QGIS¶
You can use QGIS directly against the EOCube.Ro platform — browse the STAC catalog and add OGC / tile layers (WMS, WMTS, XYZ, OGC API) that are protected by the ROCS Single Sign-On (SSO).
Authentication uses the same SSO as the rest of the platform: you sign in with your EOCube.Ro account in the browser, and QGIS attaches the resulting token to its requests. There is no static key and no client secret to manage — the downloadable configuration below describes a public OAuth2 client that uses PKCE.
What this is for
This configures authenticated access to the STAC catalog and other SSO-protected HTTP / OGC services. Authenticated access also reveals your private and group-restricted collections, which are hidden from anonymous users.
S3 object storage (/vsis3/) is not covered here — it uses temporary S3
credentials rather than OAuth2. See the Storage page.
Requirements¶
- QGIS ≥ 3.34 LTR (PKCE support).
- A QGIS master password must be set — QGIS stores authentication configurations in an encrypted database and will prompt you to create one the first time.
- To browse STAC on QGIS < 3.40, install the STAC API Browser plugin (Plugins → Manage and Install Plugins). QGIS 3.40 LTR and newer have native STAC support in the Data Source Manager.
1. Import the authentication configuration¶
Download the configuration profile:
Then, in QGIS:
- Open Settings → Options → Authentication**.
- Click Add (the green
+) and choose the OAuth2 authentication method. - Click Load and select the downloaded
EOCube-SSO.qgis-oauth2.json. - Confirm the imported values: Grant Flow = PKCE and Redirect port = 7070. (In QGIS, PKCE is its own grant flow for public clients — selecting it hides the client-secret field, which is what we want; do not pick Authorization Code, which would demand a secret.)
- Save. A new authentication configuration named EOCube.Ro SSO appears in the list.
Redirect port
QGIS captures the sign-in redirect on a local port (default 7070). This
port is pre-registered for the platform. If you change it in QGIS, sign-in
will fail until the new port is registered — keep the default 7070.
The first time the configuration is used, QGIS opens a browser window for the ROCS Single Sign-On. Sign in with your EOCube.Ro account; QGIS captures the token automatically.
2. Browse the STAC catalog¶
| STAC endpoint | https://stac.eocube.ro |
| Authentication | ROCS Single Sign-On (the EOCube.Ro SSO config above) |
- QGIS ≥ 3.40 LTR: Data Source Manager → STAC → New connection.
- QGIS < 3.40 (STAC API Browser plugin): add a new connection in the plugin.
Set the connection URL to https://stac.eocube.ro and select the EOCube.Ro
SSO authentication configuration. After signing in you will also see your
own and your groups' collections, not only the public ones.
3. Add SSO-protected OGC / tile layers¶
The same authentication configuration can be attached to any SSO-protected
service. When creating a WMS/WMTS, XYZ tiles, or OGC API connection,
expand the Authentication section and select EOCube.Ro SSO. QGIS sends the
bearer token in the Authorization header on every request (for example, for
SSO-protected tile endpoints).
Troubleshooting¶
- Sign-in window fails / redirect error — the local redirect port does not
match the registered one. Reset it to
7070in the authentication configuration. - Catalog shows only public data — the connection is not using the EOCube.Ro SSO authentication configuration, or your session is anonymous. Re-select the config; if needed, clear the cached token: Options → Authentication → edit the config → Clear token.
Access Deniedon a collection — your account lacks the required role or group. Contact the ROCS project administrators.- No browser opens — make sure no firewall blocks the local
127.0.0.1:7070loopback, which QGIS uses to receive the sign-in redirect.