stage}" |
| 53 | + |
| 54 | +# load AWS credentials |
| 55 | +credentials = boto3.Session(region_name=region).get_credentials() |
| 56 | +signer = botocore.auth.SigV4Auth(credentials, service_name, region) |
| 57 | + |
| 58 | +def sign_request(request: requests.Request) -> requests.Request: |
| 59 | + """Sign the request using AWS SigV4. |
| 60 | +
|
| 61 | + Args: |
| 62 | + request (requests.Request): The fully populated request to sign. |
| 63 | +
|
| 64 | + Returns: |
| 65 | + requests.Request: The provided request object, with auth header added. |
| 66 | + """ |
| 67 | + aws_request = botocore.awsrequest.AWSRequest( |
| 68 | + method=request.method, |
| 69 | + url=request.url, |
| 70 | + params=request.params, |
| 71 | + data=request.data, |
| 72 | + headers=request.headers |
| 73 | + ) |
| 74 | + signer.add_auth(aws_request) |
| 75 | + request.headers = aws_request.headers |
| 76 | + return request |
| 77 | + |
| 78 | +# create the client |
| 79 | +client = pystac_client.Client.open( |
| 80 | + url=stac_api_url, |
| 81 | + request_modifier=sign_request |
| 82 | +) |
| 83 | +``` |
0 commit comments