[Koha-bugs] [Bug 25796] Allow REST API to use external OAuth2 authorization server

bugzilla-daemon at bugs.koha-community.org
Thu Jul 28 07:51:51 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25796

--- Comment #4 from David Cook <dcook at prosentient.com.au> ---
But then if you read this:
https://auth0.com/blog/id-token-access-token-what-is-the-difference/

In theory, the access token should be for the "Resource server" (ie the Koha
API). I suppose that the access token can then be used to do a UserInfo lookup
in order to get the user info (I did that in my early 2014 OpenID Connect
work).

I suppose the Koha API would check the "iss" and "aud" claims. The "iss" would
let it know what IdP to talk to (and whether or not it trusts it). I think the
"aud" would need to be the whole Koha API and then further authorization would
be handled by Koha at a more granular level...

Looking at Koha::OAuth, it would be fairly trivial to add support. We'd just
need a table really to store providers. If the "iss" provider isn't found in
the table, then we default to a Koha supplied access token.

We need a table to store providers anyway for improving Koha's SSO options, so
this dovetails with that.

If we wanted to handle this with plugins, we could do that instead so long as
we put a plugin hook in "Koha::OAuth::_verify_access_token_cb". 

It does look like we'd need to alter Koha::Rest::V1::Auth a little bit, as it
tries to look up the patron using the "client_id" in the access token.

Anyway, lots of possibilities there.

-- 
You are receiving this mail because:
You are watching all bug changes.
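The token-routing design sketched in the comment above, written out as an added example (Python rather than Koha's Perl so it runs stand-alone; it is not Koha code and not David Cook's). Everything in it is constructed: the PROVIDERS dict stands in for the proposed providers table keyed by "iss", KOHA_API_AUDIENCE is the assumed "aud" value for the whole Koha API, and tokens are HS256 JWTs with a per-provider shared secret purely so the signature check works offline (a real external IdP would sign with RS256 and publish a JWKS; only _verify_hs256 would change). The points it makes concrete are the ones a reviewer would want in a real implementation: the unverified "iss" is used only to choose which trusted verifier to run, the algorithm is pinned per provider instead of taken from the token header, "aud" is checked against the API as a whole, and the principal comes from "client_id" for Koha tokens but "sub" for external ones.

```python
"""Route a bearer token by "iss": trusted external IdP vs Koha-issued token.
Added example, not Koha code. PROVIDERS, KOHA_LOCAL and KOHA_API_AUDIENCE are
constructed; HS256 shared secrets are used only so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

KOHA_API_AUDIENCE = "https://koha.example.org/api/v1"  # assumed audience value

# Constructed provider table (would be a DB table in Koha), keyed by "iss".
# "alg" is pinned per provider so the token header can never pick the algorithm.
PROVIDERS = {
    "https://idp.example.org/": {"alg": "HS256", "secret": b"idp-shared-secret"},
}
# Verifier for Koha's own tokens, used when "iss" is absent or unknown.
KOHA_LOCAL = {"alg": "HS256", "secret": b"koha-local-secret"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _json_object(raw):
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    return obj


def _peek_claims(token):
    """Read the payload WITHOUT verifying it: used only to choose the verifier,
    nothing read here is trusted until the signature check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return _json_object(_b64url_decode(parts[1]))


def _verify_hs256(token, cfg):
    """Check the header alg against the pinned one, then the HMAC, then decode."""
    head, payload, sig = token.split(".")
    if _json_object(_b64url_decode(head)).get("alg") != cfg["alg"]:
        raise ValueError("unexpected alg")
    expected = hmac.new(cfg["secret"], f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return _json_object(_b64url_decode(payload))


def verify_token(token, now=None):
    """Return ("ok", source, claims) or ("reject", reason, None); source is
    "external" for a trusted IdP token and "koha" for a Koha-issued one."""
    now = time.time() if now is None else now
    try:
        provider = PROVIDERS.get(_peek_claims(token).get("iss"))
        source, cfg = ("external", provider) if provider else ("koha", KOHA_LOCAL)
        claims = _verify_hs256(token, cfg)
    except ValueError as exc:
        return ("reject", str(exc), None)
    if source == "external":
        # "aud" may be a string or a list; the whole Koha API is the audience,
        # finer-grained authorization happens later inside Koha.
        aud = claims.get("aud")
        if KOHA_API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
            return ("reject", "wrong audience", None)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return ("reject", "missing or expired exp", None)
    return ("ok", source, claims)


def principal(source, claims):
    """Koha's own tokens identify the caller by "client_id"; an external token
    identifies the user by "sub" (optionally enriched via a UserInfo lookup)."""
    if source == "koha":
        return ("client_id", claims["client_id"])
    return ("sub", claims["sub"])


def mint_hs256(claims, secret):
    """Issue a token, as the IdP or Koha would; here only to build sample input."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```

Note the fallback behaviour this gives: a token whose "iss" is not in the table is checked as a Koha-issued token, so an attacker who sets "iss" to the trusted IdP but cannot sign with that IdP's key fails the signature check, and one who sets an unknown "iss" fails against Koha's own key. A token with "alg": "none" is rejected before any HMAC is computed because the algorithm comes from the provider row, not the header.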