Client credentials flow change announcement

tcerovski · October 20, 2023, 8:57am

EDIT: The migration happened on 2023-12-07.

Dear Users,

Please note that due to a migration to a newer authentication system planned for release on 2023-11-14 15:00 UTC, client credentials containing special characters ‘+%’ sent in the Basic HTTP Authentication header will have to be URL encoded according to RFC6749 section 2.3.1.

If you’re affected, and you’re not already URL encoding your requests you have 3 options:

Create a new OAuth2 client from the Dashboard, which will create a new client id and secret that will not contain any characters that would need to be URL encoded.
To continue using Basic Authentication header, URL encode the client id and secret passed in the header
Or alternatively pass the client_id and client_secret in the request body, as described for:

The existing authentication system already supports both methods and you can start migrating your flows now. None of the options should take more than a few minutes of your time.

Please don’t hesitate to reach out if you experience issues accessing any data with your account.

bhanuPrakash · October 23, 2023, 6:07pm

We use sentinelhub python pypi package’s SentinelHubClient(client_id, client_secret) and get session headers to pass as headers in http requests.

Given the below usage, are we effected by this change and need to take any action? Out client_secret has special characters.

Our usage:

sh_client = SentinelHubClient(client_id, client_secret)

  response = requests.post(
      <search_url_here>,
      json = <payload>,
      headers = **sh_client.sh_session.session_headers,**
  )

And also

request = SentinelHubRequest(
            evalscript= <eval_script_string_here>,
            input_data=[
                SentinelHubRequest.input_data(
                    data_collection=data_collection,
                    time_interval=query_date,
                    maxcc=1,
                    mosaicking_order="leastCC",
                )
            ],
            responses=[SentinelHubRequest.output_response(band.value, MimeType.TIFF) for band in bands],
            geometry=Geometry(field_boundary, crs=CRS.WGS84),
            resolution=<resolution_here>,
            config=**sh_client(client_id, client_secret).sh_config,**
            data_folder=data_folder,
        )

request.get_data(save_data=True, decode_data=False)

From my investigation, the sentinelhub pypi packages uses the python (3rd) as described in the… sentinel-hub documentation here: Authentication

sentinelhub pypi package source code following the recommended code: https://github.com/sentinel-hub/sentinelhub-py/blob/98d0327e3929999ec07645f77b16fceb7f9c88b9/sentinelhub/download/session.py#L133-L144C1

Please confirm. Thanks!!

tcerovski · October 24, 2023, 3:54pm

Hi @bhanuPrakash

Thank you for bringing this up. This was fixed in the recent release v3.9.2. Credentials are now passed in the body. If you update the library version, you should be ok.

Regards,
Teo

system · April 21, 2024, 3:54pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.