[Koha-bugs] [Bug 20402] Implement OAuth2 authentication for REST API
bugzilla-daemon at bugs.koha-community.org
Wed Mar 14 17:49:41 CET 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
M. Tompsett <mtompset at hotmail.com> changed:
What              |Removed |Added
----------------------------------------------------------------------------
Attachment #72886 |0       |1
is obsolete       |        |
--- Comment #7 from M. Tompsett <mtompset at hotmail.com> ---
Created attachment 72892
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72892&action=edit
Bug 20402: Implement OAuth2 authentication for REST API
It implements only the "client credentials" flow with basic scopes
support (only one is defined, "patrons.read").
API Clients are defined in $KOHA_CONF.
Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
   <api_client>
     <client_id>$CLIENT_ID</client_id>
     <client_secret>$CLIENT_SECRET</client_secret>
     <scope>patrons.read</scope>
   </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
   - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token
(which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and URL to
   http://$KOHA_URL/api/v1/patrons then click on SEND.
   It should return 200 OK with the list of patrons.
7. Remove or change the <scope> from $KOHA_CONF (reload starman &
memcached) and see that you cannot generate a new token.
Then reset the scope to its initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2
   occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status.
   Undo your changes in api/v1/swagger/paths/patrons.json and reload
   starman again.
9. Wait an hour (or run the following SQL query:
UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
You should have a 403 Forbidden status, and the token must have been
removed from the database.
[1] https://addons.mozilla.org/en-US/firefox/addon/rester/
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
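The checks the test plan exercises (client credentials validated against the configured client, requested scope limited to the configured scope, a one-hour token, a 403 when the route's scope does not match, and expired tokens removed on use) can be walked through offline with the following model. This is an added example written for this page, not Koha's code and not the Net::OAuth2::AuthorizationServer implementation; the dictionaries standing in for the <api_client> element, for 'x-koha-scopes', and for the oauth_access_tokens table are constructed, and the client id and secret are placeholders.

```python
"""Offline model of the OAuth2 client-credentials flow described in the test plan.

Constructed example: API_CLIENTS stands in for the <api_client> element in
$KOHA_CONF, ROUTE_SCOPES for 'x-koha-scopes' in the swagger path definition,
and OAuthServer.access_tokens for the oauth_access_tokens table.
"""
import hmac
import secrets
import time

# Constructed stand-in for <api_client> in $KOHA_CONF (placeholder values).
API_CLIENTS = {
    "example-client-id": {                  # placeholder for $CLIENT_ID
        "secret": "example-client-secret",  # placeholder for $CLIENT_SECRET
        "scopes": {"patrons.read"},         # the single <scope> element
    },
}

# Constructed stand-in for 'x-koha-scopes' on GET /api/v1/patrons.
ROUTE_SCOPES = {("GET", "/api/v1/patrons"): {"patrons.read"}}

TOKEN_TTL = 3600  # tokens are valid for one hour


class OAuthServer:
    """Token endpoint plus a scope-checking resource endpoint."""

    def __init__(self, clients=None, route_scopes=None, clock=time.time):
        self.clients = API_CLIENTS if clients is None else clients
        self.route_scopes = ROUTE_SCOPES if route_scopes is None else route_scopes
        self.clock = clock  # injectable so expiry can be tested without waiting
        self.access_tokens = {}  # token -> {"client_id", "scopes", "expires"}

    def token(self, form):
        """POST /api/v1/oauth/token with credentials in the request body."""
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client = self.clients.get(form.get("client_id", ""))
        # Constant-time comparison: a wrong secret and an unknown client
        # take the same path and are not distinguishable by timing.
        presented = form.get("client_secret", "").encode()
        if client is None or not hmac.compare_digest(client["secret"].encode(), presented):
            return 401, {"error": "invalid_client"}
        requested = set(form.get("scope", "").split())
        # Step 7: a scope that is not configured for the client yields no token.
        if not requested or not requested <= client["scopes"]:
            return 400, {"error": "invalid_scope"}
        tok = secrets.token_urlsafe(32)
        self.access_tokens[tok] = {
            "client_id": form["client_id"],
            "scopes": requested,
            "expires": int(self.clock()) + TOKEN_TTL,
        }
        return 200, {"access_token": tok, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}

    def request(self, method, path, headers):
        """A protected API call carrying 'Authorization: Bearer <token>'."""
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not tok:
            return 401, {"error": "missing bearer token"}
        record = self.access_tokens.get(tok)
        if record is None:
            return 403, {"error": "invalid token"}
        if record["expires"] <= self.clock():
            del self.access_tokens[tok]  # step 9: expired token is removed on use
            return 403, {"error": "expired token"}
        needed = self.route_scopes.get((method, path))
        if needed is None:
            return 404, {"error": "not found"}
        if not needed <= record["scopes"]:  # step 8: route scope mismatch
            return 403, {"error": "insufficient scope"}
        return 200, {"patrons": []}  # constructed payload


def demo():
    """Walk steps 5, 6 and 9 of the test plan; returns the three statuses."""
    now = [1_000_000]
    srv = OAuthServer(clock=lambda: now[0])
    status, body = srv.token({"grant_type": "client_credentials",
                              "client_id": "example-client-id",
                              "client_secret": "example-client-secret",
                              "scope": "patrons.read"})
    hdr = {"Authorization": "Bearer " + body["access_token"]}
    ok = srv.request("GET", "/api/v1/patrons", hdr)[0]
    now[0] += TOKEN_TTL + 1  # "wait an hour"
    expired = srv.request("GET", "/api/v1/patrons", hdr)[0]
    return status, ok, expired


if __name__ == "__main__":
    print(demo())
```

Setting `record["expires"] = 0` on a stored token reproduces the SQL shortcut in step 9 (`UPDATE oauth_access_tokens SET expires = 0`), and constructing the server with a different `route_scopes` mapping reproduces step 8 without editing a swagger file.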