https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
M. Tompsett <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #72886|0                           |1
        is obsolete|                            |

--- Comment #7 from M. Tompsett <[email protected]> ---
Created attachment 72892
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72892&action=edit
Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with basic scopes support
(only one is defined, "patrons.read").

API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <scope>patrons.read</scope>
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2 configuration:
     - OAuth flow: Client credentials
     - Access Token Request Method: POST
     - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
     - Access Token Request Client Authentication: Credentials in request body
     - Client ID: $CLIENT_ID
     - Client Secret: $CLIENT_SECRET
     - Scopes: patrons.read
5. Click on the newly created configuration to generate a new token (which
   will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   It should return 200 OK with the list of patrons
7. Remove or change the <scope> from $KOHA_CONF (reload starman & memcached)
   and see that you cannot generate a new token. Then reset the scope to its
   initial value
8. Edit api/v1/swagger/paths/patrons.json, locate 'x-koha-scopes'
   (2 occurrences) and change the values to something else. Reload starman.
   Repeat step 6 and see that you receive a 403 Forbidden status
   Undo your changes in api/v1/swagger/paths/patrons.json and reload starman
   again.
9. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/

Signed-off-by: Mark Tompsett <[email protected]>

_______________________________________________
Koha-bugs mailing list
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
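The behaviour the test plan exercises in steps 5 to 9 (client-credentials token issuance gated by the configured scope, a scope check on the route, and expired tokens being rejected with 403 and purged) as an added, self-contained Python model written for this page. It is not Koha's code, which implements this in Perl on top of Net::OAuth2::AuthorizationServer; the client id and secret, the in-memory stand-ins for $KOHA_CONF, x-koha-scopes and the oauth_access_tokens table, and the 401/400 error codes on the token endpoint (taken from RFC 6749, not from the patch) are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for the <api_client> element in $KOHA_CONF (test plan step 1).
API_CLIENTS = {
    "example-client-id": {
        "client_secret": "example-client-secret",
        "scope": {"patrons.read"},
    },
}

# Constructed stand-in for the x-koha-scopes annotation on a route (step 8).
ROUTE_SCOPES = {("GET", "/api/v1/patrons"): {"patrons.read"}}

TOKEN_LIFETIME = 3600  # one hour, as in step 5


@dataclass
class TokenStore:
    """Constructed stand-in for the oauth_access_tokens table (step 9)."""
    tokens: dict = field(default_factory=dict)  # token -> (client_id, scopes, expires)


def issue_token(store, client_id, client_secret, requested_scopes,
                now=None, clients=API_CLIENTS):
    """Client-credentials grant for POST /api/v1/oauth/token.

    Returns (http_status, body). Error codes follow RFC 6749 (an assumption
    about the patch): invalid_client -> 401, invalid_scope -> 400.
    """
    now = time.time() if now is None else now
    client = clients.get(client_id)
    # Constant-time secret comparison; an unknown id and a wrong secret
    # produce the same answer so the client list cannot be probed.
    if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
        return 401, {"error": "invalid_client"}
    # A scope absent from the client's configuration means no token at all (step 7).
    requested_scopes = set(requested_scopes)
    if not requested_scopes or not requested_scopes <= client["scope"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    store.tokens[token] = (client_id, frozenset(requested_scopes), now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


def authorize_request(store, method, path, authorization_header,
                      now=None, route_scopes=ROUTE_SCOPES):
    """Resource-side check for a bearer token; returns the HTTP status only."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401  # no credentials presented at all
    token = authorization_header[len("Bearer "):]
    entry = store.tokens.get(token)
    if entry is None:
        return 403  # unknown (or already purged) token
    _client_id, scopes, expires = entry
    if now >= expires:
        # An expired token is deleted, not merely rejected (step 9).
        del store.tokens[token]
        return 403
    required = route_scopes.get((method, path))
    if required is None:
        return 404  # assumption: routes without an x-koha-scopes entry are unknown here
    if not required <= scopes:
        return 403  # token scopes do not cover the route's x-koha-scopes (step 8)
    return 200


def run_test_plan(now=1000.0):
    """Replays steps 5, 6, 8 and 9 of the test plan against the model.

    Returns the observed statuses plus whether the expired token was purged.
    """
    store = TokenStore()
    status, body = issue_token(store, "example-client-id", "example-client-secret",
                               {"patrons.read"}, now=now)
    token = body["access_token"] if status == 200 else ""
    header = "Bearer " + token
    result = {
        "step5_token": status,
        "step6_get_patrons": authorize_request(store, "GET", "/api/v1/patrons", header, now=now),
        "step8_changed_scopes": authorize_request(
            store, "GET", "/api/v1/patrons", header, now=now,
            route_scopes={("GET", "/api/v1/patrons"): {"something.else"}}),
        "step9_expired": authorize_request(
            store, "GET", "/api/v1/patrons", header, now=now + TOKEN_LIFETIME),
    }
    result["step9_token_removed"] = token not in store.tokens
    return result


if __name__ == "__main__":
    for step, outcome in run_test_plan().items():
        print(f"{step}: {outcome}")
```

The `now` parameter stands in for the database clock so step 9 can be replayed without waiting an hour; in a real deployment the same purge-on-read logic is what the SQL in the test plan (`UPDATE oauth_access_tokens SET expires = 0`) exercises.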
