[Koha] SSO Shibboleth & oauth issues

David Cook dcook at prosentient.com.au
Fri Jun 30 11:46:25 NZST 2023

Hey Justin,

Sorry to hear you're having issues, but great to see another organisation in NSW using Koha!

Let's see if we can help you sort out this issue. What version of Koha are you running, how did you install it, and on which Linux distro? 

With the Shibboleth, you'll want to look at your Koha logs. With the other auth, are you using OAuth or OIDC? 

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----

Date: Wed, 28 Jun 2023 23:49:06 +1000
From: Justin Dowswell <justin.dowswell at tenantsunion.org.au>
To: koha at lists.katipo.co.nz
Subject: [Koha] SSO Shibboleth & oauth issues
	<CAGzh+UPeBXVz2AsOXMyyXHbCtmY3mYLH3uBPfVYqYzcRCqhxCg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hey everyone,

I am Justin from the Tenants’ Union of NSW. Lovely to meet you all, albeit
in an archaic manner.

There is a Koha issue I am having trouble resolving…

It’s a strange issue with Shibboleth and now I think the same issue
displayed differently with oauth (that I wanted to implement as an
alternative), both using the same IdP, and definitely isolated to Koha
and/or the server running it. I believe it’s a caching issue of some sort…

When I get redirected back to Koha after a successful login with
Shibboleth, I get a HTTP 500 error, with this console output, unsure if
actually related or not:

(index):6577 crbug/1173575, non-JS module files deprecated. (anonymous) @

Refreshing the page redirects once again with a successful login.

Oauth has a similar issue. I am redirected back to Koha after a
successful login with the identity provider and I am greeted with an error

> There was an error authenticating to external identity provider:
> wrong_csrf_token

Refreshing doesn't fix it but clicking the IdP login link again redirects
back with a successful login and token.

My theory is the redirect is happening too quickly before the token is
actually retrieved.

I've looked in Shibboleth's logs and have yet to see anything obvious.

Thanks in advance,
Justin Dowswell

*The Tenants’ Union of NSW recognises that Aboriginal and Torres Strait 
Islander peoples are the First Peoples of Australia. Our office is on the 
lands of the Gadigal of the Eora Nation. We are committed to respecting 
Aboriginal and Torres Strait Islander peoples, cultures, lands, and 
histories as we battle for tenants’ rights in NSW. Read our full 
Acknowledgement of Country 


tenants.org.au <https://www.tenants.org.au/>



This email 
transmission is intended only for the addressee and may contain 
confidential or privileged information. Confidentiality and privilege are 
not waived if you are not the intended recipient of the email, nor may you 
use, review, disclose, disseminate or copy any information contained or 
attached to it. If you received this email in error please delete it and 
any attachments and notify us immediately by return email.

Tenants' Union 
of NSW can only provide information and advice in the New South Wales and 
Commonwealth jurisdictions. If you are enquiring from another state or 
territory please contact your local community legal centre.

More information about the Koha mailing list