[Bug 20402] New: Implement OAuth2 authentication for REST API


[Bug 20402] New: Implement OAuth2 authentication for REST API

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

            Bug ID: 20402
           Summary: Implement OAuth2 authentication for REST API
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: ASSIGNED
          Severity: enhancement
          Priority: P5 - low
         Component: REST api
          Assignee: [hidden email]
          Reporter: [hidden email]

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #1 from Julian Maurice <[hidden email]> ---
Created attachment 72865
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72865&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with basic scopes
support (only one is defined, "patrons.read").
API Clients are defined in $KOHA_CONF.

Test plan:
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <scope>patrons.read</scope>
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://koha/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
   - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. Set method to GET and url to http://koha/api/v1/patrons
   It should return 200 OK with the list of patrons
7. Remove or change the <scope> from $KOHA_CONF (reload starman &
   memcached) and see that you cannot generate a new token.
   Then reset the scope to its initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2
   occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status
   Undo your changes in api/v1/swagger/paths/patrons.json and reload
   starman again.
9. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/

[Bug 20402] Implement OAuth2 authentication for REST API

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |Needs Signoff

[Bug 20402] Implement OAuth2 authentication for REST API

Josef Moravec <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #2 from M. Tompsett <[hidden email]> ---
Created attachment 72874
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72874&action=edit
Bug 20402: Follow-up to correct uninitialized failures

Added type => 'access' to the token request line in
Koha/REST/V1/OAuth.pm based on my quick skim of
/usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm
which was complaining, and seemed to allow valid values of
'auth', 'refresh', and 'access'.

[Bug 20402] Implement OAuth2 authentication for REST API

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72865|0                           |1
        is obsolete|                            |

--- Comment #3 from Julian Maurice <[hidden email]> ---
Created attachment 72886
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72886&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with basic scopes
support (only one is defined, "patrons.read").
API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <scope>patrons.read</scope>
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
   - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   It should return 200 OK with the list of patrons
7. Remove or change the <scope> from $KOHA_CONF (reload starman &
   memcached) and see that you cannot generate a new token.
   Then reset the scope to its initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2
   occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status
   Undo your changes in api/v1/swagger/paths/patrons.json and reload
   starman again.
9. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #4 from Julian Maurice <[hidden email]> ---
Created attachment 72887
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72887&action=edit
Bug 20402: Add Net::OAuth2::AuthorizationServer to perl deps

[Bug 20402] Implement OAuth2 authentication for REST API

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72874|0                           |1
        is obsolete|                            |

--- Comment #5 from Julian Maurice <[hidden email]> ---
Created attachment 72888
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72888&action=edit
Bug 20402: Follow-up to correct uninitialized failures

Added type => 'access' to the token request line in
Koha/REST/V1/OAuth.pm based on my quick skim of
/usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm
which was complaining, and seemed to allow valid values of
'auth', 'refresh', and 'access'.

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #6 from Julian Maurice <[hidden email]> ---
Note: you can add as many API clients as you want by adding additional
<api_client> elements.

I'm sure it would be better for API clients to be stored in database with a
nice interface to manage them in Koha. But I think that can come later.

[Bug 20402] Implement OAuth2 authentication for REST API

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72886|0                           |1
        is obsolete|                            |

--- Comment #7 from M. Tompsett <[hidden email]> ---
Created attachment 72892
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72892&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with basic scopes
support (only one is defined, "patrons.read").
API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <scope>patrons.read</scope>
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
   - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   It should return 200 OK with the list of patrons
7. Remove or change the <scope> from $KOHA_CONF (reload starman &
   memcached) and see that you cannot generate a new token.
   Then reset the scope to its initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes' (2
   occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status
   Undo your changes in api/v1/swagger/paths/patrons.json and reload
   starman again.
9. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/

Signed-off-by: Mark Tompsett <[hidden email]>

[Bug 20402] Implement OAuth2 authentication for REST API

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72887|0                           |1
        is obsolete|                            |

--- Comment #8 from M. Tompsett <[hidden email]> ---
Created attachment 72893
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72893&action=edit
Bug 20402: Add Net::OAuth2::AuthorizationServer to perl deps

Signed-off-by: Mark Tompsett <[hidden email]>

[Bug 20402] Implement OAuth2 authentication for REST API

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72888|0                           |1
        is obsolete|                            |

--- Comment #9 from M. Tompsett <[hidden email]> ---
Created attachment 72894
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72894&action=edit
Bug 20402: Follow-up to correct uninitialized failures

Added type => 'access' to the token request line in
Koha/REST/V1/OAuth.pm based on my quick skim of
/usr/share/perl5/Net/OAuth2/AuthorizationServer/Defaults.pm
which was complaining, and seemed to allow valid values of
'auth', 'refresh', and 'access'.

Signed-off-by: Mark Tompsett <[hidden email]>

[Bug 20402] Implement OAuth2 authentication for REST API

M. Tompsett <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off
                 CC|                            |[hidden email]

--- Comment #10 from M. Tompsett <[hidden email]> ---
Only concern is if the authorization isn't attempted after it expires, the
oauth_access_tokens record will lie in the table indefinitely. But works nicely
otherwise.

[Bug 20402] Implement OAuth2 authentication for REST API

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #11 from Marcel de Rooy <[hidden email]> ---
Julian: Unit tests ?

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #12 from Julian Maurice <[hidden email]> ---
Created attachment 73086
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=73086&action=edit
Bug 20402: Add unit tests

Also, avoid some Perl warnings about undefined variables, and check that
grant_type parameter is set correctly

Test plan:
1. prove t/db_dependent/api/v1/oauth.t

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #13 from Julian Maurice <[hidden email]> ---
Created attachment 73087
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=73087&action=edit
Bug 20402: Add cronjob script to delete expired tokens

Test plan:
1. Generate X tokens (X > 1)
2. mysql> UPDATE oauth_access_tokens SET expires = 0
3. Generate Y tokens (Y > 1)
4. Run the script
5. Verify that only Y tokens remain

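As an added example (not Koha's own code, which is Perl built on Net::OAuth2::AuthorizationServer), the Python below models what the test plan in comments 1, 3 and 7 exercises in steps 6 to 9, the grant_type check from comment 12, and the expired-token cleanup from comment 13 that answers the concern in comment 10. The client id and secret are placeholders, the store is an in-memory SQLite table named oauth_access_tokens, and every column name except expires is an assumption.

```python
import hmac
import secrets
import sqlite3
import time

# Constructed stand-in for the <api_client> element in $KOHA_CONF (placeholder values).
API_CLIENTS = {
    "example-client-id": {"client_secret": "example-client-secret", "scope": "patrons.read"},
}
TOKEN_LIFETIME = 3600  # the test plan says a token is valid for one hour


def open_token_store():
    """In-memory oauth_access_tokens table; only the 'expires' column name comes from the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE oauth_access_tokens ("
        " access_token TEXT PRIMARY KEY, client_id TEXT NOT NULL,"
        " scope TEXT NOT NULL, expires INTEGER NOT NULL)"
    )
    return db


def issue_token(db, form, now=None):
    """POST /api/v1/oauth/token with credentials in the request body -> (status, json_body)."""
    now = int(time.time() if now is None else now)
    # Comment 12: refuse the request unless grant_type is the one flow that is implemented.
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = API_CLIENTS.get(form.get("client_id", ""))
    # Constant-time comparison; an unknown id is compared against a dummy secret
    # so response timing does not reveal which client ids are configured.
    expected = client["client_secret"] if client else "0" * 32
    supplied = form.get("client_secret", "")
    if not (hmac.compare_digest(expected.encode(), supplied.encode()) and client):
        return 401, {"error": "invalid_client"}
    # Step 7: the token may only carry scopes that $KOHA_CONF grants to this client.
    granted = set(client["scope"].split())
    requested = set(form.get("scope", "").split()) or granted
    if not requested <= granted:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO oauth_access_tokens VALUES (?, ?, ?, ?)",
        (token, form["client_id"], " ".join(sorted(requested)), now + TOKEN_LIFETIME),
    )
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


def authorize(db, authorization_header, required_scopes, now=None):
    """Check the Authorization header sent to a protected route; returns the HTTP status."""
    now = int(time.time() if now is None else now)
    if not authorization_header.startswith("Bearer "):
        return 401
    token = authorization_header[len("Bearer "):]
    row = db.execute(
        "SELECT scope, expires FROM oauth_access_tokens WHERE access_token = ?", (token,)
    ).fetchone()
    if row is None:
        return 403
    scope, expires = row
    if expires <= now:
        # Step 9: an expired token is refused and removed from the table on the spot.
        db.execute("DELETE FROM oauth_access_tokens WHERE access_token = ?", (token,))
        return 403
    # Step 8: every scope listed in the route's x-koha-scopes must be in the token.
    if not set(required_scopes) <= set(scope.split()):
        return 403
    return 200


def cleanup_expired_tokens(db, now=None):
    """Comment 13's cronjob: delete expired tokens that were never presented again,
    which is what comment 10 worried about. Returns the number of rows deleted."""
    now = int(time.time() if now is None else now)
    return db.execute("DELETE FROM oauth_access_tokens WHERE expires <= ?", (now,)).rowcount


def count_tokens(db):
    return db.execute("SELECT COUNT(*) FROM oauth_access_tokens").fetchone()[0]


if __name__ == "__main__":
    db = open_token_store()
    creds = {"grant_type": "client_credentials", "client_id": "example-client-id",
             "client_secret": "example-client-secret", "scope": "patrons.read"}
    status, body = issue_token(db, creds, now=0)
    header = "Bearer " + body["access_token"]
    print("step 6 (GET /api/v1/patrons):", authorize(db, header, ["patrons.read"], now=10))  # 200
    print("step 8 (scope mismatch):", authorize(db, header, ["patrons.write"], now=10))  # 403
    print("step 9 (expired):", authorize(db, header, ["patrons.read"], now=3600))  # 403
    print("tokens left in table:", count_tokens(db))  # 0
```

The `now` parameter stands in for the one-hour wait (or the `UPDATE oauth_access_tokens SET expires = 0` shortcut) in step 9 and in the cronjob test plan.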

[Bug 20402] Implement OAuth2 authentication for REST API

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #14 from Tomás Cohen Arazi <[hidden email]> ---
A couple remarks:

- I like it
- I think the way scopes are defined needs more thinking, also its relation to
permissions. The patchset adds patrons.read but I'm sure we need a spec on how
these are defined and documented.
- The cleanup script could just be replaced by an addition to the (already
configured for everyone) cleanup_database.pl script.

[Bug 20402] Implement OAuth2 authentication for REST API

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         QA Contact|                            |[hidden email]

[Bug 20402] Implement OAuth2 authentication for REST API

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dependency

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #15 from Julian Maurice <[hidden email]> ---
(In reply to Tomás Cohen Arazi from comment #14)
> - I think the way scopes are defined needs more thinking, also its relation
> to permissions. The patchset adds patrons.read but I'm sure we need a spec
> on how these are defined and documented.
I agree. It looks like OpenAPI spec covers that
(https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject)
but I'm not sure if we can and should use this.

About relation to permissions, do you think we should have 1:1 relationship
between scopes and permissions ?

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #16 from Tomás Cohen Arazi <[hidden email]> ---
(In reply to Julian Maurice from comment #15)

> (In reply to Tomás Cohen Arazi from comment #14)
> > - I think the way scopes are defined needs more thinking, also its relation
> > to permissions. The patchset adds patrons.read but I'm sure we need a spec
> > on how these are defined and documented.
> I agree. It looks like OpenAPI spec covers that
> (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject)
> but I'm not sure if we can and should use this.
>
> About relation to permissions, do you think we should have 1:1 relationship
> between scopes and permissions ?

I think our permissions granularity is not enough for that. But I would like to
see a spec to discuss about how scopes would be defined, having a catalog of
them, etc.

[Bug 20402] Implement OAuth2 authentication for REST API

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #17 from Tomás Cohen Arazi <[hidden email]> ---
I think we should tie api id and keys to patrons to take advantage of the
current permission system. And introduce the use of scopes at a later stage.

Julian: can you do it? i.e. pick the code you once wrote for having patrons
create api keys on the staff interface?

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #18 from Julian Maurice <[hidden email]> ---
(In reply to Tomás Cohen Arazi from comment #17)
> I think we should tie api id and keys to patrons to take advantage of the
> current permission system. And introduce the use of scopes at a later stage.
>
> Julian: can you do it? i.e. pick the code you once wrote for having patrons
> create api keys on the staff interface?
I think it's not needed if you only want to tie an API client with a patron. We
could add a <userid>xxx</userid> in $KOHA_CONF, and act as if that user was
authenticated.

[Bug 20402] Implement OAuth2 authentication for REST API

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |ASSIGNED

--- Comment #19 from Julian Maurice <[hidden email]> ---
It has been decided during the IRC meeting to make it possible to tie an API
client with an existing patron and to use their permissions.
We give up the scopes for now, as it would require much more discussions and we
want OAuth2 in 18.05

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #20 from Julian Maurice <[hidden email]> ---
Created attachment 74009
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74009&action=edit
Bug 20402: Tie client with patron, remove scopes, use mojo plugin, ...

... and move cleanup code into misc/cronjobs/cleanup_database.pl

[Bug 20402] Implement OAuth2 authentication for REST API

--- Comment #21 from Julian Maurice <[hidden email]> ---
A few notes about the last patch:
- I attached it only as an easy way to see the last changes, because I will
squash all patches into one clean patch.
- The use of Mojolicious::Plugin::OAuth2::Server was suggested on IRC, but it
only helps removing a few lines of code. I'm not sure it's worth it (new
non-packaged dependency)
- The test plan in comment 7 is not correct anymore. Before testing, please
wait until I squash all patch and write a new test plan (or use your brain to
guess a new test plan :))

[Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #72892|0                           |1
        is obsolete|                            |
  Attachment #72893|0                           |1
        is obsolete|                            |
  Attachment #72894|0                           |1
        is obsolete|                            |
  Attachment #73086|0                           |1
        is obsolete|                            |
  Attachment #73087|0                           |1
        is obsolete|                            |
  Attachment #74009|0                           |1
        is obsolete|                            |

--- Comment #22 from Julian Maurice <[hidden email]> ---
Created attachment 74018
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74018&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with no scopes
support. API clients are tied to an existing patron and have the same
permissions as the patron they are tied to.
API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16 and
   Mojolicious::Plugin::OAuth2::Server 0.40
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   If patron X has permission 'edit_borrowers', it should return 200 OK
   with the list of patrons
   Otherwise it should return 403 with the list of required permissions
   (Please test both cases)
7. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.
8. Create a bunch of tokens using RESTer, make some of them expire
   using the previous SQL query, and run the following command:
     misc/cronjobs/cleanup_database.pl --oauth-tokens
   Verify that expired tokens were removed, and that the others are
   still there
9. prove t/db_dependent/api/v1/oauth.t

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/
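The client-credentials flow and the token-expiry behaviour this test plan exercises (steps 5 to 8), modelled as an added Python example that is not Koha's own Perl code: API_CLIENTS, PATRON_PERMISSIONS and TokenStore are constructed stand-ins for the <api_client> element in $KOHA_CONF, the patron's permission flags and the oauth_access_tokens table.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 3600  # tokens are valid for an hour, as in the test plan

# Constructed stand-in for the <api_client> elements in $KOHA_CONF
API_CLIENTS = {
    "client-1": {"client_secret": "s3cret", "patron_id": 42},
    "client-2": {"client_secret": "other", "patron_id": 43},
}
# Constructed stand-in for patron permissions (only patron 42 can edit borrowers)
PATRON_PERMISSIONS = {42: {"edit_borrowers"}, 43: set()}


@dataclass
class TokenStore:
    """Models the oauth_access_tokens table: token -> (client_id, expires)."""
    rows: dict = field(default_factory=dict)

    def issue(self, client_id, client_secret, now=None):
        """Client credentials grant (POST /oauth/token): returns (status, body)."""
        client = API_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
            return 400, {"error": "invalid_client"}
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.rows[token] = (client_id, now + TOKEN_TTL)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def authorize(self, token, required, now=None):
        """Bearer check for an endpoint needing `required` permission: returns HTTP status."""
        now = time.time() if now is None else now
        row = self.rows.get(token)
        if row is None:
            return 401  # unknown (or already purged) token
        client_id, expires = row
        if expires <= now:
            del self.rows[token]  # expired token is removed on use (step 7) -> 403
            return 403
        patron_id = API_CLIENTS[client_id]["patron_id"]  # client acts as its tied patron
        return 200 if required in PATRON_PERMISSIONS.get(patron_id, set()) else 403

    def cleanup(self, now=None):
        """cleanup_database.pl --oauth-tokens: drop expired rows, keep the rest (step 8)."""
        now = time.time() if now is None else now
        expired = [t for t, (_, exp) in self.rows.items() if exp <= now]
        for t in expired:
            del self.rows[t]
        return len(expired)
```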

[Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

Julian Maurice <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |Needs Signoff

--- Comment #23 from Julian Maurice <[hidden email]> ---
All patches squashed and rebased on master.

Please test!

[Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

Josef Moravec <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #24 from Josef Moravec <[hidden email]> ---
(In reply to Julian Maurice from comment #22)

> Created attachment 74018 [details] [review]
> Bug 20402: Implement OAuth2 authentication for REST API
>
> It implements only the "client credentials" flow with no scopes
> support. API clients are tied to an existing patron and have the same
> permissions as the patron they are tied to.
> API Clients are defined in $KOHA_CONF.
>
> Test plan:
> 0. Install Net::OAuth2::AuthorizationServer 0.16 and
>    Mojolicious::Plugin::OAuth2::Server 0.40
> 1. In $KOHA_CONF, add an <api_client> element under <config>:
>      <api_client>
>        <client_id>$CLIENT_ID</client_id>
>        <client_secret>$CLIENT_SECRET</client_secret>
>        <patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
>      </api_client>
> 2. Apply patch, run updatedatabase.pl and reload starman
> 3. Install Firefox extension RESTer [1]
> 4. In RESTer, go to "Authorization" tab and create a new OAuth2
>    configuration:
>    - OAuth flow: Client credentials
>    - Access Token Request Method: POST
>    - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
>    - Access Token Request Client Authentication: Credentials in request
>      body
>    - Client ID: $CLIENT_ID
>    - Client Secret: $CLIENT_SECRET
> 5. Click on the newly created configuration to generate a new token
>    (which will be valid only for an hour)
> 6. In RESTer, set HTTP method to GET and url to
>    http://$KOHA_URL/api/v1/patrons then click on SEND
>    If patron X has permission 'edit_borrowers', it should return 200 OK
>    with the list of patrons
>    Otherwise it should return 403 with the list of required permissions
>    (Please test both cases)
> 7. Wait an hour (or run the following SQL query:
>    UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
>    You should have a 403 Forbidden status, and the token must have been
>    removed from the database.

Token is removed, but I got status 500

> 8. Create a bunch of tokens using RESTer, make some of them expire
>    using the previous SQL query, and run the following command:
>      misc/cronjobs/cleanup_database.pl --oauth-tokens
>    Verify that expired tokens were removed, and that the others are
>    still there
> 9. prove t/db_dependent/api/v1/oauth.t

One test is failing for me:

not ok 19 - 200 OK

    #   Failed test '200 OK'
    #   at t/db_dependent/api/v1/oauth.t line 98.
    #          got: '403'
    #     expected: '200'
    # Looks like you failed 1 test of 19.
>
> [1] https://addons.mozilla.org/en-US/firefox/addon/rester/

[Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

--- Comment #25 from Tomás Cohen Arazi <[hidden email]> ---
(In reply to Julian Maurice from comment #21)
> A few notes about the last patch:
> - I attached it only as an easy way to see the last changes, because I will
> squash all patches into one clean patch.
> - The use of Mojolicious::Plugin::OAuth2::Server was suggested on IRC, but
> it only helps removing a few lines of code. I'm not sure it's worth it (new
> non-packaged dependency)
> - The test plan in comment 7 is not correct anymore. Before testing, please
> wait until I squash all patches and write a new test plan (or use your brain
> to guess a new test plan :))

When I tested using the Mojo plugin, I didn't find a clear way to implement
several grant flows. And my guess was that sticking to using the core lib was
easier.
