[Koha-bugs] [Bug 17004] REST API: add route to authenticate patron (Single Sign On - SSO)

bugzilla-daemon at bugs.koha-community.org
Wed Jun 15 07:02:12 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17004

--- Comment #39 from David Cook <dcook at prosentient.com.au> ---
I'm going to add another wrinkle into all of this!

Since Koha isn't yet capable of being an OpenID Connect/SAML2 IDP itself, we're
using the Keycloak IDAM system instead (which Red Hat very actively develops
and supports).

The cool part is that I've written an extension using the User Storage SPI
(https://www.keycloak.org/docs/latest/server_development/#_user-storage-spi) to
use the Koha database as the User Federation provider.

Right now, I'm using the existing REST API to GET patrons, but I need a REST
API endpoint to validate the credentials entered by the user. I'll be creating
a custom endpoint for that this afternoon. *Note that this isn't creating a
Koha authentication session. It's just validating that the password entered by
the user into Keycloak is the same password stored in the Koha database.*

So Keycloak will provide the SSO for Koha and other systems, but the real
backend user database (and potentially business rules) will still happen in
Koha.

I thought about doing the REST API endpoint as a Koha plugin, but I'm going to
just code it into our local Koha, so that it's easier to maintain and
distribute.

Once we've battle tested everything, I could look at sharing.
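The credential-validation endpoint described in this comment, as an added example that is not part of the bug thread and not Koha's own code (Koha is written in Perl; this sketch is in Python so it can be run stand-alone). It models the point the comment makes: the external IdP (Keycloak) asks Koha "is this userid/password pair valid?" and gets a yes/no answer, with no Koha session or `CGISESSID` cookie created. The route name, the PBKDF2 hashing scheme (a stand-in for whatever Koha stores), the `identifier`/`password` request fields, and the patron records are all constructed for illustration.

```python
"""Stateless password-validation handler for an external IdP.

Example code, not Koha's. Assumptions: a POST route (name below is
hypothetical) receiving JSON {"identifier": ..., "password": ...};
patron rows with a stored password hash; PBKDF2-SHA256 as the hash
scheme (Koha's real scheme is not modelled here).
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ROUTE = "POST /api/v1/auth/password/validation"  # hypothetical route name
PBKDF2_ITERATIONS = 100_000                       # illustrative work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<salt hex>$<digest hex>' for a plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored hash string."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed stored value: treat as no match
    if scheme != "pbkdf2":
        return False          # unknown scheme: never fall back to plaintext
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed patron table standing in for the Koha borrowers table.
PATRONS: Dict[str, Dict[str, object]] = {
    "jdoe": {
        "borrowernumber": 42,
        "cardnumber": "0001",
        "password": hash_password("correct horse"),
    },
}

# Hash of a random throwaway value: unknown userids are checked against
# this so a lookup miss costs the same time as a wrong password, which
# keeps response timing from revealing which userids exist.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def validate_password_handler(body: dict) -> Tuple[int, dict, Dict[str, str]]:
    """Return (HTTP status, JSON body, response headers).

    204 means the credentials are valid. 400 covers missing fields,
    unknown userid and wrong password alike, with one generic body, so
    the response does not distinguish "no such patron" from "bad password".
    No Set-Cookie header is ever emitted: the IdP owns the session.
    """
    headers = {"Content-Type": "application/json"}
    userid = body.get("identifier")
    password = body.get("password")
    if not isinstance(userid, str) or not isinstance(password, str):
        return 400, {"error": "Missing identifier or password"}, headers

    patron = PATRONS.get(userid)
    stored = str(patron["password"]) if patron else _DUMMY_HASH
    ok = verify_password(password, stored)   # always runs, found or not
    if patron is None or not ok:
        return 400, {"error": "Validation failed"}, headers

    return 204, {}, headers


if __name__ == "__main__":
    print(validate_password_handler({"identifier": "jdoe",
                                     "password": "correct horse"})[0])
```

The two properties worth carrying over to a real implementation are that the handler never sets a session cookie (the only thing Keycloak needs is the status code) and that the failure path is uniform in both body and timing, since the endpoint will be reachable by anything that can talk to the API.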
