Time Nick Message 06:29 * magnuse waves in the general direction of Marseille 06:30 ashimema morning magnuse 06:30 magnuse bonjour! 06:30 magnuse the early bird gets the worm? 06:33 * magnuse wonders what people do if they have external services that need to authenticate Koha-users through the REST API, but the service should only be avaiable to some of the users, based on something like patron category or an individual setting per user 06:34 reiveune hello 06:35 dcook magnuse: *covers my ears* 06:35 * dcook also waves to folks in France (and other places) 06:35 magnuse bonjour reiveune 06:36 dcook magnuse: I suppose for a use case like that... you'd have to lookup the user first, apply whatever filtering, and then only do the auth then 06:37 dcook With the Keycloak extension I did, I do a patron lookup across a few criteria, and then only attempt auth if I find a matching patron 06:37 magnuse dcook: yeah, that sounds reasonable, but how to implement that? hack the api or could it be done with a plugin? 06:37 dcook Note I forbid any APIs calls to the OPAC other than "public" calls, and then I also restrict the admin REST API by IP 06:37 magnuse ah keycloak, eh 06:37 dcook Doesn't need to be hacked 06:37 dcook But the logic would be consumer-side 06:37 dcook Or if you wanted to embed it in Koha I'd go with a plugin 06:38 dcook magnuse: Yeah I put that Keycloak extension somewhere... 06:39 magnuse could a plugin infiltrate itself into the standard api, or would it have to provide a separate endpoint/service? 06:40 magnuse and if different services should use the same api, how would koha know which logic to apply? 06:40 dcook Different endpoint 06:40 magnuse ok, cool 06:41 dcook However you like 06:41 dcook Phenomenal cosmic power... itty bitty living space... 06:42 dcook The plugin is so powerful you could do anything 06:42 * ashimema wants to try and do some new OAuth grant flows 06:42 dcook ashimema: Oh my... you know just what to say... 06:42 * dcook is onboard for this idea 06:42 magnuse yeah, was mostly wondering if there was some magic that could be done with the standard api 06:43 ashimema we only support the most basic one really.. I'd like to see us to a few other flows.. 06:43 dcook There is no such thing as magic O_O 06:43 dcook hehe 06:43 * ashimema tries to remember the grant flow he's especially interested in. 06:43 dcook magnuse: What's the use case? You can DM me if you don't want to post it here 06:43 ashimema it's on the list to discuss api masquerading at hackfest... i'm kinda hoping that also lets me ask this question again and get someone to help work on it.. 06:44 * dcook isn't at all trying to do 3 things at once right now 06:44 dcook ashimema: Are you at the hackfest? 06:44 dcook Or remoting in? 06:44 ashimema the main issue I've had is our underlying permissions system.. it's a bit of a mess to try and do this 06:44 dcook ^ 06:44 ashimema I'm at Hackfest 🙂 06:44 dcook :3 06:44 ashimema my whole team is here 🙂 06:44 dcook I wish that I was as well.. seems like a good year for it 06:45 ashimema well.. Alexander will be soon enough.. he's the straggler but should hopefully join us in the next few days.. 06:45 ashimema we'll have 7! here this year 06:45 dcook Nice! 06:45 dcook I hope it's a really productive time :D 06:45 dcook Is it just this week? 06:46 ashimema I'm putting together my KohaCon proposal next week.. already got permission to go loosely agreed anyway though 🙂 06:46 dcook I've got a hectic few days, but maybe I can pick up some slack towards the end of the week.. 06:46 ashimema hopefully see yout here 06:46 dcook I sure hope so :) 06:46 ashimema yeah.. just the week.. never get enough done 06:46 dcook Story of my life 06:47 ashimema Hackfest is taking a slightly different format this year though :).. I have been plannning it with my team here for weeks.. when I shared our target list with Paul he turned it into a set of 'Tracks' and now we have three parallel tracks running each with a "lead" 06:47 dcook Oooh that sounds good 06:48 ashimema so I'm leading a track and encouraging discussions and coding to happen around it. 06:48 dcook What's your track called? 06:48 ashimema just up early having a coffee and working out how I'm going to do that.. lol... being on vacation last week means I'm jumping in at the deep end a little again.. 06:49 ashimema I'm on the 'Side' track (which I think is the 'it didn't fit anywhere else' track.. lol) 06:49 ashimema one sec.. I'll dig out the sheet.. no reason not to share it 06:49 ashimema https://docs.google.com/spreadsheets/d/1CqV3Y9iA7j4x7D4RN34h6gfCWJLM0-MFV_G9COEuaOc/edit?usp=sharing 06:49 ashimema those are the hackfest plans 06:50 magnuse dcook: nothing specific yet, the scenario is just different external services that need to authenticate Koha users, and "filtering" which Koha users should be allowed to authenticate 06:51 ashimema [off] I should have a quiet word with Paul about redacting the email addresses in there.. it's a public sheet and I trust you guys but emails should probably be hidden 06:51 dcook ashimema: Oh neat. I like the sound of a lot of these things, although I'm not sure what API Masquerading is 06:51 ashimema the Topics tab is the interesting one 06:51 dcook [off] Yeah probably a good idea to hide those, although I think many of ours have been well and truly harvested by now 06:51 dcook That's the one I'm on haha 06:52 ashimema right now we only do client credentials grant so you create an API user and just login as that.. we have systems that want to login as the client user but 'act' as the patron or staff user 06:52 dcook magnuse: So one way of doing that could be using SSO and attributes in the Identity Provider 06:53 ashimema acting on behalf of a user 06:53 dcook ashimema: Oh yes, I think we talked about this once.. 06:54 dcook Actually if I understand... 06:54 ashimema in reality what we really sohuld have is 'code grant' flow I reckon 06:54 dcook I'm not sure I follow the use case quite.. 06:54 ashimema where you identify both parties anyway and the end user picks which of their permissions the client can access 06:55 ashimema right now we can't easily identify client vs user for api calls 06:56 dcook brb 07:03 dcook And back but really should be running 07:03 dcook ummm 07:04 dcook Yeah, that use case is one I've definitely wanted to work on more as well 07:06 dcook The particular supplier who needed it isn't in the mix anymore I think 07:06 ashimema I'm heading up the road now to find the offices.. 07:06 ashimema catch you later chaps 07:07 dcook "where you identify both parties anyway and the end user picks which of their permissions the client can access" this seemed more common pre-OIDC of course 07:07 dcook We'd want to think of something in a SSO context I think.. 07:07 paulderscheid[m] morning #koha 07:07 dcook Yeah I better run 07:07 dcook laterz ashimema and co 07:43 * magnuse waves in the general direction of Marseille 08:58 dolf Hi. I upgraded from Koha 22.05 to 22.11 today (slowly catching up on all those missed releases). In Koha 22.05, I was using exactly this config for cover images: https://bywatersolutions.com/education/koha-question-of-the-week-where-do-cover-images-come-from-in-koha After the upgrade to 22.11, the cover images are missing. Any ideas how I could debug this or what I should check for? 09:02 dolf Example: https://library.refstudycentre.com/cgi-bin/koha/opac-search.pl?idx=&q=commentary&weight_search=1 09:09 ashimema Joubu: around? 09:31 krimsonkharne[m] g'day #koha 10:14 magnuse_ did we implement 2fa for the opac yet? i thought there was an issue about that but couldn't find it 10:19 aude_c[m] Can't find the bug for it either 🧐 12:18 clrh hi here 12:25 magnuse_ bonjour clrh 12:31 caroline good morning! 12:38 magnuse hiya caroline 12:38 magnuse is there a difference between renewsCheckout and renewCheckout in the REST API? 12:53 clrh hello magnuse 20:39 mtj hi #koha, bonjour #hackfest