[Koha-bugs] [Bug 31378] Add a generic OAuth2/OIDC client implementation

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Oct 14 04:24:34 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #68 from David Cook <dcook at prosentient.com.au> ---
I'll shortly add a follow-up to catch the error of the missing database update. 

In theory, with a package install, the database will be automatically upgraded
before the web app is started up. But some people will still need to use the
web installer, so we don't want it to fail. (Those people will need to restart
their Koha before they're able to use the new auth functionality of course.)

Test plan 1:
1. apt install libmojolicious-plugin-oauth2-perl
2. restart_all
3. koha-upgrade-schema kohadev
4. koha-plack --restart kohadev
5. prove t/db_dependent/Koha/Auth/Provider.t

So far so good.

Test plan 2:
1. Go to http://localhost:8081/cgi-bin/koha/admin/admin-home.pl
2. Click on "Authentication providers"
(#NOTE: I would've preferred "Identity Providers" since that's a more common
industry term.)
3. Click "New authentication provider"
(#NOTE: The UI looks poorly formatted, but I think that's probably a symptom of
the new staff interface styling. Not a blocker for me. This can be fixed
later...)
(#NOTE: There is a bug with the "Configuration" where "Add new X configuration"
doesn't work if you've manually changed anything in the text box. Not a blocker
for me, but will need to be fixed at some point. Same goes for "Add default
OIDC mapping".)
(#NOTE: There's not enough documentation/help text on how to use this UI. I'm
figuring it out through trial and error, but a bit of help text for "Code",
"Description", and "Icon URL" at a minimum would be good.)
(#NOTE: With the new Staff Interface, there should be a "Help" link on the
right hand side, but I don't see it for this new functionality. I think that's
a blocker.)
(#NOTE: I don't really like having to include raw JSON in this UI. This could
be made more beautiful.)
(#NOTE: "Code" doesn't appear to be restricted or validated in any way. We
should stick to alphanumeric codes. This is borderline... but I think it's a
blocker. We need to set the rule before people start using it.)
(#NOTE: We need to add help text at the bottom of this page that says this auth
provider won't be available until after a Koha restart.)
4. Click on "Manage Domains"
5. Click "Edit" for first and only line
(#NOTE: It's not clear what a "Domain" is in this context. This needs more help
text/documentation. I'd say that's a blocker. From past code review in Koha for
OIDC, "Domain" referred to email domain. That really should be spelled out
clearly.)
6. The breadcrumb doesn't show the auth provider code on the "Edit
authentication provider domain" like it does on the "Authentication provider
domains" page


4. koha-plack --restart kohadev
(#NOTE: This is an unfortunate step but necessary because of the plugin being
used. Auth providers are rarely set up, so not a big drama.)

4. In an Incognito tab or different browser, go to http://localhost:8081/
(#NOTE: In my opinion, we should *not* be allowing staff login by default.
While "Auto register" is "Don't allow" by default, we should keep the staff
interface as locked down as possible. Not a blocker but an observation...)

5. When I try to login with Keycloak, I get the following error in Koha:
[{"message":"Malformed query string","path":"\/query\/session_state"}]
(#NOTE: Newer OIDC providers will provide session_state in the authentication
response. I'll turn this off in Keycloak. Folks can read more about
session_state at https://openid.net/specs/openid-connect-session-1_0.html)

6. Now I'm getting this error on the Koha Staff Interface login page (since the
user doesn't exist in Koha and I have auto-register turned off):
There was an error authenticating to external identity provider
Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user
cannot access resource' with code => 401
(#NOTE: I don't think printing the exception on the staff interface is a good
idea. Let's remove that.)

7. After adding my user to Koha and giving staff permissions, I'm able to log
in. Very nice!

8. Go to http://localhost:8080/ and click "Log in with Keycloak IdP"
9. Since I already have a session in Keycloak, I'm logged into the OPAC with no
login. Very good!

10. If I logout of Keycloak and try to log back into http://localhost:8080/ via
Keycloak, I get the following:
There was an error authenticating to external identity provider
Can't call method "auto_register" on an undefined value at
/kohadevbox/koha/Koha/REST/Plugin/Auth.pm line 66.

(#NOTE: In the code I see "tranverse_hash" but it should be "traverse_hash" in
English.)

11. Turn on auto register for all blank domain...
12. restart_all in ktd
13. Try to log into OPAC and Staff Interface
14. Neither works... 
(#NOTE: In Koha/REST/Plugin/Auth.pm, it looks like auto-register should only
work for OPAC. In theory, I like that, although I suppose the workaround would
be to auto-register for the OPAC, and then your account would exist for the
Staff Interface anyway...)

15. I tried "Update on login" using the blank domain and a domain of
"prosentient.com.au" and both failed to update my firstname and surname on
login. That's a blocker...
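A sketch, added here and not Koha's own code, of how the per-domain lookup behind steps 10 to 15 could be resolved so that an email with no matching rule yields a clear refusal instead of a method call on an undefined value. The domain table, its field names and the returned status strings are constructed for this example and are not Koha's schema or API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of an identity provider's domain rules (not Koha's
# schema). The empty domain string is the catch-all entry.
my @domains = (
    { domain => '',                   allow_opac => 1, allow_staff => 0,
      auto_register => 0, update_on_login => 0 },
    { domain => 'prosentient.com.au', allow_opac => 1, allow_staff => 1,
      auto_register => 1, update_on_login => 1 },
);

# Pick the most specific rule for an email address: exact domain match
# first, then the catch-all. Returns undef when nothing applies, so the
# caller must check before dereferencing the result.
sub resolve_domain {
    my ($email, $rules) = @_;
    return undef unless defined $email && $email =~ /^[^@\s]+@([^@\s]+)$/;
    my $mail_domain = lc $1;
    my ($match) = grep { lc($_->{domain}) eq $mail_domain } @$rules;
    return $match if $match;
    ($match) = grep { $_->{domain} eq '' } @$rules;   # catch-all fallback
    return $match;
}

# Decide what to do with a login from the external IdP. Every failure
# path returns a status string rather than dying inside the callback.
sub decide_login {
    my (%args) = @_;
    my $rule = resolve_domain($args{email}, $args{rules});
    return 'unauthorized:no_domain_rule' unless $rule;
    my $interface = $args{interface} // '';   # 'opac' or 'staff'
    return 'unauthorized:interface_not_allowed'
        unless ($interface eq 'opac'  && $rule->{allow_opac})
            || ($interface eq 'staff' && $rule->{allow_staff});
    if (!$args{user_exists}) {
        return $rule->{auto_register}
            ? 'register_then_login' : 'unauthorized:unknown_user';
    }
    return $rule->{update_on_login} ? 'login_and_update_fields' : 'login';
}

for my $case ([ 'dcook@prosentient.com.au', 'staff', 1 ],
              [ 'someone@example.org',      'staff', 0 ],
              [ 'nobody@example.org',       'opac',  0 ]) {
    my ($email, $interface, $exists) = @$case;
    printf "%-28s %-5s -> %s\n", $email, $interface,
        decide_login(email => $email, interface => $interface,
                     user_exists => $exists, rules => \@domains);
}
```

The second and third cases fall through to the catch-all rule, which refuses the staff interface outright and, with auto-register off, refuses an unknown OPAC user with a status the UI can report without echoing the exception text.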
