[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 David Cook changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=31378 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #79 from David Cook --- I suspect eventually this will be deprecated and removed now that we have bug 31378 in master. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #78 from David Cook --- Just noting that I've signed off Bug 30988 so it would be great to get some QA eyes on it. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #77 from David Cook --- When bug 30988 is ready, which will be very soon, I think that it could replace this Google-specific functionality. Then we could just maintain the 1 generic OpenID Connect client. In the past, I've had libraries that need multiple Open ID Connect clients supported and I used bug 21586 for that, but I could develop that functionality later for bug 30988 if necessary. Actually, if I did that, then we could seamlessly migrate the googleopenidconnect to the generic model just by adding it as a generic provider. Something to think about at some point... -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 David Cook changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=30988 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Owen Leonard changed: What|Removed |Added Blocks||29006 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29006 [Bug 29006] Make GoogleOpenIDConnect options consistent in the OPAC -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Owen Leonard changed: What|Removed |Added Blocks||29004 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29004 [Bug 29004] Update GoogleOpenIDConnect preference to make it clear that it is OPAC-only -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 David Cook changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=25436 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Resolution|--- |FIXED Status|UNCONFIRMED |RESOLVED --- Comment #76 from M. Tompsett --- (In reply to Marian from comment #75) > Does this solution is still working on Koha 17, I have tried to apply the > patches but I receive the fallowing error > Hunk #1 FAILED at 137. > 1 out of 1 hunk FAILED -- saving rejects to file > /usr/share/koha/opac/htdocs/opac-tmpl/bootstrap/en/modules/opac-auth.tt.rej > patching file opac/svc/auth/googleopenidconnect > patch unexpectedly ends in middle of line It's already in Koha 17.05, so no need to apply. It was pushed (see comment #72). Changing status. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 mari...@newro.co changed: What|Removed |Added Ever confirmed|1 |0 Status|RESOLVED|UNCONFIRMED CC||mari...@newro.co Resolution|FIXED |--- --- Comment #75 from mari...@newro.co --- Does this solution is still working on Koha 17, I have tried to apply the patches but I receive the fallowing error Hunk #1 FAILED at 137. 1 out of 1 hunk FAILED -- saving rejects to file /usr/share/koha/opac/htdocs/opac-tmpl/bootstrap/en/modules/opac-auth.tt.rej patching file opac/svc/auth/googleopenidconnect patch unexpectedly ends in middle of line -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Katrin Fischer changed: What|Removed |Added Status|Pushed to Master|RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Blocks||18144 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18144 [Bug 18144] Removal of persona broke openidconnect -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Mason James changed: What|Removed |Added Blocks||18118 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18118 [Bug 18118] Unexpected behaviour with 'GoogleOpenIDConnect' and 'OpacPublic' syspref combination -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicole C. Engard changed: What|Removed |Added CC|neng...@gmail.com | -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Blocks||16892 See Also|https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=16892 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=16892 [Bug 16892] Add automatic patron registration via OAuth2 login -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=16892 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #74 from David Cook --- (In reply to Brendan Gallagher from comment #72) > Pushed to Master - Should be in the May 2016 release. Thanks! Neato! I should take a look at this again. I haven't had time/money to upstream my generic OpenID Connect stuff, but maybe I can use this to replace some of my homespun code... -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #73 from Nicholas van Oudtshoorn --- Thanks Martin, Mark and Brendan! It feels great to have this done! đŸ˜ƒ -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Brendan Gallagher changed: What|Removed |Added CC||bren...@bywatersolutions.co ||m Status|Passed QA |Pushed to Master --- Comment #72 from Brendan Gallagher --- Pushed to Master - Should be in the May 2016 release. Thanks! -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added Attachment #47782|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added Attachment #47780|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added Status|Signed Off |Passed QA --- Comment #71 from Martin Renvoize --- Looks great, works great, good enhancement.. well done! -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added Attachment #47781|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #69 from Martin Renvoize --- Created attachment 49786 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=49786&action=edit Bug 10988 - Fix some wording Fix some outdated wording in googleopenidconnect Signed-off-by: Mark Tompsett Signed-off-by: Martin Renvoize -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #70 from Martin Renvoize --- Created attachment 49787 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=49787&action=edit Bug 10988: Tabs vs Spaces qa failure patch Run Koha QA Test tools and discovered this failed because of tabs. Rather than fail this and wait forever for it to get fixed, this patches it, and I'll mark it as signed off anyways. Signed-off-by: Mark Tompsett Signed-off-by: Martin Renvoize -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #68 from Martin Renvoize --- Created attachment 49785 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=49785&action=edit Bug 10988 - Fixes for comments 57 and 58 Test Plan (remains the same): 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOpenIDConnect preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools Signed-off-by: Mark Tompsett Signed-off-by: Martin Renvoize -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicole C. Engard changed: What|Removed |Added CC||neng...@gmail.com -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Status|Needs Signoff |Signed Off --- Comment #67 from M. Tompsett --- I wasn't attempting to gauge the prettiness of the UI for this sign off. :) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #46473|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #46474|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #66 from M. Tompsett --- Created attachment 47782 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47782&action=edit [SIGNED-OFF] Bug 10988: Tabs vs Spaces qa failure patch Run Koha QA Test tools and discovered this failed because of tabs. Rather than fail this and wait forever for it to get fixed, this patches it, and I'll mark it as signed off anyways. Signed-off-by: Mark Tompsett -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #65 from M. Tompsett --- Created attachment 47781 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47781&action=edit [SIGNED-OFF] Bug 10988 - Fix some wording Fix some outdated wording in googleopenidconnect Signed-off-by: Mark Tompsett -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #64 from M. Tompsett --- Created attachment 47780 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47780&action=edit [SIGNED-OFF] Bug 10988 - Fixes for comments 57 and 58 Test Plan (remains the same): 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleO%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleopenidconnect) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOpenIDConnect preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools Signed-off-by: Mark Tompsett -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #63 from Martin Renvoize --- Nice work Nick! I will be eagerly looking at this, hopefully this afternoon. Thanks for putting in all the hard work, so glad you followed through. :-D -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #62 from Nicholas van Oudtshoorn --- Created attachment 46474 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46474&action=edit Remove some outdated wording from googleopenidconnect -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2 (OpenID Connect)
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Summary|Allow login via Google |Allow login via Google |OAuth2 |OAuth2 (OpenID Connect) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
Nicholas van Oudtshoorn changed:
What|Removed |Added
Attachment #46016|0 |1
is obsolete||
--- Comment #61 from Nicholas van Oudtshoorn ---
Created attachment 46473
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46473&action=edit
Bug 10988 - Rewrite and renamed to OpenIDConnect
Fixes the concerns raised in comments 57 and 58.
Renamed the settings to OpenID Connect, as opposed to OAuth2, since that better
reflects what this is.
Detailed comments on the changes:
** MARTIN: Comment #57 **
> koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
> I disagree with this change
I take your point - and have removed the offending lines
>> koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
> There's not enough added to this file. There should be a 'login with your
> google id' block somewhere which appears to be missing.
You're right - that's in our customisations for our local site, but it makes
sense to do it here! Done!
> I think this needs rewording, it's a Google Login.. it's not automagic..
Fair point - reword to "Google login"
> I'm not seeing an state tokens in use anywhere in this Flow.. without them we
> are wide open to cross-site request forgery (CSRF) attacks.. we likely need
> to create a nice randomised string and store it between invocations of the
> script.
Done - I think. What do people think about the technique used. Wasn't too sure
about how Koha does session handling, but think it's working now...
** David: Comment #58 **
> Alternatively, you could put the ClientID and the ClientSecret in
> koha-conf.xml. While it would give less control to libraries, it would keep
> this information on a more "need to know" basis.
I personally think that it's better to put this in the preferences, since it's
possible to regenerate these at any time. It makes it easier for these to be
updated. Also, although they might be able to be changed, they can't be stolen
since they are only valid for the redirect_url for koha.
> How did you choose this endpoint? Both
> https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#discovery
> and https://accounts.google.com/.well-known/openid-configuration provide
> versioned endpoints.
Good question - no idea. Fixed this now.
>tokeninfo isn't a standard OpenID Connect endpoint.
Moved to the proper endpoints now.
> As noted above, a standard response should be $json->{'iss'}, but otherwise
> this is good as per #2 at
> http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
Fixed now
> As noted in #3 at
> http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation,
> $json->{'aud'} (the standard claim), "may" be an array. I'm not familiar with
> Google's responses... it might always return a string, but the spec points
> out that you should check for either a string or an array (and to reject the
> token if it doesn't contain the expected audience or if it includes untrusted
> audiences).
Put in a check to make sure that we're the only audience - but it looks like
google only sends us a string
> This is bizarre... the token shouldn't contain the email. That must be for
> debugging purposes in tokeninfo. You should have to get it from
> https://www.googleapis.com/oauth2/v3/userinfo or a similar endpoint, which
> also need its "sub" claim to be validated.
Moved to a different endpoint. Not sure that we need to validate "sub", since
we don't actually use it anywhere (Besides which, Google doesn't even think we
need to validate the token as much as we are - see
https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
for rationale)
> At this point, you must also verify that the token type is "Bearer" (case
> insensitive as per RFC 6749 Section 5.1).
Done
> At this point, you must also be verifying that the token isn't expired.
Done
> You must also validate the "azp" claim if it's present in the response.
Done
Oh, and as in reply to Martin, Forgery protection is also done
Test Plan (remains the same):
0) Back up your database
1) Apply all these patches
2) In your mysql client use your Koha database and execute:
> DELETE FROM systempreferences;
> SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql;
-- Should be no errors.
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see 4 entries.
> QUIT;
3) Restore your database
4) Run ./installer/data/mysql/updatedatabase.pl;
5) In your mysql client use your Koha database and execute:
> SELECT * FROM systempreferences LIKE 'GoogleO%';
-- Should see the same 4 entries.
6) Log into the staff client
7) Home -> Koha administration -> Global system preferences
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #60 from Martin Renvoize --- https://developers.google.com/identity/protocols/OpenIDConnect is the documentation I would likely use to implement this authentication. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #59 from Martin Renvoize --- All insightful stuff David, thanks :) Just to make sure I wasn't coming accross too negative; I'm really pleased someone is working on adding this functionality.. nice start Nicholas. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #58 from David Cook ---
Comment on attachment 46016
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016
Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above
into one, making them apply to master again.
Review of attachment 46016:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=46016)
-
I hadn't realized that this was OpenID Connect until Martin pointed it out and
until I saw the "openid" value in the scope of the Authorization Request.
I actually wrote an OpenID Connect feature for Koha for a client in 2014, but
due to a lack of time and an incorrectly implemented third party OpenID Connect
server, I never got around to upstreaming it to the community codebase. Perhaps
I should try and remedy that one day. In any case, I've included some comments
in the code review below based on my experience.
Nicholas, what documentation did you use for this patch? When I look at
https://developers.google.com/identity/protocols/OpenIDConnect, it specifies
different endpoints than you've used here. I'd recommend consulting that
webpage and http://openid.net/specs/openid-connect-core-1_0.html. The latter is
what I used for making an OpenID Connect compliant server app.
::: opac/svc/auth/googleoauth2
@@ +53,5 @@
> +# protocol is assumed in OPACBaseURL see bug 5010.
> +my $redirecturl = $host . '/cgi-bin/koha/svc/auth/googleoauth2';
> +my $issuer = 'accounts.google.com';
> +my $clientid = C4::Context->preference('GoogleOAuth2ClientID');
> +my $clientsecret = C4::Context->preference('GoogleOAuth2ClientSecret');
Alternatively, you could put the ClientID and the ClientSecret in
koha-conf.xml. While it would give less control to libraries, it would keep
this information on a more "need to know" basis.
@@ +86,5 @@
> +elsif ( defined $query->param('code') ) {
> +my $code= $query->param('code');
> +my $ua = LWP::UserAgent->new();
> +my $request = POST(
> +'https://accounts.google.com/o/oauth2/token',
How did you choose this endpoint? Both
https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#discovery
and https://accounts.google.com/.well-known/openid-configuration provide
versioned endpoints.
@@ +99,5 @@
> +);
> +my $response = $ua->request($request)->decoded_content;
> +my $json = decode_json($response);
> +if ( exists( $json->{'id_token'} ) ) {
> +$request = POST( 'https://www.googleapis.com/oauth2/v1/tokeninfo',
tokeninfo isn't a standard OpenID Connect endpoint. It's a debugging tool that
Google has available, but they discourage its use in production:
https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#validatinganidtoken
Use of tokeninfo also makes it harder for the rest of us to read the code since
a decrypted token has a standard layout, but I haven't found what a tokeninfo
response contains.
@@ +105,5 @@
> +$response = $ua->request($request)->decoded_content;
> +$json = decode_json($response);
> +
> +# Confirm (as google suggests) that the issuer and audience are what we
> expect them to be
> +if ( ( $json->{'issuer'} eq $issuer )
As noted above, a standard response should be $json->{'iss'}, but otherwise
this is good as per #2 at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
@@ +106,5 @@
> +$json = decode_json($response);
> +
> +# Confirm (as google suggests) that the issuer and audience are what we
> expect them to be
> +if ( ( $json->{'issuer'} eq $issuer )
> +&& ( $json->{'audience'} eq $clientid )
As noted in #3 at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation,
$json->{'aud'} (the standard claim), "may" be an array. I'm not familiar with
Google's responses... it might always return a string, but the spec points out
that you should check for either a string or an array (and to reject the token
if it doesn't contain the expected audience or if it includes untrusted
audiences).
@@ +107,5 @@
> +
> +# Confirm (as google suggests) that the issuer and audience are what we
> expect them to be
> +if ( ( $json->{'issuer'} eq $issuer )
> +&& ( $json->{'audience'} eq $clientid )
> +&& exists( $json->{'email'} ) )
This is bizarre... the token shouldn't contain the email. That must be for
debugging purposes in tokeninfo. You should have to get it from
https://www.googleapis.com/oauth2/v3/userinfo or a similar endpoint, which also
need its "sub" claim to be validated.
@@ +108,5 @@
> +# Confirm (as google suggests) that the issuer and audience are what we
> expect them to be
> +if ( ( $json->{'issuer'} eq $issuer )
> +&& ( $json->{'audience'} eq $clientid )
> +&& exists( $json->{'email'} ) )
> +{
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added Status|Signed Off |Failed QA -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #57 from Martin Renvoize ---
Comment on attachment 46016
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016
Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above
into one, making them apply to master again.
Review of attachment 46016:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=46016)
-
In general I feel this is a good start, but it's just that.. a start. We need
a more thorough handling of login fallbacks and we need to add state tokens
into the mix to protect our users from CRSF attacks.
::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
@@ +65,5 @@
> [% IF some_private_shelves > 10
> %]
> href="/cgi-bin/koha/opac-shelves.pl?op=list&category=1" tabindex="-1"
> role="menuitem" class="listmenulink">View All
> [% END %]
> +[% ELSIF (
> Koha.Preference('GoogleOAuth2') == 1 ) %]
> + href="/cgi-bin/koha/svc/auth/googleoauth2" tabindex="-1"
> class="menu-inactive" role="menuitem">Log in to create your own lists
I disagree with this change. A) it looks to me like it won't do what your
expecting (it looks like it's a level too deep in the nested IF's) but B) I
don't feel adding a login link here is appropriate unless your going to add it
for all available authentication mechanisms.. it's just make the interface
inconsistent.
::: koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@@ +138,2 @@
>
> [% END # / IF casAuthentication %]
There's not enough added to this file. There should be a 'login with your
google id' block somewhere which appears to be missing.
@@ +139,5 @@
> [% END # / IF casAuthentication %]
>
> +[% IF ( invalidOAuth2Login ) %]
> +Automatic login
> +Sorry, your automatic login failed. class="error">[% invalidOAuth2Login %]
I think this needs rewording, it's a Google Login.. it's not automagic.. it's a
shared login using the email claim from a google openid connect id token. I
feel the text is a little misleading.
::: opac/svc/auth/googleoauth2
@@ +147,5 @@
> +}
> +
> +}
> +else {
> +my $prompt = $query->param('reauthenticate') // q{};
I'm not seeing an state tokens in use anywhere in this Flow.. without them we
are wide open to cross-site request forgery (CSRF) attacks.. we likely need to
create a nice randomised string and store it between invocations of the script.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #56 from Martin Renvoize --- Just reviewing the code here.. one thing partially stands out.. What your actually implimenting here is OpenID Connect (Which is OpenID over Auth2.0) which is great, as I was a bit suspicious of using OAuth 2.0 for authentication as it's an api Authorization layer, not an Authentication medium out of the box (with OpenID Connect, one can use it for Authentication too). Could we reword/rename the prefs to reflect that this is Google's implimentation of OpenID Connect, and not OAuth.. i think that will make it more clear that this is only for authentication and does not expand to using the range of api's available via OAuth. I'll get back to reading the code now -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #55 from Nicholas van Oudtshoorn --- (In reply to M. Tompsett from comment #53) > There are no differences between the single commit and the multi-commit > versions? What was the status before the commit? I'll retest anyways. *sigh* > Seems like a waste of 15 minutes. Did this a while ago, but from memory the multiple patches didn't apply cleanly to master -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #45895|0 |1 is obsolete|| --- Comment #54 from M. Tompsett --- Created attachment 46016 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=46016&action=edit Bug 10988 - Allow for Google OAuth2 logins Combined all of the patches above into one, making them apply to master again. Test Plan (remains the same): 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools Signed-off-by: Mark Tompsett -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #53 from M. Tompsett --- There are no differences between the single commit and the multi-commit versions? What was the status before the commit? I'll retest anyways. *sigh* Seems like a waste of 15 minutes. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #43791|0 |1 is obsolete|| Attachment #43792|0 |1 is obsolete|| Attachment #43938|0 |1 is obsolete|| Attachment #45668|0 |1 is obsolete|| --- Comment #52 from Nicholas van Oudtshoorn --- Created attachment 45895 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45895&action=edit Allow Google OAuth2 Login Combines all of the patches above into one, and rebases it to current master, so that they all cleanly apply. Works for me on this end. Test plan remains the same. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Status|Failed QA |Needs Signoff --- Comment #50 from M. Tompsett --- Test plan is the same: Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #45667|0 |1 is obsolete|| --- Comment #51 from M. Tompsett --- Created attachment 45668 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45668&action=edit Bug 10988: Dealt with borrower flag issues Removed borrower flag reference in template grab, and emptied it in the checkauth call. Personal retesting worked. Also, made it perlcritic prettier. Test Plan: 0) Back up your database 1) Apply all these patches 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #49 from M. Tompsett --- Created attachment 45667 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=45667&action=edit Bug 10988: Dealt with borrower flag issues Removed borrower flag reference in template grab, and emptied it in the checkauth call. Personal retesting worked. Also, made it perlcritic prettier. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #48 from Katrin Fischer --- Created attachment 43938 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43938&action=edit Bug 10988: QA Follow-up - rewording suggestions -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Katrin Fischer changed: What|Removed |Added Status|Signed Off |Failed QA --- Comment #47 from Katrin Fischer --- I have a follow-up with some suggestions for the wording - but can't test on my local Koha installation (localhost...) Also: the svc script asks for the 'borrow' permission, that has since be removed. Please take a look and fix. Bug 7976 - "Borrow Permission" is not used and can be removed -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Status|Patch doesn't apply |Signed Off --- Comment #46 from M. Tompsett --- Setting back to Signed Off after this rebasing. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #41663|0 |1 is obsolete|| --- Comment #45 from M. Tompsett --- Created attachment 43792 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43792&action=edit Bug 10988: Fix the svc script path -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #40979|0 |1 is obsolete|| --- Comment #44 from M. Tompsett --- Created attachment 43791 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=43791&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Updated patch to address the concerns in Comment 36. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/auth/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Katrin Fischer changed: What|Removed |Added CC||katrin.fisc...@bsz-bw.de Status|Signed Off |Patch doesn't apply --- Comment #43 from Katrin Fischer --- Patch does not apply - please rebase! Apply? [(y)es, (n)o, (i)nteractive] y Applying: Bug 10988: Allow login via Google OAuth2 Using index info to reconstruct a base tree... M C4/Auth.pm M installer/data/mysql/sysprefs.sql M koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref M koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt Falling back to patching base and 3-way merge... Auto-merging koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt CONFLICT (content): Merge conflict in koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt Auto-merging koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences/admin.pref Auto-merging installer/data/mysql/sysprefs.sql Auto-merging C4/Auth.pm CONFLICT (content): Merge conflict in C4/Auth.pm Failed to merge in the changes. Patch failed at 0001 Bug 10988: Allow login via Google OAuth2 The copy of the patch that failed is found in: /home/katrin/kohaclone/.git/rebase-apply/patch When you have resolved this problem run "git bz apply --continue". If you would prefer to skip this patch, instead run "git bz apply --skip". To restore the original branch and stop patching run "git bz apply --abort". Patch left in /tmp/Bug-10988-Allow-login-via-Google-OAuth2-fFUW8a.patch -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Tom Misilo changed: What|Removed |Added CC||misi...@fit.edu -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #42 from Mason James --- FYI: CALYX came up with a technique to force a google-auth session logout when a user logs out of Koha. (note: this may be considered optional behaviour) Unfortunately, it is a solution that exists within a Google account, therefore is outside of Koha More info to come... -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Mason James changed: What|Removed |Added CC||m...@kohaaloha.com -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #41 from Jonathan Druart --- Created attachment 41663 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=41663&action=edit Bug 10988: Fix the svc script path -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Jonathan Druart changed: What|Removed |Added CC||jonathan.dru...@bugs.koha-c ||ommunity.org --- Comment #40 from Jonathan Druart --- I can take a look again with a detailed test plan using a non-public IP. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #39 from David Cook --- (In reply to M. Tompsett from comment #38) > (In reply to Jonathan Druart from comment #36) > > I don't have an installation with a public ip, > > so I cannot test this patch. > > You don't need a public ip, as far as I recall, since the redirect is done > at the browser level. I'm not familiar with this patch at all, but it's true about not needing a public IP. I have a local app where I send "localhost:/callback" as the return uri to the OAuth 2.0 server and it works well. Not sure if that's feasible within the context of this patch, but... -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #38 from M. Tompsett --- (In reply to Jonathan Druart from comment #36) > I don't have an installation with a public ip, > so I cannot test this patch. You don't need a public ip, as far as I recall, since the redirect is done at the browser level. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #40442|0 |1 is obsolete|| --- Comment #37 from Nicholas van Oudtshoorn --- Created attachment 40979 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40979&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences. Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Updated patch to address the concerns in Comment 36. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #36 from Jonathan Druart
---
Comment on attachment 40442
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40442
Bug 10988: Allow login via Google OAuth2
Review of attachment 40442:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40442)
-
I don't have an installation with a public ip, so I cannot test this patch.
Following a code review:
1/ Fix the patch's author (From: root )
2/ perltidy the new file (opac/svc/googleoauth2)
3/ Maybe opac/svc/auth/googleoauth2 is more appropriate?
4/ the following:
::: opac/svc/googleoauth2
@@ +1,1 @@
> +#!/usr/bin/perl -w
Remove -w
@@ +36,5 @@
> +# means caching some information and updating it daily. But that
> +# would make things a lot faster
> +
> +use Modern::Perl;
> +use CGI qw/escape/;
and -utf8, even if not needed.
@@ +63,5 @@
> +$query->delete('code');
> +$query->param( 'OAuth2Failed' => $reason );
> +my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
> +{
> +template_name => 'opac-user.tmpl',
Should be opac-user.tt
@@ +75,5 @@
> +$template->param( 'loginprompt'=> 1 );
> +output_html_with_http_headers $query, $cookie, $template->output;
> +}
> +
> +#die $query->param('code');
To remove.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #40252|0 |1 is obsolete|| --- Comment #35 from M. Tompsett --- Created attachment 40442 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40442&action=edit Bug 10988: Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> OPAC -- make sure your OPACBaseURL is set (e.g. https://opac.koha.ca) 9) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 10) In a new tab, go to https://console.developers.google.com/project 11) Click 'Create Project' 12) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 13) Click the 'Create' button. 14) Click the 'APIs & auth' in the left frame. 15) Click 'Credentials' 16) Click 'Create new Client ID' 17) Select 'Web application' and click 'Configure consent screen'. 18) Select the Email Address. 19) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 20) Fill in the other fields as desired (or not) 21) Click 'Save' 22) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 23) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 24) Click 'Create Client ID' 25) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 26) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 27) Change the GoogleOAuth2 preference to 'Use'. 28) Click 'Save all Administration preferences' 29) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 30) Run koha qa test tools NOTE: I don't like that it is specific to Google. I don't like that it does not use a library to do the authenticating portions. However, it is functional. Signed-off-by: Mark Tompsett -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #34 from M. Tompsett ---
Comment on attachment 40252
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40252
Bug 10988 - Allow login via Google OAuth2
Review of attachment 40252:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40252)
-
::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
@@ +78,4 @@
> [% IF
> Koha.Preference('casAuthentication') %]
> [%# CAS authentication is too
> complicated for modal window %]
> href="/cgi-bin/koha/opac-user.pl">Log in to your account
> +[% ELSIF ( Koha.Preference('
> GoogleOAuth2') == 1 ) %]
Space! Oops.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #33 from M. Tompsett --- I have yet to test this, but I've been thinking about it, and the comments made in comment #24 in terms of Net::OAuth2 or something similar seem to be a concern for me. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #40087|0 |1 is obsolete|| --- Comment #32 from Nicholas van Oudtshoorn --- Created attachment 40252 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40252&action=edit Bug 10988 - Allow login via Google OAuth2 Modified patch to address issues found in the review. Thanks for that! Turns out in our live site, I'd already patched masthead.inc as suggested. (We run another patch on top of the one provided here to put different login buttons into Koha (library.pbc.wa.edu.au) - not sure if that's appropriate for this patch or not... And hopefully all the "pink spots" are gone now! :-) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Indranil Das Gupta changed: What|Removed |Added CC||indr...@gmail.com -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #31 from M. Tompsett ---
Comment on attachment 40087
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40087
Bug 10988 - Allow login via Google OAuth
Review of attachment 40087:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=40087)
-
::: C4/Auth.pm
@@ +37,4 @@
> use Encode qw( encode is_utf8);
>
> # use utf8;
> +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug
> $googleoauth2 $ldap $cas $caslogout $shib $shib_login);
No need to add this.
@@ +55,4 @@
>&get_all_subpermissions &get_user_subpermissions
> );
> %EXPORT_TAGS = ( EditPermissions => [qw(get_all_subpermissions
> get_user_subpermissions)] );
> +$googleoauth2 = C4::Context->preference('GoogleOAuth2');
Or this.
@@ +471,4 @@
> BranchesLoop =>
> GetBranchesLoop($opac_name),
> BranchCategoriesLoop => GetBranchCategories(
> 'searchdomain', 1, $opac_name ),
> CalendarFirstDayOfWeek=> (
> C4::Context->preference("CalendarFirstDayOfWeek") eq "Sunday" ) ? 0 : 1,
> +GoogleOAuth2 =>
> (C4::Context->preference("GoogleOAuth2")),
Or even this.
@@ +1247,4 @@
> );
> }
>
> +if ($googleoauth2) {
Though you will have to grab the preference directly here.
::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
@@ +58,4 @@
> href="#" tabindex="-1" class="menu-inactive" role="menuitem">No private
> lists
> href="/cgi-bin/koha/opac-shelves.pl?display=privateshelves" tabindex="-1"
> role="menuitem" class="listmenulink">New list
> [% END %]
> +[% ELSIF (
> KOHA.Preference('GoogleOAuth2') == 1 ) %]
Haven't tested yet, but is Template Toolkit case sensitive? Why KOHA? The top
has [% Use Koha %] right?
@@ +78,4 @@
> [% IF
> Koha.Preference('casAuthentication') %]
> [%# CAS authentication is too
> complicated for modal window %]
> href="/cgi-bin/koha/opac-user.pl">Log in to your account
> +[% ELSIF ( GoogleOAuth2 ) %]
Wasn't just the one location. I was talking about all of them. That way you
could minimize touching Auth.pm in the first place.
::: opac/svc/googleoauth2
@@ +114,5 @@
> +my ( $userid, $cookie, $sessionID ) =
> + checkauth( $query, 1, { borrow => 1 }, 'opac', $email );
> +if ($userid) {# A valid user has logged in
> + if ( ($restricttodomain ne '' )
> +&& (index($email, $restricttodomain) == -1) )
Pink spots at the end (at least that's the colour on my screen), usually
indicate spaces at the end of a line. That fails koha qa test tools.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
Nicholas van Oudtshoorn changed:
What|Removed |Added
Attachment #36355|0 |1
is obsolete||
--- Comment #30 from Nicholas van Oudtshoorn ---
Created attachment 40087
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40087&action=edit
Bug 10988 - Allow login via Google OAuth
Modified the latest patch to cleanly apply, and also reworked the "domain
restriction" methodology. Rather than utilising an undocumented parameter, we
now check ourselves if the email address finishes with the right domain. This
also allows for using subdomains.
Also switched to using Koha.Preference('GoogleOAuth2') in masthead.inc, as
suggested by M. Tompsett
Adds googleoauth2 login to koha. Adds applicable system
preferences Modifies templates to support oauth2 login
failures changes the login links to use googleoauth2 when
oauth2 is enabled.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #29 from M. Tompsett ---
Comment on attachment 36355
--> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36355
Bug 10988 - Allow login via Google OAuth2
Review of attachment 36355:
-->
(http://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=10988&attachment=36355)
-
::: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc
@@ +58,4 @@
> href="#" tabindex="-1" class="menu-inactive" role="menuitem">No private
> lists
> href="/cgi-bin/koha/opac-shelves.pl?display=privateshelves" tabindex="-1"
> role="menuitem" class="listmenulink">New list
> [% END %]
> +[% ELSIF ( GoogleOAuth2 ) %]
I'd be surprised if there wasn't a [% USE Koha %] at the top of the file. Why
pass preferences? Koha.Preference('GoogleOAuth2')
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #28 from David Cook --- (In reply to M. Tompsett from comment #26) > I would think the parameter would be better renamed to $AuthenticatedEmail, > because persona and this OAuth patch both authenticate against an Email > address (the primary email address is used to find the user). > Yeah, I thought about that a bit, but it also sets a "persona" key in the session, which I think might be used for persona session management, so re-using it without careful checking could lead to weirdness with Persona. > NOO! Please hashref the parameter! > If there are more than 3 parameters, you probably should use a hashref. ... Yes, a single hashref would be nicer. If I were designing a new sub, I would use a single hashref. However, I'm personally not planning on refactoring C4::Auth::checkauth() and testing every use of it. Nor am I going to add checking to checkauth() so that it can use a single hashref OR a bunch of scalars. That just leads to more technical debt. Of course, I'm not planning on upstreaming my OpenID Connect work at the moment anyway, so it doesn't really matter. I'm sure whoever refactors checkauth() someday will use a single hashref instead. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #27 from Nicholas van Oudtshoorn --- (In reply to David Cook from comment #24) > I'm just wrapping up a local project on using OpenID Connect, which is > basically a wrapper around OAuth2.0 with a few extras thrown in on top, so > I'd be interested in taking a look at this at some point. > > Could we look at making this more extensible though? There are lots of other > OAuth2.0 providers than just Google. > > Have yo looked at > http://search.cpan.org/~kgrennan/Net-OAuth2-0.06/lib/Net/OAuth2.pm? I > believe Chris Cormack took a look at that recently. > > Anywho, I could be interested in testing this out down the road! Hi David, I like the idea of making it more extensible, and when I get a chance (probably in a few weeks from now) I'll see about checking out OAuth2.pm . Since we run Google Apps for Education for our students (at library.pbc.wa.edu.au), Google's oauth2 was our priority. It's been quite a while since I wrote this, but I think google has some google-specific functionality available - like the hd parameter. (Actually, the hd parameter isn't all that useful for us, seeing as it doesn't seem to like subdomains) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #26 from M. Tompsett ---
(In reply to David Cook from comment #25)
> Hmm, it might be a better idea to add a parameter instead of using the
> $persona parameter in C4::Auth::checkauth().
I would think the parameter would be better renamed to $AuthenticatedEmail,
because persona and this OAuth patch both authenticate against an Email address
(the primary email address is used to find the user).
> C4::Auth needs a clean-up in general... which Martin (ashimema) is working
> on, I believe.
True, it does need clean-up.
> In any case, locally I added a $external_authen hashref as a parameter after
> $persona. I use $external_authen->{OpenIDConnect} to store the data I need
> to pass to checkauth(), add some handling in the appropriate spots, and
> that's it.
NOO! Please hashref the parameter!
If there are more than 3 parameters, you probably should use a hashref.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988
--- Comment #25 from David Cook ---
Hmm, it might be a better idea to add a parameter instead of using the $persona
parameter in C4::Auth::checkauth().
C4::Auth needs a clean-up in general... which Martin (ashimema) is working on,
I believe.
In any case, locally I added a $external_authen hashref as a parameter after
$persona. I use $external_authen->{OpenIDConnect} to store the data I need to
pass to checkauth(), add some handling in the appropriate spots, and that's it.
You might want to look at RFC 6749 (OAuth 2.0)
http://tools.ietf.org/html/rfc6749 as well, as it might give you some more
information.
OpenID Connect has a lot of validation steps, which may or may not also exist
in OAuth2.0... not sure.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 David Cook changed: What|Removed |Added CC||dc...@prosentient.com.au --- Comment #24 from David Cook --- I'm just wrapping up a local project on using OpenID Connect, which is basically a wrapper around OAuth2.0 with a few extras thrown in on top, so I'd be interested in taking a look at this at some point. Could we look at making this more extensible though? There are lots of other OAuth2.0 providers than just Google. Have yo looked at http://search.cpan.org/~kgrennan/Net-OAuth2-0.06/lib/Net/OAuth2.pm? I believe Chris Cormack took a look at that recently. Anywho, I could be interested in testing this out down the road! -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #23 from Nicholas van Oudtshoorn --- Thanks so much to M. Tompsett for doing this. I've been busy with other jobs (including upgrading to 3.18!), and just haven't got around to sending in our patch. :-) (In reply to M. Tompsett from comment #22) > It depends on 5010, because I cut out the hard coded 'http://' part of the > code in the new googleoauth2 script. Technically, you can test it without > 5010, but you need the protocol in your OPACBaseURL. :) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #22 from M. Tompsett --- It depends on 5010, because I cut out the hard coded 'http://' part of the code in the new googleoauth2 script. Technically, you can test it without 5010, but you need the protocol in your OPACBaseURL. :) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #36354|0 |1 is obsolete|| --- Comment #21 from M. Tompsett --- Created attachment 36355 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36355&action=edit Bug 10988 - Allow login via Google OAuth2 This is my rework of a patch by Nicholas van Oudtshoorn. Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 9) In a new tab, go to https://console.developers.google.com/project 10) Click 'Create Project' 11) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 12) Click the 'Create' button. 13) Click the 'APIs & auth' in the left frame. 14) Click 'Credentials' 15) Click 'Create new Client ID' 16) Select 'Web application' and click 'Configure consent screen'. 17) Select the Email Address. 18) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 19) Fill in the other fields as desired (or not) 20) Click 'Save' 21) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 22) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 23) Click 'Create Client ID' 24) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 25) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 26) Change the GoogleOAuth2 preference to 'Use'. 27) Click 'Save all Administration preferences' 28) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 29) Run koha qa test tools -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added CC||mtomp...@hotmail.com Depends on||5010 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 M. Tompsett changed: What|Removed |Added Attachment #29595|0 |1 is obsolete|| Attachment #30015|0 |1 is obsolete|| --- Comment #20 from M. Tompsett --- Created attachment 36354 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=36354&action=edit Bug 10988 - Allow login via Google OAuth2 This is my rework of a patch by Nicholas van Oudtshoorn. Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 0) Back up your database 1) Apply this patch 2) In your mysql client use your Koha database and execute: > DELETE FROM systempreferences; > SOURCE ~/kohaclone/installer/data/mysql/sysprefs.sql; -- Should be no errors. > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see 4 entries. > QUIT; 3) Restore your database 4) Run ./installer/data/mysql/updatedatabase.pl; 5) In your mysql client use your Koha database and execute: > SELECT * FROM systempreferences LIKE 'GoogleOAuth%'; -- Should see the same 4 entries. 6) Log into the staff client 7) Home -> Koha administration -> Global system preferences 8) -> Administration -- There should be a 'Google OAuth2' section with the ability to set those 4 system preferences. 9) In a new tab, go to https://console.developers.google.com/project 10) Click 'Create Project' 11) Type in a project name that won't freak users out, like your library name (e.g. South Pole Library). 12) Click the 'Create' button. 13) Click the 'APIs & auth' in the left frame. 14) Click 'Credentials' 15) Click 'Create new Client ID' 16) Select 'Web application' and click 'Configure consent screen'. 17) Select the Email Address. 18) Put it a meaningful string into the Product Name (e.g. South Pole Library Authentication) 19) Fill in the other fields as desired (or not) 20) Click 'Save' 21) Change the 'AUTHORIZED JAVASCRIPT ORIGINS' to your OPACBaseURL. (http://library.yourDNS.org) 22) Change the 'AUTHORIZED REDIRECT URIS' to point to the new googleoauth2 script (http://library.yourDNS.org/cgi-bin/koha/svc/googleoauth2) 23) Click 'Create Client ID' 24) Copy and paste the 'CLIENT ID' into the GoogleOAuth2ClientID system preference. 25) Copy and paste the 'CLIENT SECRET' into the GoogleOAuth2ClientSecret system preference. 26) Change the GoogleOAuth2 preference to 'Use'. 27) Click 'Save all Administration preferences' 28) In the OPAC, click 'Log in to your account'. -- You should get a confirmation request, if you are already logged in, OR a login screen if you are not. -- You need to have the primary email address set to one authenticated by Google in order to log in. 29) Run koha qa test tools I've obsoleted the two previous patches. Hopefully, I didn't miss anything. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Martin Renvoize changed: What|Removed |Added CC||martin.renvoize@ptfs-europe ||.com --- Comment #19 from Martin Renvoize --- Interesting work.. could we have this rebased for testing Nicholas? -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #18 from Marc VĂ©ron --- I tried to apply the second patch: Allow Google OAuth2 Login It did not apply with: error: patch failed: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc:74 error: koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc: patch does not apply Did you hand edit your patch? It does not apply to blobs recorded in its index. Cannot fall back to three-way merge. -- Additionaly, I think in installer/data/mysql/updatedatabase.pl line 8573 should read: $DBversion = "XXX"; See: http://wiki.koha-community.org/wiki/System_Preferences -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #29594|0 |1 is obsolete|| Attachment #30014|0 |1 is obsolete|| --- Comment #17 from Nicholas van Oudtshoorn --- Created attachment 30015 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=30015&action=edit Allow Google OAuth2 Login New version of the patch - changes how the domain restriction is handled Rather than using the undocumented hl oauth2 parameter, we now manually check to see if an email is in the required domain or not. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #16 from Nicholas van Oudtshoorn --- Created attachment 30014 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=30014&action=edit New version of the patch - changes how the domain restriction is handled Rather than using the undocumented hl oauth2 parameter, we now manually check to see if an email is in the required domain or not. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #25570|0 |1 is obsolete|| --- Comment #15 from Nicholas van Oudtshoorn --- Created attachment 29595 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=29595&action=edit For updating an INSTALLED 3.14.03 to use GoogleOAuth2 (In reply to Samuel Martin from comment #12) I assume you're talking about the patch to jerry-rig OAuth2 into an already installed system? > In the file: usr/share/koha/opac/cgi-bin/opac/svc/googleoauth2 > there appeared to be some lines missing in the patch at the very beginning > of the file. Though the code is available here in this bug. So that was easy > to fix. Thanks for that. I've updated the INSTALLED patch with the missing lines! > > And then we still had some issues. At that time I still had an error 400 > straight from google this time. We had to set up the opac URL in: > /etc/apache2/conf.d/ Hmmm - that's strange. What exactly did you change? > Also: in the opac-main there is no hint where to log in with the google > account. It would be a nice feature that once you use Google Oauth it would > say which log in link to use to do that. Maybe even with a google logo? Agreed. The main patch has been changed so that the top-left login link works for oauth2 if that is set up. Here at PBC we've changed our templates to show a button for OAuth2 login, and another for manual logins. I can provide the patch, if it would be useful... > Other than that the patch is working perfectly though I didn't test it > extensively. It's only running on my test server. Glad to hear it! -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #14 from Nicholas van Oudtshoorn --- (In reply to Marc VĂ©ron from comment #10) > Patch did not apply. Merge conflict in > koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc Should apply cleanly with the latest patch... -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #25684|0 |1 is obsolete|| CC||vano...@gmail.com --- Comment #13 from Nicholas van Oudtshoorn --- Created attachment 29594 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=29594&action=edit Allow Google OAuth2 Login Fixed the patch so that it again cleanly applies. Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type - in the redirect uri enter /cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Samuel Martin changed: What|Removed |Added CC||samuel.n.mar...@gmail.com --- Comment #12 from Samuel Martin --- Ran a test on this patch. And I had some issues. I'm no good at programming. But a friend of mine helped me. I thought I could post this to help out others. I hope you'll understand what I mean. I'm new here and more of a librarian than a programmer. So... Here's what we found out: In the file: usr/share/koha/opac/cgi-bin/opac/svc/googleoauth2 there appeared to be some lines missing in the patch at the very beginning of the file. Though the code is available here in this bug. So that was easy to fix. And then we still had some issues. At that time I still had an error 400 straight from google this time. We had to set up the opac URL in: /etc/apache2/conf.d/ I'm not sure if this was supposed to be done before or not. But I had to do it at that time. Also: in the opac-main there is no hint where to log in with the google account. It would be a nice feature that once you use Google Oauth it would say which log in link to use to do that. Maybe even with a google logo? Other than that the patch is working perfectly though I didn't test it extensively. It's only running on my test server. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #11 from Nicholas van Oudtshoorn --- Oh no! I'm on holiday for the next week, but will fix it next Tuesday. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #10 from Marc VĂ©ron --- Patch did not apply. Merge conflict in koha-tmpl/opac-tmpl/bootstrap/en/includes/masthead.inc -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Marc VĂ©ron changed: What|Removed |Added CC||ve...@veron.ch -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 --- Comment #9 from Nicholas van Oudtshoorn --- Ping on this. Anybody interested in signing this one off? -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Owen Leonard changed: What|Removed |Added Version|unspecified |master Assignee|gmcha...@gmail.com |vano...@gmail.com -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 10988] Allow login via Google OAuth2
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10988 Nicholas van Oudtshoorn changed: What|Removed |Added Attachment #25343|0 |1 is obsolete|| --- Comment #8 from Nicholas van Oudtshoorn --- Created attachment 25684 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=25684&action=edit Bug 10988 [ENH] Allow login via Google OAuth2 Adds googleoauth2 login to koha. Adds applicable system preferences Modifies templates to support oauth2 login failures changes the login links to use googleoauth2 when oauth2 is enabled. This latest patch adds the new system preferences using updatedatabase.pl Test Plan: 1) Apply this patch 2) Update the database (this is the bit I'm not sure about - I've added the SQL into the atomicupdates directory - is this right?) 3) Create a web app in the google cloud console: - Go to https://cloud.google.com/console - Create a project, and give it some details - Open the Project by clicking on it - Under APIs & auth menu, open "Registered Apps" and click "Register App" - Give it a name and make sure you select "Web app", click ok - Under OAuth 2.0 Client ID, - under web origin, type - in the redirect uri enter /cgi-bin/koha/svc/googleoauth2 - click Generate 4) Set the GoogleOAuth2ClientID and GoogleOAuth2ClientSecret according to the values generated above 5) Test that clicking login intiates an oauth2 login 6) Try logging in with an email that is not registered to a library user. It should fail and offer either to retry or to login manually. 7) Try logging in with an email that is registered to a library user. You should be logged in. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
