Time  Nick       Message
08:27 liw        @wunder helsinki
08:27 huginn     liw: The current temperature in Helsinki, Finland is 1.0°C (10:20 AM EET on February 18, 2017). Conditions: Clear. Humidity: 81%. Dew Point: -2.0°C. Windchill: -4.0°C. Pressure: 29.77 in 1008 hPa (Falling).
12:14 tcohen     morning
12:27 * cait1    waves
14:48 tcohen     hi cait1
14:49 tcohen     have a nice w-e #koha
15:02 kivilahtio ashimema: Hi! Are you working on OAuth2 support in Koha?
15:02 kivilahtio ashimema: looking at batman's and Lee's work regarding the Mojolicious Plugins, having that done using Mojolicious looks like a low-hanging-fruit
15:03 kivilahtio ashimema: we need it for the national OPAC. Or a solution similar to it
15:03 kivilahtio ashimema: but I think OAuth2 is the bestest solution
15:04 kivilahtio also might implement SAML2 soon, as we are getting some pressure from high-ups and nationally (legislation actually mandates us to implement SAML2 support)
15:05 kivilahtio why not do them both while at the auth-madness :)
15:31 jcamins    kivilahtio: because SAML will kill you? Friends don't let friends SAML?
15:32 kivilahtio jcamins: haha
15:32 kivilahtio jcamins: thanks for the warning
15:32 kivilahtio jcamins: unfortunately our suomi.fi uses SAML to provide SSO for all public sector services
15:32 kivilahtio and we are legally mandated to join the national "platform"
15:33 kivilahtio jcamins: why do you think SAML is bad?
15:33 jcamins    Actually, I've been lucky... I mostly only have to deal with OAuth2/OpenID Connect.
15:33 jcamins    On the unlucky side, I've had to use a vendor which doesn't believe in backward-compatibility.
15:33 jcamins    It does not map well to modern web technology.
15:34 kivilahtio jcamins: hmm. What do you mean? I didn't find such issues?
15:34 kivilahtio tho I have very little experience with all these security-things
15:34 jcamins    And it's one of those things that is a little bit different in every implementation.
15:35 kivilahtio Luckily there is not so much to implement differently?
15:35 jcamins    There seems to be a surprising amount.
15:36 kivilahtio I mean, you ask the idp if this user is authenticated, and ask for extra attributes if the user is authenticated.
15:36 kivilahtio if not authenticated, redirect to idp for authentication
15:36 kivilahtio There is no standard for the user attributes, I guess this is where things can get complicated
15:37 jcamins    Yeah.
15:37 jcamins    That's where it was particularly painful in terms of lack of standardization.
15:37 jcamins    The fact that all SAML communication is done via POST is what I felt didn't work well with an OAuth2-centric model.
15:38 kivilahtio I understand
15:38 kivilahtio I guess you just need to relax your REST-pants
15:38 jcamins    "Oh look, here's this blank page with some JS that is going to magically POST an XML file to a random third-party server."
15:38 kivilahtio I hear ya
15:38 kivilahtio and using XML
15:39 kivilahtio XML is so dead
15:39 jcamins    Eh, I'm less concerned about purity and more concerned about the fact that it raises red flags in every hospital IT department anywhere.
15:39 kivilahtio jcamins: are you sure you must use js to submit forms?
15:40 kivilahtio jcamins: I guess, since the SAML2 requests must originate from the user, not the server being accessed
15:40 kivilahtio jcamins: but this is no different from Koha's login page?
15:41 kivilahtio jcamins: you load the front-page. While loading it, ask the idp if the user is authenticated. If not, instead of the login-form, display a login-via-idp-link
15:42 kivilahtio there is an extra step for the user tho, but after the extra step, it is SSO everywhere
15:42 kivilahtio but yeah. You do have a point.
15:43 kivilahtio isn't this the same with OAuth?
15:43 kivilahtio user is redirected to the auth-server where he gives the permissions for the 3rd party to act on his behalf?
15:44 kivilahtio in SAML, he simply acts by himself
15:47 kivilahtio jcamins: I wonder if you could redirect to the IDP via an HTTP status 307...
16:05 jcamins    kivilahtio: something just occurred to me... you're not implementing the IDP. I imagine if I weren't working on the IDP side, I'd be a lot happier.
16:15 kivilahtio jcamins: I found simplesamlphp
16:15 kivilahtio jcamins: this is the reason why I am considering SAML2
16:16 kivilahtio we can have our own internal SSO using the nationally mandated standard
16:16 kivilahtio then switch to the national IDPs when the time is ripe
16:17 kivilahtio jcamins: but no. I am planning to use simplesamlphp as the idp. I managed to get it to work and the php-code is something I can debug.
16:18 kivilahtio jcamins: have you worked on the idp-side?
16:25 jcamins    kivilahtio: we use a third-party vendor as IDP, but I've been substantially responsible for making everything work together from the application point of view.
16:25 jcamins    So dealing with implementation quirks, moving between applications, etc.