Open-EO · niebl · Feb 5, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
diff --git a/openeo/rest/_testing.py b/openeo/rest/_testing.py
@@ -14,6 +14,7 @@
     Union,
 )
 
+from openeo.utils.version import ComparableVersion
 from openeo import Connection, DataCube
 from openeo.rest.vectorcube import VectorCube
 from openeo.utils.http import HTTP_201_CREATED, HTTP_202_ACCEPTED, HTTP_204_NO_CONTENT
@@ -189,6 +190,14 @@ def setup_file_format(self, name: str, type: str = "output", gis_data_types: Ite
         }
         self._requests_mock.get(self.connection.build_url("/file_formats"), json=self.file_formats)
         return self
+
+    def _get_conformance(self, request, context):
+        return {
+            "conformsTo": build_conformance(
+                api_version="1.3.0", 
+                stac_version="1.0.0"
+            )
+        }
 
     def _handle_post_result(self, request, context):
         """handler of `POST /result` (synchronous execute)"""
@@ -424,6 +433,20 @@ def get_status(job_id: str, current_status: str) -> str:
 
         self.job_status_updater = get_status
 
+def build_conformance(
+    *,
+    api_version: str = "1.0.0",
+    stac_version: str = "1.1.0",
+) -> list[str]:
+    conformance = [
+        "https://api.openeo.org/{api_version}",
+        "https://api.stacspec.org/v{stac_version}/core",
+        "https://api.stacspec.org/v{stac_version}/collections"
+    ]
+    if ComparableVersion(api_version) >= ComparableVersion("1.3.0"):
+        conformance.append(f"https://api.openeo.org/{api_version}/authentication/jwt")
+    return conformance
+
 
 def build_capabilities(
     *,
@@ -470,17 +493,23 @@ def build_capabilities(
         endpoints.extend(
             [
                 {"path": "/process_graphs", "methods": ["GET"]},
-                {"path": "/process_graphs/{process_graph_id", "methods": ["GET", "PUT", "DELETE"]},
+                {"path": "/process_graphs/{process_graph_id}", "methods": ["GET", "PUT", "DELETE"]},
             ]
         )
 
+    conformance = build_conformance(
+        api_version=api_version, 
+        stac_version=stac_version,
+    )
+
     capabilities = {
         "api_version": api_version,
         "stac_version": stac_version,
         "id": "dummy",
         "title": "Dummy openEO back-end",
         "description": "Dummy openeEO back-end",
         "endpoints": endpoints,
+        "conformsTo": conformance,
         "links": [],
     }
     return capabilities
diff --git a/openeo/rest/auth/auth.py b/openeo/rest/auth/auth.py
@@ -29,8 +29,9 @@ class BearerAuth(OpenEoApiAuthBase):
     https://open-eo.github.io/openeo-api/apireference/#section/Authentication/Bearer
     """
 
-    def __init__(self, bearer: str):
+    def __init__(self, bearer: str, origin: str):
         self.bearer = bearer
+        self.origin = origin
 
     def __call__(self, req: Request) -> Request:
         # Add bearer authorization header.
@@ -42,11 +43,11 @@ class BasicBearerAuth(BearerAuth):
     """Bearer token for Basic Auth (openEO API 1.0.0 style)"""
 
     def __init__(self, access_token: str):
-        super().__init__(bearer="basic//{t}".format(t=access_token))
+        super().__init__(bearer="basic//{t}".format(t=access_token), origin="basic")
 
 
 class OidcBearerAuth(BearerAuth):
     """Bearer token for OIDC Auth (openEO API 1.0.0 style)"""
 
     def __init__(self, provider_id: str, access_token: str):
-        super().__init__(bearer="oidc/{p}/{t}".format(p=provider_id, t=access_token))
+        super().__init__(bearer="oidc/{p}/{t}".format(p=provider_id, t=access_token), origin="oidc")
diff --git a/openeo/rest/auth/testing.py b/openeo/rest/auth/testing.py
@@ -281,7 +281,7 @@ def validate_access_token(self, access_token: str):
         raise LookupError("Invalid access token")
 
     def invalidate_access_token(self):
-        self.state["access_token"] = "***invalidated***"
+        self.state["access_token"] = None
 
     def get_request_history(
         self, url: Optional[str] = None, method: Optional[str] = None

diff --git a/openeo/rest/capabilities.py b/openeo/rest/capabilities.py
@@ -1,3 +1,4 @@
+import re
 from typing import Dict, List, Optional, Union
 
 from openeo.internal.jupyter import render_component
@@ -7,6 +8,8 @@
 
 __all__ = ["OpenEoCapabilities"]
 
+CONFORMANCE_JWT_BEARER = re.compile(r"https://api\.openeo\.org/[^/]+/authentication/jwt")
+
 
 class OpenEoCapabilities:
     """Container of the openEO capabilities document of an openEO backend."""
@@ -37,6 +40,13 @@ def api_version_check(self) -> ComparableVersion:
             raise ApiVersionException("No API version found")
         return ComparableVersion(api_version)
 
+    def has_conformance(self, uri: str) -> bool:
+        """Check if backend provides a given conformance string"""
+        for conformance_uri in self.capabilities.get("conformsTo", []):
+            if re.fullmatch(uri, conformance_uri):
+                return True
+        return False
+
     def supports_endpoint(self, path: str, method="GET") -> bool:
         """Check if backend supports given endpoint"""
         return any(

diff --git a/openeo/rest/connection.py b/openeo/rest/connection.py
@@ -68,7 +68,7 @@
     OidcRefreshTokenAuthenticator,
     OidcResourceOwnerPasswordAuthenticator,
 )
-from openeo.rest.capabilities import OpenEoCapabilities
+from openeo.rest.capabilities import CONFORMANCE_JWT_BEARER, OpenEoCapabilities
 from openeo.rest.datacube import DataCube, InputDate
 from openeo.rest.graph_building import CollectionProperty
 from openeo.rest.job import BatchJob
@@ -277,8 +277,15 @@ def authenticate_basic(self, username: Optional[str] = None, password: Optional[
             # /credentials/basic is the only endpoint that expects a Basic HTTP auth
             auth=HTTPBasicAuth(username, password)
         ).json()
+
+        # check for JWT bearer token conformance
+        jwt_conformance = self.capabilities().has_conformance(CONFORMANCE_JWT_BEARER)
+
         # Switch to bearer based authentication in further requests.
-        self.auth = BasicBearerAuth(access_token=resp["access_token"])
+        if jwt_conformance:
+            self.auth = BearerAuth(bearer=resp["access_token"], origin="basic")
+        else:
+            self.auth = BasicBearerAuth(access_token=resp["access_token"])
         return self
 
     def _get_oidc_provider(
@@ -416,7 +423,12 @@ def _authenticate_oidc(
             )
 
         token = tokens.access_token
-        self.auth = OidcBearerAuth(provider_id=provider_id, access_token=token)
+        # check for JWT bearer token conformance
+        jwt_conformance = self.capabilities().has_conformance(CONFORMANCE_JWT_BEARER)
+        if jwt_conformance:
+            self.auth = BearerAuth(bearer=token, origin="oidc")
+        else:
+            self.auth = OidcBearerAuth(provider_id=provider_id, access_token=token)
         self._oidc_auth_renewer = oidc_auth_renewer
         return self
 
@@ -726,7 +738,7 @@ def authenticate_bearer_token(self, bearer_token: str) -> Connection:
 
         .. versionadded:: 0.38.0
         """
-        self.auth = BearerAuth(bearer=bearer_token)
+        self.auth = BearerAuth(bearer=bearer_token, origin="unknown")
         self._oidc_auth_renewer = None
         return self
 
@@ -736,7 +748,7 @@ def try_access_token_refresh(self, *, reason: Optional[str] = None) -> bool:
         Returns whether a new access token was obtained.
         """
         reason = f" Reason: {reason}" if reason else ""
-        if isinstance(self.auth, OidcBearerAuth) and self._oidc_auth_renewer:
+        if isinstance(self.auth, BearerAuth) and self.auth.origin == "oidc" and self._oidc_auth_renewer:
-        if isinstance(self.auth, BearerAuth) and self.auth.origin == "oidc" and self._oidc_auth_renewer:
+        if self._oidc_auth_renewer:
-        if isinstance(self.auth, BearerAuth) and self.auth.origin == "oidc" and self._oidc_auth_renewer:
+        if self._oidc_auth_renewer:
             try:
                 self._authenticate_oidc(
                     authenticator=self._oidc_auth_renewer,

diff --git a/tests/extra/artifacts/_s3sts/test_s3sts.py b/tests/extra/artifacts/_s3sts/test_s3sts.py
@@ -93,7 +93,7 @@ def conn_with_s3sts_capabilities(
     requests_mock.get(API_URL, json={"api_version": "1.0.0", **extra_api_capabilities})
     requests_mock.get(f"{API_URL}me", json={})
     conn = Connection(API_URL)
-    conn.auth = BearerAuth("oidc/fake/token")
+    conn.auth = BearerAuth("oidc/fake/token", origin="oidc")
     yield conn
 
 

diff --git a/tests/rest/conftest.py b/tests/rest/conftest.py
@@ -19,6 +19,10 @@ def api_version(request):
     return request.param
 
 
+@pytest.fixture(params=["1.0.0", "1.3.0"])
+def api_version_authentication_tests(request):
+    return request.param
+
 class _Sleeper:
     def __init__(self):
         self.history = []
@@ -99,6 +103,12 @@ def con120(requests_mock, api_capabilities):
     con = Connection(API_URL)
     return con
 
+@pytest.fixture
+def con130(requests_mock, api_capabilities):
+    requests_mock.get(API_URL, json=build_capabilities(api_version="1.3.0", **api_capabilities))
+    con = Connection(API_URL)
+    return con
+
 
 @pytest.fixture
 def dummy_backend(requests_mock, con120) -> DummyBackend: