https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 --- Comment #78 from Agustín Moyano <agustinmoyano@theke.io> --- Hi everyone, it's been a long time since I wrote to you! Thanks so much David for so extensive testing.. I'll try to address as much points as possible. (In reply to David Cook from comment #68)
(#NOTE: I would've preferred "Identity Providers" since that's a more common industry term.)
Nice point. I'll talk to Tomas if we change it
(#NOTE: The UI looks poorly formatted, but I think that's probably a symptom of the new staff interface styling. Not a blocker for me. This can be fixed later...)
Sorry, it's been a long time since I've done anything related to Koha.. If you could point me to a well formated page, I'll try to stick to the style as much as possible
(#NOTE: There is a bug with the "Configuration" where "Add new X configuration" doesn't work if you've manually changed anything in the text box. Not a blocker for me, but will need to be fixed at some point. Same goes for "Add default OIDC mapping.)
I do not believe this patches are at the latest version.. I've added a jquery-validator to check if your jsons are valid before saving. I imagine this is a patch for now, and we need a way to edit a json in a proper way
(#NOTE: There's not enough documentation/help text on how to use this UI.
Yes, I've been coding this between jobs so I had no time to document, but surely we will add some follow-ups.
I'm figuring it out through trial and error, but a bit of help text for "Code", "Description", and "Icon URL" at a minimum would be good.)
Code should be a unique name for your Identity Provider, the Description is the text that will appear in the login button, and Icon URL should be a URL where we can fetch an icon for login button
(#NOTE: With the new Staff Interface, there should be a "Help" link on the right hand side, but I don't see it for this new functionality. I think that's a blocker.)
Ok, I'll ask Tomas for help about how this shoul be done
(#NOTE: I don't really like having to include raw JSON in this UI. This could be made more beautiful.)
Me neither, there should be a JSON editor or something.. does Koha have one?
(#NOTE: "Code" doesn't appear to be restricted or validated in any way. We should stick to alphanumeric codes. This is borderline... but I think it's a blocker. We need to set the rule before people start using it.)
Good point. Will be done
(#NOTE: We need to add help text at the bottom of this page that says this auth provider won't be available until after a Koha restart.)
Yes, but we have plans to make it so that you wont need to restart Koha for the provider to be available (a PR to Mojolicious::Plugin::OAuth2 project)
4. Click on "Manage Domains" 5. Click "Edit" for first and only line (#NOTE: It's not clear what a "Domain" is in this context. This needs more help text/documentation. I'd say that's a blocker. From past code review in Koha for OIDC, "Domain" referred to email domain. That really should spelled out clearly. )
Agree. Domain in this case is, as you said, email domain.
6. The breadcrumb doesn't show the auth provider code on the "Edit authentication provider domain" like it does on the "Authentication provider domains" page
I'll check it
4. koha-plack --restart kohadev (#NOTE: This is an unfortunate step but necessary because of the plugin being used. Auth providers are rarely set up, so not a big drama.)
4. In an Incognito tab or different browser, go to http://localhost:8081/ (#NOTE: In my opinion, we should *not* be allowing staff login by default. While "Auto register" is "Don't allow" by default, we should keep the staff interface as locked down as possible. Not a blocker but an observation...)
Ok, that's easily done
5. When I try to login with Keycloak, I get the following error in Koha: [{"message":"Malformed query string","path":"\/query\/session_state"}] (#NOTE: Newer OIDC providers will provide session_state in the authentication response. I'll turn this off in Keycloak. Folks can read more about session_state at https://openid.net/specs/openid-connect-session-1_0.html)
6. Now I'm getting this error on the Koha Staff Interface login page (since the user doesn't exist in Koha and I have auto-register turned off): There was an error authenticating to external identity provider Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user cannot access resource' with code => 401 (#NOTE: I don't think printing the exception on the staff interface is a good idea. Let's remove that.)
As I said, I do not believe these patches to be at the latest version.. now the user gets redirected to the login page (staff or opac) with error message
7. After adding my user to Koha and giving staff permissions, I'm able to log in. Very nice!
8. Go to http://localhost:8080/ and click "Log in with Keycloak IdP" 9. Since I already have a session in Keycloak, I'm logged into the OPAC with no login. Very good!
10. If I logout of Keycloak and try to log back into http://localhost:8080/ via Keycloak, I get the following: There was an error authenticating to external identity provider Can't call method "auto_register" on an undefined value at /kohadevbox/koha/Koha/REST/Plugin/Auth.pm line 66.
Strange, I'll have to check that out
(#NOTE: In the code I see "tranverse_hash" but it should be "traverse_hash" in English.)
typo... sorry
11. Turn on auto register for all blank domain... 12. restart_all in ktd 13. Try to log into OPAC and Staff Interface 14. Neither works... (#NOTE: In Koha/REST/Plugin/Auth.pm, it looks like auto-register should only work for OPAC. In theory, I like that, although I suppose the workaround would be to auto-register for the OPAC, and then your account would exist for the Staff Interface anyway...)
15. I tried "Update on login" using the blank domain and a domain of "prosentient.com.au" and both failed to update my firstname and surname on login. That's a blocker...
Yep, I think I forgot to code that part Thanks! -- You are receiving this mail because: You are watching all bug changes.