[Custom runtime] add auth #3
Comments
|
@vincentsarago how should we think about this with the deployments across multiple cloud providers? Should we just leave it to the end-user to configure authentication based on their context? |
I guess 🤷♂️ It would be nice to have it implemented in our different demo services still |
|
Yes, it came up during a call with some other external developers as being a key need that's unresolved for them... |
|
A quick dump of thoughts on the topic of auth in reusable FastAPI systems: On the VEDA STAC Ingestor, we have the maintainer provide the JWKS URL of whatever RS256-compliant auth provider they use (e.g. Cognito, Auth0) (1). This was done with the intention of the codebase being agnostic & flexible regarding auth setups. However, it comes at the cost of a lot of finer-grained controls. The STAC Ingestor basically asks "is this a valid token?" (2) and nothing more. It seems like fastapi-cloudauth is a bit more intelligent in terms of validating provider-dependent details in the auth scope (3, 4), which most likely more secure. Additionally, it adds tooling for custom verification of scopes/claims, which seems useful for anything but the most basic auth requirements. On STAC-FastAPI, we added a convenience function to allow implementors to add custom dependencies (e.g. auth requirements) to endpoints on an existing (ie imported) FastAPI app (5). It feels a bit kludgey, but I'm not sure what a better solution would be for extending a FastAPI app with endpoints defined in files out of the control of the implementor. One possible path forward would be to:
|
|
eoAPI runtimes are |
use Cognito
https://github.com/tokusumi/fastapi-cloudauth
The text was updated successfully, but these errors were encountered: