Service Authorization¶
TiTiler OpenEO implements a flexible service authorization mechanism that controls access to services based on their configuration. Each service can be configured with different access levels through the scope
parameter.
Scopes¶
Services can be configured with one of three scopes:
private
: Only the service owner can access the servicerestricted
: Any authenticated user can access, with optional user-specific restrictionspublic
(default): No authentication required, anyone can access the service
Configuration¶
Authorization is configured through the service configuration object when creating or updating a service:
{
"configuration": {
"scope": "restricted",
"authorized_users": ["user1", "user2"] // Optional: specific users for restricted scope
}
}
Configuration Parameters¶
Parameter | Type | Description |
---|---|---|
scope |
string | Access scope: private , restricted , or public |
authorized_users |
array | Optional list of user IDs allowed to access a restricted service |
inject_user |
boolean | Whether to inject the authenticated user as a named parameter '_openeo_user' into the process graph (default: false). |
Implementation¶
The authorization mechanism is implemented in two main components:
ServiceAuthorizationManager
class (titiler/openeo/services/auth.py
):- Encapsulates authorization logic
- Validates access based on service configuration and user context
-
Throws appropriate HTTP exceptions for unauthorized access
-
Service endpoints:
- Retrieve service configuration
- Use ServiceAuthorizationManager to enforce access control
- Pass authorized requests to the service implementation
Example Usage¶
For example:
{
"configuration": {
"scope": "restricted",
"authorized_users": ["user1", "user2"],
"inject_user": true // Enable user injection into process graph
}
}
The behavior of the injected user parameter depends on how it's defined in the process's JSON schema:
-
When the parameter schema defines
The process will receive just the user ID string, even when using from_parameter:"type": "string"
: -
When the parameter schema defines a User object type:
The process will receive the complete User object:
from titiler.openeo.services.auth import ServiceAuthorizationManager
# In your service endpoint:
service = services_store.get_service(service_id)
auth_manager = ServiceAuthorizationManager()
auth_manager.authorize(service, user) # Raises HTTPException if access denied
Authorization Flow¶
- Client requests a service endpoint
- Service configuration is retrieved from the store
- ServiceAuthorizationManager validates access based on:
- Service scope
- User authentication status
- User authorization (for restricted services)
- If access is denied:
- 401 Unauthorized - For missing authentication
- 403 Forbidden - For insufficient permissions
- If access is granted, the request proceeds to service execution
Best Practices¶
- Always set an appropriate scope for your services
- Use
private
scope by default for maximum security - For restricted services, explicitly list authorized users
- Consider using
public
scope only for non-sensitive data - Regularly audit service configurations and access patterns