https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #68 from David Cook <dcook@prosentient.com.au> --- I'll shortly add a follow-up to catch the error of the missing database update. In theory, with a package install, the database will be automatically upgraded before the web app is started up. But some people will still need to use the web installer, so we don't want it to fail. (Those people will need to restart their Koha before they're able to use the new auth functionality of course.) Test plan 1: 1. apt install libmojolicious-plugin-oauth2-perl 2. restart_all 3. koha-upgrade-schema kohadev 4. koha-plack --restart kohadev 5. prove t/db_dependent/Koha/Auth/Provider.t So far so good. Test plan 2: 1. Go to http://localhost:8081/cgi-bin/koha/admin/admin-home.pl 2. Click on "Authentication providers" (#NOTE: I would've preferred "Identity Providers" since that's a more common industry term.) 3. Click "New authentication provider" (#NOTE: The UI looks poorly formatted, but I think that's probably a symptom of the new staff interface styling. Not a blocker for me. This can be fixed later...) (#NOTE: There is a bug with the "Configuration" where "Add new X configuration" doesn't work if you've manually changed anything in the text box. Not a blocker for me, but will need to be fixed at some point. Same goes for "Add default OIDC mapping.) (#NOTE: There's not enough documentation/help text on how to use this UI. I'm figuring it out through trial and error, but a bit of help text for "Code", "Description", and "Icon URL" at a minimum would be good.) (#NOTE: With the new Staff Interface, there should be a "Help" link on the right hand side, but I don't see it for this new functionality. I think that's a blocker.) (#NOTE: I don't really like having to include raw JSON in this UI. This could be made more beautiful.) (#NOTE: "Code" doesn't appear to be restricted or validated in any way. We should stick to alphanumeric codes. This is borderline... but I think it's a blocker. We need to set the rule before people start using it.) (#NOTE: We need to add help text at the bottom of this page that says this auth provider won't be available until after a Koha restart.) 4. Click on "Manage Domains" 5. Click "Edit" for first and only line (#NOTE: It's not clear what a "Domain" is in this context. This needs more help text/documentation. I'd say that's a blocker. From past code review in Koha for OIDC, "Domain" referred to email domain. That really should spelled out clearly. ) 6. The breadcrumb doesn't show the auth provider code on the "Edit authentication provider domain" like it does on the "Authentication provider domains" page 4. koha-plack --restart kohadev (#NOTE: This is an unfortunate step but necessary because of the plugin being used. Auth providers are rarely set up, so not a big drama.) 4. In an Incognito tab or different browser, go to http://localhost:8081/ (#NOTE: In my opinion, we should *not* be allowing staff login by default. While "Auto register" is "Don't allow" by default, we should keep the staff interface as locked down as possible. Not a blocker but an observation...) 5. When I try to login with Keycloak, I get the following error in Koha: [{"message":"Malformed query string","path":"\/query\/session_state"}] (#NOTE: Newer OIDC providers will provide session_state in the authentication response. I'll turn this off in Keycloak. Folks can read more about session_state at https://openid.net/specs/openid-connect-session-1_0.html) 6. Now I'm getting this error on the Koha Staff Interface login page (since the user doesn't exist in Koha and I have auto-register turned off): There was an error authenticating to external identity provider Exception 'Koha::Exceptions::Auth::Unauthorized' thrown 'External auth user cannot access resource' with code => 401 (#NOTE: I don't think printing the exception on the staff interface is a good idea. Let's remove that.) 7. After adding my user to Koha and giving staff permissions, I'm able to log in. Very nice! 8. Go to http://localhost:8080/ and click "Log in with Keycloak IdP" 9. Since I already have a session in Keycloak, I'm logged into the OPAC with no login. Very good! 10. If I logout of Keycloak and try to log back into http://localhost:8080/ via Keycloak, I get the following: There was an error authenticating to external identity provider Can't call method "auto_register" on an undefined value at /kohadevbox/koha/Koha/REST/Plugin/Auth.pm line 66. (#NOTE: In the code I see "tranverse_hash" but it should be "traverse_hash" in English.) 11. Turn on auto register for all blank domain... 12. restart_all in ktd 13. Try to log into OPAC and Staff Interface 14. Neither works... (#NOTE: In Koha/REST/Plugin/Auth.pm, it looks like auto-register should only work for OPAC. In theory, I like that, although I suppose the workaround would be to auto-register for the OPAC, and then your account would exist for the Staff Interface anyway...) 15. I tried "Update on login" using the blank domain and a domain of "prosentient.com.au" and both failed to update my firstname and surname on login. That's a blocker... -- You are receiving this mail because: You are watching all bug changes.