From dd512db60b21080a1c1cfeae2a3891edd69fd95e Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Tue, 9 May 2023 18:03:50 -0300 Subject: [PATCH] Bug 33708: Make staff interface login not require public API (OAuth/OIDC) This patch makes the URL for staff login not point to the `/public` namespace. The behavior is not changed for the protocol, but as `/public` requires several settings to be available, it effectively requires to enable the OPAC, the public API, etc. This patch diferentiates both to solve the problem. I've tested following the Wiki instructions to set keycloak [1] using the *--sso* switch for `ktd` as well [2]. It is important to set the following URLs as allowed redirect in order to replicate the issue and verify the fix: http://localhost:8080/api/v1/public/oauth/login/test/opac http://localhost:8081/api/v1/oauth/login/test/staff To test: 1. Login into the staff interface using the SSO link: => FAIL: Results in a 'Bad redirect URL' error 2. Apply this patch and repeat 1 => SUCCESS: You get a permission denied error or you just login, depending on your setup. [1] https://wiki.koha-community.org/wiki/Testing_SSO [2] ktd --sso up -d Signed-off-by: Tomas Cohen Arazi Signed-off-by: David Cook Signed-off-by: Tomas Cohen Arazi --- Koha/REST/V1/OAuth/Client.pm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Koha/REST/V1/OAuth/Client.pm b/Koha/REST/V1/OAuth/Client.pm index 5378cec0fe..0fb04089d7 100644 --- a/Koha/REST/V1/OAuth/Client.pm +++ b/Koha/REST/V1/OAuth/Client.pm @@ -43,25 +43,25 @@ Controller method handling login requests sub login { my $c = shift->openapi->valid_input or return; - my $provider = $c->validation->param('provider_code'); - my $interface = $c->validation->param('interface'); + my $provider = $c->param('provider_code'); + my $interface = $c->param('interface'); my $logger = Koha::Logger->get({ interface => 'api' }); my $provider_config = $c->oauth2->providers->{$provider}; my $uri; - my $base_url; + my $redirect_url; if ( $interface eq 'opac' ) { - $base_url = C4::Context->preference('OPACBaseURL'); + $redirect_url = C4::Context->preference('OPACBaseURL') . '/api/v1/public/oauth/login/'; if ( C4::Context->preference('OpacPublic') ) { $uri = '/cgi-bin/koha/opac-user.pl'; } else { $uri = '/cgi-bin/koha/opac-main.pl'; } } else { - $base_url = C4::Context->preference('staffClientBaseURL'); + $redirect_url = C4::Context->preference('staffClientBaseURL') . '/api/v1/oauth/login/'; $uri = '/cgi-bin/koha/mainpage.pl'; } @@ -76,7 +76,7 @@ sub login { $provider_config->{authorize_url} = $authorize_url->to_string; } - return $c->oauth2->get_token_p( $provider, { redirect_uri => $base_url . '/api/v1/public/oauth/login/' . $provider . "/" . $interface } )->then( + return $c->oauth2->get_token_p( $provider, { redirect_uri => $redirect_url . $provider . "/" . $interface } )->then( sub { return unless my $response = shift; -- 2.39.5