https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25796
--- Comment #4 from David Cook <[email protected]> ---

But then if you read this: https://auth0.com/blog/id-token-access-token-what-is-the-difference/

In theory, the access token should be for the "Resource server" (ie the Koha API). I suppose that the access token can then be used to do a UserInfo lookup in order to get the user info (I did that in my early 2014 OpenID Connect work).

I suppose the Koha API would check the "iss" and "aud" claims. The "iss" would let it know what IdP to talk to (and whether or not it trusts it). I think the "aud" would need to be the whole Koha API and then further authorization would be handled by Koha at a more granular level...

Looking at Koha::OAuth, it would be fairly trivial to add support. We'd just need a table really to store providers. If the "iss" provider isn't found in the table, then we default to a Koha supplied access token. We need a table to store providers anyway for improving Koha's SSO options, so this dovetails with that.

If we wanted to handle this with plugins, we could do that instead so long as we put a plugin hook in "Koha::OAuth::_verify_access_token_cb".

It does look like we'd need to alter Koha::Rest::V1::Auth a little bit as it tries to look up the patron using the "client_id" in the access token.

Anyway, lots of possibilities there.

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
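The verification flow David sketches above (read "iss", look the issuer up in a provider table, fall back to a Koha-supplied token when it is not there, then check signature, "aud" and expiry before trusting "sub") as an added, self-contained Python example. This is not Koha code and not in Koha's language (Koha is Perl); the provider table, issuer and audience URLs, keys and tokens are all constructed for the example, and both the external and the Koha-local token are modelled as HS256 JWTs purely to keep the block dependency-free (real IdPs normally sign with RS256/ES256 and publish public keys; how Koha::OAuth verifies its own tokens is not modelled here).

```python
import base64
import hashlib
import hmac
import json
import time

# --- constructed configuration (hypothetical values, not Koha's) ---
API_AUDIENCE = "https://koha.example.org/api"          # the "aud" the whole Koha API expects
KOHA_ISSUER = "https://koha.example.org"               # issuer used for Koha-supplied tokens
KOHA_KEY = b"koha-constructed-hs256-key"               # key Koha uses for its own tokens (constructed)
# The "providers" table David describes: known external IdPs keyed by "iss".
PROVIDERS = {
    "https://idp.example.org": {"key": b"idp-constructed-hs256-key"},
}


class TokenRejected(Exception):
    """Raised with a short reason when an access token must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact-serialised HS256 JWT (used only to construct sample tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now=None, providers=PROVIDERS,
                        koha_key=KOHA_KEY, api_audience=API_AUDIENCE) -> dict:
    """Resource-server side check: who issued this, do we trust them, is it for us, is it live."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("malformed token") from exc
    if header.get("alg") != "HS256":
        # never let the token choose the algorithm; this example accepts exactly one
        raise TokenRejected("unexpected alg")

    # 1. "iss" decides which key (and which trust decision) applies.
    iss = claims.get("iss")
    provider = providers.get(iss)
    # Unknown or absent issuer: treat it as a Koha-supplied token, per David's comment.
    key = koha_key if provider is None else provider["key"]

    # 2. Signature must verify under that key before any other claim is believed.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")

    # 3. "aud" must name the Koha API (aud may be a string or a list of strings).
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if api_audience not in aud_list:
        raise TokenRejected("audience mismatch")

    # 4. Expiry, then the subject the REST layer would use to look up the patron
    #    (instead of the "client_id" Koha::REST::V1::Auth uses today).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired")
    if "sub" not in claims:
        raise TokenRejected("no subject")
    return {"issuer": iss, "subject": claims["sub"], "external": provider is not None}


def demo(now=1_700_000_000) -> dict:
    """Run the checker over constructed tokens; returns a name -> outcome map."""
    idp = "https://idp.example.org"
    cases = [
        ("external_ok", {"iss": idp, "aud": [API_AUDIENCE, "https://other.example"], "sub": "jdoe", "exp": now + 300}, PROVIDERS[idp]["key"]),
        ("local_ok", {"iss": KOHA_ISSUER, "aud": API_AUDIENCE, "sub": "staff1", "exp": now + 300}, KOHA_KEY),
        ("unknown_issuer", {"iss": "https://rogue.example", "aud": API_AUDIENCE, "sub": "x", "exp": now + 300}, b"rogue-key"),
        ("wrong_audience", {"iss": idp, "aud": "https://someone-else.example/api", "sub": "jdoe", "exp": now + 300}, PROVIDERS[idp]["key"]),
        ("expired", {"iss": idp, "aud": API_AUDIENCE, "sub": "jdoe", "exp": now - 1}, PROVIDERS[idp]["key"]),
    ]
    results = {}
    for name, claims, key in cases:
        try:
            results[name] = "accepted:" + verify_access_token(make_hs256_token(claims, key), now=now)["subject"]
        except TokenRejected as exc:
            results[name] = "rejected:" + str(exc)
    results["garbage"] = "rejected:" + str(_reject("not.a.jwt", now))
    return results


def _reject(token: str, now) -> str:
    try:
        verify_access_token(token, now=now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The order matters: issuer lookup only selects a key, and nothing in the token is trusted until the signature verifies under that key; "aud" is then compared against the whole-API audience David proposes, leaving finer-grained authorization to Koha. A plugin hook in the spot he names (`Koha::OAuth::_verify_access_token_cb`) would sit where `verify_access_token` is called.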
