[Bug 10988] New: Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Bug ID: 10988 Summary: Allow login via Google OAuth2 Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: vanoudt@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Created attachment 21740 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21740&action=edit oauth login helper Here at PBC, we use google apps for education to provide email for our students, and also koha for our library systems. Although we synchronise our koha accounts and google accounts, it would be much nicer for patrons to be able to simply login using OAuth2. I'm working on getting this going, basing my work on bug 9587. More details to come - but wanted to get this bug set up and start getting advice from the Koha experts. As it currently stands, the oauth2 authentication is working perfectly - on https. (Switching between the two causes issues with the cookies, as one would expect). opac/svc/oauthlogin handles all of the oauth2 magic. Opening this page will log you in. There is LOTS of room for improvement in the oauth2 login... mostly because perl is not my weapon of choice. More obviously: 1. the clientid, clientsecret need to be moved systempreferences (I've stripped ours from the attached file - these can be obtained from https://code.google.com/apis/console and then choosing "API Access" 2. Google recommends verifying and decrypting the id_token locally, which means caching some information and updating it daily. That would make things a lot faster, but does add to the complication. As was stated for the personas implementation: "The nice thing about it is, the user doesn't have to do anything, like linking their account. As long as the email address they are using... is the same as the one in Koha it will just work." -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #1 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 21936 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21936&action=edit Bug 10988 [ENH] Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Current status: NEW -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #2 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- The latest patch is a fully functional version of GoogleOAuth2, being used in production here at http://library.pbc.wa.edu.au/ Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type <your_opac_address> - in the redirect uri enter <your_opac_address>/cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #3 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 21938 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21938&action=edit Bug 10988 [ENH] Allow login via Google OAuth2 This patch fixes a minor typo in the previous one regarding the oauth2 redirect uri Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type <your_opac_address> - in the redirect uri enter <your_opac_address>/cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #4 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 21939 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=21939&action=edit Bug 10988 Fix some minor typos -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #21740|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #21936|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #5 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- When using this in a public computer, there are some nice javascripts that can be injected to make this a whole lot more secure. Basically, the following userscripts disable the google account chooser, and log a person out of their google accounts when they log out of Koha. This is not very useful or polite outside of a public terminal, hence my thinking to do it with userscripts. Just putting it here as a reference for anyone thinking to use this. -------------------------------------------------------------------------------- // ==UserScript== // @id accounts.google.com-forcenocookie@scriptish // @name Disable persistent google login // @version 1.0 // @namespace // @author // @description // @include https://accounts.google.com/* // @run-at document-end // ==/UserScript== document.getElementsByName("PersistentCookie")[0].value='no'; -------------------------------------------------------------------------------- // ==UserScript== // @id koha-full-oauth2-logout@scriptish // @name Force Full Logout // @version 1.0 // @namespace // @author // @description // @include http://OPACURLHERE/* // @run-at document-end // ==/UserScript== document.getElementById('logoutmenu').href="https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue="+document.getElementById('logoutmenu').href; document.getElementById('logout').href="https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue="+document.getElementById('logoutmenu').href; -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #21938|0 |1 is obsolete| | Attachment #21939|0 |1 is obsolete| | --- Comment #6 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 25343 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25343&action=edit Adds Google OAuth2 Support Includes bootstrap theme support. Testing plan as above. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #7 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 25570 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25570&action=edit For updating an INSTALLED 3.14.03 to use GoogleOAuth2 Here for the wiki to link to until this work gets committed upstream. This patch is based on an installed directory tree, and also touches no SQL. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Medium patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #25343|0 |1 is obsolete| | --- Comment #8 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 25684 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25684&action=edit Bug 10988 [ENH] Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. This latest patch adds the new system preferences using updatedatabase.pl Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type <your_opac_address> - in the redirect uri enter <your_opac_address>/cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master Assignee|gmcharlt@gmail.com |vanoudt@gmail.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #9 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Ping on this. Anybody interested in signing this one off? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Marc Véron <veron@veron.ch> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |veron@veron.ch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #10 from Marc Véron <veron@veron.ch> --- Patch did not apply. Merge conflict in koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #11 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Oh no! I'm on holiday for the next week, but will fix it next Tuesday. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Samuel Martin <samuel.n.martin@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |samuel.n.martin@gmail.com --- Comment #12 from Samuel Martin <samuel.n.martin@gmail.com> --- Ran a test on this patch. And I had some issues. I'm no good at programming. But a friend of mine helped me. I thought I could post this to help out others. I hope you'll understand what I mean. I'm new here and more of a librarian than a programmer. So... Here's what we found out: In the file: usr/share/koha/opac/cgi-bin/opac/svc/googleoauth2 there appeared to be some lines missing in the patch at the very beginning of the file. Though the code is available here in this bug. So that was easy to fix. And then we still had some issues. At that time I still had an error 400 straight from google this time. We had to set up the opac URL in: /etc/apache2/conf.d/ I'm not sure if this was supposed to be done before or not. But I had to do it at that time. Also: in the opac-main there is no hint where to log in with the google account. It would be a nice feature that once you use Google Oauth it would say which log in link to use to do that. Maybe even with a google logo? Other than that the patch is working perfectly though I didn't test it extensively. It's only running on my test server. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #25684|0 |1 is obsolete| | CC| |vanoudt@gmail.com --- Comment #13 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 29594 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=29594&action=edit Allow Google OAuth2 Login Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type <your_opac_address> - in the redirect uri enter <your_opac_address>/cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #14 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- (In reply to Marc Véron from comment #10)
Patch did not apply. Merge conflict in koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
Should apply cleanly with the latest patch... -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #25570|0 |1 is obsolete| | --- Comment #15 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 29595 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=29595&action=edit For updating an INSTALLED 3.14.03 to use GoogleOAuth2 (In reply to Samuel Martin from comment #12) I assume you're talking about the patch to jerry-rig OAuth2 into an already installed system?
In the file: usr/share/koha/opac/cgi-bin/opac/svc/googleoauth2 there appeared to be some lines missing in the patch at the very beginning of the file. Though the code is available here in this bug. So that was easy to fix. Thanks for that. I've updated the INSTALLED patch with the missing lines!
And then we still had some issues. At that time I still had an error 400 straight from google this time. We had to set up the opac URL in: /etc/apache2/conf.d/ Hmmm - that's strange. What exactly did you change?
Also: in the opac-main there is no hint where to log in with the google account. It would be a nice feature that once you use Google Oauth it would say which log in link to use to do that. Maybe even with a google logo? Agreed. The main patch has been changed so that the top-left login link works for oauth2 if that is set up. Here at PBC we've changed our templates to show a button for OAuth2 login, and another for manual logins. I can provide the patch, if it would be useful...
Other than that the patch is working perfectly though I didn't test it extensively. It's only running on my test server. Glad to hear it!
-- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #16 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 30014 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=30014&action=edit New version of the patch - changes how the domain restriction is handled Rather than using the undocumented hl oauth2 parameter, we now manually check to see if an email is in the required domain or not. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #29594|0 |1 is obsolete| | Attachment #30014|0 |1 is obsolete| | --- Comment #17 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 30015 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=30015&action=edit Allow Google OAuth2 Login New version of the patch - changes how the domain restriction is handled Rather than using the undocumented hl oauth2 parameter, we now manually check to see if an email is in the required domain or not. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #18 from Marc Véron <veron@veron.ch> --- I tried to apply the second patch: Allow Google OAuth2 Login It did not apply with: error: patch failed: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc:74 error: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc: patch does not apply Did you hand edit your patch? It does not apply to blobs recorded in its index. Cannot fall back to three-way merge. -------------- Additionaly, I think in installer/data/mysql/updatedatabase.pl line 8573 should read: $DBversion = "XXX"; See: http://wiki.koha-community.org/wiki/System_Preferences -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com --- Comment #19 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Interesting work.. could we have this rebased for testing Nicholas? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #29595|0 |1 is obsolete| | Attachment #30015|0 |1 is obsolete| | --- Comment #20 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 36354 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36354&action=edit Bug 10988 - Allow login via Google OAuth2 This is my rework of a patch by Nicholas van Oudtshoorn. Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 9) In a new tab, go to https://console.developers.google.com/project 10) Click 'Create Project' 11) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 12) Click the 'Create' button. 13) Click the 'APIs & auth' in the left frame. 14) Click 'Credentials' 15) Click 'Create new Client ID' 16) Select 'Web application' and click 'Configure consent screen'. 17) Select the Email Address. 18) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 19) Fill in the other fields as desired (or not) 20) Click 'Save' 21) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 22) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 23) Click 'Create Client ID' 24) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 25) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 26) Change the GoogleOAuth2 preference to 'Use'. 27) Click 'Save all Administration preferences' 28) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 29) Run koha qa test tools I've obsoleted the two previous patches. Hopefully, I didn't miss anything. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #36354|0 |1 is obsolete| | --- Comment #21 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 36355 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36355&action=edit Bug 10988 - Allow login via Google OAuth2 This is my rework of a patch by Nicholas van Oudtshoorn. Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 9) In a new tab, go to https://console.developers.google.com/project 10) Click 'Create Project' 11) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 12) Click the 'Create' button. 13) Click the 'APIs & auth' in the left frame. 14) Click 'Credentials' 15) Click 'Create new Client ID' 16) Select 'Web application' and click 'Configure consent screen'. 17) Select the Email Address. 18) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 19) Fill in the other fields as desired (or not) 20) Click 'Save' 21) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 22) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 23) Click 'Create Client ID' 24) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 25) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 26) Change the GoogleOAuth2 preference to 'Use'. 27) Click 'Save all Administration preferences' 28) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 29) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtompset@hotmail.com Depends on| |5010 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #22 from M. Tompsett <mtompset@hotmail.com> --- It depends on 5010, because I cut out the hard coded 'http://' part of the code in the new googleoauth2 script. Technically, you can test it without 5010, but you need the protocol in your OPACBaseURL. :) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #23 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Thanks so much to M. Tompsett for doing this. I've been busy with other jobs (including upgrading to 3.18!), and just haven't got around to sending in our patch. :-) (In reply to M. Tompsett from comment #22)
It depends on 5010, because I cut out the hard coded 'http://' part of the code in the new googleoauth2 script. Technically, you can test it without 5010, but you need the protocol in your OPACBaseURL. :)
-- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #24 from David Cook <dcook@prosentient.com.au> --- I'm just wrapping up a local project on using OpenID Connect, which is basically a wrapper around OAuth2.0 with a few extras thrown in on top, so I'd be interested in taking a look at this at some point. Could we look at making this more extensible though? There are lots of other OAuth2.0 providers than just Google. Have yo looked at http://search.cpan.org/~kgrennan/Net-OAuth2-0.06/lib/Net/OAuth2.pm? I believe Chris Cormack took a look at that recently. Anywho, I could be interested in testing this out down the road! -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #25 from David Cook <dcook@prosentient.com.au> --- Hmm, it might be a better idea to add a parameter instead of using the $persona parameter in C4::Auth::checkauth(). C4::Auth needs a clean-up in general... which Martin (ashimema) is working on, I believe. In any case, locally I added a $external_authen hashref as a parameter after $persona. I use $external_authen->{OpenIDConnect} to store the data I need to pass to checkauth(), add some handling in the appropriate spots, and that's it. You might want to look at RFC 6749 (OAuth 2.0) http://tools.ietf.org/html/rfc6749 as well, as it might give you some more information. OpenID Connect has a lot of validation steps, which may or may not also exist in OAuth2.0... not sure. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #26 from M. Tompsett <mtompset@hotmail.com> --- (In reply to David Cook from comment #25)
Hmm, it might be a better idea to add a parameter instead of using the $persona parameter in C4::Auth::checkauth().
I would think the parameter would be better renamed to $AuthenticatedEmail, because persona and this OAuth patch both authenticate against an Email address (the primary email address is used to find the user).
C4::Auth needs a clean-up in general... which Martin (ashimema) is working on, I believe.
True, it does need clean-up.
In any case, locally I added a $external_authen hashref as a parameter after $persona. I use $external_authen->{OpenIDConnect} to store the data I need to pass to checkauth(), add some handling in the appropriate spots, and that's it.
NOOOOOO! Please hashref the parameter! If there are more than 3 parameters, you probably should use a hashref. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #27 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- (In reply to David Cook from comment #24)
I'm just wrapping up a local project on using OpenID Connect, which is basically a wrapper around OAuth2.0 with a few extras thrown in on top, so I'd be interested in taking a look at this at some point.
Could we look at making this more extensible though? There are lots of other OAuth2.0 providers than just Google.
Have yo looked at http://search.cpan.org/~kgrennan/Net-OAuth2-0.06/lib/Net/OAuth2.pm? I believe Chris Cormack took a look at that recently.
Anywho, I could be interested in testing this out down the road!
Hi David, I like the idea of making it more extensible, and when I get a chance (probably in a few weeks from now) I'll see about checking out OAuth2.pm . Since we run Google Apps for Education for our students (at library.pbc.wa.edu.au), Google's oauth2 was our priority. It's been quite a while since I wrote this, but I think google has some google-specific functionality available - like the hd parameter. (Actually, the hd parameter isn't all that useful for us, seeing as it doesn't seem to like subdomains) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #28 from David Cook <dcook@prosentient.com.au> --- (In reply to M. Tompsett from comment #26)
I would think the parameter would be better renamed to $AuthenticatedEmail, because persona and this OAuth patch both authenticate against an Email address (the primary email address is used to find the user).
Yeah, I thought about that a bit, but it also sets a "persona" key in the session, which I think might be used for persona session management, so re-using it without careful checking could lead to weirdness with Persona.
NOOOOOO! Please hashref the parameter! If there are more than 3 parameters, you probably should use a hashref.
... Yes, a single hashref would be nicer. If I were designing a new sub, I would use a single hashref. However, I'm personally not planning on refactoring C4::Auth::checkauth() and testing every use of it. Nor am I going to add checking to checkauth() so that it can use a single hashref OR a bunch of scalars. That just leads to more technical debt. Of course, I'm not planning on upstreaming my OpenID Connect work at the moment anyway, so it doesn't really matter. I'm sure whoever refactors checkauth() someday will use a single hashref instead. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #29 from M. Tompsett <mtompset@hotmail.com> --- Comment on attachment 36355 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36355 Bug 10988 - Allow login via Google OAuth2 Review of attachment 36355: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=36355) ----------------------------------------------------------------- ::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc @@ +58,4 @@
<li role="presentation"><a href="#" tabindex="-1" class="menu-inactive" role="menuitem">No private lists</a></li> <li role="presentation"><a href="/cgi-bin/koha/opac-shelves.pl?display=privateshelves" tabindex="-1" role="menuitem" class="listmenulink">New list</a></li> [% END %] + [% ELSIF ( GoogleOAuth2 ) %]
I'd be surprised if there wasn't a [% USE Koha %] at the top of the file. Why pass preferences? Koha.Preference('GoogleOAuth2') -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #36355|0 |1 is obsolete| | --- Comment #30 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 40087 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40087&action=edit Bug 10988 - Allow login via Google OAuth Modified the latest patch to cleanly apply, and also reworked the "domain restriction" methodology. Rather than utilising an undocumented parameter, we now check ourselves if the email address finishes with the right domain. This also allows for using subdomains. Also switched to using Koha.Preference('GoogleOAuth2') in masthead.inc, as suggested by M. Tompsett Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #31 from M. Tompsett <mtompset@hotmail.com> --- Comment on attachment 40087 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40087 Bug 10988 - Allow login via Google OAuth Review of attachment 40087: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40087) ----------------------------------------------------------------- ::: C4/Auth.pm @@ +37,4 @@
use Encode qw( encode is_utf8);
# use utf8; +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $googleoauth2 $ldap $cas $caslogout $shib $shib_login);
No need to add this. @@ +55,4 @@
&get_all_subpermissions &get_user_subpermissions ); %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] ); + $googleoauth2 = C4::Context->preference('GoogleOAuth2');
Or this. @@ +471,4 @@
BranchesLoop => GetBranchesLoop($opac_name), BranchCategoriesLoop => GetBranchCategories( 'searchdomain', 1, $opac_name ), CalendarFirstDayOfWeek => ( C4::Context->preference("CalendarFirstDayOfWeek") eq "Sunday" ) ? 0 : 1, + GoogleOAuth2 => (C4::Context->preference("GoogleOAuth2")),
Or even this. @@ +1247,4 @@
); }
+ if ($googleoauth2) {
Though you will have to grab the preference directly here. ::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc @@ +58,4 @@
<li role="presentation"><a href="#" tabindex="-1" class="menu-inactive" role="menuitem">No private lists</a></li> <li role="presentation"><a href="/cgi-bin/koha/opac-shelves.pl?display=privateshelves" tabindex="-1" role="menuitem" class="listmenulink">New list</a></li> [% END %] + [% ELSIF ( KOHA.Preference('GoogleOAuth2') == 1 ) %]
Haven't tested yet, but is Template Toolkit case sensitive? Why KOHA? The top has [% Use Koha %] right? @@ +78,4 @@
[% IF Koha.Preference('casAuthentication') %] [%# CAS authentication is too complicated for modal window %] <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li> + [% ELSIF ( GoogleOAuth2 ) %]
Wasn't just the one location. I was talking about all of them. That way you could minimize touching Auth.pm in the first place. ::: opac/svc/googleoauth2 @@ +114,5 @@
+ my ( $userid, $cookie, $sessionID ) = + checkauth( $query, 1, { borrow => 1 }, 'opac', $email ); + if ($userid) { # A valid user has logged in + if ( ($restricttodomain ne '' ) + && (index($email, $restricttodomain) == -1) )
Pink spots at the end (at least that's the colour on my screen), usually indicate spaces at the end of a line. That fails koha qa test tools. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Indranil Das Gupta <indradg@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |indradg@gmail.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #40087|0 |1 is obsolete| | --- Comment #32 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 40252 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40252&action=edit Bug 10988 - Allow login via Google OAuth2 Modified patch to address issues found in the review. Thanks for that! Turns out in our live site, I'd already patched masthead.inc as suggested. (We run another patch on top of the one provided here to put different login buttons into Koha (library.pbc.wa.edu.au) - not sure if that's appropriate for this patch or not... And hopefully all the "pink spots" are gone now! :-) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #33 from M. Tompsett <mtompset@hotmail.com> --- I have yet to test this, but I've been thinking about it, and the comments made in comment #24 in terms of Net::OAuth2 or something similar seem to be a concern for me. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #34 from M. Tompsett <mtompset@hotmail.com> --- Comment on attachment 40252 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40252 Bug 10988 - Allow login via Google OAuth2 Review of attachment 40252: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40252) ----------------------------------------------------------------- ::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc @@ +78,4 @@
[% IF Koha.Preference('casAuthentication') %] [%# CAS authentication is too complicated for modal window %] <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li> + [% ELSIF ( Koha.Preference(' GoogleOAuth2') == 1 ) %]
Space! Oops. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #40252|0 |1 is obsolete| | --- Comment #35 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 40442 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40442&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools NOTE: I don't like that it is specific to Google. I don't like that it does not use a library to do the authenticating portions. However, it is functional. Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #36 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Comment on attachment 40442 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40442 Bug 10988: Allow login via Google OAuth2 Review of attachment 40442: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40442) ----------------------------------------------------------------- I don't have an installation with a public ip, so I cannot test this patch. Following a code review: 1/ Fix the patch's author (From: root <root@beta.pbcstudents.pbc.wa.edu.au>) 2/ perltidy the new file (opac/svc/googleoauth2) 3/ Maybe opac/svc/auth/googleoauth2 is more appropriate? 4/ the following: ::: opac/svc/googleoauth2 @@ +1,1 @@
+#!/usr/bin/perl -w
Remove -w @@ +36,5 @@
+# means caching some information and updating it daily. But that +# would make things a lot faster + +use Modern::Perl; +use CGI qw/escape/;
and -utf8, even if not needed. @@ +63,5 @@
+ $query->delete('code'); + $query->param( 'OAuth2Failed' => $reason ); + my ( $template, $borrowernumber, $cookie ) = get_template_and_user( + { + template_name => 'opac-user.tmpl',
Should be opac-user.tt @@ +75,5 @@
+ $template->param( 'loginprompt' => 1 ); + output_html_with_http_headers $query, $cookie, $template->output; +} + +#die $query->param('code');
To remove. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #40442|0 |1 is obsolete| | --- Comment #37 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 40979 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40979&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences. Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Updated patch to address the concerns in Comment 36. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #38 from M. Tompsett <mtompset@hotmail.com> --- (In reply to Jonathan Druart from comment #36)
I don't have an installation with a public ip, so I cannot test this patch.
You don't need a public ip, as far as I recall, since the redirect is done at the browser level. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #39 from David Cook <dcook@prosentient.com.au> --- (In reply to M. Tompsett from comment #38)
(In reply to Jonathan Druart from comment #36)
I don't have an installation with a public ip, so I cannot test this patch.
You don't need a public ip, as far as I recall, since the redirect is done at the browser level.
I'm not familiar with this patch at all, but it's true about not needing a public IP. I have a local app where I send "localhost:8888/callback" as the return uri to the OAuth 2.0 server and it works well. Not sure if that's feasible within the context of this patch, but... -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #40 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- I can take a look again with a detailed test plan using a non-public IP. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #41 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 41663 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=41663&action=edit Bug 10988: Fix the svc script path -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtj@kohaaloha.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #42 from Mason James <mtj@kohaaloha.com> --- FYI: CALYX came up with a technique to force a google-auth session logout when a user logs out of Koha. (note: this may be considered optional behaviour) Unfortunately, it is a solution that exists within a Google account, therefore is outside of Koha More info to come... -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Tom Misilo <misilot@fit.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |misilot@fit.edu -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Status|Signed Off |Patch doesn't apply --- Comment #43 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Patch does not apply - please rebase! Apply? [(y)es, (n)o, (i)nteractive] y Applying: Bug 10988: Allow login via Google OAuth2 Using index info to reconstruct a base tree... M C4/Auth.pm M installer/data/mysql/sysprefs.sql M koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref M koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt Falling back to patching base and 3-way merge... Auto-merging koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt CONFLICT (content): Merge conflict in koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt Auto-merging koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref Auto-merging installer/data/mysql/sysprefs.sql Auto-merging C4/Auth.pm CONFLICT (content): Merge conflict in C4/Auth.pm Failed to merge in the changes. Patch failed at 0001 Bug 10988: Allow login via Google OAuth2 The copy of the patch that failed is found in: /home/katrin/kohaclone/.git/rebase-apply/patch When you have resolved this problem run "git bz apply --continue". If you would prefer to skip this patch, instead run "git bz apply --skip". To restore the original branch and stop patching run "git bz apply --abort". Patch left in /tmp/Bug-10988-Allow-login-via-Google-OAuth2-fFUW8a.patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #40979|0 |1 is obsolete| | --- Comment #44 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 43791 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43791&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Updated patch to address the concerns in Comment 36. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #41663|0 |1 is obsolete| | --- Comment #45 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 43792 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43792&action=edit Bug 10988: Fix the svc script path -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Signed Off --- Comment #46 from M. Tompsett <mtompset@hotmail.com> --- Setting back to Signed Off after this rebasing. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #47 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I have a follow-up with some suggestions for the wording - but can't test on my local Koha installation (localhost...) Also: the svc script asks for the 'borrow' permission, that has since be removed. Please take a look and fix. Bug 7976 - "Borrow Permission" is not used and can be removed -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #48 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 43938 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43938&action=edit Bug 10988: QA Follow-up - rewording suggestions -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #49 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 45667 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45667&action=edit Bug 10988: Dealt with borrower flag issues Removed borrower flag reference in template grab, and emptied it in the checkauth call. Personal retesting worked. Also, made it perlcritic prettier. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #50 from M. Tompsett <mtompset@hotmail.com> --- Test plan is the same: Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #45667|0 |1 is obsolete| | --- Comment #51 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 45668 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45668&action=edit Bug 10988: Dealt with borrower flag issues Removed borrower flag reference in template grab, and emptied it in the checkauth call. Personal retesting worked. Also, made it perlcritic prettier. Test Plan: 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #43791|0 |1 is obsolete| | Attachment #43792|0 |1 is obsolete| | Attachment #43938|0 |1 is obsolete| | Attachment #45668|0 |1 is obsolete| | --- Comment #52 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 45895 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45895&action=edit Allow Google OAuth2 Login Combines all of the patches above into one, and rebases it to current master, so that they all cleanly apply. Works for me on this end. Test plan remains the same. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #53 from M. Tompsett <mtompset@hotmail.com> --- There are no differences between the single commit and the multi-commit versions? What was the status before the commit? I'll retest anyways. *sigh* Seems like a waste of 15 minutes. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #45895|0 |1 is obsolete| | --- Comment #54 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 46016 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016&action=edit Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above into one, making them apply to master again. Test Plan (remains the same): 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #55 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- (In reply to M. Tompsett from comment #53)
There are no differences between the single commit and the multi-commit versions? What was the status before the commit? I'll retest anyways. *sigh* Seems like a waste of 15 minutes.
Did this a while ago, but from memory the multiple patches didn't apply cleanly to master.... -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #56 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Just reviewing the code here.. one thing partially stands out.. What your actually implimenting here is OpenID Connect (Which is OpenID over Auth2.0) which is great, as I was a bit suspicious of using OAuth 2.0 for authentication as it's an api Authorization layer, not an Authentication medium out of the box (with OpenID Connect, one can use it for Authentication too). Could we reword/rename the prefs to reflect that this is Google's implimentation of OpenID Connect, and not OAuth.. i think that will make it more clear that this is only for authentication and does not expand to using the range of api's available via OAuth. I'll get back to reading the code now -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #57 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Comment on attachment 46016 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016 Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above into one, making them apply to master again. Review of attachment 46016: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=46016) ----------------------------------------------------------------- In general I feel this is a good start, but it's just that.. a start. We need a more thorough handling of login fallbacks and we need to add state tokens into the mix to protect our users from CRSF attacks. ::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc @@ +65,5 @@
[% IF some_private_shelves > 10 %] <li role="presentation"><a href="/cgi-bin/koha/opac-shelves.pl?op=list&category=1" tabindex="-1" role="menuitem" class="listmenulink">View All</a></li> [% END %] + [% ELSIF ( Koha.Preference('GoogleOAuth2') == 1 ) %] + <li role="presentation"><a href="/cgi-bin/koha/svc/auth/googleoauth2" tabindex="-1" class="menu-inactive" role="menuitem">Log in to create your own lists</a></li>
I disagree with this change. A) it looks to me like it won't do what your expecting (it looks like it's a level too deep in the nested IF's) but B) I don't feel adding a login link here is appropriate unless your going to add it for all available authentication mechanisms.. it's just make the interface inconsistent. ::: koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt @@ +138,2 @@
[% END # / IF casAuthentication %]
There's not enough added to this file. There should be a 'login with your google id' block somewhere which appears to be missing. @@ +139,5 @@
[% END # / IF casAuthentication %]
+ [% IF ( invalidOAuth2Login ) %] + <h4>Automatic login</h4> + <p>Sorry, your automatic login failed. <span class="error">[% invalidOAuth2Login %]</span></p>
I think this needs rewording, it's a Google Login.. it's not automagic.. it's a shared login using the email claim from a google openid connect id token. I feel the text is a little misleading. ::: opac/svc/auth/googleoauth2 @@ +147,5 @@
+ } + +} +else { + my $prompt = $query->param('reauthenticate') // q{};
I'm not seeing an state tokens in use anywhere in this Flow.. without them we are wide open to cross-site request forgery (CSRF) attacks.. we likely need to create a nice randomised string and store it between invocations of the script. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #58 from David Cook <dcook@prosentient.com.au> --- Comment on attachment 46016 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016 Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above into one, making them apply to master again. Review of attachment 46016: --> (http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=46016) ----------------------------------------------------------------- I hadn't realized that this was OpenID Connect until Martin pointed it out and until I saw the "openid" value in the scope of the Authorization Request. I actually wrote an OpenID Connect feature for Koha for a client in 2014, but due to a lack of time and an incorrectly implemented third party OpenID Connect server, I never got around to upstreaming it to the community codebase. Perhaps I should try and remedy that one day. In any case, I've included some comments in the code review below based on my experience. Nicholas, what documentation did you use for this patch? When I look at https://developers.google.com/identity/protocols/OpenIDConnect, it specifies different endpoints than you've used here. I'd recommend consulting that webpage and http://openid.net/specs/openid-connect-core-1_0.html. The latter is what I used for making an OpenID Connect compliant server app. ::: opac/svc/auth/googleoauth2 @@ +53,5 @@
+# protocol is assumed in OPACBaseURL see bug 5010. +my $redirecturl = $host . '/cgi-bin/koha/svc/auth/googleoauth2'; +my $issuer = 'accounts.google.com'; +my $clientid = C4::Context->preference('GoogleOAuth2ClientID'); +my $clientsecret = C4::Context->preference('GoogleOAuth2ClientSecret');
Alternatively, you could put the ClientID and the ClientSecret in koha-conf.xml. While it would give less control to libraries, it would keep this information on a more "need to know" basis. @@ +86,5 @@
+elsif ( defined $query->param('code') ) { + my $code = $query->param('code'); + my $ua = LWP::UserAgent->new(); + my $request = POST( + 'https://accounts.google.com/o/oauth2/token',
How did you choose this endpoint? Both https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#discove... and https://accounts.google.com/.well-known/openid-configuration provide versioned endpoints. @@ +99,5 @@
+ ); + my $response = $ua->request($request)->decoded_content; + my $json = decode_json($response); + if ( exists( $json->{'id_token'} ) ) { + $request = POST( 'https://www.googleapis.com/oauth2/v1/tokeninfo',
tokeninfo isn't a standard OpenID Connect endpoint. It's a debugging tool that Google has available, but they discourage its use in production: https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#validat... Use of tokeninfo also makes it harder for the rest of us to read the code since a decrypted token has a standard layout, but I haven't found what a tokeninfo response contains. @@ +105,5 @@
+ $response = $ua->request($request)->decoded_content; + $json = decode_json($response); + +# Confirm (as google suggests) that the issuer and audience are what we expect them to be + if ( ( $json->{'issuer'} eq $issuer )
As noted above, a standard response should be $json->{'iss'}, but otherwise this is good as per #2 at http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. @@ +106,5 @@
+ $json = decode_json($response); + +# Confirm (as google suggests) that the issuer and audience are what we expect them to be + if ( ( $json->{'issuer'} eq $issuer ) + && ( $json->{'audience'} eq $clientid )
As noted in #3 at http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation, $json->{'aud'} (the standard claim), "may" be an array. I'm not familiar with Google's responses... it might always return a string, but the spec points out that you should check for either a string or an array (and to reject the token if it doesn't contain the expected audience or if it includes untrusted audiences). @@ +107,5 @@
+ +# Confirm (as google suggests) that the issuer and audience are what we expect them to be + if ( ( $json->{'issuer'} eq $issuer ) + && ( $json->{'audience'} eq $clientid ) + && exists( $json->{'email'} ) )
This is bizarre... the token shouldn't contain the email. That must be for debugging purposes in tokeninfo. You should have to get it from https://www.googleapis.com/oauth2/v3/userinfo or a similar endpoint, which also need its "sub" claim to be validated. @@ +108,5 @@
+# Confirm (as google suggests) that the issuer and audience are what we expect them to be + if ( ( $json->{'issuer'} eq $issuer ) + && ( $json->{'audience'} eq $clientid ) + && exists( $json->{'email'} ) ) + {
At this point, you must also verify that the token type is "Bearer" (case insensitive as per RFC 6749 Section 5.1). At this point, you must also be verifying that the token isn't expired. You must also validate the "azp" claim if it's present in the response. For more on validation, consult http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation and RFC 6749 (https://tools.ietf.org/html/rfc6749) @@ +148,5 @@
+ +} +else { + my $prompt = $query->param('reauthenticate') // q{}; +
I agree with Martin. Even on Google's page, it states "You must protect the security of your users by preventing request forgery attacks." (https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#createx...). As developers, we have a responsibility to the users of Koha to ensure their security and their privacy. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #59 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- All insightful stuff David, thanks :) Just to make sure I wasn't coming accross too negative; I'm really pleased someone is working on adding this functionality.. nice start Nicholas. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #60 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- https://developers.google.com/identity/protocols/OpenIDConnect is the documentation I would likely use to implement this authentication. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #46016|0 |1 is obsolete| | --- Comment #61 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 46473 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46473&action=edit Bug 10988 - Rewrite and renamed to OpenIDConnect Fixes the concerns raised in comments 57 and 58. Renamed the settings to OpenID Connect, as opposed to OAuth2, since that better reflects what this is. Detailed comments on the changes: ** MARTIN: Comment #57 **
koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc I disagree with this change.... I take your point - and have removed the offending lines
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt There's not enough added to this file. There should be a 'login with your google id' block somewhere which appears to be missing. You're right - that's in our customisations for our local site, but it makes sense to do it here! Done!
I think this needs rewording, it's a Google Login.. it's not automagic.. Fair point - reword to "Google login"
I'm not seeing an state tokens in use anywhere in this Flow.. without them we are wide open to cross-site request forgery (CSRF) attacks.. we likely need to create a nice randomised string and store it between invocations of the script. Done - I think. What do people think about the technique used. Wasn't too sure about how Koha does session handling, but think it's working now...
** David: Comment #58 **
Alternatively, you could put the ClientID and the ClientSecret in koha-conf.xml. While it would give less control to libraries, it would keep this information on a more "need to know" basis.
I personally think that it's better to put this in the preferences, since it's possible to regenerate these at any time. It makes it easier for these to be updated. Also, although they might be able to be changed, they can't be stolen since they are only valid for the redirect_url for koha.
How did you choose this endpoint? Both https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#discove... and https://accounts.google.com/.well-known/openid-configuration provide versioned endpoints. Good question - no idea. Fixed this now.
tokeninfo isn't a standard OpenID Connect endpoint. Moved to the proper endpoints now.
As noted above, a standard response should be $json->{'iss'}, but otherwise this is good as per #2 at http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation. Fixed now As noted in #3 at http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation, $json->{'aud'} (the standard claim), "may" be an array. I'm not familiar with Google's responses... it might always return a string, but the spec points out that you should check for either a string or an array (and to reject the token if it doesn't contain the expected audience or if it includes untrusted audiences). Put in a check to make sure that we're the only audience - but it looks like google only sends us a string
This is bizarre... the token shouldn't contain the email. That must be for debugging purposes in tokeninfo. You should have to get it from https://www.googleapis.com/oauth2/v3/userinfo or a similar endpoint, which also need its "sub" claim to be validated. Moved to a different endpoint. Not sure that we need to validate "sub", since we don't actually use it anywhere (Besides which, Google doesn't even think we need to validate the token as much as we are - see https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinf... for rationale)
At this point, you must also verify that the token type is "Bearer" (case insensitive as per RFC 6749 Section 5.1). Done At this point, you must also be verifying that the token isn't expired. Done You must also validate the "azp" claim if it's present in the response. Done Oh, and as in reply to Martin, Forgery protection is also done
Test Plan (remains the same): 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOpenIDConnect preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Allow login via Google |Allow login via Google |OAuth2 |OAuth2 (OpenID Connect) -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #62 from Nicholas van Oudtshoorn <vanoudt@gmail.com> --- Created attachment 46474 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46474&action=edit Remove some outdated wording from googleopenidconnect -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn <vanoudt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #63 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Nice work Nick! I will be eagerly looking at this, hopefully this afternoon. Thanks for putting in all the hard work, so glad you followed through. :-D -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org