@botanical botanical commented Dec 9, 2025

Issue

#521

What? / Why?

Keycloak Client & Tenant Access Endpoint

  • KeycloakPDPClient which contains functions:
    • get_rpt to request the requesting party token from Keycloak
    • check_permission which checks to see if a user has a permission granted for a resource and scope
    • get_tenants_with_create_update_access which gets a list of tenants the user has create and update access to
    • base64 padding helper function (this is needed because the decode function requires proper padding or it will raise an error)
    • JWT permission extraction functions
  • /auth/tenants/writeable endpoint added to Ingest API
  • Ingest API config updated to include resource server client ID and secret env vars

Testing?

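The RPT handling described in the list above (the base64 padding helper and the JWT permission extraction that feed the writeable-tenants check), as an added Python example that is not the PR's own code. It assumes Keycloak's standard RPT layout (`authorization.permissions` entries with `rsname` and `scopes`) and constructs an unsigned sample token so it runs offline; the scope names `create` and `update` are taken from the description, and the function names are illustrative.

```python
import base64
import json
from typing import Any

# Added example, not the PR's code: decode a Keycloak requesting-party
# token (RPT) and list the tenants the user may create/update in. The
# payload is read without signature verification, so this is only valid
# for a token the client itself just received from Keycloak's token
# endpoint, never for a token presented by a caller.

WRITE_SCOPES = {"create", "update"}  # assumed scope names

def b64url_decode(segment: str) -> bytes:
    """Restore the '=' padding that JWS strips, then decode base64url."""
    padding = (-len(segment)) % 4
    return base64.urlsafe_b64decode(segment + "=" * padding)

def jwt_payload(token: str) -> dict[str, Any]:
    """Claims of a compact JWS (header.payload.signature), unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def permissions(token: str) -> list[dict[str, Any]]:
    """Keycloak records UMA grants under authorization.permissions."""
    return jwt_payload(token).get("authorization", {}).get("permissions", [])

def tenants_with_create_update_access(token: str) -> list[str]:
    """Resource names whose granted scopes cover every write scope."""
    return sorted(p["rsname"] for p in permissions(token)
                  if WRITE_SCOPES <= set(p.get("scopes", [])))

def make_sample_rpt(claims: dict[str, Any]) -> str:
    """Constructed, unsigned token so the example runs offline."""
    def enc(obj: Any) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"

SAMPLE_RPT = make_sample_rpt({"authorization": {"permissions": [  # constructed
    {"rsname": "tenant-a", "scopes": ["create", "update", "read"]},
    {"rsname": "tenant-b", "scopes": ["read"]},
    {"rsname": "tenant-c", "scopes": ["update", "create"]},
]}})

if __name__ == "__main__":
    print(tenants_with_create_update_access(SAMPLE_RPT))  # ['tenant-a', 'tenant-c']
```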
@botanical botanical marked this pull request as ready for review December 10, 2025 18:20
smohiudd commented Jan 9, 2026

@botanical I'm not seeing the /auth/tenants/writeable endpoint in the dev ingest api docs


openid_configuration_url: AnyHttpUrl = Field(description="OpenID config url")

resource_server_client_id: Optional[str] = Field(
Contributor

The pattern we've been using is to get the client id and secret from the secret manager. See Sm2a example with ingest api: https://github.com/NASA-IMPACT/veda-data-airflow/blob/dev/dags/veda_data_pipeline/utils/submit_stac.py#L49

So we could supply the secret arn instead.
