feat: build-time oidc configuration (#380)

gadomski · web-flow · commit 12f18642ff74 · 2026-04-07T17:59:06.000-06:00
I don't think there's too many cases where someone will want to configure the OIDC authority and client ID at "runtime", so for now I'm only supporting the white-label case. E.g. this would enable any client to deploy their own version of **stac-map** pointed at their auth provider. This makes sense to me b/c the OIDC stuff only works if you've configured your client id and redirect URL properly, so it's a deploy-time thing. Closes #373
diff --git a/README.md b/README.md
@@ -62,10 +62,12 @@ See [deploy.yaml](./.github/workflows/deploy.yaml) for a (drop-dead simple) exam
 
 You can deploy your own customized version of stac-map using environment variables:
 
-| Variable            | Description                        | Default            |
-| ------------------- | ---------------------------------- | ------------------ |
-| `VITE_BASE_PATH`    | URL path prefix (e.g., `/my-app/`) | `/stac-map/`       |
-| `VITE_DEFAULT_HREF` | STAC resource to load on startup   | None (shows intro) |
+| Variable              | Description                        | Default            |
+| --------------------- | ---------------------------------- | ------------------ |
+| `VITE_BASE_PATH`      | URL path prefix (e.g., `/my-app/`) | `/stac-map/`       |
+| `VITE_DEFAULT_HREF`   | STAC resource to load on startup   | None (shows intro) |
+| `VITE_AUTH_AUTHORITY` | The OIDC authority to use for auth | None               |
+| `VITE_AUTH_CLIENT_ID` | The OIDC client id to use for auth | None               |
 
 Example:
 
diff --git a/package.json b/package.json
@@ -59,12 +59,14 @@
     "geotiff-geokeys-to-proj4": "^2024.4.13",
     "maplibre-gl": "^5.20.1",
     "next-themes": "^0.4.3",
+    "oidc-client-ts": "^3.5.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-error-boundary": "^6.1.1",
     "react-icons": "^5.6.0",
     "react-map-gl": "^8.1.0",
     "react-markdown": "^10.1.0",
+    "react-oidc-context": "^3.3.1",
     "shiki": "^4.0.2",
     "stac-ts": "^1.0.4",
     "stac-wasm": "^0.1.0",
@@ -92,7 +94,6 @@
     "typescript": "~6.0.2",
     "typescript-eslint": "^8.58.0",
     "vite": "^8.0.5",
-    "vite-plugin-node-polyfills": "^0.26.0",
     "vite-plugin-top-level-await": "^1.5.0",
     "vite-plugin-wasm": "^3.6.0",
     "vitest": "^4.1.2",
diff --git a/src/components/collections/href.tsx b/src/components/collections/href.tsx
@@ -1,5 +1,6 @@
 import { useStore } from "@/store";
 import type { StacCollections } from "@/types/stac";
+import { getAccessToken } from "@/utils/auth";
 import { getLinkHref } from "@/utils/stac";
 import {
   ActionBar,
@@ -40,7 +41,10 @@ export default function CollectionsHref({ href }: { href: string }) {
     queryKey: ["stac-collections", searchHref],
     queryFn: async ({ pageParam }) => {
       if (pageParam) {
-        return await fetch(pageParam).then((response) => {
+        const headers: Record<string, string> = {};
+        const token = getAccessToken();
+        if (token) headers["Authorization"] = `Bearer ${token}`;
+        return await fetch(pageParam, { headers }).then((response) => {
           if (response.ok) return response.json();
           else
             throw new Error(
diff --git a/src/components/header.tsx b/src/components/header.tsx
@@ -1,6 +1,7 @@
 import { Button, HStack } from "@chakra-ui/react";
 import { Examples } from "./examples";
 import HrefInput from "./href-input";
+import { authConfig, UserButton } from "./ui/auth";
 import { ColorModeButton } from "./ui/color-mode";
 import { ProjectionButton } from "./ui/projection";
 import { SettingsButton } from "./ui/settings";
@@ -17,6 +18,7 @@ export default function Header() {
       <ProjectionButton variant={"surface"} />
       <ColorModeButton variant={"surface"} />
       <SettingsButton variant={"surface"} />
+      {authConfig && <UserButton variant={"surface"} />}
     </HStack>
   );
 }
diff --git a/src/components/ui/auth.tsx b/src/components/ui/auth.tsx
@@ -0,0 +1,141 @@
+import type { IconButtonProps } from "@chakra-ui/react";
+import {
+  AbsoluteCenter,
+  Button,
+  CloseButton,
+  Dialog,
+  Heading,
+  HStack,
+  IconButton,
+  Portal,
+  Spinner,
+  Stack,
+  Text,
+  VStack,
+} from "@chakra-ui/react";
+import * as React from "react";
+import { LuLock, LuUser } from "react-icons/lu";
+import { useAuth } from "react-oidc-context";
+
+const authority = import.meta.env.VITE_AUTH_AUTHORITY as string | undefined;
+const clientId = import.meta.env.VITE_AUTH_CLIENT_ID as string | undefined;
+
+export const authConfig =
+  authority && clientId
+    ? {
+        authority,
+        client_id: clientId,
+        redirect_uri:
+          window.location.origin +
+          (import.meta.env.BASE_URL ?? "/").replace(/\/$/, "") +
+          "/",
+        onSigninCallback: () => {
+          window.history.replaceState(
+            {},
+            document.title,
+            window.location.pathname + window.location.search
+          );
+        },
+      }
+    : null;
+
+export function LoginSplash({ children }: { children: React.ReactNode }) {
+  const { isLoading, isAuthenticated, signinRedirect, error } = useAuth();
+
+  if (isLoading) {
+    return (
+      <AbsoluteCenter>
+        <Spinner size="xl" />
+      </AbsoluteCenter>
+    );
+  }
+
+  if (!isAuthenticated) {
+    return (
+      <AbsoluteCenter>
+        <VStack gap={6}>
+          <Heading size="2xl">
+            <HStack>
+              stac-map with auth <LuLock />
+            </HStack>
+          </Heading>
+          {error && (
+            <Text color="fg.error" fontSize="sm">
+              {error.message}
+            </Text>
+          )}
+          <Button size="lg" onClick={() => signinRedirect()}>
+            Sign in
+          </Button>
+        </VStack>
+      </AbsoluteCenter>
+    );
+  }
+
+  return <>{children}</>;
+}
+
+interface UserButtonProps extends Omit<IconButtonProps, "aria-label"> {}
+
+export const UserButton = React.forwardRef<HTMLButtonElement, UserButtonProps>(
+  function UserButton(props, ref) {
+    const { user, removeUser } = useAuth();
+
+    return (
+      <Dialog.Root>
+        <Dialog.Trigger asChild>
+          <IconButton
+            variant="ghost"
+            aria-label="User info"
+            ref={ref}
+            {...props}
+          >
+            <LuUser />
+          </IconButton>
+        </Dialog.Trigger>
+        <Portal>
+          <Dialog.Backdrop />
+          <Dialog.Positioner>
+            <Dialog.Content>
+              <Dialog.Header>
+                <Dialog.Title>User Info</Dialog.Title>
+              </Dialog.Header>
+              <Dialog.Body>
+                <Stack gap={2}>
+                  {user?.profile?.name && (
+                    <Text>
+                      <Text as="span" fontWeight="bold">
+                        Name:
+                      </Text>{" "}
+                      {user.profile.name}
+                    </Text>
+                  )}
+                  {user?.profile?.email && (
+                    <Text>
+                      <Text as="span" fontWeight="bold">
+                        Email:
+                      </Text>{" "}
+                      {user.profile.email}
+                    </Text>
+                  )}
+                </Stack>
+              </Dialog.Body>
+              <Dialog.Footer>
+                <Button
+                  variant="outline"
+                  onClick={() => removeUser()}
+                  colorPalette="red"
+                >
+                  Sign out
+                </Button>
+              </Dialog.Footer>
+              <Dialog.CloseTrigger asChild>
+                <CloseButton size="sm" />
+              </Dialog.CloseTrigger>
+            </Dialog.Content>
+          </Dialog.Positioner>
+        </Portal>
+      </Dialog.Root>
+    );
+  }
+);
diff --git a/src/main.tsx b/src/main.tsx
@@ -2,18 +2,30 @@ import { QueryClientProvider } from "@tanstack/react-query";
 import { StrictMode } from "react";
 import { createRoot } from "react-dom/client";
 import { MapProvider } from "react-map-gl/maplibre";
+import { AuthProvider } from "react-oidc-context";
 import App from "./app.tsx";
+import { authConfig, LoginSplash } from "./components/ui/auth.tsx";
 import { Provider } from "./components/ui/provider.tsx";
 import { queryClient } from "./query-client.ts";
 
+const inner = (
+  <QueryClientProvider client={queryClient}>
+    <MapProvider>
+      <App />
+    </MapProvider>
+  </QueryClientProvider>
+);
+
 createRoot(document.getElementById("root")!).render(
   <StrictMode>
     <Provider>
-      <QueryClientProvider client={queryClient}>
-        <MapProvider>
-          <App />
-        </MapProvider>
-      </QueryClientProvider>
+      {authConfig ? (
+        <AuthProvider {...authConfig}>
+          <LoginSplash>{inner}</LoginSplash>
+        </AuthProvider>
+      ) : (
+        inner
+      )}
     </Provider>
   </StrictMode>
 );
diff --git a/src/utils/auth.ts b/src/utils/auth.ts
@@ -0,0 +1,16 @@
+import { User } from "oidc-client-ts";
+
+export function getAccessToken(): string | null {
+  const authority = import.meta.env.VITE_AUTH_AUTHORITY;
+  const clientId = import.meta.env.VITE_AUTH_CLIENT_ID;
+  if (!authority || !clientId) return null;
+
+  const oidcStorage = sessionStorage.getItem(
+    `oidc.user:${authority}:${clientId}`
+  );
+  if (oidcStorage) {
+    const user = User.fromStorageString(oidcStorage);
+    return user?.access_token ?? null;
+  }
+  return null;
+}
diff --git a/src/utils/stac.ts b/src/utils/stac.ts
@@ -9,6 +9,7 @@ import type {
 } from "stac-ts";
 import type { BBox2D } from "../types/map";
 import type { AssetWithAlternates, StacAssets, StacValue } from "../types/stac";
+import { getAccessToken } from "./auth";
 import { GLOBAL_BBOX, sanitizeBbox } from "./bbox";
 import { toAbsoluteUrl } from "./href";
 
@@ -81,11 +82,13 @@ export async function fetchStac({
   method?: "GET" | "POST";
   body?: string;
 }): Promise<StacValue> {
+  const headers: Record<string, string> = { Accept: "application/json" };
+  const token = getAccessToken();
+  if (token) headers["Authorization"] = `Bearer ${token}`;
+
   return await fetch(href, {
     method,
-    headers: {
-      Accept: "application/json",
-    },
+    headers,
     body,
   }).then(async (response) => {
     if (response.ok) {
diff --git a/vite.config.ts b/vite.config.ts
@@ -1,6 +1,5 @@
 import react from "@vitejs/plugin-react";
 import { defineConfig } from "vite";
-import { nodePolyfills } from "vite-plugin-node-polyfills";
 import topLevelAwait from "vite-plugin-top-level-await";
 import wasm from "vite-plugin-wasm";
 
@@ -13,12 +12,5 @@ export default defineConfig({
   resolve: {
     tsconfigPaths: true,
   },
-  plugins: [
-    react(),
-    wasm(),
-    topLevelAwait(),
-    nodePolyfills({
-      include: ["buffer"],
-    }),
-  ],
+  plugins: [react(), wasm(), topLevelAwait()],
 });
diff --git a/yarn.lock b/yarn.lock
