Releases: NASA-IMPACT/veda-backend

v14.0.0-rc.11

11 Feb 18:36
1c659ad

v14.0.0-rc.11 Pre-release

v14.0.0-rc.11 (2026-02-11)

Bug Fixes

  • Add auth unit tests to pr.yml (e80c79f)

  • Add resource extractor for post collections via transactions endpoint, update readme and tests (36772bf)

  • Refactor extract_stac_resource_id (9bbb583)

  • Remove properties extraction, remove test (1e2d0c2)

  • Update based on feedback, use template strings, update to throw error (5547d91)

Features

  • Add ingest extraction function and tests (8151265)

  • Create resource extractors for permission ticket building (39d3f1d)

  • Create resource extractors for RPT (requesting party token) (#566, 1c659ad)

Issue

#556

What?/Why?

This PR adds resource extractor functions that parse HTTP requests to extract resource ids and scopes that are needed for Keycloak's RPT endpoint.

In order to create a permission ticket or request an RPT from Keycloak, we need:

  • resource id (needs to follow convention defined in our Keycloak config)
  • scope (action being performed)

Additional context, from https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Example of an authorization request when a client is seeking access to two resources protected by a resource server.

```
curl -X POST \
  http://${host}:${port}/realms/${realm-name}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "permission=Resource A#Scope A" \
  --data "permission=Resource B#Scope B"
```

Testing?

  • Unit tests - I will add integration tests when we create the actual policy enforcement point middleware that will use these functions

You can also test this yourself trying different permission permutations. A successful request looks like:

```
curl -X POST \
  https://[HOST]/realms/veda/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
  -d 'audience=uma-resource-server' \
  -d 'client_id=uma-resource-server' \
  -d 'client_secret=[redacted]' \
  -d 'permission=stac:collection:faketenant1:*#create' \
  -H "Authorization: Bearer TOKEN"
{"upgraded":false,"access_token":"redacted","token_type":"Bearer","not-before-policy":0}%
```

And one where you are not authorized because you either aren't in a Tenancy group or don't have sufficient permissions (determined by your role) in a tenancy, will yield

```
{"error":"access_denied","error_description":"not_authorized"}%
```


Detailed Changes: v14.0.0-rc.10...v14.0.0-rc.11
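
The extraction step described in the v14.0.0-rc.11 notes, as an added example that is not the project's own code: it maps a request to a `resource#scope` permission in the shape of the `stac:collection:faketenant1:*#create` string shown above and builds the UMA token request body. The route pattern, the method-to-scope mapping, the id character set and all function names are assumptions.

```python
import re
from urllib.parse import urlencode

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Assumed method-to-scope mapping; the release notes name create and update.
METHOD_SCOPES = {"POST": "create", "PUT": "update", "PATCH": "update"}
# Assumed route shape for collection writes on the transactions endpoint.
COLLECTION_ROUTE = re.compile(r"/collections(?:/(?P<collection_id>[^/]+))?/?")
# Assumed id character set: rejects ':', '#' and '*' so a tenant or collection
# id cannot alter the resource or scope part of the permission string.
SAFE_ID = re.compile(r"[A-Za-z0-9_.-]+")


class ExtractionError(ValueError):
    """The request does not map to exactly one resource and scope."""


def extract_permission(method: str, path: str, tenant: str) -> str:
    """Return 'stac:collection:<tenant>:<collection or *>#<scope>'."""
    scope = METHOD_SCOPES.get(method.upper())
    if scope is None:
        raise ExtractionError(f"no scope mapped for method {method!r}")
    route = COLLECTION_ROUTE.fullmatch(path)
    if route is None:
        raise ExtractionError(f"no resource mapped for path {path!r}")
    collection_id = route.group("collection_id")
    # Creating targets the tenant wildcard; updating targets one collection.
    if (scope == "create") != (collection_id is None):
        raise ExtractionError(f"{method} is not valid for path {path!r}")
    for value in (tenant, collection_id):
        if value is not None and SAFE_ID.fullmatch(value) is None:
            raise ExtractionError(f"unsafe identifier {value!r}")
    return f"stac:collection:{tenant}:{collection_id or '*'}#{scope}"


def build_rpt_request(audience: str, permissions: list) -> str:
    """Form-encode the token request; 'permission' repeats once per resource."""
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    fields += [("permission", p) for p in permissions]
    return urlencode(fields)
```

Raising on anything unmapped keeps the enforcement point failing closed: a request that cannot be turned into exactly one permission never reaches Keycloak with a guessed resource.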

v14.0.0-rc.10

23 Jan 18:16
1e8b19f

v14.0.0-rc.10 Pre-release

v14.0.0-rc.10 (2026-01-23)

Bug Fixes

  • Add debugging to pr.yml test step (8ebd647)

  • Add debugging to stac api step (b8bb796)

  • Add error handling for getting keycloak secret (de22e08)

  • Attempt to make less complex (c265ec4)

  • Final docs updates (e014cf4)

  • Grant permission to get keycloak secret (a8df729)

  • Make function less complex (03f49a5)

  • Modify output based on feedback (a46fd48)

  • Remove fallback (1539f6f)

  • Revert debugging in pr.yml (a9a1c82)

  • Revert docker veda.stac logging and install veda_auth for ingest api step (0db0c7d)

  • Try waiting for oidc to be ready (3968802)

  • Update credential variables to retrieve (0dddbbc)

  • Update default resource server secret name and simplify try catch based on feedback (78600b7)

  • Update keycloak client credentials function to use secret name instead of arn (c72d104)

  • Update lambda to grant read access to keycloak secret (29e7f4b)

  • Update to retrieve keycloak client creds from secret (fb355cd)

  • Update to use kms key, add to example.env (8d6f610)

  • Update to use secret name instead of arn (7a7c71c)

Features

  • Add list tenants with create/update scopes endpoint (860f666)

  • Add list tenants with create/update scopes endpoint (#555, 1e8b19f)

Issue

#521

What?/ Why?

Keycloak Client & Tenant Access Endpoint

  • KeycloakPDPClient which contains functions:
      • get_rpt to request the requesting party token from keycloak
      • check_permission which checks to see if a user has a permission granted for a resource and scope
      • get_tenants_with_create_update_access which gets a list of tenants the user has create and update access to
  • base64 padding helper function (this is needed because the decode function requires proper padding or it will raise an error)
  • JWT permission extraction functions
  • /auth/tenants/writeable endpoint added to Ingest API
  • Ingest API config updated to include resource server client ID and secret env vars

Testing?

  • Updated SIT envs to have VEDA_KEYCLOAK_UMA_RESOURCE_SERVER_CLIENT_SECRET_NAME and VEDA_KEYCLOAK_SECRET_KMS_KEY_ARN
  • Deployed to sit https://sit.openveda.cloud/api/ingest/docs#/Auth/get_writable_tenant_access_auth_tenants_writable_get


Detailed Changes: v14.0.0-rc.9...v14.0.0-rc.10
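
The token handling listed in the v14.0.0-rc.10 notes above (base64 padding helper, JWT permission extraction, permission check, writable-tenant list), as an added example that is not the project's own code. It assumes Keycloak's `authorization.permissions` RPT claim layout and the `stac:collection:<tenant>:*` resource naming seen in the v14.0.0-rc.11 notes; the helper names other than `check_permission` and the sample token are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt: str) -> list:
    """Return the permissions in the RPT's 'authorization' claim."""
    # No signature check here: sound only for a token this service just got
    # from Keycloak's token endpoint over TLS, never for one a caller supplies.
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("RPT is not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return claims.get("authorization", {}).get("permissions", [])


def check_permission(rpt: str, resource: str, scope: str) -> bool:
    return any(p.get("rsname") == resource and scope in p.get("scopes", [])
               for p in rpt_permissions(rpt))


def tenants_with_create_update_access(rpt: str) -> list:
    """Tenants whose 'stac:collection:<tenant>:*' grant has both scopes."""
    tenants = []
    for p in rpt_permissions(rpt):
        parts = p.get("rsname", "").split(":")
        wildcard = len(parts) == 4 and (parts[0], parts[1], parts[3]) == ("stac", "collection", "*")
        if wildcard and {"create", "update"} <= set(p.get("scopes", [])):
            tenants.append(parts[2])
    return sorted(set(tenants))


def constructed_rpt(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real RPT)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.constructed"


SAMPLE_RPT = constructed_rpt({"authorization": {"permissions": [
    {"rsname": "stac:collection:faketenant1:*", "scopes": ["create", "update"]},
    {"rsname": "stac:collection:faketenant2:*", "scopes": ["create"]},
]}})
```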

v14.0.0-rc.9

14 Jan 20:29
5ccb436

v14.0.0-rc.9 Pre-release

v14.0.0-rc.9 (2026-01-14)

Bug Fixes

Chores

  • Upgrade stac-auth-proxy to v0.11.1 (82eae61)

  • Upgrade stac-auth-proxy to v0.11.1 (#565, 5ccb436)

What?

This upgrades stac auth proxy to a version that contains enhanced type safety developmentseed/stac-auth-proxy#125

Why?

When we were testing migrating EIC staging data, we had a couple collections that failed to migrate due to invalid fields NASA-IMPACT/veda-architecture#688


Detailed Changes: v14.0.0-rc.8...v14.0.0-rc.9

v14.0.0-rc.8

13 Jan 22:55
fef8608

v14.0.0-rc.8 Pre-release

v14.0.0-rc.8 (2026-01-13)

Bug Fixes

  • Update docs to mention migration (9a62cd5)

Features

  • Add multi-tenancy documentation (960f534)

  • stac-api: Multi-tenancy and migration documentation (#564, fef8608)

Issue

#544

What?

Documentation for enabling multi-tenancy and migrating data


Detailed Changes: v14.0.0-rc.7...v14.0.0-rc.8

v14.0.0-rc.7

09 Jan 17:03

v14.0.0-rc.7 Pre-release

v14.0.0-rc.7 (2026-01-09)

Bug Fixes

  • Upgrade stac-fastapi to v6.1.5 (564e154)

Detailed Changes: v14.0.0-rc.6...v14.0.0-rc.7

v14.0.0-rc.6

27 Oct 16:44
dbd0592

v14.0.0-rc.6 Pre-release

v14.0.0-rc.6 (2025-10-27)

Bug Fixes

Refactoring

Issue

#539

  • Updates tenant field to be eic:tenant
  • Makes tenant field name configurable through env vars

Detailed Changes: v14.0.0-rc.5...v14.0.0-rc.6

v14.0.0-rc.5

21 Oct 22:11
e9f1c7e

v14.0.0-rc.5 Pre-release

v14.0.0-rc.5 (2025-10-21)

Bug Fixes

  • Account for additional path with no trailing slash (b5b5db5)

  • Add allowed_jwt_audiences to configure_app (feae63f)

  • Add asyncio and update mocking oidc (aefb3c2)

  • Add back custom host default setting (c068969)

  • Add back dashboard check for link injection (1a8ca6b)

  • Add compression middleware when stac-auth-proxy is not enabled (9adf8b5)

  • Add feature flag (ef8cae2)

  • Add feature flag fixes, add prefix redirect middleware, fix tenant extraction middleware (8413fd3)

  • Add health check back for integration tests (e1b771e)

  • Add prefix redirect middleware (#536, 6d69617)

#535

  • I added the necessary and missing changes required for the feature flag

  • The PrefixRedirectMiddleware is added to preserve our root path and correctly redirect us

  • I also updated the TenantExtractionMiddleware to handle trailing slashes but I'd love a closer look at this change

  • Add protocol to custom host if missing (e68a80a)

  • Add root path to test endpoints (7d2d7d0)

  • Add root path to test environment (a149efb)

  • Break up middleware, rm cql2 filtering (19367fa)

  • Check for root_path before extracting or removing tenant (b415fd3)

  • Cleanup after test (00117e5)

  • Consider root_path when determining if link should be transformed (aa0af07)

refactor: eliminate need to pass in root_path into middleware (root path is available on request)

  • Disable compression on stac-auth-proxy (4944a2a)

  • Lint error (6a5556a)

  • Lint errors (a7aff1d)

  • Only add tenant to local links (e.g. ignore links to tiler) (6c516c4)

  • Refactor and update to account for trailing slashes (9436f25)

  • Remove endpoint, not needed (9b8c0fc)

  • Remove print statement (5873f48)

  • Remove redundant swagger ui settings (994547f)

  • Remove unused import (d67bc00)

  • Remove unused TENANT_ITEM_LINK_TEMPLATES, update config variable default for custom_host to None (7268d45)

  • Resolve merge conflicts (9297219)

  • Resolve merge conflicts (54bcfee)

  • Rewrite item link url rewriting, check for geo+json (aac1015)

  • Run tenant middleware before stac-auth-proxy middleware (d3f625c)

  • Set custom host in stac lambda (85c0fb1)

  • Support root path when parsing URLs (f9ce41f)

  • Tenant filtering via stac auth proxy (#535, 6b08cb3)

What?

This PR represents recommendations of updates to #531 to better integrate with the stac-auth-proxy.

How?

The primary adjustments made were:

  1. Remove any attempt at applying tenant filters to the incoming requests. This is the responsibility of the filtering tooling that is built into the stac-auth-proxy. Instead, the STAC API should provide filter generators[^1] that build the CQL2 filters, trusting that the stac-auth-proxy will apply them to the items and collections endpoints.
  2. Break-up tenant middleware into two separate middleware for simplicity and better encapsulation
  3. Move tenant middleware to after the application of the stac-auth-proxy, ensuring that it runs before the stac-auth-proxy's middleware. This way, the tenant is extracted and the path is cleaned up before the stac-auth-proxy processes requests.
  4. Remove compression from stac-auth-proxy, perform it after all middleware runs (this is a reversal of my previous suggestion, sorry 🤕, I wasn't aware that we would need to process links after the stac-auth-proxy's middleware ran)

> [!IMPORTANT]
> There are some issues with the current queries (as documented within the ItemFilter class) preventing us from querying across multiple collections. We'll need to sync with @bitner to assess the cause.

Along the way...

  • Docker Compose file
      • Reduce the concurrency of the STAC API to just a single worker. I think this reduces visual noise when running docker compose locally.
      • Adding a dummy OIDC server for testing when we do want to start making use of auth
      • Specifying the root_path to better match production
      • Fix env var to enable stac-auth-proxy

Testing?

  1. Run dev env: docker compose up
  2. Run through scenarios:

```
# Successfully return unfiltered collections without tenant
▶ curl -s http://localhost:8081/api/stac/collections | jq .numberReturned
1

# Successfully return collection items without a tenant
▶ curl -s http://localhost:8081/api/stac/collections/noaa-emergency-response/items | jq .numberReturned
10

# Successfully return unfiltered search without tenant
▶ curl -s http://localhost:8081/api/stac/search | jq .numberReturned
10

# Successfully return collections with a tenant
▶ curl -s http://localhost:8081/api/stac/fake-tenant/collections | jq .numberReturned
1

# Successfully return collection items with a tenant
▶ curl -s http://localhost:8081/api/stac/fake-tenant/collections/noaa-emergency-response/items | jq .numberReturned
10

# Successfully return search with a tenant
▶ curl -s http://localhost:8081/api/stac/fake-tenant/search | jq .numberReturned
10

# Return no collections for unknown tenant
▶ curl -s http://localhost:8081/api/stac/foo/collections | jq .numberReturned
0

# Return no collection items for unknown tenant
▶ curl -s http://localhost:8081/api/stac/bar/collections/noaa-emergency-response/items | jq .numberReturned
0

# Return no search for unknown tenant
▶ curl -s http://localhost:8081/api/stac/xyz/search | jq .numberReturned
0

# Correctly places tenant in search links
▶ curl -s http://localhost:8081/api/stac/fake-tenant/search | jq '.features[0].links[0]'
{
  "rel": "collection",
  "type": "application/json",
  "href": "http://localhost:8081/api/stac/fake-tenant/collections/noaa-emergency-response"
}

# Correctly render links without tenant for search
▶ curl -s http://localhost:8081/api/stac/search | jq '.features[0].links[0]'
{
  "rel": "collection",
  "type": "application/json",
  "href": "http://localhost:8081/api/stac/collections/noaa-emergency-response"
}

# Correctly places tenant in collection links
▶ curl -s http://localhost:8081/api/stac/fake-tenant/collections | jq '.collections[0].links[0]'
{
  "rel": "items",
  "type": "application/geo+json",
  "href": "http://localhost:8081/api/stac/fake-tenant/collections/noaa-emergency-response/items"
}

# Correctly render links without tenant for collections
▶ curl -s http://localhost:8081/api/stac/collections | jq '.collections[0].links[0]'
{
  "rel": "items",
  "type": "application/geo+json",
  "href": "http://localhost:8081/api/stac/collections/noaa-emergency-response/items"
}
```


[^1]: https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/#filter-contract

  • Update datetime to actual value ([`04b8d66`...

v14.0.0-rc.4

29 Sep 16:28

v14.0.0-rc.4 Pre-release

v14.0.0-rc.4 (2025-09-29)

Bug Fixes

  • Add additional metrics, add version metric (45eb69b)

  • Increase latency resolution (f752d5a)

  • Stac-api and ingest-api import errors (be46550)

Features

  • Switch to middleware for monitoring (f9b470d)

Detailed Changes: v14.0.0-rc.3...v14.0.0-rc.4

v14.0.0-rc.3

23 Sep 17:44
9d1bfc8

v14.0.0-rc.3 Pre-release

v14.0.0-rc.3 (2025-09-23)

Bug Fixes

  • Update parse_obj to model_validate (#511, e57e66b)

  • Upgrade pystac version and implement override for a lower stac spec version in configuration (f6fc5be)

  • stac-validation: Upgrade pystac version and override pystac default stac version (#530, 9d1bfc8)

What

  • STAC metadata validations are currently failing due to an import error that is corrected in a newer version of pystac #527.
  • The default stac version in the updated pystac is higher than the stac version of our records so additional configuration was added with a default value of the current catalog's stac version.

How tested

The tests are now passing on the github runner: https://github.com/NASA-IMPACT/veda-backend/actions/runs/17841567081/job/50732312624


Detailed Changes: v14.0.0-rc.2...v14.0.0-rc.3

v14.0.0-rc.2

15 Sep 15:10
d665143

v14.0.0-rc.2 Pre-release

v14.0.0-rc.2 (2025-09-15)

Bug Fixes


Detailed Changes: v14.0.0-rc.1...v14.0.0-rc.2