Skip to content

QGIS

You can use QGIS directly against the EOCube.Ro platform — browse the STAC catalog and add OGC / tile layers (WMS, WMTS, XYZ, OGC API) that are protected by the ROCS Single Sign-On (SSO).

Authentication uses the same SSO as the rest of the platform: you sign in with your EOCube.Ro account in the browser, and QGIS attaches the resulting token to its requests. There is no static key and no client secret to manage — the downloadable configuration below describes a public OAuth2 client that uses PKCE.

What this is for

This configures authenticated access to the STAC catalog and other SSO-protected HTTP / OGC services. Authenticated access also reveals your private and group-restricted collections, which are hidden from anonymous users.

S3 object storage (/vsis3/) is not covered here — it uses temporary S3 credentials rather than OAuth2. See the Storage page.

Requirements

  • QGIS ≥ 3.34 LTR (PKCE support).
  • A QGIS master password must be set — QGIS stores authentication configurations in an encrypted database and will prompt you to create one the first time.
  • To browse STAC on QGIS < 3.40, install the STAC API Browser plugin (Plugins → Manage and Install Plugins). QGIS 3.40 LTR and newer have native STAC support in the Data Source Manager.

1. Import the authentication configuration

Download the configuration profile:

Then, in QGIS:

  1. Open Settings → Options → Authentication**.
  2. Click Add (the green +) and choose the OAuth2 authentication method.
  3. Click Load and select the downloaded EOCube-SSO.qgis-oauth2.json.
  4. Confirm the imported values: Grant Flow = PKCE and Redirect port = 7070. (In QGIS, PKCE is its own grant flow for public clients — selecting it hides the client-secret field, which is what we want; do not pick Authorization Code, which would demand a secret.)
  5. Save. A new authentication configuration named EOCube.Ro SSO appears in the list.

Redirect port

QGIS captures the sign-in redirect on a local port (default 7070). This port is pre-registered for the platform. If you change it in QGIS, sign-in will fail until the new port is registered — keep the default 7070.

The first time the configuration is used, QGIS opens a browser window for the ROCS Single Sign-On. Sign in with your EOCube.Ro account; QGIS captures the token automatically.

2. Browse the STAC catalog

STAC endpoint https://stac.eocube.ro
Authentication ROCS Single Sign-On (the EOCube.Ro SSO config above)
  • QGIS ≥ 3.40 LTR: Data Source Manager → STAC → New connection.
  • QGIS < 3.40 (STAC API Browser plugin): add a new connection in the plugin.

Set the connection URL to https://stac.eocube.ro and select the EOCube.Ro SSO authentication configuration. After signing in you will also see your own and your groups' collections, not only the public ones.

3. Add SSO-protected OGC / tile layers

The same authentication configuration can be attached to any SSO-protected service. When creating a WMS/WMTS, XYZ tiles, or OGC API connection, expand the Authentication section and select EOCube.Ro SSO. QGIS sends the bearer token in the Authorization header on every request (for example, for SSO-protected tile endpoints).

Troubleshooting

  • Sign-in window fails / redirect error — the local redirect port does not match the registered one. Reset it to 7070 in the authentication configuration.
  • Catalog shows only public data — the connection is not using the EOCube.Ro SSO authentication configuration, or your session is anonymous. Re-select the config; if needed, clear the cached token: Options → Authentication → edit the config Clear token.
  • Access Denied on a collection — your account lacks the required role or group. Contact the ROCS project administrators.
  • No browser opens — make sure no firewall blocks the local 127.0.0.1:7070 loopback, which QGIS uses to receive the sign-in redirect.