[Bug 32354] New: Handle session_state param given by OAuth identity provider
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Bug ID: 32354 Summary: Handle session_state param given by OAuth identity provider Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: blocker Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: aleisha@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org We're trying Bug 31378 in production with OpenID Connect and Azure AD. Azure is passing back a parameter session_state which causes Koha to throw a 'malformed query string' error [{"message":"Malformed query string","path":"\/query\/session_state"}] Believe this means we need to add session_state to the list of parameters Koha can expect from the IdP. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |31378 Status|NEW |Needs Signoff Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 [Bug 31378] Add a generic OAuth2/OIDC client implementation -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #1 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Created attachment 144274 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144274&action=edit Bug 32354: Accept session_state param given by OAuth IdP This patch ensures Koha doesn't throw an error if the IdP hands back a session_state parameter. To test: 1) Set up an identity provider 2) On the IdP's configuration, make it hand back a session_state 3) Confirm authentication using OIDC works with and without the session_state Sponsored-by: Plant & Food Research -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This patch ensures Koha release notes| |doesn't throw an error if | |the IdP hands back a | |session_state parameter. Patch complexity|--- |Trivial patch Change sponsored?|--- |Sponsored Assignee|koha-bugs@lists.koha-commun |aleisha@catalyst.net.nz |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #2 from David Cook <dcook@prosentient.com.au> --- I noticed this during testing as well. I was able to turn off session management in Keycloak, but that might not be possible in all identity providers. I'll come back to this one. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #3 from Tomás Cohen Arazi <tomascohen@gmail.com> --- We need to document it better. Understand if the param name is standard, if it needs to be carried around in responses as well, etc. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #3)
We need to document it better. Understand if the param name is standard, if it needs to be carried around in responses as well, etc.
I'm not 100% sure what you mean, but I think I agree. I've got a deadline tomorrow, but I'm hoping to look at this in December. I'll be testing with Keycloak. That said, from what I've read so far at https://openid.net/specs/openid-connect-session-1_0.html, it looks like the session_state is just used by optional client side iframes for checking the user's session status with the IdP. So I think we can accept session_state in the IdP's AuthN response without actually supporting OIDC session management ourselves. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Currently testing this and using the following to point to the Keycloak provided by my customized docker-compose.sso.yml http://host.docker.internal:8082/realms/test/.well-known/openid-configuratio... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #5)
Currently testing this and using the following to point to the Keycloak provided by my customized docker-compose.sso.yml
http://host.docker.internal:8082/realms/test/.well-known/openid-configuratio...
Note that this is me using Docker Desktop on Windows, so your mileage may vary... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #144274|0 |1 is obsolete| | --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Created attachment 144388 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144388&action=edit Bug 32354: Accept session_state param given by OAuth IdP This patch ensures Koha doesn't throw an error if the IdP hands back a session_state parameter. To test: 1) Set up an identity provider 2) On the IdP's configuration, make it hand back a session_state 3) Confirm authentication using OIDC works with and without the session_state Sponsored-by: Plant & Food Research Signed-off-by: David Cook <dcook@prosentient.com.au> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #8 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to David Cook from comment #5)
Currently testing this and using the following to point to the Keycloak provided by my customized docker-compose.sso.yml
http://host.docker.internal:8082/realms/test/.well-known/openid-configuratio...
The one in KTD, documented in the README should be usable as well. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- I'm happy with this patch. If anyone needs help QAing this or wants to add their signoff and count mine towards QA, just let me know... -- Out of scope side note: It doesn't look like /oauth/login/{provider_code}/{interface} actually gets used. It looks like the staff interface uses the /public/oauth/login/{provider_code}/{interface} endpoint same as the OPAC. I don't know whether or not this is by design. Agustin and Tomas might be able to clarify that one... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #8)
The one in KTD, documented in the README should be usable as well.
That's true. I don't like meddling with my /etc/hosts too much but maybe I should just for the sake of consistency with other KTD users... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #8)
The one in KTD, documented in the README should be usable as well.
Hmmm that doesn't seem to work, since on the workstation it's sso:8082 but in koha-testing-docker it's sso:8080 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #11)
Hmmm that doesn't seem to work, since on the workstation it's sso:8082 but in koha-testing-docker it's sso:8080
Ah, I'm using an old docker-compose.sso.yml. Nevermind me ;) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #13 from David Cook <dcook@prosentient.com.au> --- Pulled the latest koha-testing-docker and the http://sso:8082/auth/ URL works well, so a "test" realm would be http://sso:8082/auth/realms/test/.well-known/openid-configuration -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://openid.net/specs/op | |enid-connect-session-1_0.ht | |ml#CreatingUpdatingSessions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #144388|0 |1 is obsolete| | --- Comment #14 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 144477 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144477&action=edit Bug 32354: Accept session_state param given by OAuth IdP This patch ensures Koha doesn't throw an error if the IdP hands back a session_state parameter. To test: 1) Set up an identity provider 2) On the IdP's configuration, make it hand back a session_state 3) Confirm authentication using OIDC works with and without the session_state Sponsored-by: Plant & Food Research Signed-off-by: David Cook <dcook@prosentient.com.au> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |23.05.00 released in| | Status|Passed QA |Pushed to master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #15 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.05. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_22_11_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Jacob O'Mara <jacob.omara@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable Version(s)|23.05.00 |23.05.00,22.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 --- Comment #16 from Jacob O'Mara <jacob.omara@ptfs-europe.com> --- Nice work, thanks everyone! Pushed to 22.11.x for the next release. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Jacob O'Mara <jacob.omara@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.05.00,22.11.00 |23.05.00,22.11.01 released in| | CC| |jacob.omara@ptfs-europe.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to stable |RESOLVED CC| |lucas@bywatersolutions.com --- Comment #17 from Lucas Gass <lucas@bywatersolutions.com> --- Not needed in 22.05.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32354 Bug 32354 depends on bug 31378, which changed state. Bug 31378 Summary: Add a generic OAuth2/OIDC client implementation https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org