[Koha-bugs] [Bug 17004] REST API: add route to authenticate patron ( Single Sign On - SSO)

bugzilla-daemon at bugs.koha-community.org
Tue Nov 8 18:44:30 CET 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17004

--- Comment #22 from Benjamin Rokseth <benjamin.rokseth at kul.oslo.kommune.no> ---
(In reply to Martin Renvoize from comment #21)
> I don't like this much.. We're in-explicitly mixing Authentication (Are you
> who you say you are) and Authorization (What can this person/application on
> behalf of person do)
>

I believe the main point here is authenticating a service outside Koha against
its userbase and services, although of course Koha intra and OPAC should profit
from this.

> At the very least I believe these functions should be made distinct to
> prevent leaking security context.
> 
No problem with that, as long as authorization is handled in one place only.

> The second reason I don't like this is that we're inventing our own wheel.
> There are lots of solid standards out there to do this sort of thing. We
> should really be leaning on the shoulders of giants and using an off the
> shelf standard. OAuth and OpenID connect would be my preferred option
> personally.

Now this could be debated. OpenID and OAuth are easy to integrate against and
are well-formed standards, and would of course lower the barrier to using Koha
services outside the library without handling login in Koha.

But to be sure, local login needs to be handled anyway, and to use our library
as an example, having a local patron base is a strength rather than a weakness.
Being a user of the library implies a presence and represents a place outside
the web, and I'm not sure SSO with OAuth gives the same sensation.

Just my two cent thoughts :) Now to rebase this against master...
