[Koha] Koha API - Authentication Failure

Ere Maijala ere.maijala at helsinki.fi
Thu May 27 01:12:49 NZST 2021


Looks like I had cgid_module and suexec_module on 20.05 enabled in 
addition to what you have, but disabling them did not help.

--Ere

Tomas Cohen Arazi wrote on 26.5.2021 at 15.20:
> So maybe it is a side effect of using some authentication module in Apache?
> 
> This is from a 20.05 setup, that I know OAuth2 is being used by a vendor:
> 
> $ sudo apache2ctl -D DUMP_MODULES
> Loaded Modules:
>   core_module (static)
>   so_module (static)
>   watchdog_module (static)
>   http_module (static)
>   log_config_module (static)
>   logio_module (static)
>   version_module (static)
>   unixd_module (static)
>   access_compat_module (shared)
>   alias_module (shared)
>   auth_basic_module (shared)
>   authn_core_module (shared)
>   authn_file_module (shared)
>   authz_core_module (shared)
>   authz_host_module (shared)
>   authz_user_module (shared)
>   autoindex_module (shared)
>   cgi_module (shared)
>   deflate_module (shared)
>   dir_module (shared)
>   env_module (shared)
>   expires_module (shared)
>   filter_module (shared)
>   headers_module (shared)
>   mime_module (shared)
>   mpm_itk_module (shared)
>   mpm_prefork_module (shared)
>   negotiation_module (shared)
>   proxy_module (shared)
>   proxy_http_module (shared)
>   reqtimeout_module (shared)
>   rewrite_module (shared)
>   setenvif_module (shared)
>   socache_shmcb_module (shared)
>   ssl_module (shared)
>   status_module (shared)
> 
> 
> On Wed, 26 May 2021 at 3:28, Ere Maijala (<ere.maijala at helsinki.fi>) wrote:
> 
>     Do you mean OAuth2 is working for you without anything special in
>     Apache config? I've not been that fortunate yet, though it might
>     depend on whether authentication plugins are enabled in Apache.
> 
>     --Ere
> 
>     Tomas Cohen Arazi wrote on 22.5.2021 at 18.15:
>      > I wonder why it is working out of the box, and not for you. Is
>      > there any special apache config you're using?
>      >
>      > If not, then this is something we should patch in the Koha
>      > packages for everyone.
>      >
>      > Kind regards
>      >
>      > On Sat, 22 May 2021 12:12, Aswin Unnikrishnan
>      > <aswinunni01 at gmail.com> wrote:
>      >
>      >     Thank you so much guys,
>      >
>      >     Was a bit busy the past couple of days and couldn't work on
>      >     it. But I followed the documentation mentioned by Ere and it
>      >     worked!
>      >
>      >     SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
>      >
>      >
>      >     If anyone else faces this issue, you should add this command
>      >     under the <VirtualHost> </VirtualHost> tag.
>      >
>      >     Thanks,
>      >     Aswin
>      >
>      >     On Wed, 19 May 2021 at 14:20, Ere Maijala
>      >     <ere.maijala at helsinki.fi> wrote:
>      >
>      >      > My documented steps to make sure OAuth2 is working are here:
>      >      >
>      >      > https://github.com/vufind-org/vufind/blob/dev/config/vufind/KohaRest.ini#L20
>      >      >
>      >      > This may be useful for you. I suppose it would make sense to
>      >      > document this properly in Koha wiki as well, I just haven't
>      >      > had time...
>      >      >
>      >      > Best,
>      >      > Ere
>      >      >
>      >      > Aswin Unnikrishnan wrote on 17.5.2021 at 20.53:
>      >      > > Thanks for pointing that out Stephen, I will have to look
>      >      > > into that, it might be the issue here.
>      >      > >
>      >      > > Tomas, I am not exactly sure if we have plack running or
>      >      > > not. Plack seems to be enabled, but plack logs are all
>      >      > > empty. The logs are all at intranet-error.log and
>      >      > > opac-error.log
>      >      > >
>      >      > > I will try out the apache CGIPass method as Stephen
>      >      > > suggested and get back if it works.
>      >      > >
>      >      > > Thanks,
>      >      > > Aswin
>      >      > >
>      >      > > On Mon, May 17, 2021, 9:02 PM Tomas Cohen Arazi
>      >      > > <tomascohen at gmail.com> wrote:
>      >      > >
>      >      > >> Are you running Plack?
>      >      > >>
>      >      > >> On Mon, 17 May 2021 at 11:53, Aswin Unnikrishnan
>      >      > >> (<aswinunni01 at gmail.com>) wrote:
>      >      > >>
>      >      > >>> Thanks Stephen, Tomas for the quick response.
>      >      > >>>
>      >      > >>> Aswin - are you using the correct URL to call your custom
>      >      > >>>> endpoint. It should be under the contrib namespace e.g.
>      >      > >>>>
>      >      > >>>
>      >      > >>> The app I am making is not part of koha, it's a separate
>      >      > >>> web app which makes calls to /api/v1/ end points of the
>      >      > >>> koha server.
>      >      > >>>
>      >      > >>> Does the user (owner of the id/secret pair) have privileged
>      >      > >>>> access to Koha? Remember it needs to have permissions to
>      >      > >>>> enter the staff interface (the 'catalogue' permission) in
>      >      > >>>> order to access routes (other than those in the
>      >      > >>>> /api/v1/public namespace).
>      >      > >>>>
>      >      > >>> Yes, the user has permission set to access all librarian
>      >      > >>> functions, I also tried accessing the api end point via
>      >      > >>> browser after logging in to the staff portal with this
>      >      > >>> user, and I'm getting the correct response.
>      >      > >>>
>      >      > >>> I'm also not able to access api/v1/.html from the browser,
>      >      > >>> it gives a 403 Error page. I checked the error logs and
>      >      > >>> found this
>      >      > >>>
>      >      > >>> [authz_core:error] [pid 25846]  AH01630: client denied by server
>      >      > >>>> configuration: /usr/share/koha/api/v1/.html
>      >      > >>>>
>      >      > >>>
>      >      > >>>
>      >      > >>> Are there any logging systems in place which could give more
>      >      > >>> info regarding the authorization failure error? Or any idea
>      >      > >>> what's wrong?
>      >      > >>>
>      >      > >>> Thanks,
>      >      > >>> Aswin
>      >      > >>>
>      >      > >>>
>      >      > >>> On Mon, 17 May 2021 at 19:13, Tomas Cohen Arazi
>      >      > >>> <tomascohen at gmail.com> wrote:
>      >      > >>>
>      >      > >>>> Does the user (owner of the id/secret pair) have privileged
>      >      > >>>> access to Koha? Remember it needs to have permissions to
>      >      > >>>> enter the staff interface (the 'catalogue' permission) in
>      >      > >>>> order to access routes (other than those in the
>      >      > >>>> /api/v1/public namespace).
>      >      > >>>>
>      >      > >>>> BTW: All routes also have some required permissions you
>      >      > >>>> should take a look at. Specific ones.
>      >      > >>>>
>      >      > >>>> Kind regards
>      >      > >>>>
>      >      > >>>> On Mon, 17 May 2021 at 9:40, Aswin Unnikrishnan
>      >      > >>>> (<aswinunni01 at gmail.com>) wrote:
>      >      > >>>>
>      >      > >>>>> Hi,
>      >      > >>>>>
>      >      > >>>>> I wanted to build an app that uses the koha API, and so I
>      >      > >>>>> was testing it out, but I keep getting "Authentication
>      >      > >>>>> Failure" error whichever end point I try to access.
>      >      > >>>>> The steps I did are
>      >      > >>>>>
>      >      > >>>>> 1. Got the client_id / secret from koha
>      >      > >>>>> 2. Sent a POST request to api/v1/oauth/token with required
>      >      > >>>>> parameters and got an "access_token" returned
>      >      > >>>>> 3. Added the token to my authorization header with
>      >      > >>>>> header-prefix "Bearer"
>      >      > >>>>> 4. Sent a GET request to different end points, but getting
>      >      > >>>>> the same 401 Unauthorized error code with error:
>      >      > >>>>> Authentication failure
>      >      > >>>>>
>      >      > >>>>> However if I access one of the public end points like
>      >      > >>>>> /api/v1/biblios/{biblio_id} I can get a response
>      >      > >>>>>
>      >      > >>>>> If anyone has any idea why this is happening, please let
>      >      > >>>>> me know.
>      >      > >>>>>
>      >      > >>>>> Thanks in advance,
>      >      > >>>>> Aswin
>      >      > >>>>> _______________________________________________
>      >      > >>>>>
>      >      > >>>>> Koha mailing list http://koha-community.org
>      >      > >>>>> Koha at lists.katipo.co.nz
>      >      > >>>>> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>      >      > >>>>>
>      >      > >>>>
>      >      > >>>>
>      >      > >>>> --
>      >      > >>>> Tomás Cohen Arazi
>      >      > >>>> Theke Solutions (http://theke.io)
>      >      > >>>> ✆ +54 9351 3513384
>      >      > >>>> GPG: B2F3C15F
>      >      > >>>>
>      >      > >>>
>      >      > >>
>      >      > >> --
>      >      > >> Tomás Cohen Arazi
>      >      > >> Theke Solutions (http://theke.io)
>      >      > >> ✆ +54 9351 3513384
>      >      > >> GPG: B2F3C15F
>      >      > >>
>      >      > >
>      >      >
>      >      > --
>      >      > Ere Maijala
>      >      > Kansalliskirjasto / The National Library of Finland
>      >      >
>      >
> 
>     -- 
>     Ere Maijala
>     Kansalliskirjasto / The National Library of Finland
> 
> 
> 
> -- 
> Tomás Cohen Arazi
> Theke Solutions (http://theke.io)
> ✆ +54 9351 3513384
> GPG: B2F3C15F

-- 
Ere Maijala
Kansalliskirjasto / The National Library of Finland
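
Added example, not part of the original thread and not Koha's own code: a simplified Python model of why the bearer token from step 2 of the original question can still produce a 401 when the API is reached through Apache's CGI handler, and what the quoted `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` line changes. The names `cgi_env` and `api_status`, the token and the host name are constructed for illustration.

```python
import hmac
import re

VALID_TOKEN = "example-access-token"  # constructed sample, not a real credential
WITHHELD = {"authorization", "proxy-authorization"}

# Constructed request, as sent in step 4 of the original question.
REQUEST = {"Host": "koha.example.org", "Authorization": "Bearer " + VALID_TOKEN}
# The thread's fix, SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0, as a rule tuple.
FIX = [("Authorization", r".+", "HTTP_AUTHORIZATION")]


def cgi_env(headers, setenvif=()):
    """Simplified model of the environment Apache hands to a CGI script.

    Request headers become HTTP_* variables, except Authorization and
    Proxy-Authorization, which Apache withholds from CGI scripts by default.
    Each (header, regex, variable) rule mimics `SetEnvIf header regex VAR=$0`.
    """
    env = {}
    for name, value in headers.items():
        if name.lower() not in WITHHELD:
            env["HTTP_" + name.upper().replace("-", "_")] = value
    lowered = {name.lower(): value for name, value in headers.items()}
    for header, regex, variable in setenvif:
        match = re.search(regex, lowered.get(header.lower(), ""))
        if match:
            env[variable] = match.group(0)  # $0 expands to the whole match
    return env


def api_status(env):
    """Hypothetical backend check: 200 for the valid bearer token, else 401."""
    scheme, _, token = env.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() == "bearer" and hmac.compare_digest(token, VALID_TOKEN):
        return 200
    return 401


if __name__ == "__main__":
    print("default CGI environment:", api_status(cgi_env(REQUEST)))
    print("with SetEnvIf rule:     ", api_status(cgi_env(REQUEST, FIX)))
```

Apache withholds the header so that credentials are not handed to every script it runs; keeping the directive inside the virtual host that serves the API limits which scripts receive the token.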

