https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41671 Bug ID: 41671 Summary: OAuth2 authorization code grant for REST API Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: new feature Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com At the moment, we only allow app-to-app access via HTTP Basic Auth or OAuth2 client credentials. This gives third-party apps access to a lot of functionality and data across all users. This has data privacy/security implications. Ideally, it would be great if third-party apps could require users to integrate with Koha using an OAuth2 authorization code grant, so that the third-party app could get access tokens scoped to the individual user which authenticates against Koha (and not via the third-party app). The scopes applied to to the token could be limited and the user could give consent for those scopes. And most of all... the third-party app would only be able to use that token for that user. This limits what the third-party app can do and what it can see. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.