[Koha-bugs] [Bug 31378] Add a generic OAuth2/OIDC client implementation

bugzilla-daemon at bugs.koha-community.org
Wed Nov 2 06:12:46 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Patch doesn't apply         |Failed QA

--- Comment #104 from David Cook <dcook at prosentient.com.au> ---
Test plan 1:
1. apt install libmojolicious-plugin-oauth2-perl
2. koha-upgrade-schema kohadev
3. restart_all

<Note that Nick and David's patches from Bugzilla are still needed for Gitlab
branch...>

Test plan 2:
1. Go to http://localhost:8081/cgi-bin/koha/admin/admin-home.pl
2. Click on "Identity providers"
3. Click "New identity provider"
(#NOTE: UI formatting looks OK on Koha 22.06, but I wonder what it'll look like
on Koha 22.11...)
(#FIXME: "Add default OAuth..." buttons still don't work if you make any
changes in the text box before pressing the button.)
(#FIXME: There's still not enough help text on the UI to explain how to fill it
all in.)
(#NOTE: It probably makes more sense to default to "OIDC" than "OAuth" since
the former is more common with common identity providers)
4. Enter relevant details and click "Submit"
(#FIXME: "Code" shouldn't be able to contain non-alphanumeric characters)
(#FIXME: Putting in garbage values causes the page to return to
/cgi-bin/koha/admin/identity_providers.pl with no error messages)
(#FIXME: There needs to be a warning that integration won't work until after an
application restart...)
5. Click on "Manage Domains"
(#FIXME: It's not clear what "domains" means in this context. It should say
something like "Identity provider email domains")
6. Click "Edit" on the default domains
(#FIXME: The "Default library" and "Default category" are initially set to
empty, but you can't set them to empty in the "Edit" interface)
(#FIXME: The breadcrumb says "Domains for" instead of "Domains for Test")

7. koha-plack --restart kohadev

8. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that doesn't exist in Koha
(#FIXME: When authentication fails, the end user sees the following message:
There was an error authenticating to external identity provider

Can't call method "auto_register" on an undefined value at
/kohadevbox/koha/Koha/REST/Plugin/Auth/IdP.pm line 66.
)

9. Change "Identity provider" default domain to "Auto register"
10. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that doesn't exist in Koha
(#FIXME: When authentication fails, the end user sees the following message:
There was an error authenticating to external identity provider

Can't call method "auto_register" on an undefined value at
/kohadevbox/koha/Koha/REST/Plugin/Auth/IdP.pm line 66.
)
(#FIXME: The auto register feature doesn't work. It needs to be fixed.)

11. Create a Koha user to match your IdP user
12. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that does exist in Koha
13. Login succeeds

14. Kill IdP session and logout of Koha

15. Change default domain to "Update on login"

16. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that does exist in Koha
(#FIXME: The update on login feature doesn't work. It needs to be fixed.)

17. Change default domain to "Allow staff" logins
18. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that does exist in Koha
19. Note that you get a normal "Error: You do not have permission to access
this page" message. That's good.

20. Add "catalogue" permission to the Koha user
21. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that does exist in Koha
22. Login succeeds

23. In an Incognito window or different browser, go to http://localhost:8081,
and try logging in with a user that doesn't exist in Koha
(#FIXME: When authentication fails, the end user sees the following message:
Error: Session timed out.
Please log in again
There was an error authenticating to external identity provider

Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user
cannot access resource' with code => 401
)

24. Add a new domain that matches the email domain of your IdP/Koha user.
25. Mark "Allow opac" and "Allow staff" as "No"

26. In an Incognito window or different browser, go to http://localhost:8080,
and try logging in with a user that does exist in Koha
(#FIXME: Koha login happens even though the specific domain says it shouldn't
be allowed)
27. In an Incognito window or different browser, go to http://localhost:8081,
and try logging in with a user that does exist in Koha
(#FIXME: Koha login happens even though the specific domain says it shouldn't
be allowed)

--

I imagine that there are other problems, but I think that's a fairly thorough
analysis of the core functionality.
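The domain checks this test plan exercises (default-domain fallback, per-domain "Allow opac"/"Allow staff", auto register), written as an added Python sketch rather than Koha's Perl; the field names, the "*" default-domain convention and the suffix matching are assumptions, not Koha's schema. It returns an explicit denial when no domain matches instead of dereferencing an undefined record, and lets a specific domain's "No" override the default domain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    """One identity-provider domain row (field names are assumptions)."""
    domain: str                 # "*" stands for the default (catch-all) domain
    allow_opac: bool
    allow_staff: bool
    auto_register: bool = False
    update_on_login: bool = False


class NoMatchingDomain(Exception):
    """Raised when neither a specific nor a default domain matches the email."""


def match_domain(email: str, domains: list[Domain]) -> Domain:
    """Pick the most specific domain for an email: exact host first, then the
    longest parent suffix, then the default "*" row. Never returns None, so a
    caller cannot hit the "undefined value" failure seen in the test plan."""
    host = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    candidates = [d for d in domains
                  if d.domain != "*" and (host == d.domain.lower()
                                          or host.endswith("." + d.domain.lower()))]
    if candidates:
        return max(candidates, key=lambda d: len(d.domain))
    for d in domains:
        if d.domain == "*":
            return d
    raise NoMatchingDomain(f"no identity provider domain matches {host!r}")


def decide(email: str, interface: str, domains: list[Domain], user_exists: bool) -> str:
    """Return 'login', 'register' or 'deny:<reason>' for an IdP-authenticated
    email. interface is 'opac' (port 8080 in the plan) or 'staff' (8081)."""
    try:
        dom = match_domain(email, domains)
    except NoMatchingDomain:
        return "deny:no-domain"
    # The matched (most specific) domain's flags are authoritative; the default
    # domain's "Yes" must not leak through when a specific domain says "No".
    allowed = dom.allow_opac if interface == "opac" else dom.allow_staff
    if not allowed:
        return "deny:interface-not-allowed"
    if not user_exists:
        return "register" if dom.auto_register else "deny:unknown-user"
    return "login"
```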
