[Koha-bugs] [Bug 20627] New: Prevent leakages of user permissions to api access tokens
bugzilla-daemon at bugs.koha-community.org
Fri Apr 20 14:48:23 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20627
Bug ID: 20627
Summary: Prevent leakages of user permissions to api access tokens
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: new feature
Priority: P5 - low
Component: Authentication
Assignee: koha-bugs at lists.koha-community.org
Reporter: martin.renvoize at ptfs-europe.com
QA Contact: testopia at bugs.koha-community.org
CC: dcook at prosentient.com.au, dpavlin at rot13.org, julian.maurice at biblibre.com, katrin.fischer at bsz-bw.de, oleonard at myacpl.org, tomascohen at gmail.com
Depends on: 20568
Blocks: 20612, 20624
Bug #20568 allows users to create API access tokens, but it always associates
all of a user's permissions with that access token and, additionally, if that user
comes to have more permissions down the line, those additional permissions are
automagically added to the access token as well. This is generally bad practice
for access tokens as, in general, they should be of a definite scope, and any
time additional privileges are required the client application should have to
ask for them and receive a new token with the additional privileges assigned to
it.
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568
[Bug 20568] Add API key management interface for patrons
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20612
[Bug 20612] Make OAuth2 use patron's client_id/secret pairs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624
[Bug 20624] Allow switching off the OAuth2 client credentials grant
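The scoping model the report argues for, as an added example written for this page (it is not Koha's own code): a token carries a frozen scope subset chosen at issuance, and authorization checks that snapshot rather than the patron's live permission set, so a flag granted to the patron later does not leak into an existing token. The `Patron`, `AccessToken` and `TokenStore` names and the permission flag values are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Patron:
    borrowernumber: int
    permissions: set  # the patron's *current* flags, which may grow over time


@dataclass(frozen=True)
class AccessToken:
    value: str
    borrowernumber: int
    scopes: frozenset  # snapshot taken at issuance; never re-read from the patron


class TokenStore:
    """Issues tokens bound to an explicit scope subset and checks requests
    against that frozen scope, not against the patron's live permissions."""

    def __init__(self):
        self._tokens = {}

    def issue(self, patron, requested_scopes):
        requested = frozenset(requested_scopes)
        # A client may only obtain scopes the patron actually holds right now.
        if not requested <= patron.permissions:
            raise PermissionError(f"scopes not held: {sorted(requested - patron.permissions)}")
        token = AccessToken(secrets.token_urlsafe(32), patron.borrowernumber, requested)
        self._tokens[token.value] = token
        return token

    def authorize(self, token_value, needed):
        token = self._tokens.get(token_value)
        return token is not None and needed in token.scopes


def authorize_leaky(patron, needed):
    # The behaviour the report objects to: the token is merely an alias for the patron.
    return needed in patron.permissions


def demo():
    # Constructed sample data; the flag names are illustrative only.
    patron = Patron(42, {"catalogue", "circulate"})
    store = TokenStore()
    token = store.issue(patron, ["catalogue"])
    patron.permissions.add("borrowers")  # privilege granted to the patron later on
    return {
        "leaky": authorize_leaky(patron, "borrowers"),        # True: the new flag leaks
        "scoped": store.authorize(token.value, "borrowers"),  # False: old token unchanged
        "reissued": store.authorize(store.issue(patron, ["borrowers"]).value, "borrowers"),
    }
```

The third result shows the path the report asks for: the client requests the extra privilege explicitly and receives a new token that carries it.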