[Bug 20402] New: Implement OAuth2 authentication for REST API
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Bug ID: 20402 Summary: Implement OAuth2 authentication for REST API Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: ASSIGNED Severity: enhancement Priority: P5 - low Component: REST api Assignee: julian.maurice@biblibre.com Reporter: julian.maurice@biblibre.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #1 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 72865 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72865&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with basic scopes support (only one is defined, "patrons.read"). API Clients are defined in $KOHA_CONF. Test plan: 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <scope>patrons.read</scope> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://koha/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET - Scopes: patrons.read 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. Set method to GET and url to http://koha/api/v1/patrons It should return 200 OK with the list of patrons 7. Remove or change the <scope> from $KOHA_CONF (reload starman & memcached) and see that you cannot generate a new token. Then reset the scope to its initial value 8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2 occurences) and change the values to something else. Reload starman. Repeat step 6 and see that you receive a 403 Forbidden status Undo your changes in api/v1/swagger/paths/patrons.json and reload starman again. 9. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #2 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72874 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72874&action=edit Bug 20402: Follow-up to correct uninitialized failures Added type => 'access' to the token request line in Koha/REST/V1/OAuth.pm based on my quick skim of /usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm which was complaining, and seemed to allow valid values of 'auth', 'refresh', and 'access'. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72865|0 |1 is obsolete| | --- Comment #3 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 72886 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72886&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with basic scopes support (only one is defined, "patrons.read"). API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <scope>patrons.read</scope> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET - Scopes: patrons.read 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND It should return 200 OK with the list of patrons 7. Remove or change the <scope> from $KOHA_CONF (reload starman & memcached) and see that you cannot generate a new token. Then reset the scope to its initial value 8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2 occurences) and change the values to something else. Reload starman. Repeat step 6 and see that you receive a 403 Forbidden status Undo your changes in api/v1/swagger/paths/patrons.json and reload starman again. 9. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #4 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 72887 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72887&action=edit Bug 20402: Add Net::OAuth2::AuthorizationServer to perl deps -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72874|0 |1 is obsolete| | --- Comment #5 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 72888 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72888&action=edit Bug 20402: Follow-up to correct uninitialized failures Added type => 'access' to the token request line in Koha/REST/V1/OAuth.pm based on my quick skim of /usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm which was complaining, and seemed to allow valid values of 'auth', 'refresh', and 'access'. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #6 from Julian Maurice <julian.maurice@biblibre.com> --- Note: you can add as many API clients as you want by adding additional <api_client> elements. I'm sure it would be better for API clients to be stored in database with a nice interface to manage them in Koha. But I think that can come later. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72886|0 |1 is obsolete| | --- Comment #7 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72892 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72892&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with basic scopes support (only one is defined, "patrons.read"). API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <scope>patrons.read</scope> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET - Scopes: patrons.read 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND It should return 200 OK with the list of patrons 7. Remove or change the <scope> from $KOHA_CONF (reload starman & memcached) and see that you cannot generate a new token. Then reset the scope to its initial value 8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2 occurences) and change the values to something else. Reload starman. Repeat step 6 and see that you receive a 403 Forbidden status Undo your changes in api/v1/swagger/paths/patrons.json and reload starman again. 9. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72887|0 |1 is obsolete| | --- Comment #8 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72893 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72893&action=edit Bug 20402: Add Net::OAuth2::AuthorizationServer to perl deps Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72888|0 |1 is obsolete| | --- Comment #9 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72894 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72894&action=edit Bug 20402: Follow-up to correct uninitialized failures Added type => 'access' to the token request line in Koha/REST/V1/OAuth.pm based on my quick skim of /usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm which was complaining, and seemed to allow valid values of 'auth', 'refresh', and 'access'. Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |mtompset@hotmail.com --- Comment #10 from M. Tompsett <mtompset@hotmail.com> --- Only concern is if the authorization isn't attempted after it expires, the oauth_access_tokens record will lay in the table indefinitely. But works nicely otherwise. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Julian: Unit tests ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #12 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 73086 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=73086&action=edit Bug 20402: Add unit tests Also, avoid some Perl warnings about undefined variables, and check that grant_type parameter is set correctly Test plan: 1. prove t/db_dependent/api/v1/oauth.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #13 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 73087 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=73087&action=edit Bug 20402: Add cronjob script to delete expired tokens Test plan: 1. Generate X tokens (X > 1) 2. mysql> UPDATE oauth_access_tokens SET expires = 0 3. Generate Y tokens (Y > 1) 4. Run the script 5. Verify that only Y tokens remains -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #14 from Tomás Cohen Arazi <tomascohen@gmail.com> --- A couple remarks: - I like it - I think the way scopes are defined needs more thinking, also its relation to permissions. The patchset adds patrons.read but I'm sure we need a spec on how this are defined and documented. - The cleanup script could just be replaced by an addition to the (already configured for everyone) cleanup_database.pl script. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |dependency -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #15 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Tomás Cohen Arazi from comment #14)
- I think the way scopes are defined needs more thinking, also its relation to permissions. The patchset adds patrons.read but I'm sure we need a spec on how this are defined and documented. I agree. It looks like OpenAPI spec covers that (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#sec...) but I'm not sure if we can and should use this.
About relation to permissions, do you think we should have 1:1 relationship between scopes and permissions ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #16 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Julian Maurice from comment #15)
(In reply to Tomás Cohen Arazi from comment #14)
- I think the way scopes are defined needs more thinking, also its relation to permissions. The patchset adds patrons.read but I'm sure we need a spec on how this are defined and documented. I agree. It looks like OpenAPI spec covers that (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0. md#securityDefinitionsObject) but I'm not sure if we can and should use this.
About relation to permissions, do you think we should have 1:1 relationship between scopes and permissions ?
I think our permissions granularity is not enough for that. But I would like to see a spec to discuss about how scopes would be defined, having a catalog of them, etc. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #17 from Tomás Cohen Arazi <tomascohen@gmail.com> --- I think we should tie api id and keys to patrons to take advantage of the current permission system. And introduce the use of scopes at a later stage. Julian: can you do it? i.e. pick the code you once wrote for having patrons create api keys on the staff interface? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #18 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Tomás Cohen Arazi from comment #17)
I think we should tie api id and keys to patrons to take advantage of the current permission system. And introduce the use of scopes at a later stage.
Julian: can you do it? i.e. pick the code you once wrote for having patrons create api keys on the staff interface? I think it's not needed if you only want to tie an API client with a patron. We could add a <userid>xxx</userid> in $KOHA_CONF, and act as if that user was authenticated.
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |ASSIGNED --- Comment #19 from Julian Maurice <julian.maurice@biblibre.com> --- It has been decided during the IRC meeting to make it possible to tie an API client with an existing patron and to use their permissions. We give up the scopes for now, as it would require much more discussions and we want OAuth2 in 18.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #20 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74009 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74009&action=edit Bug 20402: Tie client with patron, remove scopes, use mojo plugin, ... ... and move cleanup code into misc/cronjobs/cleanup_database.pl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #21 from Julian Maurice <julian.maurice@biblibre.com> --- A few notes about the last patch: - I attached it only as an easy way to see the last changes, beacause I will squash all patches into one clean patch. - The use of Mojolicious::Plugin::OAuth2::Server was suggested on IRC, but it only helps removing a few lines of code. I'm not sure it's worth it (new non-packaged dependency) - The test plan in comment 7 is not correct anymore. Before testing, please wait until I squash all patch and write a new test plan (or use your brain to guess a new test plan :)) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72892|0 |1 is obsolete| | Attachment #72893|0 |1 is obsolete| | Attachment #72894|0 |1 is obsolete| | Attachment #73086|0 |1 is obsolete| | Attachment #73087|0 |1 is obsolete| | Attachment #74009|0 |1 is obsolete| | --- Comment #22 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74018 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74018&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 and Mojolicious::Plugin::OAuth2::Server 0.40 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'edit_borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff --- Comment #23 from Julian Maurice <julian.maurice@biblibre.com> --- All patches squashed and rebased on master. Please test ! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #24 from Josef Moravec <josef.moravec@gmail.com> --- (In reply to Julian Maurice from comment #22)
Created attachment 74018 [details] [review] Bug 20402: Implement OAuth2 authentication for REST API
It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF.
Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 and Mojolicious::Plugin::OAuth2::Server 0.40 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'edit_borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database.
Token is removed, but i got status 500
8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t
One test is failing for me: not ok 19 - 200 OK # Failed test '200 OK' # at t/db_dependent/api/v1/oauth.t line 98. # got: '403' # expected: '200' # Looks like you failed 1 test of 19.
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #25 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Julian Maurice from comment #21)
A few notes about the last patch: - I attached it only as an easy way to see the last changes, beacause I will squash all patches into one clean patch. - The use of Mojolicious::Plugin::OAuth2::Server was suggested on IRC, but it only helps removing a few lines of code. I'm not sure it's worth it (new non-packaged dependency) - The test plan in comment 7 is not correct anymore. Before testing, please wait until I squash all patch and write a new test plan (or use your brain to guess a new test plan :))
When I tested using the Mojo plugin, I didn't find a clear way to implement several grant flows. And my guess was that sticking to using the core lib was easier. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20568 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568 [Bug 20568] Add API key management interface for patrons -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #26 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Josef Moravec from comment #24)
Token is removed, but i got status 500 Can you check the logs? I just tested and for me it returns 401 as expected
One test is failing for me I didn't launch the tests after the rebase and I missed that required permissions for /patrons have changed. I will fix that in a follow-up
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74018|0 |1 is obsolete| | --- Comment #27 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74050 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74050&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 and Mojolicious::Plugin::OAuth2::Server 0.40 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #28 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74051 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74051&action=edit Bug 20402: Fix oauth.t GET /patrons now requires { "borrowers": 1 } instead of { "borrowers": "edit_borrowers" } -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #29 from Josef Moravec <josef.moravec@gmail.com> --- Tested on another devbox, now I got 401 Unauthorized. I have an idea of what is going on: This only adds new authorization method, but the authorization with cookies (eg. when you are normally logged into koha) is still taken into account. But yesterday I used the koha database user to change permission of api user - so token was expired and oauth say unauthorized, then cookie was found bud the logged in user was database user and that's the reason why it exploded -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74050|0 |1 is obsolete| | Attachment #74051|0 |1 is obsolete| | --- Comment #30 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 74069 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74069&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 and Mojolicious::Plugin::OAuth2::Server 0.40 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #31 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 74070 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74070&action=edit Bug 20402: Fix oauth.t GET /patrons now requires { "borrowers": 1 } instead of { "borrowers": "edit_borrowers" } Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #32 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Josef Moravec from comment #29)
Tested on another devbox, now I got 401 Unauthorized.
I have an idea of what is going on:
This only adds new authorization method, but the authorization with cookies (eg. when you are normally logged into koha) is still taken into account.
But yesterday I used the koha database user to change permission of api user - so token was expired and oauth say unauthorized, then cookie was found bud the logged in user was database user and that's the reason why it exploded
Then maybe we should not try cookie authentication if oauth fail and we have an Authorization header containing 'Bearer' ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #33 from Josef Moravec <josef.moravec@gmail.com> --- (In reply to Julian Maurice from comment #32)
(In reply to Josef Moravec from comment #29)
Tested on another devbox, now I got 401 Unauthorized.
I have an idea of what is going on:
This only adds new authorization method, but the authorization with cookies (eg. when you are normally logged into koha) is still taken into account.
But yesterday I used the koha database user to change permission of api user - so token was expired and oauth say unauthorized, then cookie was found bud the logged in user was database user and that's the reason why it exploded
Then maybe we should not try cookie authentication if oauth fail and we have an Authorization header containing 'Bearer' ?
+1 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #34 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74088 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74088&action=edit Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Mike <black23@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |black23@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|20568 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568 [Bug 20568] Add API key management interface for patrons -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74069|0 |1 is obsolete| | --- Comment #35 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74365 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74365&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74070|0 |1 is obsolete| | --- Comment #36 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74366 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74366&action=edit Bug 20402: Fix oauth.t GET /patrons now requires { "borrowers": 1 } instead of { "borrowers": "edit_borrowers" } Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74088|0 |1 is obsolete| | --- Comment #37 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74367 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74367&action=edit Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #38 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74368 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74368&action=edit Bug 20402: Remove dependency on Mojo::Plugin::OAuth2::Server -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #39 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74369 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74369&action=edit Bug 20402: Use TestBuilder->build_object in oauth.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74365|0 |1 is obsolete| | --- Comment #40 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74366|0 |1 is obsolete| | --- Comment #41 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74381 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74381&action=edit Bug 20402: Fix oauth.t GET /patrons now requires { "borrowers": 1 } instead of { "borrowers": "edit_borrowers" } Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74367|0 |1 is obsolete| | --- Comment #42 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74382 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74382&action=edit Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74368|0 |1 is obsolete| | --- Comment #43 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74383 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74383&action=edit Bug 20402: Remove dependency on Mojo::Plugin::OAuth2::Server Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74369|0 |1 is obsolete| | --- Comment #44 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74384 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74384&action=edit Bug 20402: Use TestBuilder->build_object in oauth.t Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #45 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74385 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74385&action=edit Bug 20402: Atomic update and kohastructure.sql fixes Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #46 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 74386 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74386&action=edit Bug 20402: Add missing POD Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #47 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Only minor fixes were needed. Works as expected. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This development adds the release notes| |OAuth2 client credentials | |grant support to Koha. This | |way, securitizing the REST | |api for using it from other | |systems gets easier as it | |follows current standards. Severity|enhancement |new feature -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Text to go in the|This development adds the |This development adds the release notes|OAuth2 client credentials |OAuth2 client credentials |grant support to Koha. This |grant support to Koha. This |way, securitizing the REST |way securing the REST API |api for using it from other |for using it from other |systems gets easier as it |systems gets easier as it |follows current standards. |follows current standards. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20612 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20612 [Bug 20612] Make OAuth2 use patron's client_id/secret pairs -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #48 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- How hard will it be to package Net::OAuth2::AuthorizationServer and deps? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #49 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- It the key is revoked or deleted, the token is still valid, is it expected? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20624 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624 [Bug 20624] Allow switching off the OAuth2 client credentials grant -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #50 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- Generally looks good.. moving onto the next patchset ::: Koha/OAuth.pm @@ +21,5 @@
+ return (0, 'unauthorized_client') unless $client_id; + + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $client_id } @$clients;
'any' would be more performant than 'grep' here: https://perldoc.perl.org/List/Util.html#any @@ +50,5 @@
+ my (%args) = @_; + + my $access_token = $args{access_token}; + + my $at = Koha::OAuthAccessTokens->find($access_token);
Personally, I would wrap this in caching.. this will be called with literally every API request and as such will become a fairly heavy use of the DB. ::: Koha/REST/V1/Auth.pm @@ +115,5 @@
+ + if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients;
Another case where 'any' would be more performant than 'grep' ;) ::: Koha/REST/V1/OAuth.pm @@ +47,5 @@
+ access_token => $token, + expires_in => $expires_in, + ); + + my $at = Koha::OAuthAccessTokens->search({ access_token => $token })->next;
search->next is generally a bad idiom when changed.. `->next` should really only be used inside a loop where you're expecting a set of results.. when chained it it raises warning signals to me that you really want to use either ->find or ->search( {},{order_by => 'something', rows => 1})->single to get THE explicit result you're after. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #51 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +128,5 @@
+ validate_query_parameters( $c, $spec ); + + # Everything is ok + return 1; + }
This 'scope' validation would normally be done within the _verify_access_token_cb for the usual case with the ::OAuth2::Server Plugin. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #52 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #52 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? --- Comment #53 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #52 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? --- Comment #53 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? --- Comment #54 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 74380 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74380 Bug 20402: Implement OAuth2 authentication for REST API Review of attachment 74380: --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=20402&attachment=74380) ----------------------------------------------------------------- ::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #55 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Martin Renvoize from comment #50)
Comment on attachment 74380 [details] [review] ::: Koha/OAuth.pm @@ +21,5 @@
+ return (0, 'unauthorized_client') unless $client_id; + + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $client_id } @$clients;
'any' would be more performant than 'grep' here: https://perldoc.perl.org/List/Util.html#any
'any' returns a boolean value, we're looking for the $client hashref here
@@ +50,5 @@
+ my (%args) = @_; + + my $access_token = $args{access_token}; + + my $at = Koha::OAuthAccessTokens->find($access_token);
Personally, I would wrap this in caching.. this will be called with literally every API request and as such will become a fairly heavy use of the DB. I don't think we should cache the access token, because it can expire
::: Koha/REST/V1/OAuth.pm @@ +47,5 @@
+ access_token => $token, + expires_in => $expires_in, + ); + + my $at = Koha::OAuthAccessTokens->search({ access_token => $token })->next;
search->next is generally a bad idiom when changed.. `->next` should really only be used inside a loop where you're expecting a set of results.. when chained it it raises warning signals to me that you really want to use either ->find or ->search( {},{order_by => 'something', rows => 1})->single to get THE explicit result you're after.
Actually, we should use ->find, since access_token is a primary key (->find is used at other places in the code, I forgot to change this one) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #56 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Martin Renvoize from comment #51)
Comment on attachment 74380 [details] [review] Bug 20402: Implement OAuth2 authentication for REST API
Review of attachment 74380 [details] [review]: -----------------------------------------------------------------
::: Koha/REST/V1/Auth.pm @@ +128,5 @@
+ validate_query_parameters( $c, $spec ); + + # Everything is ok + return 1; + }
This 'scope' validation would normally be done within the _verify_access_token_cb for the usual case with the ::OAuth2::Server Plugin.
scopes are not implemented, we'll use patron's permissions for now -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #57 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Martin Renvoize from comment #54)
Comment on attachment 74380 [details] [review] Bug 20402: Implement OAuth2 authentication for REST API
Review of attachment 74380 [details] [review]: -----------------------------------------------------------------
::: Koha/REST/V1/Auth.pm @@ +116,5 @@
+ if (my $oauth = $c->oauth) { + my $clients = C4::Context->config('api_client'); + $clients = [ $clients ] unless ref $clients eq 'ARRAY'; + my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients; +
Actually.. I'm confused.. why do we check against the clients array for a second time.. We've already tested against this at the 'issue a token' stage.. or is this your idea of 'revoking a client'?
We need the $client hashref to get the patron_id defined in $KOHA_CONF. Please note that this code is removed by bug 20612, which allows to define client_id/secret pairs in the interface instead of in $KOHA_CONF -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #58 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 74600 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74600&action=edit Bug 20402: Remove useless call to Koha::OAuthAccessTokens->search -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #59 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Julian Maurice from comment #55)
Actually, we should use ->find, since access_token is a primary key (->find is used at other places in the code, I forgot to change this one) It was not even needed, so I removed it in the last patch
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com --- Comment #60 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- (In reply to Julian Maurice from comment #55)
'any' returns a boolean value, we're looking for the $client hashref here
'first' would be more appropriate, sorry, you are totally right, 'any' is not appropriate here at all.
I don't think we should cache the access token, because it can expire
Ah, you're using the 'random string' approach for the tokens so the expiry isn't embedded within the token. I've always used JWT's. Apologies, you can't cache it in that case then.
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #61 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Martin Renvoize from comment #60)
(In reply to Julian Maurice from comment #55)
'any' returns a boolean value, we're looking for the $client hashref here
'first' would be more appropriate, sorry, you are totally right, 'any' is not appropriate here at all.
I don't think we should cache the access token, because it can expire
Ah, you're using the 'random string' approach for the tokens so the expiry isn't embedded within the token. I've always used JWT's. Apologies, you can't cache it in that case then.
Martin, please review with all applied: https://bugs.koha-community.org/bugzilla3/showdependencygraph.cgi?id=20612 Thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Implement OAuth2 |OAuth2 client credentials |authentication for REST API |grant for REST API -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74380|0 |1 is obsolete| | --- Comment #62 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75026 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75026&action=edit Bug 20402: Implement OAuth2 authentication for REST API It implements only the "client credentials" flow with no scopes support. API clients are tied to an existing patron and have the same permissions as the patron they are tied to. API Clients are defined in $KOHA_CONF. Test plan: 0. Install Net::OAuth2::AuthorizationServer 0.16 1. In $KOHA_CONF, add an <api_client> element under <config>: <api_client> <client_id>$CLIENT_ID</client_id> <client_secret>$CLIENT_SECRET</client_secret> <patron_id>X</patron_id> <!-- X is an existing borrowernumber --> </api_client> 2. Apply patch, run updatedatabase.pl and reload starman 3. Install Firefox extension RESTer [1] 4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration: - OAuth flow: Client credentials - Access Token Request Method: POST - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token - Access Token Request Client Authentication: Credentials in request body - Client ID: $CLIENT_ID - Client Secret: $CLIENT_SECRET 5. Click on the newly created configuration to generate a new token (which will be valid only for an hour) 6. In RESTer, set HTTP method to GET and url to http://$KOHA_URL/api/v1/patrons then click on SEND If patron X has permission 'borrowers', it should return 200 OK with the list of patrons Otherwise it should return 403 with the list of required permissions (Please test both cases) 7. Wait an hour (or run the following SQL query: UPDATE oauth_access_tokens SET expires = 0) and repeat step 6. You should have a 403 Forbidden status, and the token must have been removed from the database. 8. Create a bunch of tokens using RESTer, make some of them expires using the previous SQL query, and run the following command: misc/cronjobs/cleanup_database.pl --oauth-tokens Verify that expired tokens were removed, and that the others are still there 9. prove t/db_dependent/api/v1/oauth.t [1] https://addons.mozilla.org/en-US/firefox/addon/rester/ Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74381|0 |1 is obsolete| | --- Comment #63 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75027 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75027&action=edit Bug 20402: Fix oauth.t GET /patrons now requires { "borrowers": 1 } instead of { "borrowers": "edit_borrowers" } Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74382|0 |1 is obsolete| | --- Comment #64 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75028 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75028&action=edit Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74383|0 |1 is obsolete| | --- Comment #65 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75029 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75029&action=edit Bug 20402: Remove dependency on Mojo::Plugin::OAuth2::Server Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74384|0 |1 is obsolete| | --- Comment #66 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75030 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75030&action=edit Bug 20402: Use TestBuilder->build_object in oauth.t Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74385|0 |1 is obsolete| | --- Comment #67 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75031 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75031&action=edit Bug 20402: Atomic update and kohastructure.sql fixes Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74386|0 |1 is obsolete| | --- Comment #68 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75032 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75032&action=edit Bug 20402: Add missing POD Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74600|0 |1 is obsolete| | --- Comment #69 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 75033 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75033&action=edit Bug 20402: Remove useless call to Koha::OAuthAccessTokens->search -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #70 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Rebased. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|20624 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624 [Bug 20624] Disable the OAuth2 client credentials grant by default -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |20624 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624 [Bug 20624] Disable the OAuth2 client credentials grant by default -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #71 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 75189 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75189&action=edit Bug 20402: only output if verbose flag is set -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #72 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 18.05, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #73 from David Cook <dcook@prosentient.com.au> --- I know this has already been pushed... but it looks like this allows for only 1 API client? What if you want to have multiple API clients? BibLibre might have Coral talking to Koha's REST API, but maybe a client's Drupal website wants to talk to Koha's REST API too? Right now, I suppose you could share the credentials amongst all the clients, but that doesn't seem like a great long-term option? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #74 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to David Cook from comment #73)
I know this has already been pushed... but it looks like this allows for only 1 API client? What if you want to have multiple API clients?
You could define as many API clients as you want in $KOHA_CONF. But this has been replaced by bug 20568 and bug 20612. You can now define API keys in the interface. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 --- Comment #75 from David Cook <dcook@prosentient.com.au> --- (In reply to Julian Maurice from comment #74)
You could define as many API clients as you want in $KOHA_CONF. But this has been replaced by bug 20568 and bug 20612. You can now define API keys in the interface.
Oooh awesome! I've wanted that feature for so long :D. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=25796 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=41671 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org