It's no longer required to add the authentication code when running login()

This is a general question relating to openEO Platform:

  • Short description: pasting the login authentication token is no longer required
  • Specific request/idea/comment: pasting the token is, from my point of view, still something required, but I do not need to paste it anymore. Pressing ok/yes after running login() is the only thing I need. I think this should be fixed.

@stefaan.lippens Is this also the case in the Python client? I suspect the EGI migration to Keycloak could be the issue (started to happen roughly at that time), but maybe it’s an issue in an upstream library of the R client…

To be honest, I don’t completely understand the question (probably because I don’t know the login flow with the R client).
Is this about the OIDC device flow with a device code (instead of authentication code/token as mentioned in the OP)?
In the Python client, the device code flow works normally after the EGI Keycloak migration (with a minor difference that users have to enter the device code before they might have to authenticate with their institution).

Thanks, that already answers my question with respect to the Python client. Indeed, the R client should also use the device code.
What happens for some time is that the R client shows a device code to be copied, but in the EGI flow in the browser we don’t have a field anymore to copy it into (neither before nor after the institution thing). We can just click through without ever providing it. This sounds like a security issue and is confusing for the user, but maybe it is provided through the URL directly?

Indeed, I just checked it and the Device Code is now part of the URL, which gets more clear in a non-interactive environment:

Visit https://aai.egi.eu/auth/realms/egi/device?user_code=ABCD-ICYX and enter code ABCD-ICYX

So the client asks to copy/enter something that already has been transferred. A bit confusing but works, so never mind?

Ok interesting, the device code request indeed returns something like

{'device_code': '5EKr8rAg...', 
 'user_code': 'ABCD-UIXY', 
 'verification_uri': 
     'https://aai.egi.eu/auth/realms/egi/device', 
 'verification_uri_complete':
     'https://aai.egi.eu/auth/realms/egi/device?user_code=ABCD-UIXY',
 'expires_in': 900, 'interval': 5}

The Python client uses the (standard) verification_uri field, which does not include the device code, while the OIDC library used in the R client probably uses verification_uri_complete with the device code included.

It’s definitely more user-friendly to let the user click on a link with the device code included (less typing, fewer forms to click through), but it might feel less secure to a savvy user (as illustrated by the confusion in the OP).

I’m not sure if the Python client should switch to verification_uri_complete by default for that reason, but I’m open to change my mind on that. It could at least be an opt-in config option.

(created OIDC device code flow: support `verification_uri_complete` · Issue #335 · Open-EO/openeo-python-client · GitHub for this)

I think it’s just a matter of wording and being used to it in the R client. If it was

Visit Sign in to egi - if requested, enter code ABCD-ICYX

it would indicate that you only need to copy if really requested, which might happen in some cases. The language comes from a dependency though, so we’d need to change it there, which is not too easy.

Otherwise, Huriel was really just confused because it was different beforehand but if he had used the R client for the first time, I think that would not be so confusing at all (and I actually asked him to report here to make sure we check whether things work correctly).

@stefaan.lippens As for the Python client, I’d say it should be as convenient as possible. With the right wording I’d really vote for the complete URI. Just make sure to still provide the code in case some IPs don’t append it to the URL (like old EGI or some others).
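
The suggestion in the last post (prefer the complete URI, but still show the code), sketched as an added example that is not code from the openEO Python or R client. The function names, the prompt wording and the conservative URL checks are assumptions of this example, and the sample response is constructed from the one quoted above with a placeholder device code.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the device code response quoted in the thread.
SAMPLE_RESPONSE = {
    "device_code": "PLACEHOLDER-DEVICE-CODE",
    "user_code": "ABCD-UIXY",
    "verification_uri": "https://aai.egi.eu/auth/realms/egi/device",
    "verification_uri_complete":
        "https://aai.egi.eu/auth/realms/egi/device?user_code=ABCD-UIXY",
    "expires_in": 900,
    "interval": 5,
}


def complete_uri_is_trustworthy(base: str, complete: str, user_code: str) -> bool:
    """Conservative check (an assumption of this example, stricter than the spec):
    the complete URI must be HTTPS, point at the same host and path as
    verification_uri, and carry exactly the user code we were issued."""
    b, c = urlsplit(base), urlsplit(complete)
    if c.scheme != "https":
        return False
    if (c.netloc, c.path) != (b.netloc, b.path):
        return False
    query_values = [v for vals in parse_qs(c.query).values() for v in vals]
    return user_code in query_values


def device_login_prompt(resp: dict, prefer_complete: bool = True) -> str:
    """Build the instruction shown to the user from a device code response.

    The user code is always printed: the provider may not send
    verification_uri_complete, may still ask for the code, or may show it
    for confirmation, and the user needs something to compare against."""
    user_code = resp["user_code"]
    base = resp["verification_uri"]
    complete = resp.get("verification_uri_complete")  # optional field

    if (prefer_complete and complete
            and complete_uri_is_trustworthy(base, complete, user_code)):
        return (f"Visit {complete} to authenticate. "
                f"If requested, enter or confirm code {user_code}")
    # Fallback: manual entry works with every provider.
    return f"Visit {base} and enter code {user_code}"


if __name__ == "__main__":
    print(device_login_prompt(SAMPLE_RESPONSE))
```
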