[Koha-bugs] [Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Mar 14 16:56:05 CET 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

Julian Maurice <julian.maurice at biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72865|0                           |1
        is obsolete|                            |

--- Comment #3 from Julian Maurice <julian.maurice at biblibre.com> ---
Created attachment 72886
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72886&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with basic scopes
support (only one is defined, "patrons.read").
API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <scope>patrons.read</scope>
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
   - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   It should return 200 OK with the list of patrons
7. Remove or change the <scope> from $KOHA_CONF (reload starman &
   memcached) and see that you cannot generate a new token.
   Then reset the scope to its initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2
   occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status
   Undo your changes in api/v1/swagger/paths/patrons.json and reload
   starman again.
9. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/
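Steps 4 to 6 of the test plan as a script, added here as an example and not part of the comment above or of the Koha patch: it requests a token with the client-credentials grant (credentials in the form-encoded body) and then calls /api/v1/patrons with the bearer token. KOHA_URL, CLIENT_ID and CLIENT_SECRET are placeholders you supply; the `transport` parameter is an assumption of this example so the HTTP layer can be swapped out.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def default_transport(url, data=None, headers=None):
    """Send one request; return (status, body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def request_token(base_url, client_id, client_secret, scope, transport=default_transport):
    """Client-credentials grant against /api/v1/oauth/token (test plan step 4)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    status, raw = transport(base_url + "/api/v1/oauth/token", data=body,
                            headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:  # e.g. scope missing from $KOHA_CONF (step 7)
        raise RuntimeError("token request refused: %d %s" % (status, raw.decode(errors="replace")))
    tok = json.loads(raw)
    if "access_token" not in tok or tok.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token response: %r" % tok)
    return tok


def list_patrons(base_url, access_token, transport=default_transport):
    """GET /api/v1/patrons with the bearer token (step 6); returns the HTTP status.

    200 means the scope matched; 403 is what steps 8 and 9 expect for a scope
    mismatch or an expired token."""
    status, _ = transport(base_url + "/api/v1/patrons",
                          headers={"Authorization": "Bearer " + access_token})
    return status


if __name__ == "__main__":
    # Placeholders from the test plan, read from the environment.
    base = os.environ["KOHA_URL"]
    tok = request_token(base, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"], "patrons.read")
    print("token expires in %s s" % tok.get("expires_in"))
    print("GET /api/v1/patrons ->", list_patrons(base, tok["access_token"]))
```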
