https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25796 Bug ID: 25796 Summary: Allow REST API to use external OAuth2 authorization server Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au At the moment, Koha's REST API only validates tokens using the embedded authorization server Net::OAuth2::AuthorizationServer. It would be great if Koha were configured to use an external authorization server (like Keycloak). We could redirect the /token endpoint to Keycloak, or just require consumers to query Keycloak directly for access tokens I suppose. Then we'd set up Koha to either embed (or more sustainably fetch) Keycloak's public key in order to verify that the access token is coming from Keycloak. We'd then do further token validation (to make sure it's not expired, it's for the correct audience, etc). -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.