Skip to content

OAuth Copernicus API #563

New issue
New issue
Closed
Closed
OAuth Copernicus API#563
@amael-ls

Description

@amael-ls
amael-ls
opened on Oct 10, 2024

Hello,

I am trying to connect to the Copernicus Land Monitoring Service API (see stack overflow question for more details on R code)

When I use

library(httr2)

## Read the keys created at step 2.1
service_key = rjson::fromJSON(file = "./land-copernicus.json")
private_key = service_key[["private_key"]]

## Create the authorisation grant from private key
claim = jwt_claim(
	iss = service_key[["client_id"]],
	sub = service_key[["user_id"]],
	aud = service_key[["token_uri"]],
	iat = Sys.time(),
	exp = Sys.time() + 60*60 # Gives an expiration date of one hour (the maximum authorised)
)

grant = jwt_encode_hmac(claim = claim, secret = private_key, header = list(alg = "RS256"))

## Exchange the JWT authorization grant at the @@oauth2-token endpoint
req = request(base_url = service_key[["token_uri"]]) |>
	req_headers("Accept" = "application/json", "Content-Type" = "application/x-www-form-urlencoded") |>
	req_body_json(data = list(grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer", assertion = grant)) |>
	req_perform(verbosity = 2)

req2 = request(base_url = service_key[["token_uri"]]) |>
	req_headers("Accept" = "application/json", "Content-Type" = "application/x-www-form-urlencoded") |>
	req_body_raw(body = paste0("grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=", grant)) |>
	req_perform(verbosity = 2)

I get errors in both cases. With req, I get:

> POST /@@oauth2-token HTTP/2
-> Host: land.copernicus.eu
-> user-agent: httr2/1.0.5 r-curl/5.2.3 libcurl/7.81.0
-> accept-encoding: deflate, gzip, br, zstd
-> accept: application/json
-> content-type: application/x-www-form-urlencoded
-> content-length: 461
-> 
>> {"grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer","assertion":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImFsZy4xIjoiUlMyNTYifQ.eyJpc3MiOiIyYjhlMTdmYzBkOTg4YzVkNGY2OTg1ZTMyYjdmY2VkNCIsInN1YiI6Im4wMGg3ZGthIiwiYXVkIjoiaHR0cHM6Ly9sYW5kLmNvcGVybmljdXMuZXUvQEBvYXV0aDItdG9rZW4iLCJleHAiOjE3Mjg1NTQxMTcsIm5iZiI6MTcyODU1MDUxNywiaWF0IjoxNzI4NTUwNTE3LCJqdGkiOiJxdjJ3aWdIM0I3SndqMF9wd0xBazZRSVFmS1Y5Y3VmUkxEYW5QdkJfSVBrIn0.Yr3EMPhvs9K0slvnMKq0mslmEcOoafU4iAW-SIE5Yw4"}
<- HTTP/2 400 
<- cache-control: no-store
<- content-length: 73
<- content-type: application/json
<- date: Thu, 10 Oct 2024 08:56:47 GMT
<- pragma: no-cache
<- server: waitress
<- via: waitress
<- x-frame-options: SAMEORIGIN
<- x-powered-by: Zope (www.zope.dev), Python (www.python.org)
<- strict-transport-security: max-age=31536000; includeSubDomains; preload
<- x-content-type-options: nosniff
<- x-xss-protection: 1; mode=block
<- access-control-allow-headers: Authorization, Content-Type, content-type
<- vary: Origin
<- 
<< **{"error": "invalid_request", "error_description": "Missing 'grant_type'"}**
Error in `req_perform()`:
! HTTP 400 Bad Request.

and with req2:

-> POST /@@oauth2-token HTTP/2
-> Host: land.copernicus.eu
-> user-agent: httr2/1.0.5 r-curl/5.2.3 libcurl/7.81.0
-> accept-encoding: deflate, gzip, br, zstd
-> accept: application/json
-> content-type: application/x-www-form-urlencoded
-> content-length: 451
-> 
>> grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImFsZy4xIjoiUlMyNTYifQ.eyJpc3MiOiIyYjhlMTdmYzBkOTg4YzVkNGY2OTg1ZTMyYjdmY2VkNCIsInN1YiI6Im4wMGg3ZGthIiwiYXVkIjoiaHR0cHM6Ly9sYW5kLmNvcGVybmljdXMuZXUvQEBvYXV0aDItdG9rZW4iLCJleHAiOjE3Mjg1NTQxMTcsIm5iZiI6MTcyODU1MDUxNywiaWF0IjoxNzI4NTUwNTE3LCJqdGkiOiJxdjJ3aWdIM0I3SndqMF9wd0xBazZRSVFmS1Y5Y3VmUkxEYW5QdkJfSVBrIn0.Yr3EMPhvs9K0slvnMKq0mslmEcOoafU4iAW-SIE5Yw4
<- HTTP/2 400 
<- cache-control: no-store
<- content-length: 96
<- content-type: application/json
<- date: Thu, 10 Oct 2024 08:58:42 GMT
<- pragma: no-cache
<- server: waitress
<- via: waitress
<- x-frame-options: SAMEORIGIN
<- x-powered-by: Zope (www.zope.dev), Python (www.python.org)
<- strict-transport-security: max-age=31536000; includeSubDomains; preload
<- x-content-type-options: nosniff
<- x-xss-protection: 1; mode=block
<- access-control-allow-headers: Authorization, Content-Type, content-type
<- vary: Origin
<- 
**<< {"error": "invalid_request", "error_description": "Only RS256 signature algorithm is supported"}**

I do not understand given that I put both agrant_type and the algorithm RS256.

I generated the grant with Python with the following code, copy-pasted the grant in R, and it worked:

import json
import jwt
import time
import requests

base_url = 'https://land.copernicus.eu'

# Load saved key from filesystem
service_key = json.load(open('./land-copernicus.json', 'rb'))

private_key = service_key['private_key'].encode('utf-8')

claim_set = {
    "iss": service_key['client_id'],
    "sub": service_key['user_id'],
    "aud": service_key['token_uri'],
    "iat": int(time.time()),
    "exp": int(time.time() + (60 * 60)),
}
grant = jwt.encode(claim_set, private_key, algorithm='RS256')

Any idea of where could be the problem? Many thanks

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions