Migrate from openEO-specific tokens to JWT #558

m-mohr · m-mohr · commit ff16451d3dda · 2025-08-22T15:04:33.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `version` property to `GET /processes` [#517](https://github.com/Open-EO/openeo-api/issues/517)
 - Added `queued`, `started` and `unpublished` to the batch job metadata and the corresponding STAC results [#542](https://github.com/Open-EO/openeo-api/issues/542)
 - Added all the batch job timestamps (including the new timestamps above) to the Collection type of batch job results
+- Support for JWT-based Bearer tokens [#558](https://github.com/Open-EO/openeo-api/issues/558)
+
+### Deprecated
+
+- Deprecated the openEO-specific Bearer token format (authentication mechanism/provider id/access token) [#558](https://github.com/Open-EO/openeo-api/issues/558)
+
+### Changed
+
+- Migrate from openEO-specific tokens to JWT [#558](https://github.com/Open-EO/openeo-api/issues/558)
 
 ### Fixed
 
diff --git a/openapi.yaml b/openapi.yaml
@@ -1884,18 +1884,7 @@ paths:
         openEO clients MUST use the **access token** as part of the Bearer token
         for authorization in subsequent API calls (see also the information
         about Bearer tokens in this document). Clients MUST NOT use the id token
-        or the authorization code. The access token provided by an OpenID Connect
-        Provider does not necessarily provide information about the issuer (i.e. the
-        OpenID Connect provider) and therefore a prefix MUST be added to the Bearer
-        Token sent in subsequent API calls to protected endpoints. The Bearer
-        Token sent to protected endpoints MUST consist of the authentication
-        method (here `oidc`), the provider ID and the access token itself. All
-        separated by a forward slash `/`. The provider ID corresponds to the
-        value specified for `id` for each provider in the response body of this
-        endpoint.  The header in subsequent API calls for a provider with `id`
-        `ms` would look as follows: `Authorization: Bearer oidc/ms/TOKEN`
-        (replace `TOKEN` with the actual access token received from the OpenID
-        Connect Provider).
+        or the authorization code.
 
         Back-ends MAY request user information ([including Claims](https://openid.net/specs/openid-connect-core-1_0.html#Claims))
         from the [OpenID Connect Userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
@@ -1941,7 +1930,7 @@ paths:
                         issuer:
                           type: string
                           format: uri
-                          description: >-
+                          description: |-
                             The [issuer location](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
                             (also referred to as 'authority' in some client libraries) is the URL of the
                             OpenID Connect provider, which conforms to a set of rules:
@@ -1955,7 +1944,6 @@ paths:
                             OpenID Connect.
 
                             2. The URL MUST NOT contain a terminating forward slash `/`.
-
                           example: 'https://accounts.google.com'
                         scopes:
                           type: array
@@ -2097,27 +2085,20 @@ paths:
     get:
       summary: HTTP Basic authentication
       operationId: authenticate-basic
-      description: >-
+      description: |-
         Checks the credentials provided through [HTTP Basic Authentication
-        according to RFC 7617](https://www.rfc-editor.org/rfc/rfc7617.html) and returns
-        an access token for valid credentials.
-
+        according to RFC 7617](https://www.rfc-editor.org/rfc/rfc7617.html) and
+        returns an access token in exchange for providing valid credentials.
 
         The credentials (username and password) MUST be sent in the HTTP header
         `Authorization` with type `Basic` and the Base64 encoded string
         consisting of username and password separated by a double colon `:`. The
         header would look as follows for username `user` and password `pw`:
         `Authorization: Basic dXNlcjpwdw==`.
 
-
         The access token has to be used in the Bearer token for authorization in
         subsequent API calls (see also the information about Bearer tokens in
-        this document). The access token returned by this request MUST NOT be
-        provided with `basic//` prefix, but the Bearer Token sent in subsequent
-        API calls to protected endpoints MUST be prefixed with `basic//`. The
-        header in subsequent API calls would look as follows: `Authorization:
-        Bearer basic//TOKEN` (replace `TOKEN` with the actual access token).
-
+        this document).
 
         It is RECOMMENDED to implement this authentication method for non-public
         services only.
@@ -6809,13 +6790,41 @@ components:
       type: http
       scheme: bearer
       bearerFormat: >-
-        The Bearer Token MUST consist of the authentication method, a provider
-        ID (if available) and the token itself. All separated by a forward slash
-        `/`. Examples (replace `TOKEN` with the actual access token): (1) Basic
-        authentication (no provider ID available): `basic//TOKEN` (2) OpenID
-        Connect (provider ID is `ms`): `oidc/ms/TOKEN`. For OpenID Connect, the
-        provider ID corresponds to the value specified for `id` for each
-        provider in `GET /credentials/oidc`.
+        Bearer tokens can be provided in two different ways:
+
+        1. **RECOMMENDED: JSON Web Token (JWT)**
+           
+           The Bearer token is a [JWT](https://datatracker.ietf.org/doc/html/rfc7519)
+           as defined in RFC 7519. For openEO, it MUST include the issuer in the
+           `iss` claim although being optional in RFC 7519.
+
+           If this method is supported by the openEO implementation,
+           the server MUST provide the conformance class
+           `https://api.openeo.org/1.2.0/authentication/jwt`.
+
+        2. **DEPRECATED: openEO Tokens**
+        
+           The Bearer Token is constructed from the authentication method, a
+           provider ID (if available) and the token itself. All separated by a
+           forward slash `/`.
+
+           Examples (replace `TOKEN` with the actual access token):
+
+           - Basic authentication (no provider ID available): `basic//TOKEN`
+           - OpenID Connect (provider ID is `ms`): `oidc/ms/TOKEN`.
+             For OpenID Connect, the provider ID corresponds to the value
+             specified for `id` for each provider in `GET /credentials/oidc`.
+
+           All servers must accept this method for backward compatibility
+           until version 2.0 of the specification.
+
+          The access tokens provided by the identity provider MUST NOT include
+          the prefix that includes the authentication method and provider ID.
+          The Bearer Token sent to the server MUST be prefixed with `basic//`.
+          This means that the clients have to prepend the prefix.
+        
+        JWT and openEO tokens can be distinguished by the presence of a slash
+        `/` in the token, which JWT can never contain due to the Base64 encoding.
     Basic:
       type: http
       scheme: basic
