[Bug 25797] New: REST API using OAuth doesn't actually authorize
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Bug ID: 25797 Summary: REST API using OAuth doesn't actually authorize Change sponsored?: --- Product: Koha Version: 20.05 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: vanoudt@gmail.com Created attachment 105997 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=105997&action=edit Authorise on the x-koha-authorization header, not the authorization header Just spent a whole bunch of time on this - and think I have a solution. The rest api, is looking for the authorization header - but for some reason, koha is rewriting this header to be "x-koha-authorization". The attached patch fixes things for me here, finally allowing me to make API calls! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no --- Comment #1 from Magnus Enger <magnus@libriotech.no> --- Looks like this patch needs a commit messge? https://wiki.koha-community.org/wiki/Version_Control_Using_Git#Commit_messag... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #2 from David Cook <dcook@prosentient.com.au> --- This patch looks definitely incorrect. (It also updates Auth.pm.old rather than Auth.pm) But interesting bug report. I'm planning to use the OAuth setup in the near future so I'll keep an eye out. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arthur.suzuki@biblibre.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 --- Comment #3 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Sorry about the bad patch! I'll take a look at it when I'm next at the job where I work on this stuff! :-) (Having said that, with things manually patched, everything works great! We are able to use the API to create student accounts from our centralised student management system (creates google,local computer and koha accounts). The only thing that is missing from the API is the ability to upload patron photos. At some point, I should get around to adding a bug report about that!) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to Nicholas van Oudtshoorn from comment #0)
Just spent a whole bunch of time on this - and think I have a solution. The rest api, is looking for the authorization header - but for some reason, koha is rewriting this header to be "x-koha-authorization".
What do you mean by "koha is rewriting this header to be "x-koha-authorization". Your API client is sending the Authorization header. It sounds like your API client is putting the Authorization header into "x-koha-authorization" instead of "Authorization". Sounds to me like a bug with your API client and not Koha. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Nicholas van Oudtshoorn from comment #3)
(Having said that, with things manually patched, everything works great! We are able to use the API to create student accounts from our centralised student management system (creates google,local computer and koha accounts). The only thing that is missing from the API is the ability to upload patron photos. At some point, I should get around to adding a bug report about that!)
I suspect that it might be working as expected but not working correctly. But would need more information. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aleisha@catalyst.net.nz --- Comment #6 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Is this still valid? Noting Bug 31378 has now been pushed upstream. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Aleisha Amohia from comment #6)
Is this still valid? Noting Bug 31378 has now been pushed upstream.
Bug 31378 is unrelated. This bug is about using OAuth tokens from the /api/v1/oauth/token endpoint. I don't think this bug was ever valid. I've only used the Cookie auth and HTTP Basic auth for the REST API, so I can't really speak to the OAuth2 auth for the REST API, but the issue report and patch don't really make sense. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #7)
(In reply to Aleisha Amohia from comment #6)
Is this still valid? Noting Bug 31378 has now been pushed upstream.
Bug 31378 is unrelated
That said, I have thought about how it would be cool to use tokens from an OIDC IdP to allow access to Koha's REST API. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #9 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I wonder if this could be closed? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25797 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #10 from Aleisha Amohia <aleisha@catalyst.net.nz> --- Let's close it for the sake of cleanup and if it turns out to still be valid a new one can be opened. :) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org