[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Michaela Sieber changed:

               What|Removed                     |Added
                 CC|                            |clemens.tub...@kit.edu,
                   |                            |lukasz.kos...@kit.edu,
                   |                            |michaela.sie...@kit.edu

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #16 from Matt Blenkinsop ---
Nice work everyone!

Pushed to stable for 22.11.x
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Matt Blenkinsop changed:

               What|Removed                     |Added
             Status|Pushed to master            |Pushed to stable
         Version(s)|23.05.00                    |23.05.00,22.11.07
        released in|                            |
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Jonathan Druart changed:

               What|Removed                     |Added
           Keywords|rel_23_05_candidate         |
                 CC|                            |jonathan.druart+koha@gmail.com
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #15 from Tomás Cohen Arazi ---
Pushed to master for 23.05.

Nice work everyone, thanks!
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
         Version(s)|                            |23.05.00
        released in|                            |
             Status|Passed QA                   |Pushed to master
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
             Status|Signed Off                  |Passed QA
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
             Status|Needs Signoff               |Signed Off
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #14 from David Cook ---
(In reply to David Cook from comment #10)
> (In reply to Tomás Cohen Arazi from comment #9)
> > They look great. I was really tired last night when I submitted. Thanks!
>
> No worries. How do we want to do the sign offs for these?

I've added my sign off to the patches. If you want to do the same for my last two, then I think we could move this to "Signed Off"?
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
 Attachment #150919|0                           |1
        is obsolete|                            |

--- Comment #13 from David Cook ---
Created attachment 151039
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151039&action=edit
Bug 33708: Allow anonymous access to OAuth endpoints

Users need anonymous access to OAuth endpoints so that they can login,
and then use authenticated access for other endpoints.

Signed-off-by: David Cook
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
 Attachment #150918|0                           |1
        is obsolete|                            |

--- Comment #12 from David Cook ---
Created attachment 151038
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151038&action=edit
Bug 33708: Provide non-public endpoint for OAuth/OIDC for staff interface

This change fixes the definition for the non-public endpoint for
the OAuth/OIDC implementation. It also uses the non-public endpoint
for the staff interface UI.

Signed-off-by: David Cook
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
 Attachment #150905|0                           |1
        is obsolete|                            |

--- Comment #11 from David Cook ---
Created attachment 151037
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=151037&action=edit
Bug 33708: Make staff interface login not require public API (OAuth/OIDC)

This patch makes the URL for staff login not point to the `/public`
namespace. The behavior is not changed for the protocol, but as
`/public` requires several settings to be available, it effectively
requires to enable the OPAC, the public API, etc.

This patch differentiates both to solve the problem.

I've tested following the Wiki instructions to set keycloak [1] using
the *--sso* switch for `ktd` as well [2]. It is important to set the
following URLs as allowed redirect in order to replicate the issue and
verify the fix:

http://localhost:8080/api/v1/public/oauth/login/test/opac
http://localhost:8081/api/v1/oauth/login/test/staff

To test:
1. Login into the staff interface using the SSO link:
=> FAIL: Results in a 'Bad redirect URL' error
2. Apply this patch and repeat 1
=> SUCCESS: You get a permission denied error or you just login,
   depending on your setup.

[1] https://wiki.koha-community.org/wiki/Testing_SSO
[2] ktd --sso up -d

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Cook
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
             Blocks|                            |33675

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33675
[Bug 33675] Add CSRF protection to OAuth/OIDC authentication
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #10 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #9)
> They look great. I was really tired last night when I submitted. Thanks!

No worries. How do we want to do the sign offs for these?
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #9 from Tomás Cohen Arazi ---
(In reply to David Cook from comment #8)
> Tomas, take a look at my patches and let me know what you think.
>
> With all 3 patches, I've tested OIDC on staff interface and OPAC, and gotten
> them working with their respective URLs.

They look great. I was really tired last night when I submitted. Thanks!
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #8 from David Cook ---
Tomas, take a look at my patches and let me know what you think.

With all 3 patches, I've tested OIDC on staff interface and OPAC, and gotten them working with their respective URLs.
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #7 from David Cook ---
Created attachment 150919
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=150919&action=edit
Bug 33708: Allow anonymous access to OAuth endpoints

Users need anonymous access to OAuth endpoints so that they can login,
and then use authenticated access for other endpoints.
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
             Status|Failed QA                   |Needs Signoff
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #6 from David Cook ---
Created attachment 150918
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=150918&action=edit
Bug 33708: Provide non-public endpoint for OAuth/OIDC for staff interface

This change fixes the definition for the non-public endpoint for
the OAuth/OIDC implementation. It also uses the non-public endpoint
for the staff interface UI.
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #5 from David Cook ---
If I fix the URL and the Swagger, then I get a 401 trying to access http://localhost:8081/api/v1/oauth/login/keycloak/staff

I think I thought about this a bit when the OAuth/OIDC functionality was being developed.

--

(The public endpoint actually has a similar problem. If you have disabled OpacPublic, you have to enable RESTPublicAnonymousRequests in order to use the OAuth/OIDC for the OPAC.)
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #4 from David Cook ---
If I fix the URL, then I get a 404.

I see the paths in api/v1/swagger/paths/oauth.yaml but it doesn't appear in http://localhost:8081/api/v1/.html

Ah because it's missing from api/v1/swagger/swagger.yaml
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

David Cook changed:

               What|Removed                     |Added
             Status|Needs Signoff               |Failed QA

--- Comment #3 from David Cook ---
Not all URLs are updated it seems.

The path for the URL for the button "Log in with Keycloak" on the staff interface is still /api/v1/public/oauth/login/keycloak/staff

If you disable the sysprefs "RESTPublicAnonymousRequests" and "RESTPublicAPI", you'll see the following error

{"error":"Configuration prevents the usage of this endpoint by unprivileged users"}
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #2 from David Cook ---
Looking at this now...
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
                 CC|                            |agustinmoy...@theke.io
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
                 CC|                            |dc...@prosentient.com.au
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                     |Added
             Status|NEW                         |Needs Signoff
           Keywords|                            |rel_23_05_candidate
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

--- Comment #1 from Tomás Cohen Arazi ---
Created attachment 150905
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=150905&action=edit
Bug 33708: Make staff interface login not require public API (OAuth/OIDC)

This patch makes the URL for staff login not point to the `/public`
namespace. The behavior is not changed for the protocol, but as
`/public` requires several settings to be available, it effectively
requires to enable the OPAC, the public API, etc.

This patch differentiates both to solve the problem.

I've tested following the Wiki instructions to set keycloak [1] using
the *--sso* switch for `ktd` as well [2]. It is important to set the
following URLs as allowed redirect in order to replicate the issue and
verify the fix:

http://localhost:8080/api/v1/public/oauth/login/test/opac
http://localhost:8081/api/v1/oauth/login/test/staff

To test:
1. Login into the staff interface using the SSO link:
=> FAIL: Results in a 'Bad redirect URL' error
2. Apply this patch and repeat 1
=> SUCCESS: You get a permission denied error or you just login,
   depending on your setup.

[1] https://wiki.koha-community.org/wiki/Testing_SSO
[2] ktd --sso up -d

Signed-off-by: Tomas Cohen Arazi
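
Added example, not part of the thread and not Koha code: a Python check of login URLs against the two allowed redirect URLs from the test plan above, which also flags a staff link that still sits under `/public`. The function names, the finding strings and the exact-match comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Allowed redirect URLs, taken from the test plan in this thread.
ALLOWED_REDIRECTS = frozenset({
    "http://localhost:8080/api/v1/public/oauth/login/test/opac",
    "http://localhost:8081/api/v1/oauth/login/test/staff",
})

# Namespace each interface is expected to use once the patch is applied:
# OPAC logins stay under /public, staff logins do not.
EXPECTED_PUBLIC = {"opac": True, "staff": False}


def parse_login_url(url):
    """Split a login URL into (is_public, provider, interface).

    Accepts only /api/v1[/public]/oauth/login/<provider>/<interface>
    and returns None for anything else.
    """
    parts = urlsplit(url)
    if parts.query or parts.fragment:
        return None
    segs = parts.path.split("/")[1:]  # drop the empty leading segment
    if segs[:2] != ["api", "v1"]:
        return None
    segs = segs[2:]
    is_public = bool(segs) and segs[0] == "public"
    if is_public:
        segs = segs[1:]
    if len(segs) != 4 or segs[:2] != ["oauth", "login"]:
        return None
    provider, interface = segs[2], segs[3]
    if not provider or interface not in EXPECTED_PUBLIC:
        return None
    return is_public, provider, interface


def audit_login_url(url, allowed=ALLOWED_REDIRECTS):
    """Return a list of findings; an empty list means the URL is consistent."""
    parsed = parse_login_url(url)
    if parsed is None:
        return ["unrecognised-login-path"]
    is_public, _provider, interface = parsed
    findings = []
    if is_public != EXPECTED_PUBLIC[interface]:
        findings.append("wrong-namespace-for-" + interface)
    # Assumption: exact string comparison, no prefix or wildcard matching.
    if url not in allowed:
        findings.append("not-in-allowed-redirects")
    return findings


# Constructed sample: the staff link shape reported in comment #3, with the
# provider code "test" used in the test plan.
PRE_PATCH_STAFF = "http://localhost:8081/api/v1/public/oauth/login/test/staff"

if __name__ == "__main__":
    for u in sorted(ALLOWED_REDIRECTS | {PRE_PATCH_STAFF}):
        print(u, audit_login_url(u) or "ok")
```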
[Koha-bugs] [Bug 33708] OAuth/OIDC authentication for the staff interface requires OPAC enabled
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33708

Tomás Cohen Arazi changed:

               What|Removed                            |Added
           Assignee|koha-b...@lists.koha-community.org |tomasco...@gmail.com
                 CC|                                   |martin.renvoize@ptfs-europe.com,
                   |                                   |n...@bywatersolutions.com,
                   |                                   |tomasco...@gmail.com