[Koha-patches] [PATCH] Bug 10988 [ENH] Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled.
Nicholas van Oudtshoorn
vanoudt at gmail.com
Thu Oct 10 10:38:12 CEST 2013
---
C4/Auth.pm | 10 +-
.../atomicupdate/bug_10988_add_GoogleOAuth.sql | 3 +
installer/data/mysql/sysprefs.sql | 3 +
.../prog/en/modules/admin/preferences/admin.pref | 15 +++
koha-tmpl/opac-tmpl/ccsr/en/includes/top-bar.inc | 6 +-
koha-tmpl/opac-tmpl/prog/en/includes/masthead.inc | 6 +-
koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tt | 9 ++
opac/svc/googleoauth2 | 127 +++++++++++++++++++++
8 files changed, 176 insertions(+), 3 deletions(-)
create mode 100644 installer/data/mysql/atomicupdate/bug_10988_add_GoogleOAuth.sql
create mode 100755 opac/svc/googleoauth2
diff --git a/C4/Auth.pm b/C4/Auth.pm
index d73edaf..1dc0bf1 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -34,7 +34,7 @@ use POSIX qw/strftime/;
use List::MoreUtils qw/ any /;
# use utf8;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout);
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $googleoauth2 $ldap $cas $caslogout);
BEGIN {
sub psgi_env { any { /^psgi\./ } keys %ENV }
@@ -52,6 +52,7 @@ BEGIN {
ParseSearchHistoryCookie
);
%EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions get_user_subpermissions)] );
+ $googleoauth2= C4::Context->preference('GoogleOAuth2');
$ldap = C4::Context->config('useldapserver') || 0;
$cas = C4::Context->preference('casAuthentication');
$caslogout = C4::Context->preference('casLogout');
@@ -394,6 +395,7 @@ sub get_template_and_user {
BranchesLoop => GetBranchesLoop($opac_name),
BranchCategoriesLoop => GetBranchCategories( 'searchdomain', 1, $opac_name ),
CalendarFirstDayOfWeek => (C4::Context->preference("CalendarFirstDayOfWeek") eq "Sunday")?0:1,
+ GoogleOAuth2 => (C4::Context->preference("GoogleOAuth2")),
LibraryName => "" . C4::Context->preference("LibraryName"),
LibraryNameTitle => "" . $LibraryNameTitle,
LoginBranchname => C4::Context->userenv?C4::Context->userenv->{"branchname"}:"",
@@ -1078,6 +1080,12 @@ sub checkauth {
invalidCasLogin => $info{'invalidCasLogin'}
);
}
+ if ($googleoauth2) {
+ if ($query->param("OAuth2Failed")) {
+ my $reason = $query->param('OAuth2Failed');
+ $template->param(invalidOAuth2Login => $reason);
+ }
+ }
my $self_url = $query->url( -absolute => 1 );
$template->param(
diff --git a/installer/data/mysql/atomicupdate/bug_10988_add_GoogleOAuth.sql b/installer/data/mysql/atomicupdate/bug_10988_add_GoogleOAuth.sql
new file mode 100644
index 0000000..d02d9b3
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_10988_add_GoogleOAuth.sql
@@ -0,0 +1,3 @@
+-- Adding GoogleOAuth2 support
+INSERT INTO `systempreferences` (`variable`, `value`, `options`, `explanation`, `type`) VALUES ('GoogleOAuth2', '0', NULL, 'if ON, allows the use of Google OAuth2 for login', 'YesNo'), ('GoogleOAuth2ClientID', '', NULL, 'Client ID for the web app registered with google', 'Free'), ('GoogleOAuth2ClientSecret', '', NULL, 'Client Secret for the web app registered with google', 'Free');
+
diff --git a/installer/data/mysql/sysprefs.sql b/installer/data/mysql/sysprefs.sql
index 4b0f364..3445025 100644
--- a/installer/data/mysql/sysprefs.sql
+++ b/installer/data/mysql/sysprefs.sql
@@ -115,6 +115,9 @@ INSERT INTO systempreferences ( `variable`, `value`, `options`, `explanation`, `
('FRBRizeEditions','0','','If ON, Koha will query one or more ISBN web services for associated ISBNs and display an Editions tab on the details pages','YesNo'),
('gist','0','','Default Goods and Services tax rate NOT in %, but in numeric form (0.12 for 12%), set to 0 to disable GST','Integer'),
('GoogleJackets','0',NULL,'if ON, displays jacket covers from Google Books API','YesNo'),
+('GoogleOAuth2', '0', NULL, 'if ON, allows the use of Google OAuth2 for login', 'YesNo'),
+('GoogleOAuth2ClientID', '', NULL, 'Client ID for the web app registered with google', 'Free'),
+('GoogleOAuth2ClientSecret', '', NULL, 'Client Secret for the web app registered with google', 'Free'),
('hidelostitems','0','','If ON, disables display of\"lost\" items in OPAC.','YesNo'),
('HidePatronName','0','','If this is switched on, patron\'s cardnumber will be shown instead of their name on the holds and catalog screens','YesNo'),
('hide_marc','0',NULL,'If ON, disables display of MARC fields, subfield codes & indicators (still shows data)','YesNo'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
index 1215ac1..14b53e9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref
@@ -113,3 +113,18 @@ Administration:
Solr: Solr
Zebra: Zebra
- is the search engine used.
+ Google OAuth2:
+ -
+ - pref: GoogleOAuth2
+ choices:
+ yes: Use
+ no: "Don't Use"
+ - Google OAuth2 login.
+ - You will need to select OAuth2 when creating an app in the google cloud console, and set the web origin to your_opac_url and the redirect url to your_opac_url/cgi-bin/koha/svc/oauthlogin .
+
+ -
+ - Google OAuth2 Client ID
+ - pref: GoogleOAuth2ClientID
+ -
+ - Google OAuth2 Client Secret
+ - pref: GoogleOAuth2ClientSecret
diff --git a/koha-tmpl/opac-tmpl/ccsr/en/includes/top-bar.inc b/koha-tmpl/opac-tmpl/ccsr/en/includes/top-bar.inc
index 42d9576..f832cc4 100644
--- a/koha-tmpl/opac-tmpl/ccsr/en/includes/top-bar.inc
+++ b/koha-tmpl/opac-tmpl/ccsr/en/includes/top-bar.inc
@@ -55,7 +55,11 @@
[% IF ( opacuserlogin ) %]
<ul>
[% UNLESS ( loggedinusername ) %]
- <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li>[% END %]
+ [% IF ( GoogleOAuth2 ) %]
+ <li><a href="/cgi-bin/koha/svc/googleoauth2">Log in to your account</a></li>
+ [% ELSE %]
+ <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li>
+ [% END %][% END %]
[% IF ( loggedinusername ) %]
<li><span class="members">Welcome, <a href="/cgi-bin/koha/opac-user.pl"><span class="loggedinusername">[% FOREACH USER_INF IN USER_INFO %][% USER_INF.title %] [% USER_INF.firstname %] [% USER_INF.surname %][% END %]</span></a></span></li>
diff --git a/koha-tmpl/opac-tmpl/prog/en/includes/masthead.inc b/koha-tmpl/opac-tmpl/prog/en/includes/masthead.inc
index 79eb1a1..48c78bb 100644
--- a/koha-tmpl/opac-tmpl/prog/en/includes/masthead.inc
+++ b/koha-tmpl/opac-tmpl/prog/en/includes/masthead.inc
@@ -2,7 +2,11 @@
[% IF ( opacuserlogin ) %]
<ul>
[% UNLESS ( loggedinusername ) %]
- <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li>[% END %]
+ [% IF ( GoogleOAuth2 ) %]
+ <li><a href="/cgi-bin/koha/svc/googleoauth2">Log in to your account</a></li>
+ [% ELSE %]
+ <li><a href="/cgi-bin/koha/opac-user.pl">Log in to your account</a></li>
+ [% END %][% END %]
[% IF ( loggedinusername ) %]
<li><span class="members">Welcome, <a href="/cgi-bin/koha/opac-user.pl"><span class="loggedinusername">[% FOREACH USER_INF IN USER_INFO %][% USER_INF.title %] [% USER_INF.firstname %] [% USER_INF.surname %][% END %]</span></a></span></li>
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tt
index 7b8b8f9..af7153c 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-auth.tt
@@ -73,6 +73,15 @@ please choose against which one you would like to authenticate: </p>
[% END %]
+[% IF ( invalidOAuth2Login ) %]
+<h4>Automatic Login</h4>
+<p>Sorry, your automatic login failed. <span class="error">[% invalidOAuth2Login %]</span></p>
+<p>Please note that automatic login will only work if you are using the email address registered with this library.</p>
+<p>If you want to, you can try to <a href="/cgi-bin/koha/svc/googleoauth2?reauthenticate=select_account">login using a differen account</a>
+<h4>Local login</h4>
+<p>If you can't login automatically, you can still login in manually: </p>
+
+[% END %]
<form action="[% url %]" name="auth" id="auth" method="post">
<input type="hidden" name="koha_login_context" value="opac" />
<fieldset class="brief">[% FOREACH INPUT IN INPUTS %]
diff --git a/opac/svc/googleoauth2 b/opac/svc/googleoauth2
new file mode 100755
index 0000000..f94636e
--- /dev/null
+++ b/opac/svc/googleoauth2
@@ -0,0 +1,127 @@
+#!/bin/perl -w
+# Copyright chris at bigballofwax.co.nz 2013
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it under the
+# terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3 of the License, or (at your option) any later
+# version.
+#
+# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with Koha; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+# Basic OAuth2 authentication for google goes like this
+# First: get your clientid, clientsecret from google. At this stage, tell google that
+# your redirect url is /cgi-bin/koha/svc/oauthlogin
+#
+# The first thing that happens when this script is called is that one gets redirected
+# to an authentication url from google
+#
+# If successful, that then redirects back to this script, setting a CODE parameter
+# which we use to look up a json authentication token. This token includes an encrypted
+# json id_token, which we round-trip back to google to decrypt. Finally, we can extract
+# the email address from this.
+#
+# There is LOTS of room for improvement here.
+# 1. move the clientid, clientsecret to systempreferences
+# 2. use the OPACBaseURL preference to compute the redirecturl
+# 4. Google recommends verifying and decrypting the id_token locally, which means caching
+# some information and updating it daily. But that would make things a lot faster
+
+use strict;
+use warnings;
+use CGI qw/escape/;
+use C4::Auth;
+use C4::Context;
+use C4::Output;
+
+use LWP::UserAgent;
+use HTTP::Request::Common qw{ POST };
+use JSON;
+
+my $scope="openid email";
+my $host = C4::Context->preference('OPACBaseURL');
+my $redirecturl = 'http://' . $host . '/cgi-bin/koha/svc/oauthlogin';
+my $issuer = 'accounts.google.com';
+my $clientid = C4::Context->preference('GoogleOAuth2ClientID');
+my $clientsecret = C4::Context->preference('GoogleOAuth2ClientSecret');
+
+my $query = new CGI;
+
+sub loginfailed {
+ my $query = shift;
+ my $reason = shift;
+ $query->delete('code');
+ $query->param('OAuth2Failed'=>$reason);
+ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+ {
+ template_name => 'opac-user.tmpl',
+ query => $query,
+ type => 'opac',
+ authnotrequired => 0,
+ flagsrequired => { borrow => 1 },
+ }
+ );
+ $template->param( 'invalidOAuth2Login' => $reason );
+ $template->param( 'loginprompt' => 1);
+ output_html_with_http_headers $query, $cookie, $template->output;
+}
+#die $query->param('code');
+if (defined $query->param('error')) {
+ loginfailed($query, 'An authentication error occurred. (Error:' . $query->param('error') . ')');
+} elsif (defined $query->param('code')) {
+ my $code=$query->param('code');
+ my $ua = LWP::UserAgent->new();
+ my $request = POST('https://accounts.google.com/o/oauth2/token', [
+ code => $code,
+ client_id => $clientid,
+ client_secret => $clientsecret,
+ redirect_uri => $redirecturl,
+ grant_type => 'authorization_code',
+ $scope => $scope
+ ]);
+ my $response = $ua->request($request)->decoded_content ;
+ my $json = decode_json ( $response);
+ if ( exists($json->{'id_token'}) ) {
+ $request = POST('https://www.googleapis.com/oauth2/v1/tokeninfo', [
+ id_token => $json->{'id_token'}
+ ]);
+ $response = $ua->request($request)->decoded_content;
+ $json = decode_json ( $response);
+ # Confirm (as google suggests) that the issuer and audience are what we expect them to be
+ if (($json->{'issuer'} eq $issuer) && ($json->{'audience'} eq $clientid) && exists($json->{'email'})) {
+ my $email = $json->{'email'};
+ my ( $userid, $cookie, $sessionID ) =
+ checkauth( $query, 1, { borrow => 1 }, 'opac', $email );
+ if ($userid) { # A valid user has logged in
+ print $query->redirect( -uri => '/cgi-bin/koha/opac-user.pl', -cookie => $cookie );
+ } else {
+ loginfailed($query, 'The email address you are trying to use is not associated with a borrower in this library.');
+ }
+ } else { # something went wrong with getting appropriate credentials
+ loginfailed($query, 'Failed to get proper credentials from google.');
+ }
+ } else { # Failed to get ID Token
+ loginfailed($query, 'An authentication error occurred. (Error: No ID Token was supplied)');
+ }
+
+} else {
+ my $prompt = '';
+ $prompt = $query->param('reauthenticate') unless not (defined $query->param('reauthenticate'));
+
+ my $authorisationurl = 'https://accounts.google.com/o/oauth2/auth?' .
+ 'response_type=code&' .
+ 'redirect_uri=' . escape ( $redirecturl ) . '&' .
+ 'client_id=' . escape ( $clientid ) . '&' .
+ 'scope=' . escape ( $scope ) . '&';
+ $authorisationurl .= 'prompt=' . escape ( $query->param('reauthenticate') );
+ print $query->redirect($authorisationurl);
+}
+
--
1.8.1.4
More information about the Koha-patches
mailing list