refactor: moved config of auth method to backend config

JanssenBrm · JanssenBrm · commit 1fde89cf0a0e · 2025-10-22T09:49:56.000+02:00
diff --git a/app/config/openeo/settings.py b/app/config/openeo/settings.py
@@ -3,12 +3,13 @@
 from pydantic import BaseModel
 
 
+class OpenEOAuthMethod(str, Enum):
+    CLIENT_CREDENTIALS = "CLIENT_CREDENTIALS"
+    USER_CREDENTIALS = "USER_CREDENTIALS"
+
+
 class OpenEOBackendConfig(BaseModel):
+    auth_method: OpenEOAuthMethod = OpenEOAuthMethod.USER_CREDENTIALS
     client_credentials: Optional[str] = None
     token_provider: Optional[str] = None
     token_prefix: Optional[str] = None
-
-
-class OpenEOAuthMethod(str, Enum):
-    CLIENT_CREDENTIALS = "CLIENT_CREDENTIALS"
-    USER_CREDENTIALS = "USER_CREDENTIALS"
diff --git a/app/config/settings.py b/app/config/settings.py
@@ -41,11 +41,6 @@ class Settings(BaseSettings):
     )
 
     # openEO Settings
-    openeo_auth_method: OpenEOAuthMethod = Field(
-        default=OpenEOAuthMethod.USER_CREDENTIALS,
-        json_schema_extra={"env": "OPENEO_AUTH_METHOD"},
-    )
-
     openeo_backends: str | None = Field(
         default="", json_schema_extra={"env": "OPENEO_BACKENDS"}
     )
@@ -60,21 +55,21 @@ def load_openeo_backends_from_env(self):
         required_fields = []
         if self.openeo_backends:
 
-            if self.openeo_auth_method == OpenEOAuthMethod.CLIENT_CREDENTIALS:
-                required_fields = ["client_credentials"]
-            elif self.openeo_auth_method == OpenEOAuthMethod.USER_CREDENTIALS:
-                required_fields = ["token_provider"]
-
             try:
                 raw = json.loads(self.openeo_backends)
                 for host, cfg in raw.items():
                     backend = OpenEOBackendConfig(**cfg)
 
+                    if backend.auth_method == OpenEOAuthMethod.CLIENT_CREDENTIALS:
+                        required_fields = ["client_credentials"]
+                    elif backend.auth_method == OpenEOAuthMethod.USER_CREDENTIALS:
+                        required_fields = ["token_provider"]
+
                     for field in required_fields:
                         if not getattr(backend, field, None):
                             raise ValueError(
                                 f"Backend '{host}' must define '{field}' when "
-                                f"OPENEO_AUTH_METHOD={self.openeo_auth_method}"
+                                f"OPENEO_AUTH_METHOD={backend.auth_method}"
                             )
                     self.openeo_backend_config[host] = OpenEOBackendConfig(**cfg)
             except Exception:
diff --git a/app/platforms/implementations/openeo.py b/app/platforms/implementations/openeo.py
@@ -88,11 +88,17 @@ async def _authenticate_user(
         if url not in settings.openeo_backend_config:
             raise ValueError(f"No OpenEO backend configuration found for URL: {url}")
 
-        if settings.openeo_auth_method == OpenEOAuthMethod.USER_CREDENTIALS:
+        if (
+            settings.openeo_backend_config[url].auth_method
+            == OpenEOAuthMethod.USER_CREDENTIALS
+        ):
             logger.debug("Using user credentials for OpenEO connection authentication")
             bearer_token = await self._get_bearer_token(user_token, url)
             connection.authenticate_bearer_token(bearer_token=bearer_token)
-        elif settings.openeo_auth_method == OpenEOAuthMethod.CLIENT_CREDENTIALS:
+        elif (
+            settings.openeo_backend_config[url].auth_method
+            == OpenEOAuthMethod.CLIENT_CREDENTIALS
+        ):
             logger.debug(
                 "Using client credentials for OpenEO connection authentication"
             )
@@ -105,7 +111,8 @@ async def _authenticate_user(
             )
         else:
             raise ValueError(
-                f"Unsupported OpenEO authentication method: {settings.openeo_auth_method}"
+                "Unsupported OpenEO authentication method: "
+                f"{settings.openeo_backend_config[url].auth_method}"
             )
 
         return connection
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -28,15 +28,20 @@ Here is an example of how to structure this configuration:
 ```json
 {
   "https://openeo.backend1.com": {
+    "auth_method": "CLIENT_CREDENTIALS",
     "client_credentials": "oidc_provider/client_id/secret_secret",
+  },
+ "https://openeo.backend2.com": {
+    "auth_method": "USER_CREDENTIALS",
     "token_provider": "backend",
     "token_prefix": "oidc/backend"
-  },
+  }, 
   ...
 }
 ```
 Each backend configuration can include the following fields:
 
+- `auth_method`: The authentication method to use for the openEO backend. This value can either be `USER_CREDENTIALS` or `CLIENT_CREDENTIALS`. The default value is set to `USER_CREDENTIALS`.
 - `client_credentials`: The client credentials for authenticating with the openEO backend. This is required if the `OPENEO_AUTH_METHOD` is set to `CLIENT_CREDENTIALS`. It is a single string in the format `oidc_provider/client_id/client_secret` that should be split into its components when used.
 - `token_provider`: The provider refers to the OIDC IDP alias that needs to be used to exchange the incoming token to an external token. This is required if the `OPENEO_AUTH_METHOD` is set to `USER_CREDENTIALS`. For example, if you have a Keycloak setup with an IDP alias `openeo-idp`, you would set this field to `openeo-idp`. This means that when a user authenticates with their token, the Dispatcher will use the `openeo-idp` to exchange the user's token for a token that is valid for the openEO backend.
 - `token_prefix`: An optional prefix to be added to the token when authenticating (e.g., "CDSE"). The prefix is required by some backends to identify the token type. This will be prepended to the exchanged token when authenticating with the openEO backend.
@@ -64,5 +69,5 @@ KEYCLOAK_CLIENT_SECRET=apex-client-secret
 
 # openEO Settings
 OPENEO_AUTH_METHOD=USER_CREDENTIALS
-OPENEO_BACKENDS='{"https://openeo.backend1.com" {"client_credentials": "oidc_provider/client_id/secret_secret", "token_provider": "backend", "token_prefix": "oidc/backend"}}'
+OPENEO_BACKENDS='{"https://openeo.backend1.com" {"auth_method": "CLIENT_CREDENTIALS", "client_credentials": "oidc_provider/client_id/secret_secret"}, "https://openeo.backend2.com" {"auth_method": "USER_CREDENTIALS",  "token_provider": "backend", "token_prefix": "oidc/backend"}}'
 ```
diff --git a/docs/getting_started.md b/docs/getting_started.md
@@ -49,7 +49,7 @@ docker run -d --name postgres -p 5432:5432 \
 
 ### Configure the environment
 
-Create a `.env` file in the root directory of the project and set the necessary environment variables as described in the [Environment Configuration](environment.md) documentation.
+Create a `.env` file in the root directory of the project and set the necessary environment variables as described in the [Environment Configuration](configuration.md) documentation.
 
 ### Apply Database Migrations
 Ensure your database schema is up-to-date by running:
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -9,6 +9,7 @@ theme:
 nav:
   - Home: index.md
   - Getting Started: getting_started.md
+  - Configuration: configuration.md
   - Contributing: contributing.md
   - Architecture: architecture.md
 
diff --git a/tests/platforms/test_openeo_platform.py b/tests/platforms/test_openeo_platform.py
@@ -240,8 +240,10 @@ def test_connection_expired_no_bearer(platform):
     new_callable=AsyncMock,
 )
 async def test_authenticate_user_with_user_credentials(mock_exchange, platform):
+    url = "https://openeo.vito.be"
+
     # enable user credentials path
-    settings.openeo_auth_method = OpenEOAuthMethod.USER_CREDENTIALS
+    settings.openeo_backend_config[url].auth_method = OpenEOAuthMethod.USER_CREDENTIALS
 
     # set up a fake connection with the expected method
     conn = MagicMock()
@@ -251,7 +253,6 @@ async def test_authenticate_user_with_user_credentials(mock_exchange, platform):
     mock_exchange.return_value = {"access_token": "exchanged-token"}
 
     # choose a url that maps via BACKEND_PROVIDER_ID_MAP (hostname only)
-    url = "https://openeo.vito.be"
     returned = await platform._authenticate_user("user-token", url, conn)
 
     # assertions
@@ -272,15 +273,17 @@ async def test_authenticate_user_with_user_credentials(mock_exchange, platform):
 async def test_authenticate_user_with_client_credentials(
     mock_exchange, monkeypatch, platform
 ):
+    url = "https://openeo.vito.be"
     # disable user credentials path -> use client credentials
-    settings.openeo_auth_method = OpenEOAuthMethod.CLIENT_CREDENTIALS
+    settings.openeo_backend_config[url].auth_method = (
+        OpenEOAuthMethod.CLIENT_CREDENTIALS
+    )
 
     # prepare fake connection and spy method
     conn = MagicMock()
     conn.authenticate_oidc_client_credentials = MagicMock()
 
     # ensure the exchange mock exists but is not awaited
-    url = "https://openeo.vito.be"
     returned = await platform._authenticate_user("user-token", url, conn)
 
     # client creds path should be used
