# OpenID Connect Configuration
TiTiler-OpenEO supports OpenID Connect (OIDC) authentication following the OpenEO authentication model. The implementation supports the OpenID Connect Authorization Code Flow with PKCE.
The implementation is available in `titiler/openeo/auth.py`, with the main class being `OIDCAuth`.
## OpenEO Authentication Model

TiTiler-OpenEO follows the OpenEO authentication specification, where the bearer token is composed of three parts:

1. Authentication method (`oidc`)
2. Provider identifier (`oidc`)
3. The actual OIDC token

Token parsing is handled by the `AuthToken` class.
## Configuration

The OIDC configuration is managed through `OIDCConfig` in the settings. To enable OpenID Connect authentication, configure the following environment variables:

```bash
TITILER_OPENEO_AUTH_METHOD=oidc
TITILER_OPENEO_AUTH_OIDC_CLIENT_ID="your-client-id"
TITILER_OPENEO_AUTH_OIDC_WK_URL="https://your-provider/.well-known/openid-configuration"
TITILER_OPENEO_AUTH_OIDC_REDIRECT_URL="your-redirect-url"
```

Optional configuration (the values shown are the defaults):

```bash
TITILER_OPENEO_AUTH_OIDC_SCOPES="openid email profile" # Space-separated list
TITILER_OPENEO_AUTH_OIDC_NAME_CLAIM="name" # Claim to use for the user name
TITILER_OPENEO_AUTH_OIDC_TITLE="OIDC" # Provider title
TITILER_OPENEO_AUTH_OIDC_DESCRIPTION="OpenID Connect (OIDC) Authorization Code Flow with PKCE" # Provider description
```
## Token Validation

The OIDC implementation performs the following validations in the `_verify_token` method:

- Verifies the token signature using the provider's JWKS
- Validates token claims, including:
  - Client ID matches the configured one
  - Token expiration
  - Token audience
## User Information

Upon successful validation, a `User` object is created with:

- `user_id`: Subject claim from the token (`sub`)
- `email`: Email claim, if available
- `name`: Value from the configured name claim (defaults to `"name"`)
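The following is an added, self-contained example (not code from titiler-openeo) that walks through the three steps the sections above describe: splitting the three-part openEO bearer token, verifying the JWT against a JWKS and checking its claims, and building the user record from `sub`, `email` and the configured name claim. It assumes the openEO `<method>/<provider_id>/<token>` slash-separated layout, reads the configured client ID from the same value `TITILER_OPENEO_AUTH_OIDC_CLIENT_ID` would hold, and uses a constructed JWKS with a symmetric `oct` key (HS256) so that it runs with the standard library only; a real provider publishes RSA or EC keys, for which a JOSE library (for example PyJWT with `PyJWKClient`) would do the signature step. Function names and the `azp` check are this example's own choices.

```python
"""Added example: openEO bearer token -> verified claims -> User record."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed JWKS for the example. Real providers publish "RSA"/"EC" keys;
# an "oct" (HMAC) key is used only so the example runs offline without extras.
SECRET = b"constructed-secret-for-example-only-32b!"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}
CLIENT_ID = "your-client-id"  # same value as TITILER_OPENEO_AUTH_OIDC_CLIENT_ID


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as used by JWS/JWK."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_auth_token(bearer: str) -> tuple:
    """Split '<method>/<provider_id>/<token>' (openEO layout, assumed here)."""
    parts = bearer.split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("token must be '<method>/<provider>/<token>'")
    method, provider, token = parts
    if method != "oidc":
        raise ValueError(f"unsupported auth method {method!r}")
    return method, provider, token


def find_key(jwks: dict, kid: str) -> dict:
    """Select the signing key by 'kid'; unknown kids are rejected outright."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no key with kid {kid!r} in JWKS")


def verify_token(token: str, jwks: dict, client_id: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims if signature, exp, aud and client ID all check out."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise ValueError("malformed JWT") from exc
    key = find_key(jwks, header.get("kid", ""))
    # The algorithm is taken from the trusted key, never from the header alone;
    # this rejects 'none' and any alg/key confusion.
    if key["alg"] != "HS256" or header.get("alg") != key["alg"]:
        raise ValueError("algorithm mismatch")
    signing_input = f"{h_b64}.{p_b64}".encode()
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 'azp' (authorized party), when present, must also name our client.
    if claims.get("azp", client_id) != client_id:
        raise ValueError("client ID mismatch")
    return claims


def user_from_claims(claims: dict, name_claim: str = "name") -> dict:
    """Build the User record: sub -> user_id, optional email, configured name claim."""
    return {"user_id": claims["sub"], "email": claims.get("email"),
            "name": claims.get(name_claim)}


def authenticate(bearer: str, jwks: dict, client_id: str,
                 now: Optional[float] = None, name_claim: str = "name") -> dict:
    """Full path: parse the openEO token, verify the JWT, return the user."""
    _method, _provider, token = parse_auth_token(bearer)
    return user_from_claims(verify_token(token, jwks, client_id, now), name_claim)


def mint_token(claims: dict, key: dict) -> str:
    """Create a signed HS256 JWT for the demo (stands in for the provider)."""
    header = {"alg": key["alg"], "typ": "JWT", "kid": key["kid"]}
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    demo_claims = {"sub": "u-123", "email": "alice@example.org", "name": "Alice",
                   "aud": CLIENT_ID, "exp": int(time.time()) + 300}
    bearer = "oidc/oidc/" + mint_token(demo_claims, JWKS["keys"][0])
    print(authenticate(bearer, JWKS, CLIENT_ID))
```

The order of checks matters: the signature is verified before any claim is trusted, the algorithm is pinned to what the JWKS key says rather than what the header claims, and the configured client ID is matched against both `aud` and, when present, `azp`.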
## Security Considerations
- Keep your client ID secure
- Configure appropriate token expiration times
- Use HTTPS in production
- Review and limit the requested scopes
- Regularly rotate any client secrets if used
For more details on the implementation, see the auth module source code.