[Koha-bugs] [Bug 31378] Add a generic OAuth2/OIDC client implementation

bugzilla-daemon at bugs.koha-community.org
Fri Oct 14 22:51:50 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378

--- Comment #78 from Agustín Moyano <agustinmoyano at theke.io> ---
Hi everyone, it's been a long time since I wrote to you!

Thanks so much, David, for such extensive testing. I'll try to address as many
points as possible.

(In reply to David Cook from comment #68)


> (#NOTE: I would've preferred "Identity Providers" since that's a more common
> industry term.)

Nice point. I'll talk to Tomas about whether we should change it.

> (#NOTE: The UI looks poorly formatted, but I think that's probably a symptom
> of the new staff interface styling. Not a blocker for me. This can be fixed
> later...)

Sorry, it's been a long time since I've done anything related to Koha. If you
could point me to a well-formatted page, I'll try to stick to that style as much
as possible.

> (#NOTE: There is a bug with the "Configuration" where "Add new X
> configuration" doesn't work if you've manually changed anything in the text
> box. Not a blocker for me, but will need to be fixed at some point. Same
> goes for "Add default OIDC mapping.)

I do not believe these patches are at the latest version. I've added a
jquery-validator to check that your JSON is valid before saving. I imagine this
is a stopgap for now, and we need a proper way to edit JSON.

> (#NOTE: There's not enough documentation/help text on how to use this UI.

Yes, I've been coding this between jobs so I had no time to document, but
surely we will add some follow-ups.

> I'm figuring it out through trial and error, but a bit of help text for
> "Code", "Description", and "Icon URL" at a minimum would be good.)

Code should be a unique name for your Identity Provider, the Description is the
text that will appear in the login button, and Icon URL should be a URL from
which we can fetch an icon for the login button.

> (#NOTE: With the new Staff Interface, there should be a "Help" link on the
> right hand side, but I don't see it for this new functionality. I think
> that's a blocker.)

Ok, I'll ask Tomas for help about how this should be done.

> (#NOTE: I don't really like having to include raw JSON in this UI. This
> could be made more beautiful.)

Me neither; there should be a JSON editor or something. Does Koha have one?

> (#NOTE: "Code" doesn't appear to be restricted or validated in any way. We
> should stick to alphanumeric codes. This is borderline... but I think it's a
> blocker. We need to set the rule before people start using it.)

Good point. Will be done.

> (#NOTE: We need to add help text at the bottom of this page that says this
> auth provider won't be available until after a Koha restart.)

Yes, but we have plans to make it so that you won't need to restart Koha for the
provider to be available (a PR to the Mojolicious::Plugin::OAuth2 project).

> 4. Click on "Manage Domains"
> 5. Click "Edit" for first and only line
> (#NOTE: It's not clear what a "Domain" is in this context. This needs more
> help text/documentation. I'd say that's a blocker. From past code review in
> Koha for OIDC, "Domain" referred to email domain. That really should be spelled
> out clearly.)

Agree. Domain in this case is, as you said, email domain.

> 6. The breadcrumb doesn't show the auth provider code on the "Edit
> authentication provider domain" like it does on the "Authentication provider
> domains" page

I'll check it.

> 
> 
> 4. koha-plack --restart kohadev
> (#NOTE: This is an unfortunate step but necessary because of the plugin
> being used. Auth providers are rarely set up, so not a big drama.)
> 
> 4. In an Incognito tab or different browser, go to http://localhost:8081/
> (#NOTE: In my opinion, we should *not* be allowing staff login by default.
> While "Auto register" is "Don't allow" by default, we should keep the staff
> interface as locked down as possible. Not a blocker but an observation...)

Ok, that's easily done.

> 
> 5. When I try to login with Keycloak, I get the following error in Koha:
> [{"message":"Malformed query string","path":"\/query\/session_state"}]
> (#NOTE: Newer OIDC providers will provide session_state in the
> authentication response. I'll turn this off in Keycloak. Folks can read more
> about session_state at
> https://openid.net/specs/openid-connect-session-1_0.html)
> 
> 6. Now I'm getting this error on the Koha Staff Interface login page (since
> the user doesn't exist in Koha and I have auto-register turned off):
> There was an error authenticating to external identity provider
> Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user
> cannot access resource' with code => 401
> (#NOTE: I don't think printing the exception on the staff interface is a
> good idea. Let's remove that.)

As I said, I do not believe these patches are at the latest version. Now the
user gets redirected to the login page (staff or OPAC) with an error message.

> 
> 7. After adding my user to Koha and giving staff permissions, I'm able to
> log in. Very nice!
> 
> 8. Go to http://localhost:8080/ and click "Log in with Keycloak IdP"
> 9. Since I already have a session in Keycloak, I'm logged into the OPAC with
> no login. Very good!
> 
> 10. If I logout of Keycloak and try to log back into http://localhost:8080/
> via Keycloak, I get the following:
> There was an error authenticating to external identity provider
> Can't call method "auto_register" on an undefined value at
> /kohadevbox/koha/Koha/REST/Plugin/Auth.pm line 66.

Strange, I'll have to check that out.

> 
> (#NOTE: In the code I see "tranverse_hash" but it should be "traverse_hash"
> in English.)

Typo... sorry.

> 
> 11. Turn on auto register for all blank domain...
> 12. restart_all in ktd
> 13. Try to log into OPAC and Staff Interface
> 14. Neither works...
> (#NOTE: In Koha/REST/Plugin/Auth.pm, it looks like auto-register should only
> work for OPAC. In theory, I like that, although I suppose the workaround
> would be to auto-register for the OPAC, and then your account would exist
> for the Staff Interface anyway...)
> 
> 15. I tried "Update on login" using the blank domain and a domain of
> "prosentient.com.au" and both failed to update my firstname and surname on
> login. That's a blocker...

Yep, I think I forgot to code that part.

Thanks!

-- 
You are receiving this mail because:
You are watching all bug changes.
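The two behaviours discussed above (an authorization response that carries an unrequested session_state parameter, and per-email-domain rules for auto-registration and update-on-login) are modelled in the following added example. It is illustrative Python written for this page, not Koha code and not Mojolicious::Plugin::OAuth2: the DomainRule fields, the blank-domain catch-all, the OPAC-only auto-registration and the sample callback URL are all assumptions made for the example.

```python
"""Illustrative OIDC callback handling (example code, not Koha's).

Models two points from the bug thread:
  1. The authorization response may include parameters the client never
     asked for, e.g. session_state from OpenID Connect Session Management.
     A validator that rejects unknown query keys fails the login, so this
     one is strict about code/state and lenient about extra keys.
  2. A rule per email domain (blank domain = catch-all, an assumption here)
     decides whether an unknown user may be auto-registered and whether an
     existing user's attributes are updated on login.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit
import hmac

# Constructed sample: a callback that includes session_state (not a real flow).
SAMPLE_CALLBACK = (
    "https://opac.example.org/api/v1/oauth/callback"
    "?state=abc123&code=SplxlOBeZQQYbYS6WxSbIA"
    "&session_state=7d2f0d8a-2e1b-4a2c-9f3e-1c2d3e4f5a6b"
)

REQUIRED = ("code", "state")


def parse_auth_response(url: str, expected_state: str) -> dict:
    """Validate the callback: strict on what matters, lenient on the rest.

    Raises ValueError on a malformed, errored or replayed response.
    Returns all parameters, including extras such as session_state.
    """
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    params = {}
    for key, values in query.items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = values[0]
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error']}")
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing parameter(s): {', '.join(missing)}")
    # The state must equal the value bound to the browser session (CSRF defence);
    # compare in constant time so the check leaks nothing about the stored value.
    if not hmac.compare_digest(params["state"], expected_state):
        raise ValueError("state mismatch")
    return params


def check_auth_response(url: str, expected_state: str) -> str:
    """Return 'ok' or the validation error message (convenience wrapper)."""
    try:
        parse_auth_response(url, expected_state)
        return "ok"
    except ValueError as exc:
        return str(exc)


@dataclass(frozen=True)
class DomainRule:
    domain: str            # "" is the catch-all (assumed convention)
    auto_register: bool
    update_on_login: bool
    allow_opac: bool
    allow_staff: bool


def match_domain_rule(email: str, rules: List[DomainRule]) -> Optional[DomainRule]:
    """Most specific rule wins: an exact email-domain match beats the catch-all."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    for rule in rules:
        if rule.domain and rule.domain.lower() == domain:
            return rule
    for rule in rules:
        if rule.domain == "":
            return rule
    return None


def decide_login(email: str, user_exists: bool, interface: str,
                 rules: List[DomainRule]) -> str:
    """Return 'login', 'login+update', 'register' or 'deny' for this attempt."""
    rule = match_domain_rule(email, rules)
    if rule is None:
        return "deny"
    allowed = rule.allow_opac if interface == "opac" else rule.allow_staff
    if not allowed:
        return "deny"
    if user_exists:
        return "login+update" if rule.update_on_login else "login"
    # Assumption for this example: auto-registration only via the OPAC, so an
    # unknown user on the staff interface is refused (the 401 seen in the thread).
    if rule.auto_register and interface == "opac":
        return "register"
    return "deny"
```

Run check_auth_response(SAMPLE_CALLBACK, "abc123") to see the session_state parameter pass through, and decide_login(...) with a rule set that has a blank catch-all and one specific domain to see which rule applies to each login attempt.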
