[Koha-bugs] [Bug 31378] Add a generic OAuth2/OIDC client implementation
bugzilla-daemon at bugs.koha-community.org
Fri Oct 14 22:51:50 CEST 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378
--- Comment #78 from Agustín Moyano <agustinmoyano at theke.io> ---
Hi everyone, it's been a long time since I wrote to you!
Thanks so much, David, for such extensive testing. I'll try to address as many
points as possible.
(In reply to David Cook from comment #68)
> (#NOTE: I would've preferred "Identity Providers" since that's a more common
> industry term.)
Nice point. I'll talk to Tomas about whether we change it.
> (#NOTE: The UI looks poorly formatted, but I think that's probably a symptom
> of the new staff interface styling. Not a blocker for me. This can be fixed
> later...)
Sorry, it's been a long time since I've done anything related to Koha. If you
could point me to a well-formatted page, I'll try to stick to the style as much
as possible.
> (#NOTE: There is a bug with the "Configuration" where "Add new X
> configuration" doesn't work if you've manually changed anything in the text
> box. Not a blocker for me, but will need to be fixed at some point. Same
> goes for "Add default OIDC mapping.)
I do not believe these patches are at the latest version. I've added a
jquery-validator to check if your JSONs are valid before saving. I imagine this
is a patch for now, and we need a way to edit JSON in a proper way.
> (#NOTE: There's not enough documentation/help text on how to use this UI.
Yes, I've been coding this between jobs so I had no time to document, but
surely we will add some follow-ups.
> I'm figuring it out through trial and error, but a bit of help text for
> "Code", "Description", and "Icon URL" at a minimum would be good.)
Code should be a unique name for your Identity Provider, the Description is the
text that will appear in the login button, and Icon URL should be a URL where
we can fetch an icon for login button
> (#NOTE: With the new Staff Interface, there should be a "Help" link on the
> right hand side, but I don't see it for this new functionality. I think
> that's a blocker.)
Ok, I'll ask Tomas for help about how this should be done.
> (#NOTE: I don't really like having to include raw JSON in this UI. This
> could be made more beautiful.)
Me neither, there should be a JSON editor or something. Does Koha have one?
> (#NOTE: "Code" doesn't appear to be restricted or validated in any way. We
> should stick to alphanumeric codes. This is borderline... but I think it's a
> blocker. We need to set the rule before people start using it.)
Good point. Will be done
> (#NOTE: We need to add help text at the bottom of this page that says this
> auth provider won't be available until after a Koha restart.)
Yes, but we have plans to make it so that you won't need to restart Koha for the
provider to be available (a PR to the Mojolicious::Plugin::OAuth2 project).
> 4. Click on "Manage Domains"
> 5. Click "Edit" for first and only line
> (#NOTE: It's not clear what a "Domain" is in this context. This needs more
> help text/documentation. I'd say that's a blocker. From past code review in
> Koha for OIDC, "Domain" referred to email domain. That really should be spelled
> out clearly.)
Agree. Domain in this case is, as you said, email domain.
> 6. The breadcrumb doesn't show the auth provider code on the "Edit
> authentication provider domain" like it does on the "Authentication provider
> domains" page
I'll check it.
>
>
> 4. koha-plack --restart kohadev
> (#NOTE: This is an unfortunate step but necessary because of the plugin
> being used. Auth providers are rarely set up, so not a big drama.)
>
> 4. In an Incognito tab or different browser, go to http://localhost:8081/
> (#NOTE: In my opinion, we should *not* be allowing staff login by default.
> While "Auto register" is "Don't allow" by default, we should keep the staff
> interface as locked down as possible. Not a blocker but an observation...)
Ok, that's easily done.
>
> 5. When I try to login with Keycloak, I get the following error in Koha:
> [{"message":"Malformed query string","path":"\/query\/session_state"}]
> (#NOTE: Newer OIDC providers will provide session_state in the
> authentication response. I'll turn this off in Keycloak. Folks can read more
> about session_state at
> https://openid.net/specs/openid-connect-session-1_0.html)
>
> 6. Now I'm getting this error on the Koha Staff Interface login page (since
> the user doesn't exist in Koha and I have auto-register turned off):
> There was an error authenticating to external identity provider
> Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user
> cannot access resource' with code => 401
> (#NOTE: I don't think printing the exception on the staff interface is a
> good idea. Let's remove that.)
As I said, I do not believe these patches to be at the latest version. Now the
user gets redirected to the login page (staff or OPAC) with an error message.
>
> 7. After adding my user to Koha and giving staff permissions, I'm able to
> log in. Very nice!
>
> 8. Go to http://localhost:8080/ and click "Log in with Keycloak IdP"
> 9. Since I already have a session in Keycloak, I'm logged into the OPAC with
> no login. Very good!
>
> 10. If I logout of Keycloak and try to log back into http://localhost:8080/
> via Keycloak, I get the following:
> There was an error authenticating to external identity provider
> Can't call method "auto_register" on an undefined value at
> /kohadevbox/koha/Koha/REST/Plugin/Auth.pm line 66.
Strange, I'll have to check that out.
>
> (#NOTE: In the code I see "tranverse_hash" but it should be "traverse_hash"
> in English.)
Typo... sorry.
>
> 11. Turn on auto register for all blank domain...
> 12. restart_all in ktd
> 13. Try to log into OPAC and Staff Interface
> 14. Neither works...
> (#NOTE: In Koha/REST/Plugin/Auth.pm, it looks like auto-register should only
> work for OPAC. In theory, I like that, although I suppose the workaround
> would be to auto-register for the OPAC, and then your account would exist
> for the Staff Interface anyway...)
>
> 15. I tried "Update on login" using the blank domain and a domain of
> "prosentient.com.au" and both failed to update my firstname and surname on
> login. That's a blocker...
Yep, I think I forgot to code that part.
Thanks!
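Two of the points above are input-validation rules: the identity provider "Code" should be restricted to alphanumeric values, and the OIDC callback should accept the `session_state` parameter that Keycloak and other newer providers append to the authentication response instead of rejecting the whole query as malformed. The following is an added illustration of both checks as plain Perl; it is not Koha's code and does not use Mojolicious::Plugin::OAuth2. The function names (`valid_idp_code`, `parse_query`, `validate_callback`), the 32-character length bound on the code, the permitted-parameter list and the sample query strings are all assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not part of Koha: validating an identity provider code and
# the query string of an OIDC authorization response.
use strict;
use warnings;

# Provider codes are limited to letters, digits and underscore. The 1..32
# length bound is an assumption for this example, not a Koha rule.
sub valid_idp_code {
    my ($code) = @_;
    return 0 unless defined $code;
    return $code =~ /\A[A-Za-z0-9_]{1,32}\z/ ? 1 : 0;
}

# Decode "k=v&k2=v2" into a hash reference. Returns undef if any pair has
# an empty key, which is the one shape treated as malformed here.
sub parse_query {
    my ($query) = @_;
    my %params;
    for my $pair ( split /&/, ( $query // '' ) ) {
        my ( $k, $v ) = split /=/, $pair, 2;
        return undef unless defined $k && length $k;
        $v //= '';
        s/\+/ /g for $k, $v;
        s/%([0-9A-Fa-f]{2})/chr hex $1/ge for $k, $v;
        $params{$k} = $v;
    }
    return \%params;
}

# Parameters an authorization response may carry. "session_state" is listed
# so that providers that send it (Keycloak, as reported above) are not
# rejected; "error" and "error_description" cover a failed authorization.
my %ALLOWED = map { $_ => 1 } qw(code state session_state error error_description);

# Returns ( $params, undef ) on success or ( undef, $message ) on failure.
sub validate_callback {
    my ($query) = @_;
    my $p = parse_query($query) or return ( undef, 'Malformed query string' );
    for my $k ( sort keys %$p ) {
        return ( undef, "Unexpected parameter: $k" ) unless $ALLOWED{$k};
    }
    # A successful response must carry both the code and the state value
    # that the relying party issued when it started the flow.
    for my $k (qw(code state)) {
        return ( undef, "Missing parameter: $k" )
          unless defined $p->{$k} && length $p->{$k};
    }
    return ( $p, undef );
}

# Constructed sample inputs for a stand-alone run.
for my $code ( 'keycloak', 'my_idp_2', 'my idp', '../etc' ) {
    printf "code %-10s -> %s\n", "'$code'", valid_idp_code($code) ? 'ok' : 'rejected';
}

my @queries = (
    'code=abc123&state=xyz&session_state=11111111-2222-3333-4444-555555555555',
    'code=abc123&state=xyz&unknown=1',
    'code=abc123',
    '&=broken',
);
for my $q (@queries) {
    my ( $params, $err ) = validate_callback($q);
    print "query '$q' -> ", ( $err // 'accepted' ), "\n";
}
```

The first sample query is accepted because `session_state` is on the permitted list; the second shows the kind of rejection Koha's route produced when the parameter was not declared, and the last two show the missing-parameter and malformed cases. In a Mojolicious route the same effect comes from declaring `session_state` as an optional query parameter in the OpenAPI spec for the callback, rather than from a hand-written check.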