[Koha-bugs] [Bug 30988] Add generic OpenIDConnect client implementation

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jun 23 04:07:01 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30988

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #26 from David Cook <dcook at prosentient.com.au> ---
My test plan:
0. Set up koha-testing-docker with a jboss/keycloak container as per
https://hub.docker.com/r/jboss/keycloak/
0b. Create "test" realm with discovery doc:
http://<my_ip>:8082/auth/realms/test/.well-known/openid-configuration
0c. Create confidential OIDC client "koha" in "test" realm
0d. Create "test" user with email "test at test.test", first name "test1", last
name "test2", password "test"
0e. Fix "OPACBaseURL" so that it resolves to localhost instead of a
non-existent domain name
1. Apply patch
2. koha-plack --restart kohadev
3. koha-upgrade-schema kohadev
4. Set "OIDC" syspref to "Yes"
5. Set "OIDCAutoRegister" to "Allow"
6. Set "OIDCConfigURL" to
"http://<my_ip>:8082/auth/realms/test/.well-known/openid-configuration" 
7. Set "OIDCDefaultBranch" to "CPL"
8. Set "OIDCDefaultCategory" to "Patron"
9. Set "OIDCOAuth2ClientID" to my Keycloak client id
10. Set "OIDCOAuth2ClientSecret" to my Keycloak client secret
11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
12. Click "Log in to your account"
13. Fill out your username and password in Keycloak
14. Success! Returned to a logged in OPAC with new auto-registered borrower

--

Remaining issues:
1)
- installer/data/mysql/atomicupdate/bug_30988-add_oidc_syspref.pl
- installer/data/mysql/mandatory/sysprefs.sql
- koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
"URL to identity provider's OpenID config" should be "URL to identity
provider's OpenID Connect config"
("OIDCOAuth2ClientID" and "OIDCOAuth2ClientSecret" shouldn't include "OAuth2"
as it's redundant but not really an issue I suppose.)

2)
- koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
4 instances of "OpenID" instead of "OpenID Connect"

3)
- koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-main.tt
- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
I think the following text is totally unnecessary (and somewhat inaccurate
since the protocol is OpenID Connect but the account isn't): 
"If you do not have an OpenID account from the provider specified in this
library, but do have a local account, you can still log in:"

Personally, I envision a login area like the following:
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=97684. Without that
text, we'd have something like that.

-- 
You are receiving this mail because:
You are watching all bug changes.
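The configuration the test plan above walks through (an OIDCConfigURL pointing at a discovery document, a confidential client id and secret, and auto-registration of a borrower with a default branch and category), as an added example that is neither David Cook's code nor Koha's: it checks the discovery document before trusting it, builds the authorization-code request, and maps ID-token claims onto borrower fields. The discovery document, the keycloak.example host, the redirect URI and the borrower field names are constructed assumptions, not values from the patch.

```python
import json
import secrets
from urllib.parse import urlencode

WELL_KNOWN = "/.well-known/openid-configuration"
# Constructed stand-in for the Keycloak "test" realm document (OIDCConfigURL)
CONFIG_URL = "http://keycloak.example:8082/auth/realms/test" + WELL_KNOWN
BASE = "http://keycloak.example:8082/auth/realms/test/protocol/openid-connect"
DISCOVERY_DOC = json.dumps({
    "issuer": "http://keycloak.example:8082/auth/realms/test",
    "authorization_endpoint": BASE + "/auth",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
})
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def validate_discovery(config_url, raw_doc):
    """Reject the document unless it is self-consistent: Discovery 1.0 requires
    'issuer' to equal the config URL minus the well-known suffix, so a mismatch
    means it describes a provider other than the one the syspref names."""
    doc = json.loads(raw_doc)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("OIDCConfigURL must end with " + WELL_KNOWN)
    expected = config_url[: -len(WELL_KNOWN)].rstrip("/")
    if doc["issuer"].rstrip("/") != expected:
        raise ValueError(f"issuer {doc['issuer']!r} != {expected!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not offer the authorization code flow")
    return doc

def build_auth_request(doc, client_id, redirect_uri):
    """Authorization-code request for a confidential client; the fresh state
    and nonce must be stored in the session and checked when the user returns."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid email profile",
              "state": state, "nonce": nonce}
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", state, nonce

def claims_to_borrower(claims, branch="CPL", category="Patron"):
    """Map ID-token claims to the fields auto-registration needs (assumed field
    names); refuse when a claim is absent rather than creating a half-empty borrower."""
    if not all(claims.get(c) for c in ("email", "given_name", "family_name")):
        raise ValueError("cannot auto-register: email/name claims missing")
    return {"email": claims["email"], "firstname": claims["given_name"],
            "surname": claims["family_name"], "branchcode": branch, "categorycode": category}
```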