feat: update authentication extension integratino to use discovery URL

Along the way, normalize all OIDC discovery url input arguments to match config.

Author: alukach

src/stac_auth_proxy/app.py

@@ -103,13 +103,14 @@ async def lifespan(app: FastAPI):
             default_public=settings.default_public,
             public_endpoints=settings.public_endpoints,
             private_endpoints=settings.private_endpoints,
+            oidc_discovery_url=str(settings.oidc_discovery_url),
         )
 
     if settings.openapi_spec_endpoint:
         app.add_middleware(
             OpenApiMiddleware,
             openapi_spec_path=settings.openapi_spec_endpoint,
-            oidc_config_url=str(settings.oidc_discovery_url),
+            oidc_discovery_url=str(settings.oidc_discovery_url),
             public_endpoints=settings.public_endpoints,
             private_endpoints=settings.private_endpoints,
             default_public=settings.default_public,
@@ -136,7 +137,7 @@ async def lifespan(app: FastAPI):
         public_endpoints=settings.public_endpoints,
         private_endpoints=settings.private_endpoints,
         default_public=settings.default_public,
-        oidc_config_url=settings.oidc_discovery_internal_url,
+        oidc_discovery_url=settings.oidc_discovery_internal_url,
     )
 
     if settings.root_path or settings.upstream_url.path != "/":

src/stac_auth_proxy/middleware/AuthenticationExtensionMiddleware.py

@@ -28,16 +28,15 @@ class AuthenticationExtensionMiddleware(JsonResponseMiddleware):
     private_endpoints: EndpointMethods
     public_endpoints: EndpointMethods
 
-    auth_scheme_name: str = "oauth"
+    oidc_discovery_url: str
+    auth_scheme_name: str = "oidc"
     auth_scheme: dict[str, Any] = field(default_factory=dict)
     extension_url: str = (
         "https://stac-extensions.github.io/authentication/v1.1.0/schema.json"
     )
 
     json_content_type_expr: str = r"application/(geo\+)?json"
 
-    state_key: str = "oidc_metadata"
-
     def should_transform_response(self, request: Request, scope: Scope) -> bool:
         """Determine if the response should be transformed."""
         # Match STAC catalog, collection, or item URLs with a single regex
@@ -75,27 +74,11 @@ def transform_json(self, data: dict[str, Any], request: Request) -> dict[str, An
         # - Collections
         # - Item Properties
 
-        oidc_metadata = getattr(request.state, self.state_key, {})
-        if not oidc_metadata:
-            logger.error(
-                "OIDC metadata not found in scope. Skipping authentication extension."
-            )
-            return data
-
         scheme_loc = data["properties"] if "properties" in data else data
         schemes = scheme_loc.setdefault("auth:schemes", {})
         schemes[self.auth_scheme_name] = {
-            "type": "oauth2",
-            "description": "requires an authentication bearertoken",
-            "flows": {
-                "authorizationCode": {
-                    "authorizationUrl": oidc_metadata["authorization_endpoint"],
-                    "tokenUrl": oidc_metadata.get("token_endpoint"),
-                    "scopes": {
-                        k: k for k in sorted(oidc_metadata.get("scopes_supported", []))
-                    },
-                },
-            },
+            "type": "openIdConnect",
+            "openIdConnectUrl": self.oidc_discovery_url,
         }
 
         # auth:refs

src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py

@@ -22,14 +22,14 @@
 class OidcService:
     """OIDC configuration and JWKS client."""
 
-    oidc_config_url: HttpUrl
+    oidc_discovery_url: HttpUrl
     jwks_client: jwt.PyJWKClient = field(init=False)
     metadata: dict[str, Any] = field(init=False)
 
     def __post_init__(self) -> None:
         """Initialize OIDC config and JWKS client."""
         logger.debug("Requesting OIDC config")
-        origin_url = str(self.oidc_config_url)
+        origin_url = str(self.oidc_discovery_url)
 
         try:
             response = httpx.get(origin_url)
@@ -73,7 +73,7 @@ class EnforceAuthMiddleware:
     private_endpoints: EndpointMethods
     public_endpoints: EndpointMethods
     default_public: bool
-    oidc_config_url: HttpUrl
+    oidc_discovery_url: HttpUrl
     allowed_jwt_audiences: Optional[Sequence[str]] = None
     state_key: str = "payload"
 
@@ -170,7 +170,7 @@ def validate_token(
     def oidc_config(self) -> OidcService:
         """Get the OIDC configuration."""
         if not self._oidc_config:
-            self._oidc_config = OidcService(oidc_config_url=self.oidc_config_url)
+            self._oidc_config = OidcService(oidc_discovery_url=self.oidc_discovery_url)
         return self._oidc_config
 
 

src/stac_auth_proxy/middleware/UpdateOpenApiMiddleware.py

@@ -19,7 +19,7 @@ class OpenApiMiddleware(JsonResponseMiddleware):
 
     app: ASGIApp
     openapi_spec_path: str
-    oidc_config_url: str
+    oidc_discovery_url: str
     private_endpoints: EndpointMethods
     public_endpoints: EndpointMethods
     default_public: bool
@@ -56,7 +56,7 @@ def transform_json(self, data: dict[str, Any], request: Request) -> dict[str, An
         securitySchemes = components.setdefault("securitySchemes", {})
         securitySchemes[self.auth_scheme_name] = self.auth_scheme_override or {
             "type": "openIdConnect",
-            "openIdConnectUrl": self.oidc_config_url,
+            "openIdConnectUrl": self.oidc_discovery_url,
         }
 
         # Add security to private endpoints

tests/test_auth_extension.py

@@ -10,13 +10,20 @@
 
 
 @pytest.fixture
-def middleware():
+def oidc_discovery_url():
+    """Create test OIDC discovery URL."""
+    return "https://auth.example.com/discovery"
+
+
+@pytest.fixture
+def middleware(oidc_discovery_url):
     """Create a test instance of the middleware."""
     return AuthenticationExtensionMiddleware(
         app=None,  # We don't need the actual app for these tests
         default_public=True,
         private_endpoints=EndpointMethods(),
         public_endpoints=EndpointMethods(),
+        oidc_discovery_url=oidc_discovery_url,
         auth_scheme_name="test_auth",
         auth_scheme={},
     )
@@ -49,16 +56,6 @@ def initial_message(request):
     }
 
 
-@pytest.fixture
-def oidc_metadata():
-    """Create test OIDC metadata."""
-    return {
-        "authorization_endpoint": "https://auth.example.com/auth",
-        "token_endpoint": "https://auth.example.com/token",
-        "scopes_supported": ["openid", "profile"],
-    }
-
-
 def test_should_transform_response_valid_paths(
     middleware, request_scope, initial_message
 ):
@@ -113,10 +110,9 @@ def test_should_transform_response_invalid_content_type(middleware, request_scop
     )
 
 
-def test_transform_json_catalog(middleware, request_scope, oidc_metadata):
+def test_transform_json_catalog(middleware, request_scope, oidc_discovery_url):
     """Test transforming a STAC catalog."""
     request = Request(request_scope)
-    request.state.oidc_metadata = oidc_metadata
 
     catalog = {
         "stac_version": "1.0.0",
@@ -136,23 +132,13 @@ def test_transform_json_catalog(middleware, request_scope, oidc_metadata):
     assert "test_auth" in transformed["auth:schemes"]
 
     scheme = transformed["auth:schemes"]["test_auth"]
-    assert scheme["type"] == "oauth2"
-    assert (
-        scheme["flows"]["authorizationCode"]["authorizationUrl"]
-        == oidc_metadata["authorization_endpoint"]
-    )
-    assert (
-        scheme["flows"]["authorizationCode"]["tokenUrl"]
-        == oidc_metadata["token_endpoint"]
-    )
-    assert "openid" in scheme["flows"]["authorizationCode"]["scopes"]
-    assert "profile" in scheme["flows"]["authorizationCode"]["scopes"]
+    assert scheme["type"] == "openIdConnect"
+    assert scheme["openIdConnectUrl"] == oidc_discovery_url
 
 
-def test_transform_json_collection(middleware, request_scope, oidc_metadata):
+def test_transform_json_collection(middleware, request_scope):
     """Test transforming a STAC collection."""
     request = Request(request_scope)
-    request.state.oidc_metadata = oidc_metadata
 
     collection = {
         "stac_version": "1.0.0",
@@ -173,10 +159,9 @@ def test_transform_json_collection(middleware, request_scope, oidc_metadata):
     assert "test_auth" in transformed["auth:schemes"]
 
 
-def test_transform_json_item(middleware, request_scope, oidc_metadata):
+def test_transform_json_item(middleware, request_scope):
     """Test transforming a STAC item."""
     request = Request(request_scope)
-    request.state.oidc_metadata = oidc_metadata
 
     item = {
         "stac_version": "1.0.0",