[Koha] Koha API - Authentication Failure
Ere Maijala
ere.maijala at helsinki.fi
Thu May 27 01:12:49 NZST 2021
Looks like I had cgid_module and suexec_module on 20.05 enabled in
addition to what you have, but disabling them did not help.
--Ere
Tomas Cohen Arazi wrote on 26.5.2021 at 15.20:
> So maybe it is a side effect of using some authentication module in Apache?
>
> This is from a 20.05 setup, that I know OAuth2 is being used by a vendor:
>
> $ sudo apache2ctl -D DUMP_MODULES
> Loaded Modules:
> core_module (static)
> so_module (static)
> watchdog_module (static)
> http_module (static)
> log_config_module (static)
> logio_module (static)
> version_module (static)
> unixd_module (static)
> access_compat_module (shared)
> alias_module (shared)
> auth_basic_module (shared)
> authn_core_module (shared)
> authn_file_module (shared)
> authz_core_module (shared)
> authz_host_module (shared)
> authz_user_module (shared)
> autoindex_module (shared)
> cgi_module (shared)
> deflate_module (shared)
> dir_module (shared)
> env_module (shared)
> expires_module (shared)
> filter_module (shared)
> headers_module (shared)
> mime_module (shared)
> mpm_itk_module (shared)
> mpm_prefork_module (shared)
> negotiation_module (shared)
> proxy_module (shared)
> proxy_http_module (shared)
> reqtimeout_module (shared)
> rewrite_module (shared)
> setenvif_module (shared)
> socache_shmcb_module (shared)
> ssl_module (shared)
> status_module (shared)
>
>
> On Wed, 26 May 2021 at 3:28, Ere Maijala (<ere.maijala at helsinki.fi>) wrote:
>
> Do you mean OAuth2 is working for you without anything special in Apache
> config? I've not been that fortunate yet, though it might depend on
> whether authentication plugins are enabled in Apache.
>
> --Ere
>
> Tomas Cohen Arazi wrote on 22.5.2021 at 18.15:
> > I wonder why it is working out of the box, and not for you. Is there any
> > special apache config you're using?
> >
> > If not, then this is something we should patch in the Koha packages for
> > everyone.
> >
> > Kind regards
> >
> > On Sat, 22 May 2021 12:12, Aswin Unnikrishnan <aswinunni01 at gmail.com> wrote:
> >
> > Thank you so much guys,
> >
> > Was a bit busy the past couple of days and couldn't work on it. But I
> > followed the documentation mentioned by Ere and it worked!
> >
> > SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
> >
> >
> > If anyone else faces this issue, you should add this command under the
> > <VirtualHost> </VirtualHost> tag.
> >
> > Thanks,
> > Aswin
> >
> > On Wed, 19 May 2021 at 14:20, Ere Maijala <ere.maijala at helsinki.fi> wrote:
> >
> > > My documented steps to make sure OAuth2 is working are here:
> > >
> > > https://github.com/vufind-org/vufind/blob/dev/config/vufind/KohaRest.ini#L20
> > >
> > > This may be useful for you. I suppose it would make sense to document
> > > this properly in Koha wiki as well, I just haven't had time...
> > >
> > > Best,
> > > Ere
> > >
> > > Aswin Unnikrishnan wrote on 17.5.2021 at 20.53:
> > > > Thanks for pointing that out Stephen, I will have to look into that, it
> > > > might be the issue here.
> > > >
> > > > Tomas, I am not exactly sure if we have plack running or not. Plack seems
> > > > to be enabled, but plack logs are all empty. The logs are all at
> > > > intranet-error.log and opac-error.log
> > > >
> > > > I will try out the apache CGIPass method as Stephen suggested and get back
> > > > if it works.
> > > >
> > > > Thanks,
> > > > Aswin
> > > >
> > > > On Mon, May 17, 2021, 9:02 PM Tomas Cohen Arazi <tomascohen at gmail.com>
> > > > wrote:
> > > >
> > > >> Are you running Plack?
> > > >>
> > > >> On Mon, 17 May 2021 at 11:53, Aswin Unnikrishnan (<aswinunni01 at gmail.com>) wrote:
> > > >>
> > > >>> Thanks Stephen, Tomas for the quick response.
> > > >>>
> > > >>>> Aswin - are you using the correct URL to call your custom endpoint. It
> > > >>>> should be under the contrib namespace e.g.
> > > >>>>
> > > >>>
> > > >>> The app I am making is not part of koha, it's a separate web app which
> > > >>> makes calls to /api/v1/ end points of the koha server.
> > > >>>
> > > >>>> Does the user (owner of the id/secret pair) have privileged access to
> > > >>>> Koha? Remember it needs to have permissions to enter the staff interface
> > > >>>> (the 'catalogue' permission) in order to access routes (other than those in
> > > >>>> the /api/v1/public namespace).
> > > >>>>
> > > >>> Yes, the user has permission set to access all librarian functions, I
> > > >>> also tried accessing the api end point via browser after logging in to the
> > > >>> staff portal with this user, and I'm getting the correct response.
> > > >>>
> > > >>> I'm also not able to access api/v1/.html from the browser, it gives a 403
> > > >>> Error page. I checked the error logs and found this
> > > >>>
> > > >>>> [authz_core:error] [pid 25846] AH01630: client denied by server
> > > >>>> configuration: /usr/share/koha/api/v1/.html
> > > >>>>
> > > >>>
> > > >>> Are there any logging systems in place which could give more info
> > > >>> regarding the authorization failure error? Or any idea what's wrong?
> > > >>>
> > > >>> Thanks,
> > > >>> Aswin
> > > >>>
> > > >>>
> > > >>> On Mon, 17 May 2021 at 19:13, Tomas Cohen Arazi <tomascohen at gmail.com>
> > > >>> wrote:
> > > >>>
> > > >>>> Does the user (owner of the id/secret pair) have privileged access to
> > > >>>> Koha? Remember it needs to have permissions to enter the staff interface
> > > >>>> (the 'catalogue' permission) in order to access routes (other than those in
> > > >>>> the /api/v1/public namespace).
> > > >>>>
> > > >>>> BTW: All routes also have some required permissions you should take a
> > > >>>> look at. Specific ones.
> > > >>>>
> > > >>>> Kind regards
> > > >>>>
> > > >>>> On Mon, 17 May 2021 at 9:40, Aswin Unnikrishnan (<aswinunni01 at gmail.com>) wrote:
> > > >>>>
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>> I wanted to build an app that uses the koha API, and so I was testing it
> > > >>>>> out, but I keep getting "Authentication Failure" error whichever end point
> > > >>>>> I try to access.
> > > >>>>> The steps I did are
> > > >>>>>
> > > >>>>> 1. Got the client_id / secret from koha
> > > >>>>> 2. Sent a POST request to api/v1/oauth/token with required parameters and
> > > >>>>> got an "access_token" returned
> > > >>>>> 3. Added the token to my authorization header with header-prefix "Bearer"
> > > >>>>> 4. Sent a GET request to different end points, but getting the same 401
> > > >>>>> Unauthorized error code with error : Authentication failure
> > > >>>>>
> > > >>>>> However if I access one of the public end points like
> > > >>>>> /api/v1/biblios/{biblio_id} I can get a response
> > > >>>>>
> > > >>>>> If anyone has any idea why this is happening, please let me know.
> > > >>>>>
> > > >>>>> Thanks in advance,
> > > >>>>> Aswin
> > > >>>>> _______________________________________________
> > > >>>>>
> > > >>>>> Koha mailing list http://koha-community.org
> > > >>>>> Koha at lists.katipo.co.nz
> > > >>>>> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>>> --
> > > >>>> Tomás Cohen Arazi
> > > >>>> Theke Solutions (http://theke.io)
> > > >>>> ✆ +54 9351 3513384
> > > >>>> GPG: B2F3C15F
> > > >>>>
> > > >>>
> > > >>
> > > >> --
> > > >> Tomás Cohen Arazi
> > > >> Theke Solutions (http://theke.io)
> > > >> ✆ +54 9351 3513384
> > > >> GPG: B2F3C15F
> > > >>
> > >
> > > --
> > > Ere Maijala
> > > Kansalliskirjasto / The National Library of Finland
>
> --
> Ere Maijala
> Kansalliskirjasto / The National Library of Finland
>
>
>
> --
> Tomás Cohen Arazi
> Theke Solutions (http://theke.io)
> ✆ +54 9351 3513384
> GPG: B2F3C15F
--
Ere Maijala
Kansalliskirjasto / The National Library of Finland
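
The fix quoted in the thread is one `SetEnvIf` line per `<VirtualHost>`, so it can be present on one virtual host and missing on another. The following is an added example, not part of the original thread or of Koha: a shell function that lists the `<VirtualHost>` blocks of an Apache config file that lack that line. The function name, the sample hostnames and the ports are assumptions, and included files are not followed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Koha): report <VirtualHost> blocks
# that lack the pass-through line quoted in the thread,
#   SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
# Assumption: one flat config file is checked; Include'd files and
# server-level directives outside any <VirtualHost> are not considered.

vhosts_missing_auth_passthrough() {
  awk '
    $1 ~ /^#/ { next }                          # skip commented-out lines
    tolower($1) ~ /^<virtualhost/ {             # block opens
      in_vhost = 1; found = 0; start = NR
      name = $0; sub(/^[ \t]+/, "", name)
      next
    }
    in_vhost && tolower($1) == "setenvif" && tolower($2) == "authorization" &&
      index($0, "HTTP_AUTHORIZATION=") { found = 1 }
    tolower($1) ~ /^<\/virtualhost>/ {          # block closes
      if (in_vhost && !found) print start ": " name
      in_vhost = 0
    }
  ' "$@"
}

# Constructed sample config (hostnames and ports are made up).
sample_conf() {
  cat <<'EOF'
<VirtualHost *:80>
  ServerName opac.example.org
</VirtualHost>
<VirtualHost *:8080>
  ServerName staff.example.org
  SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
</VirtualHost>
<VirtualHost *:8443>
  # SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
</VirtualHost>
EOF
}

# Prints "line: <VirtualHost ...>" for each block without the directive.
sample_conf | vhosts_missing_auth_passthrough
```

Pass a real config file as the argument instead of piping the sample; an empty result means every block in that file carries the directive.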