[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #16 from David Cook ---
Just noting that I've signed off Bug 30988 so it would be great to get some QA eyes on it.

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #15 from David Cook ---
While this patch has more functionality than bug 30988, it was originally written for a buggy OIDC IdP 8 years ago and it's outdated in a number of ways.

While I run a newer local version in prod (and I probably will keep running it locally), I actually want to re-write this functionality using Mojolicious. In fact, there's already a plugin to take care of the majority of it: https://metacpan.org/pod/Mojolicious::Plugin::OAuth2

But I'm not planning on doing that any time soon, so I'm happy to endorse bug 30988 as the replacement for bug 21586, since Shi Yao Wang is actively working on that one.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

David Cook changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | DUPLICATE

--- Comment #14 from David Cook ---
*** This bug has been marked as a duplicate of bug 30988 ***
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

David Cook changed:

What     | Removed | Added
See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28420
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

David Cook changed:

What | Removed | Added
CC   |         | mark.jaro...@gmail.com
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

David Cook changed:

What     | Removed | Added
See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25796
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #13 from Michal Denar ---
Great news, David.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #12 from David Cook ---
I decided to make some strides on generic authentication and opened https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24539

I've refactored my OpenID Connect code to take advantage of a standard generic interface in Auth.pm and opac-auth.tt. I still have some work to do on the endpoint that triggers the login, but I have some ideas about that.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #11 from David Cook ---
Created attachment 97684
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=97684&action=edit
Local login plus external login

Example of local login plus external logins.

The links/buttons are for URLs like this:
https://gitlab.com/users/auth/google_oauth2
https://gitlab.com/users/auth/twitter

It would be interesting to have plugins so that we could do things like:
https://koha/users/auth/google
https://koha/users/auth/custom_idp1
https://koha/users/auth/custom_idp2
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #10 from David Cook ---
I don't have plans to work on this at present, but it is an interest of mine, so if I find myself with spare time, I would work on it (although the OAI-PMH harvester is a competing albeit much more complex interest).
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #9 from David Cook ---
Actually, this one would be great to add as an "Authentication Plugin" for Koha.

Looking at my code, the only part of it which doesn't lend itself to a plugin architecture are the changes to Auth.pm and opac-auth.tt. However, we could probably remove the necessity for opac-auth.tt changes. And we could add hooks into Auth.pm for login and logout. Looking at my code, those shouldn't be that hard to add.

--

One of the interesting things with this work was setting up multiple OpenID Connect providers. I'm not sure how often that would actually be a requirement (as I think people sometimes use another IdP to federate others together) but it was originally a requirement for my work, and it's something I've seen other people ask for online.

--

Really we should be able to use OpenID Connect against Google and any other compliant IdP (like Keycloak).
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #8 from David Cook ---
This code is out of date, and has a few known problems.

However, I have a newer version, which I actually have working with the Keycloak OpenID Connect Identity Provider. For testing purposes, I very easily ran up an instance in Docker (https://hub.docker.com/r/jboss/keycloak/), and after resolving a bug in my code, I was able to successfully authenticate and auto-add a patron to Koha.

It's worth noting that I have used Keycloak for other projects for a while now, so the server configuration was trivial for me, but it might not be obvious at a glance. There is lots of documentation though. Might also be worth noting that Keycloak is sponsored by Red Hat and forms the core of RH-SSO, which Red Hat actually uses for all its own AuthN purposes.

Note that even though I have a new version of the code that works, I'd actually like to redo my code for this one.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

Stefan Berndtsson changed:

What | Removed | Added
CC   |         | stefan.berndts...@ub.gu.se
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

Katrin Fischer changed:

What | Removed | Added
CC   |         | o...@critfc.org

--- Comment #7 from Katrin Fischer ---
*** Bug 3237 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #6 from David Cook ---
Happy for other people to work on this. This isn't really a priority for me at the moment, although it would be a great addition to Koha!
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #5 from David Cook ---
I've recently been looking at Keycloak https://www.keycloak.org and I'm thinking it could be something that we use for testing this.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #4 from David Cook ---
Comment on attachment 80689
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=80689
Bug 21586: Add generic OpenIDConnect client implementation

Review of attachment 80689:
  --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=21586&attachment=80689)
-

::: C4/Auth.pm @@ +1789,4 @@ > } > else { > # catch all defaults to tmp should work on all systems > +my $dir = C4::Context::temporary_directory();

Ooops. This was a local fix that I did so that C4::Auth would compile for my client side git hook...I should take that out.
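Review bot: in the `else` branch of the C4/Auth.pm hunk, the added `my $dir = C4::Context::temporary_directory();` declares a new lexical inside the block; if the surrounding code reads `$dir` after the if/else, this `my` would shadow the outer variable and the value would be lost at the closing brace, so assign to the existing variable instead. The line is also unrelated to the OpenID Connect client and would be better dropped from this patch or submitted separately.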
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

Martin Renvoize changed:

What | Removed | Added
CC   |         | martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #3 from David Cook ---
login_openidc is a bit outdated with its POD...

Additional configuration options to consider as children of the "provider" element:
client_secret_post form https://provider/openidconnect/destroy_session

Another optional child of the "mapping" element:
company_name

(I added this since OpenIDConnect technically allows providers to provide non-typical claims too. This could use a better mechanism for configuration.)
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #2 from David Cook ---
To test:

1) View the =head1 DESCRIPTION in opac/svc/login_openidc. It tells you to write a large chunk of XML into koha-conf.xml. (NOTE: The "prosentient" element is a sibling to the "config" element. The only parent to the "prosentient" element is the "yazgfs" element. This is very important.)
2) Configure koha-conf.xml to point to the OpenIDConnect server to which you want to connect.
3) Change $debugging in opac/svc/login_openidc from 0 to 1. This will help you with your troubleshooting considerably.
4) On your Koha OPAC, using a system preference, add a URL like http://your-koha-host/cgi-bin/koha/svc/login_openidc?pid=foo
5) Click on that link and it should redirect you to a login page for your upstream authentication provider. After you fill that out, you should be returned to your Koha as a logged in user (NOTE: email address is used for matching... if your email address already exists in Koha, you'll be logged in as that user. If your email address doesn't exist, a new user will be created with your details from your upstream provider.)

--

If I've missed anything, comment here or reach me on IRC, and I can provide more details!
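The email matching rule from step 5 of the test plan above, as an added example (not code from the attached patch or from Koha). It assumes the ID token has already been validated, and it goes beyond the test plan by requiring the standard OIDC `email_verified` claim before matching on email; `%patrons`, `email_is_verified` and `resolve_patron` are hypothetical names and the claim sets are constructed.

```perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Constructed patron store keyed by lower-cased email (stands in for the
# patron table; hypothetical, not Koha's API).
my %patrons = ( 'alice@example.org' => { borrowernumber => 1 } );
my $next_borrowernumber = 2;

# Interpret email_verified strictly: JSON booleans decode to objects that
# test true/false, but the string "false" is a true value in Perl.
sub email_is_verified {
    my ($value) = @_;
    return 0 unless defined $value;
    return ( $value ? 1 : 0 ) if ref $value;    # JSON::PP::Boolean
    return $value =~ /\A(?:1|true)\z/i ? 1 : 0;
}

# Apply the step 5 rule to the claims of an already validated ID token.
# Returns (action, borrowernumber) where action is login, create or reject.
sub resolve_patron {
    my ($claims) = @_;
    my $email = lc( $claims->{email} // '' );
    return ( 'reject', undef ) unless $email =~ /\A[^\@\s]+\@[^\@\s]+\z/;
    return ( 'reject', undef )
        unless email_is_verified( $claims->{email_verified} );

    if ( my $patron = $patrons{$email} ) {
        return ( 'login', $patron->{borrowernumber} );
    }
    $patrons{$email} = {
        borrowernumber => $next_borrowernumber++,
        firstname      => $claims->{given_name},
        surname        => $claims->{family_name},
    };
    return ( 'create', $patrons{$email}{borrowernumber} );
}

# Constructed claim sets, as a provider's ID token payload might decode.
my @samples = (
    '{"sub":"u1","email":"Alice@Example.org","email_verified":true}',
    '{"sub":"u2","email":"alice@example.org","email_verified":"false"}',
    '{"sub":"u3","email":"bob@example.org","email_verified":true,"given_name":"Bob","family_name":"Lee"}',
    '{"sub":"u4","email":"alice@example.org"}',
);
for my $json (@samples) {
    my $claims = decode_json($json);
    my ( $action, $id ) = resolve_patron($claims);
    printf "%-4s %-18s -> %s%s\n", $claims->{sub}, $claims->{email}, $action,
        defined $id ? " (borrowernumber $id)" : '';
}
```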
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

--- Comment #1 from David Cook ---
Created attachment 80689
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=80689&action=edit
Bug 21586: Add generic OpenIDConnect client implementation

BEWARE: This patch is not ready for sign off!

This is partially since it exists within Prosentient namespaces, and partially because a lot of things could probably be improved, since I originally wrote this code 4 years ago for 1 specific client.

I'm adding this patch so that others can look at this work, and either adapt it themselves, or test it and give me feedback so that I can update it.

I can't guarantee that it works in its current state, as the latest version I support with this code is 17.05, and I've touched up a few things here and there that differ from my running code.
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

David Cook changed:

What     | Removed                            | Added
Assignee | koha-b...@lists.koha-community.org | dc...@prosentient.com.au
[Koha-bugs] [Bug 21586] Add generic OpenIDConnect client implementation
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21586

Josef Moravec changed:

What | Removed | Added
CC   |         | blac...@gmail.com, josef.mora...@gmail.com