Merge pull request #44 from sentinel-hub/auth

Add OpenID Connect support to authentication

Author: emmanuelmathot

.gitignore

@@ -168,3 +168,4 @@ node_modules
 cdk.context.json
 *.nc
 .claud*
+openapi.json

.pre-commit-config.yaml

@@ -18,12 +18,12 @@ repos:
       - id: ruff-format
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.3.0
+    rev: v1.15.0
     hooks:
       - id: mypy
         language_version: python
         exclude: tests/.*
         additional_dependencies:
         - pydantic~=2.0
         - types-cachetools
-        - types-attrs
+        - attrs

CONTRIBUTING.md

@@ -11,6 +11,45 @@ cd titiler
 python -m pip install -e ".[test,dev]"
 ```
 
+**Authentication Testing with Keycloak**
+
+The project includes a Keycloak instance for testing OpenID Connect authentication:
+
+1. Start the development environment:
+```bash
+docker compose up
+```
+
+2. Access Keycloak admin console at http://localhost:8082/admin
+   - Username: `admin`
+   - Password: `admin`
+
+3. Create a new client:
+   - Go to "Clients" → "Create client"
+   - Client ID: `titiler-openeo`
+   - Client type: `OpenID Connect`
+   - Click "Next"
+   - Enable "Client authentication"
+   - Enable "Authorization"
+   - Click "Save"
+
+4. Configure client settings:
+   - Valid redirect URIs: `http://localhost:8081/*` and `http://localhost:8080/*` for the openEO editor
+   - Web origins: `http://localhost:8081` and `http://localhost:8080` for the openEO editor
+   - Click "Save"
+
+5. Create a test user:
+   - Go to "Users" → "Add user"
+   - Username: `test`
+   - Email: `[email protected]`
+   - Click "Create"
+   - Go to "Credentials" tab
+   - Set password: `test123`
+   - Disable "Temporary"
+   - Click "Save password"
+
+The Keycloak server will be available at http://localhost:8082 for testing OIDC authentication flows.
+
 **pre-commit**
 
 This repo is set to use `pre-commit` to run *isort*, *flake8*, *pydocstring*, *black* ("uncompromising Python code formatter") and mypy when committing new code.
@@ -44,4 +83,3 @@ Actions deploys automatically for new commits.):
 
 ```bash
 mkdocs gh-deploy -f docs/mkdocs.yml
-```

Dockerfile

@@ -1,25 +1,81 @@
-# Dockerfile for running titiler application with uvicorn server
+# syntax=docker/dockerfile:1
 ARG PYTHON_VERSION=3.11
 
-FROM python:${PYTHON_VERSION}-slim
+# Build stage
+FROM python:${PYTHON_VERSION}-slim AS builder
 
-RUN apt update && apt upgrade -y
+# Set build labels
+LABEL stage=builder
+LABEL org.opencontainers.image.source="https://github.com/developmentseed/titiler-openeo"
+LABEL org.opencontainers.image.description="TiTiler OpenEO API"
+LABEL org.opencontainers.image.licenses="MIT"
 
-# ref: https://github.com/rasterio/rasterio-wheels/issues/136, https://github.com/docker-library/python/issues/989
-RUN apt install -y libexpat1
+# Set environment variables
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
 
-RUN python -m pip install uvicorn gunicorn uvicorn worker
+# Install build dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    libexpat1 && \
+    rm -rf /var/lib/apt/lists/*
 
-# Copy files and install titiler.openeo
-WORKDIR /tmp
+# Create and activate virtual environment
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
 
+# Install application
+WORKDIR /tmp
 COPY titiler/ titiler/
-COPY pyproject.toml pyproject.toml
-COPY README.md README.md
+COPY pyproject.toml .
+COPY README.md .
+RUN pip install --no-cache-dir --upgrade uvicorn PyYAML ".[pystac,oidc,postgres]"
+
+# Runtime stage
+FROM python:${PYTHON_VERSION}-slim
+
+# Set runtime labels
+LABEL org.opencontainers.image.source="https://github.com/developmentseed/titiler-openeo"
+LABEL org.opencontainers.image.description="TiTiler OpenEO API"
+LABEL org.opencontainers.image.licenses="MIT"
 
-RUN python -m pip install --no-cache-dir --upgrade ".[pystac,postgres]"
-RUN rm -rf /tmp/titiler pyproject.toml README.md
+# Set environment variables
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PATH="/opt/venv/bin:$PATH"
 
-RUN mkdir /data
+# Install runtime dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    libexpat1 \
+    curl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy virtual environment from builder
+COPY --from=builder /opt/venv /opt/venv
+
+# Create non-root user
+RUN useradd -m -s /bin/bash titiler && \
+    mkdir -p /data /config
+COPY log_config.yaml /config/log_config.yaml
+RUN chown -R titiler:titiler /data /config
 
 WORKDIR /app
+USER titiler
+
+# Create data directory
+VOLUME /data
+# Create config directory and copy default config
+VOLUME /config
+
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+    CMD curl --fail http://localhost:8000/api || exit 1
+
+# Set default command
+CMD ["uvicorn", "titiler.openeo.main:app", "--host", "0.0.0.0", "--port", "80", "--log-config", "/config/log_config.yaml", "--workers", "4"]
+
+# Expose port
+EXPOSE 80

deployment/k8s/charts/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 0.1.0
 description: OpenEO by TiTiler
 name: titiler-openeo
-version: 0.4.0
+version: 0.5.0
 icon: https://raw.githubusercontent.com/developmentseed/titiler/main/docs/logos/TiTiler_logo_small.png
 maintainers:
   - name: DevelopmentSeed

deployment/k8s/charts/files/log_config.yaml

@@ -0,0 +1,34 @@
+version: 1
+disable_existing_loggers: False
+formatters:
+  default:
+    # "()": uvicorn.logging.DefaultFormatter
+    format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+  access:
+    # "()": uvicorn.logging.AccessFormatter
+    format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+handlers:
+  default:
+    formatter: default
+    class: logging.StreamHandler
+    stream: ext://sys.stderr
+  access:
+    formatter: access
+    class: logging.StreamHandler
+    stream: ext://sys.stdout
+loggers:
+  uvicorn.error:
+    level: INFO
+    handlers:
+      - default
+    propagate: no
+  uvicorn.access:
+    level: INFO
+    handlers:
+      - access
+    propagate: no
+root:
+  level: INFO
+  handlers:
+    - default
+  propagate: no

deployment/k8s/charts/templates/configmap.yaml

@@ -6,6 +6,8 @@ data:
   {{- if .Values.netrc }}
   netrc: {{ tpl (.Values.netrc) . | quote }}
   {{- end }}
+  log_config.yaml: |-
+    {{ .Files.Get .Values.logging.configFile | nindent 4 }}
   {{- if .Values.persistence.localStoreSeed }}
   init_store.json: |-
     {{ .Files.Get .Values.persistence.localStoreSeed | nindent 4 }}

deployment/k8s/charts/templates/deployment.yaml

@@ -19,7 +19,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       initContainers:
-      {{- if .Values.persistence.localStoreSeed }}
+      {{- if and .Values.persistence.enabled .Values.persistence.localStoreSeed }}
         - name: init-store
           image: busybox
           command:

deployment/k8s/charts/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "titiler.fullname" . }}
+  labels:
+    {{- include "titiler.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "titiler.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

deployment/k8s/charts/values.yaml

@@ -1,5 +1,5 @@
 # Default values for titiler-openeo.
-replicaCount: 1
+
 
 image:
   repository: ghcr.io/sentinel-hub/titiler-openeo
@@ -13,9 +13,11 @@ image:
     - "--port"
     - "80"
     - "--workers"
-    - "1"
+    - "4"
     - "--forwarded-allow-ips"  # to make sure it works behind a reverse proxy
     - "*"  # Allow all
+    - "--log-config"
+    - "/config/log_config.yaml"
 
 nameOverride: ""
 fullnameOverride: ""
@@ -39,6 +41,16 @@ ingress:
   #    hosts:
   #      - titiler.local
 
+# Autoscaling configuration
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 5
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+replicaCount: 1
+
 extraHostPathMounts: []
   # - name: map-sources
   #   mountPath: /map-sources/
@@ -76,6 +88,10 @@ tolerations: []
 
 affinity: {}
 
+# logging configuration
+logging:
+  configFile: "files/log_config.yaml"
+
 # Persistent storage configuration for the local database file
 persistence:
   enabled: true
@@ -107,7 +123,10 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1001
 
-podSecurityContext: {}
+podSecurityContext:
+  sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
   # fsGroup: 1001
   # runAsNonRoot: true
   # runAsUser: 1001

docker-compose.yml

@@ -6,7 +6,7 @@ services:
     build:
       context: .
     ports:
-      - "8081:8081"
+      - "8081:80"
     environment:
       # GDAL Config
       # This option controls the default GDAL raster block cache size.
@@ -33,12 +33,19 @@ services:
       # - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
       # TiTiler STAC API Config
       - TITILER_OPENEO_API_DEBUG=TRUE
-      # - TITILER_OPENEO_STAC_API_URL=https://stac.eoapi.dev
-      # - TITILER_OPENEO_SERVICE_STORE_URL=/tmp/services/eoapi.json
+      - TITILER_OPENEO_STAC_API_URL=https://stac.eoapi.dev
+      - TITILER_OPENEO_SERVICE_STORE_URL=/tmp/services/eoapi.json
+      # Keycloak Config
+      - TITILER_OPENEO_AUTH_METHOD=oidc
+      - TITILER_OPENEO_AUTH_OIDC_CLIENT_ID=titiler-openeo
+      - TITILER_OPENEO_AUTH_OIDC_WK_URL=http://keycloak:8080/realms/master/.well-known/openid-configuration
+      - TITILER_OPENEO_AUTH_OIDC_REDIRECT_URL=http://localhost:8080/
+      - TITILER_OPENEO_AUTH_OIDC_SCOPES=openid profile email
+      - TITILER_OPENEO_AUTH_OIDC_NAME_CLAIM=preferred_username
     env_file:
       - path: .env
         required: false
-    command: ["uvicorn", "titiler.openeo.main:app", "--host", "0.0.0.0", "--port", "8081", "--workers", "4"]
+    # command: ["uvicorn", "titiler.openeo.main:app", "--host", "0.0.0.0", "--port", "8000", "--workers", "4"]
     volumes:
       - ./services:/tmp/services
 
@@ -50,3 +57,43 @@ services:
     env_file:
       - path: .env
         required: false
+
+  keycloak_db:
+    image: postgres:15-alpine
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+    volumes:
+      - keycloak_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U keycloak"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:22.0
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: keycloak
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_HOSTNAME: localhost
+      KC_HOSTNAME_PORT: 8082
+    ports:
+      - "8082:8080"
+    depends_on:
+      keycloak_db:
+        condition: service_healthy
+    command: start-dev
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  keycloak_data: