[Koha] Koha API - Authentication Failure
Tomas Cohen Arazi
tomascohen at gmail.com
Thu May 27 00:20:15 NZST 2021
So maybe it is a side effect of using some authentication module in Apache?
This is from a 20.05 setup, that I know OAuth2 is being used by a vendor:
$ sudo apache2ctl -D DUMP_MODULES
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_itk_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
proxy_module (shared)
proxy_http_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
El mié, 26 may 2021 a las 3:28, Ere Maijala (<ere.maijala at helsinki.fi>)
escribió:
> Do you mean OAuth2 is working for you without anything special in Apache
> config? I've not been that fortunate yet, though it might depend on
> whether authentication plugins are enabled in Apache.
>
> --Ere
>
> Tomas Cohen Arazi kirjoitti 22.5.2021 klo 18.15:
> > I wonder why it is working out of the box, and not for you. Is there any
> > special apache config you're using?
> >
> > If not, then this is something we should patch in the Koha packages for
> > everyone.
> >
> > Kind regards
> >
> > El sáb., 22 may. 2021 12:12, Aswin Unnikrishnan <aswinunni01 at gmail.com
> > <mailto:aswinunni01 at gmail.com>> escribió:
> >
> > Thank you so much guys,
> >
> > Was a bit busy the past couple of days and could'nt work on it. But I
> > followed the documentation mentioned by Ere and it worked!
> >
> > SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
> >
> >
> > If anyone else faces this issue, you should add this command under
> > <VirtualHost> </VirtualHost> Tag .
> >
> > Thanks,
> > Aswin
> >
> > On Wed, 19 May 2021 at 14:20, Ere Maijala <ere.maijala at helsinki.fi
> > <mailto:ere.maijala at helsinki.fi>> wrote:
> >
> > > My documented steps to make sure OAuth2 is working are here:
> > >
> > >
> > >
> >
> https://github.com/vufind-org/vufind/blob/dev/config/vufind/KohaRest.ini#L20
> > <
> https://github.com/vufind-org/vufind/blob/dev/config/vufind/KohaRest.ini#L20
> >
> > >
> > > This may be useful for you. I suppose it would make sense to
> document
> > > this properly in Koha wiki as well, I just haven't had time...
> > >
> > > Best,
> > > Ere
> > >
> > > Aswin Unnikrishnan kirjoitti 17.5.2021 klo 20.53:
> > > > Thanks for pointing that out Stephen, I will have to look into
> > that, it
> > > > might be the issue here.
> > > >
> > > > Tomas, I am not exactly sure if we have plack running or not.
> > Plack
> > > seems
> > > > to be enabled, but plack logs are all empty. the logs are all at
> > > > intranet-error.log and opac-error.log
> > > >
> > > > I will try out the apache CGIPass method as Stephen suggested
> > and get
> > > back
> > > > if it works.
> > > >
> > > > Thanks,
> > > > Aswin
> > > >
> > > > On Mon, May 17, 2021, 9:02 PM Tomas Cohen Arazi
> > <tomascohen at gmail.com <mailto:tomascohen at gmail.com>>
> > > > wrote:
> > > >
> > > >> Are you running Plack?
> > > >>
> > > >> El lun, 17 may 2021 a las 11:53, Aswin Unnikrishnan (<
> > > >> aswinunni01 at gmail.com <mailto:aswinunni01 at gmail.com>>)
> escribió:
> > > >>
> > > >>> Thanks Stephen, Tomas for the quick response.
> > > >>>
> > > >>> Aswin - are you using the correct URL to call your custom
> > endpoint. It
> > > >>>> should be under the contrib namespace e.g.
> > > >>>>
> > > >>>
> > > >>> The app i am making is not part of koha, its a seperate web
> > app which
> > > >>> makes calls to /api/v1/ end points of the koha server.
> > > >>>
> > > >>> Does the user (owner of the id/secret pair) have privileged
> > access to
> > > >>>> Koha? Remember it needs to have permissions to enter the
> staff
> > > interface
> > > >>>> (the 'catalogue' permission) in order to access routes
> > (other than
> > > those in
> > > >>>> the /api/v1/public namespace).
> > > >>>>
> > > >>> Yes, the user has permission set to access all librarian
> > functions, I
> > > >>> also tried accessing the api end point via browser after
> > logging in to
> > > the
> > > >>> staff portal with this user, and im getting the correct
> response.
> > > >>>
> > > >>> Im also not able to access api/v1/.html from the browser, it
> > gives a
> > > 403
> > > >>> Error page. I checked the error logs and found this
> > > >>>
> > > >>> [authz_core:error] [pid 25846] AH01630: client denied by
> server
> > > >>>> configuration: /usr/share/koha/api/v1/.html
> > > >>>>
> > > >>>
> > > >>>
> > > >>> Is there any logging systems in place which could give more
> info
> > > >>> regarding the authorization failure error? or any idea whats
> > wrong?
> > > >>>
> > > >>> Thanks,
> > > >>> Aswin
> > > >>>
> > > >>>
> > > >>> On Mon, 17 May 2021 at 19:13, Tomas Cohen Arazi
> > <tomascohen at gmail.com <mailto:tomascohen at gmail.com>>
> > > >>> wrote:
> > > >>>
> > > >>>> Does the user (owner of the id/secret pair) have privileged
> > access to
> > > >>>> Koha? Remember it needs to have permissions to enter the
> staff
> > > interface
> > > >>>> (the 'catalogue' permission) in order to access routes
> > (other than
> > > those in
> > > >>>> the /api/v1/public namespace).
> > > >>>>
> > > >>>> BTW: All routes also have some required permissions you
> > should take a
> > > >>>> look at. Specific ones.
> > > >>>>
> > > >>>> Kind regards
> > > >>>>
> > > >>>> El lun, 17 may 2021 a las 9:40, Aswin Unnikrishnan (<
> > > >>>> aswinunni01 at gmail.com <mailto:aswinunni01 at gmail.com>>)
> escribió:
> > > >>>>
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>> I wanted to build an app that uses the koha API, and so i
> was
> > > testing it
> > > >>>>> out, but I keep getting "Authentication Failure" error
> > whichever end
> > > >>>>> point
> > > >>>>> I try to access.
> > > >>>>> The steps i did are
> > > >>>>>
> > > >>>>> 1. Got the client_id / secret from koha
> > > >>>>> 2. Sent a POST request to api/v1/oauth/token with required
> > parameters
> > > >>>>> and
> > > >>>>> got an "access_token" returned
> > > >>>>> 3. Added the token to my authorization header with
> > header-prefix
> > > >>>>> "Bearer"
> > > >>>>> 4. Sent a GET request to different end points, but getting
> > the same
> > > 401
> > > >>>>> Unauthorized error code with error : Authentication failure
> > > >>>>>
> > > >>>>> However if i access one of the public end points like
> > > >>>>> /api/v1/biblios/{biblio_id} i can get a response
> > > >>>>>
> > > >>>>> If anyone has any idea why this is happening, please let
> > me know.
> > > >>>>>
> > > >>>>> Thanks in advance,
> > > >>>>> Aswin
> > > >>>>> _______________________________________________
> > > >>>>>
> > > >>>>> Koha mailing list http://koha-community.org
> > <http://koha-community.org>
> > > >>>>> Koha at lists.katipo.co.nz <mailto:Koha at lists.katipo.co.nz>
> > > >>>>> Unsubscribe:
> > https://lists.katipo.co.nz/mailman/listinfo/koha
> > <https://lists.katipo.co.nz/mailman/listinfo/koha>
> > > >>>>>
> > > >>>>
> > > >>>>
> > > >>>> --
> > > >>>> Tomás Cohen Arazi
> > > >>>> Theke Solutions (http://theke.io <http://theke.io>)
> > > >>>> ✆ +54 9351 3513384
> > > >>>> GPG: B2F3C15F
> > > >>>>
> > > >>>
> > > >>
> > > >> --
> > > >> Tomás Cohen Arazi
> > > >> Theke Solutions (http://theke.io <http://theke.io>)
> > > >> ✆ +54 9351 3513384
> > > >> GPG: B2F3C15F
> > > >>
> > > > _______________________________________________
> > > >
> > > > Koha mailing list http://koha-community.org
> > <http://koha-community.org>
> > > > Koha at lists.katipo.co.nz <mailto:Koha at lists.katipo.co.nz>
> > > > Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
> > <https://lists.katipo.co.nz/mailman/listinfo/koha>
> > > >
> > >
> > > --
> > > Ere Maijala
> > > Kansalliskirjasto / The National Library of Finland
> > > _______________________________________________
> > >
> > > Koha mailing list http://koha-community.org
> > <http://koha-community.org>
> > > Koha at lists.katipo.co.nz <mailto:Koha at lists.katipo.co.nz>
> > > Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
> > <https://lists.katipo.co.nz/mailman/listinfo/koha>
> > >
> > _______________________________________________
> >
> > Koha mailing list http://koha-community.org <
> http://koha-community.org>
> > Koha at lists.katipo.co.nz <mailto:Koha at lists.katipo.co.nz>
> > Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
> > <https://lists.katipo.co.nz/mailman/listinfo/koha>
> >
>
> --
> Ere Maijala
> Kansalliskirjasto / The National Library of Finland
>
--
Tomás Cohen Arazi
Theke Solutions (http://theke.io)
✆ +54 9351 3513384
GPG: B2F3C15F
More information about the Koha
mailing list