REST API authentication for external clients
Hi all, As you may know [1], BibLibre is working on an interface between Koha and Coral. To achieve that, Coral uses the Koha REST API. But we are facing a problem that is becoming really blocking : the lack of a proper authentication system for the REST API. At the moment, the only way to authenticate to the API is based on cookies. It works well for client-side javascript inside Koha, but it's not really usable by external clients. Is there someone here who use this API outside of Koha ? If so, how do you authenticate to it ? I think we really need an authentication mechanism other than cookies, so people can actually start using the API. There is bug 13920 [2] that hasn't moved since 8 months. I remember that some people disagreed with this patchset because it is crafting a custom authentication system instead of using some "standard" one (I remember OAuth was mentioned). Do you know of any "standard" auth system that we can implement, or existing Perl libraries we can use ? [1]: http://lists.koha-community.org/pipermail/koha-devel/2017-January/043430.htm... [2]: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920 -- Julian Maurice <julian.maurice@biblibre.com> BibLibre
Hi Julian, we need to implement an OAuth2 server inside Koha, using Mojolicious::Plugin::OAuth2::Server [1]. I've worked on an endpoint for authenticating the API against a generic OAuth2 server (as a way to be able to test it :-D). I will file a bug very soon for that. My idea was then to implement the server... OAuth2 proposes several authorization flows, and the plugin (actually the server library) implements all of them. [2] Hope it helps. I haven't managed to have the time to do it! [1] https://metacpan.org/pod/Mojolicious::Plugin::OAuth2::Server [2] https://auth0.com/docs/api-auth/which-oauth-flow-to-use El mar., 27 feb. 2018 a las 12:04, Julian Maurice (< julian.maurice@biblibre.com>) escribió:
Hi all,
As you may know [1], BibLibre is working on an interface between Koha and Coral. To achieve that, Coral uses the Koha REST API. But we are facing a problem that is becoming really blocking : the lack of a proper authentication system for the REST API.
At the moment, the only way to authenticate to the API is based on cookies. It works well for client-side javascript inside Koha, but it's not really usable by external clients.
Is there someone here who use this API outside of Koha ? If so, how do you authenticate to it ?
I think we really need an authentication mechanism other than cookies, so people can actually start using the API.
There is bug 13920 [2] that hasn't moved since 8 months. I remember that some people disagreed with this patchset because it is crafting a custom authentication system instead of using some "standard" one (I remember OAuth was mentioned). Do you know of any "standard" auth system that we can implement, or existing Perl libraries we can use ?
[1]:
http://lists.koha-community.org/pipermail/koha-devel/2017-January/043430.htm... [2]: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920
-- Julian Maurice <julian.maurice@biblibre.com> BibLibre _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Tomás Cohen Arazi Theke Solutions (https://theke.io <http://theke.io/>) ✆ +54 9351 3513384 GPG: B2F3C15F
Julian, could you say more about how you want to authenticate with Koha? I’ve struggled in the past using OAuth2 for machine-to-machine authorization… although that Auth0 link that Tomas provided seems to suggest it is possible. Spotify uses OAuth2 for its REST API, and I had to do a bit of a workaround to get it working for machine-to-machine auth, but maybe that was an issue with their OAuth2 server or my lack of knowledge at the time. I’m guessing you might want to look at https://auth0.com/docs/api-auth/grant/client-credentials, although it depends on whether you want the end user to access their account in Koha interactively or if you’re just looking for a way of authenticating with Koha on the backend I think. I hadn’t heard of this flow before so I think I’ll have to look at it again when I one day have time for hobbies… David Cook Systems Librarian Prosentient Systems 72/330 Wattle St Ultimo, NSW 2007 Australia Office: 02 9212 0899 Direct: 02 8005 0595 From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of Tomas Cohen Arazi Sent: Wednesday, 28 February 2018 2:15 AM To: Julian Maurice <julian.maurice@biblibre.com> Cc: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] REST API authentication for external clients Hi Julian, we need to implement an OAuth2 server inside Koha, using Mojolicious::Plugin::OAuth2::Server [1]. I've worked on an endpoint for authenticating the API against a generic OAuth2 server (as a way to be able to test it :-D). I will file a bug very soon for that. My idea was then to implement the server... OAuth2 proposes several authorization flows, and the plugin (actually the server library) implements all of them. [2] Hope it helps. I haven't managed to have the time to do it! [1] https://metacpan.org/pod/Mojolicious::Plugin::OAuth2::Server [2] https://auth0.com/docs/api-auth/which-oauth-flow-to-use El mar., 27 feb. 2018 a las 12:04, Julian Maurice (<julian.maurice@biblibre.com <mailto:julian.maurice@biblibre.com> >) escribió: Hi all, As you may know [1], BibLibre is working on an interface between Koha and Coral. To achieve that, Coral uses the Koha REST API. But we are facing a problem that is becoming really blocking : the lack of a proper authentication system for the REST API. At the moment, the only way to authenticate to the API is based on cookies. It works well for client-side javascript inside Koha, but it's not really usable by external clients. Is there someone here who use this API outside of Koha ? If so, how do you authenticate to it ? I think we really need an authentication mechanism other than cookies, so people can actually start using the API. There is bug 13920 [2] that hasn't moved since 8 months. I remember that some people disagreed with this patchset because it is crafting a custom authentication system instead of using some "standard" one (I remember OAuth was mentioned). Do you know of any "standard" auth system that we can implement, or existing Perl libraries we can use ? [1]: http://lists.koha-community.org/pipermail/koha-devel/2017-January/043430.htm... [2]: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920 -- Julian Maurice <julian.maurice@biblibre.com <mailto:julian.maurice@biblibre.com> > BibLibre _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/ -- Tomás Cohen Arazi Theke Solutions (https://theke.io <http://theke.io/> ) ✆ +54 9351 3513384 GPG: B2F3C15F
I think a machine-to-machine authentication is what fits better for Koha-Coral interface, but anything that doesn't require end-user interaction would be good. I guess I'll have to do some reading about OAuth :) Thanks. Le 27/02/2018 à 23:21, David Cook a écrit :
Julian, could you say more about how you want to authenticate with Koha?
I’ve struggled in the past using OAuth2 for machine-to-machine authorization… although that Auth0 link that Tomas provided seems to suggest it is possible. Spotify uses OAuth2 for its REST API, and I had to do a bit of a workaround to get it working for machine-to-machine auth, but maybe that was an issue with their OAuth2 server or my lack of knowledge at the time.
I’m guessing you might want to look at https://auth0.com/docs/api-auth/grant/client-credentials, although it depends on whether you want the end user to access their account in Koha interactively or if you’re just looking for a way of authenticating with Koha on the backend I think.
I hadn’t heard of this flow before so I think I’ll have to look at it again when I one day have time for hobbies…
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia
Office: 02 9212 0899
Direct: 02 8005 0595
*From:*koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] *On Behalf Of *Tomas Cohen Arazi *Sent:* Wednesday, 28 February 2018 2:15 AM *To:* Julian Maurice <julian.maurice@biblibre.com> *Cc:* koha-devel@lists.koha-community.org *Subject:* Re: [Koha-devel] REST API authentication for external clients
Hi Julian, we need to implement an OAuth2 server inside Koha, using Mojolicious::Plugin::OAuth2::Server [1]. I've worked on an endpoint for authenticating the API against a generic OAuth2 server (as a way to be able to test it :-D). I will file a bug very soon for that. My idea was then to implement the server...
OAuth2 proposes several authorization flows, and the plugin (actually the server library) implements all of them. [2]
Hope it helps. I haven't managed to have the time to do it!
[1] https://metacpan.org/pod/Mojolicious::Plugin::OAuth2::Server
[2] https://auth0.com/docs/api-auth/which-oauth-flow-to-use
El mar., 27 feb. 2018 a las 12:04, Julian Maurice (<julian.maurice@biblibre.com <mailto:julian.maurice@biblibre.com>>) escribió:
Hi all,
As you may know [1], BibLibre is working on an interface between Koha and Coral. To achieve that, Coral uses the Koha REST API. But we are facing a problem that is becoming really blocking : the lack of a proper authentication system for the REST API.
At the moment, the only way to authenticate to the API is based on cookies. It works well for client-side javascript inside Koha, but it's not really usable by external clients.
Is there someone here who use this API outside of Koha ? If so, how do you authenticate to it ?
I think we really need an authentication mechanism other than cookies, so people can actually start using the API.
There is bug 13920 [2] that hasn't moved since 8 months. I remember that some people disagreed with this patchset because it is crafting a custom authentication system instead of using some "standard" one (I remember OAuth was mentioned). Do you know of any "standard" auth system that we can implement, or existing Perl libraries we can use ?
[1]: http://lists.koha-community.org/pipermail/koha-devel/2017-January/043430.htm... [2]: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920
-- Julian Maurice <julian.maurice@biblibre.com <mailto:julian.maurice@biblibre.com>> BibLibre _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
--
Tomás Cohen Arazi
Theke Solutions (https://theke.io <http://theke.io/>) ✆+54 9351 3513384 GPG: B2F3C15F
-- Julian Maurice <julian.maurice@biblibre.com> BibLibre
nOn Tue, 27 Feb 2018, Julian Maurice wrote:
I think we really need an authentication mechanism other than cookies, so people can actually start using the API.
There is bug 13920 [2] that hasn't moved since 8 months. I remember that some people disagreed with this patchset because it is crafting a custom authentication system instead of using some "standard" one (I remember OAuth was mentioned). Do you know of any "standard" auth system that we can implement, or existing Perl libraries we can use ?
How about the Perl OAuth2.0 libraries? http://search.cpan.org/~markov/Net-OAuth2-0.63/lib/Net/OAuth2.pod OAuth2.0 is pretty much becoming the standard for talking to various RESTful APIs - I've used it against Google calendars, Microsoft Graph API, etc, etc. Admittedly I've often crafted my own OAuth2.0 support for those though. Jon
participants (4)
-
David Cook -
Jon Knight -
Julian Maurice -
Tomas Cohen Arazi