Skip to content

feat: Add stac-auth-proxy. #358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat: Add stac-auth-proxy. #358

wants to merge 7 commits into from

Conversation

@pantierra
Copy link
Contributor

@pantierra pantierra commented Nov 18, 2025
edited
Loading

Closes #222

Integrates stac-auth-proxy as an optional authentication/authorization layer for the STAC API service. When enabled, all STAC API requests are routed through the auth proxy, which validates tokens against an OIDC provider before forwarding to the upstream STAC service.

  • Added stac-auth-proxy as subchart dependency . Uses official upstream chart from ghcr.io/developmentseed/stac-auth-proxy/charts (version 0.1.1)
  • Service disabled by default because it only works if some OIDC provider is configured
  • Added validation to ensure OIDC_DISCOVERY_URL is set when stac-auth-proxy is enabled
  • Automatically routes /stac traffic through stac-auth-proxy when enabled, falls back to direct STAC service when disabled.
  • Added unit tests to verify ingress routing behavior with/without auth proxy
  • Sets DEFAULT_PUBLIC=true to protect the sensible defaults by stac-auth-proxy which STAC API endpoints to protect.

@pantierra pantierra force-pushed the feature/stac-auth-proxy branch 4 times, most recently from f463b6b to 650a01e Compare November 18, 2025 16:09
@pantierra pantierra self-assigned this Nov 18, 2025
@pantierra pantierra mentioned this pull request Nov 18, 2025
Open
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch 5 times, most recently from 10cb103 to f76cfa7 Compare November 23, 2025 01:37
@pantierra pantierra mentioned this pull request Nov 24, 2025
Merged
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from f76cfa7 to 0abcf57 Compare November 25, 2025 15:59
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from 0abcf57 to 2a43c59 Compare November 25, 2025 16:32
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from 2a43c59 to f13e4f3 Compare November 25, 2025 16:57
pantierra added a commit to developmentseed/stac-auth-proxy that referenced this pull request Nov 25, 2025
@pantierra @alukach
feat(helm): Add support for initContainers. (#104)
a7ca408 
This could be useful when the auth server is deployed with
stac-auth-proxy and we need to wait.
At least in eoAPI would be good for testing
(developmentseed/eoapi-k8s#358).

---------

Co-authored-by: Anthony Lukach <[email protected]>
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from e15f7de to d82dcfd Compare November 27, 2025 10:25
@pantierra pantierra marked this pull request as ready for review November 27, 2025 10:32
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch 2 times, most recently from 38a30e1 to 94ff7d1 Compare November 27, 2025 10:36
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from 94ff7d1 to feb8792 Compare November 27, 2025 10:37
@pantierra pantierra mentioned this pull request Nov 27, 2025
Open
batpad
batpad reviewed Nov 27, 2025
View reviewed changes
charts/eoapi/tests/stac-auth-proxy-ingress_test.yaml
- it: should not create stac routes when stac is disabled
set:
ingress.enabled: true
stac.enabled: false
Copy link
Member

@batpad batpad Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it ever valid to have stac disabled but stac-auth-proxy enabled? Should that rather be a validation check that stac-auth-proxy cannot be enabled is stac.enabled is set to false ?

Copy link
Contributor Author

@pantierra pantierra Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, indeed stac-auth-proxy without stac doesn't make sense. Will adjust in a bit.

On a side note: does anybody deploy eoAPI without the stac service at all?

Copy link
Member

@batpad batpad Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a side note: does anybody deploy eoAPI without the stac service at all?

Not that I know of. But it seems like it makes sense to leave the option in there for consistency? I think it can sometimes be convenient if one wants to temporarily remove a service or so.

batpad
batpad approved these changes Nov 27, 2025
View reviewed changes
Copy link
Member

@batpad batpad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pantierra this looks really good to me! 👏

Left one minor comment - feel free to ignore if it seems like I misunderstood.

@batpad batpad mentioned this pull request Nov 27, 2025
Open
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from 5296712 to bf1c0e1 Compare November 27, 2025 16:29
@pantierra pantierra force-pushed the feature/stac-auth-proxy branch from bf1c0e1 to fab55d0 Compare November 27, 2025 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@batpad batpad batpad approved these changes

@alukach alukach Awaiting requested review from alukach

@emmanuelmathot emmanuelmathot Awaiting requested review from emmanuelmathot

Assignees

@pantierra pantierra

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Making auth a first-class citizen

3 participants

@pantierra @batpad