[Koha-bugs] [Bug 20340] Ability to use authentication plugin

bugzilla-daemon at bugs.koha-community.org
Wed Apr 24 11:02:14 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20340

--- Comment #48 from Alex Arnaud <alex.arnaud at biblibre.com> ---
(In reply to David Cook from comment #41)
> Anyone else think that it's a terrible idea to have authentication plugins
> that non-technical staff can load into Koha? Sounds like a massive security
> problem waiting to happen.
> 
> That said, I'm in favour of authentication "plugins" that administrators can
> add to the system via system packages or CPAN.

I do understand this argument. I even agree that plugins (and not only
authentication ones) could contain security issues.
For "our" hosted libraries, we disabled write permission on the plugins
directory.
It looks like a tricky solution and we probably need a better one, but it means
that administrators have the final word.

> I think we should ask ourselves what we're trying to achieve here. Are we
> adding authentication plugins via the Staff UI, because it's too difficult to
> get changes into Koha, especially around authentication?
> I would love for there to be more authentication methods for Koha. In fact, I
> wrote a generic OpenID Connect client for Koha, which I support locally.

IMO plugins are useful (even essential) to satisfy specific libraries' requests
and not to avoid community processes.
I wrote this patch in order to create an authentication plugin that can
query many LDAP backends and fall back on another one.
It seems too specific to be suggested to the community.
To go further, as discussed above, I think we should generally consider LDAP,
CAS, etc. as specific features that would become plugins (maybe another
debate).

To return to the security topic:
Today, many free pluggable systems provide repositories with a large number of
plugins that have been reviewed, tested and validated by their community as
safe. Users can easily download ones from other sources, but they know it's at
their own risk.
Maybe we should be inspired by that.
