Authentication bugs
New (70)
- Broken workflow on CAS login with wrong permissions
- Attributes removed in LDAP
- 31912 (JD): When enforcing 2FA we should alert the user
- Staff logout SSO issue
- Changing password after turning on password expiration results in setting of NEVER
- Shibboleth SingleSignOut
- Internal routines are ignoring the patrons found during credential checks
- 15204 (GC): Auth.pm does too much
- Oauth2/OIDC identity providers code is not covered by unit tests
- Identity Providers stop working after Apache Reload/Restart
- Problem with system preference casServerUrl persistency
- 15205 (GC): Factor 'SyndeticsEnabled' out of Auth.pm
- 8785 (GC): Basic authentication troubleshootings
- 18992 (NC): LDAP fallback behaviour not consistent
- 17113 (GC): Unable to search multi-domain Active Directory forest due LDAP required base
- 18587 (MR): LDAP: update_local is entirely untested!
- Initials are not generated correctly by LDAP when firstname or surname start with umlauts
- 18615 (GC): LDAP configuration error causes server resource depletion under Plack
- ldap auth fails unless <ldapserver id="ldapserver">
- 8865 (GC): Re-logging in needs to pass POST & GET arguments
- C4::Auth should use C4::Context->IsSuperLibrarian()
- 12681 (MR): Shibboleth attributes may contain lists
- Optionally block local login of accounts set for SSO
- 2FA - provide a REST API challenge route
- Allow to send the TOTP token by email when enabling 2FA
- 2FA authentication failure is incorrectly logged as success
- 2FA: more flexibility
- Add ability for administrator to reset a users 2FA
- Shibboleth Login not honouring branch selector
- Notify patron that the session is about to expire
- Identity Provider Single-Logout Enhancement
- 15428 (GC): Different timeout preference for OPAC and staff interface
- 18016 (DP): C4::Auth_with_ldap::ldap_entry_2_hash inserts 0000-00-00 for invalid dateofbirth
- Allow for independent shibboleth autocreate and sync mapping
- 2FA - ask for the users password when they choose to disable 2FA
- We need tests for the OAuth2/OIDC client
- GDPR: Regularly force patrons password renew
- Add ability to turn Shibboleth on/off for staff/opac
- Enable to update LDAP entries from Koha
- Add a 'koha only' authentication path
- Create sub clear_session_and_cookies
- Don't allow to use the same password as before when a password expires/is reset
- New password should be more than just unequal to old password
- Shibboleth may redirect to OPAC if staff interface and OPAC are served on same hostname.
- Authentication using Shibboleth - bootstrap
- 28093 (MR): Additional configuration option(s) for Shibboleth-only mode
- OPAC and staff (intranet) should not share the same session and cookie
- Add support for extended attributes mapping on IdP config
- Enforce 4 character groups (lowercase, uppercase, numbers and special characters) in passwords
- [OMNIBUS] Passwords should be more complex / password policy complexity
- Add support for LDAPS
- LDAP ACTIVE DIRECTORY with different domain suffix
- Shibboleth Autocreate error
- Streamline OIDC error messages
- Allow prioritizing identity providers
- 20627 (MR): Prevent leakages of user permissions to api access tokens
- Auth_with_ldap only searches tree with anon_bind
- 12680 (MR): Shibboleth adaptive config
- 12682 (MR): Shibboleth attribute manipulation
- Use time-based mechanism for account lockout
- Notify patrons about failed login attempts
- Support for FIDO WebAuthn (passwordless)
- GDPR: Script to block inactive users (with no successful logins on a defined period)
- Shibboleth create/sync: Allow mapping of extended patron attributes
- Multiple LDAP servers
- 11920 (GC): Staff pages should default to requiring "catalogue" permission
- 14023 (GC): Specify Attribute Mapping for CAS Authentication
- Add support for logout from external OAuth2/OIDC identity providers
- Enable Koha to act as Shibboleth identity provider
- Tumblebooks Integration
Assigned (1)
- 18237 (OK): Can't use a hash as a reference at docs/CAS/CASProxy/examples/proxy_cas_data.pl line 60.
In discussion (5)
- 18549 (MT): There should be a warning that logging out of Koha will leave browser session logged in to OAuth
- Staff users without superlibrarian can't log into OPAC
- 27305 (DC): Use low privileged tokens to enable authenticated iCal feed
- 18315 (FR): authentication and authorization refactoring
- Two Factor Authentication: Yubikey
Failed QA (10)
- 38258 (BW): Connecting without a proper CGI cookie can disconnect all sessions
- Account lockout message appears incorrectly for blank userid
- 34164 (NVO): OAuth2/OIDC should redirect to page that initiated login
- 36617 (NVO): The old googleopenidconnect service should redirect to page that initiated login
- 16694 (ME): Limit SIP2 auth by patron attribute
- 20340 (AA): Ability to use authentication plugin
- 33259 (AB): Optionally set SameSite attribute of cookie to Strict
- Refactor checkauth() auth rejected to improve maintainability
- LDAP authentication improvements: multiple branch and transformation modules
- 27312 (ME): Add a syspref to redirect patron after self registration
Patch doesn't apply (1)
- 13932 (RS): Allow a header to be considered trusted to provide the userid
Needs signoff (2)
- 11808 (MS): When searching for a cardnumber in the intranet, also try to search for it on the LDAP server if one is configured and add/update user
- 35617 (SS): Make phone number as match point in in Identity providers
Signed off (1)
- 37711 (TCA): IdP auto-register should work on the staff interface
Pushed to main (1)
- 38826 (DC): C4::Auth::check_api_auth sometimes returns $session and sometimes returns $sessionID
Needs documenting (5)
- 34755 (DC): Error authenticating to external OpenID Connect (OIDC) identity provider : wrong_csrf_token
- 37104 (SL): Block AnonymousPatron from logging into anything
- 36098 (DC): Create Koha::Session module
- 36026 (LK): Add TLS MySQL connection without mutual authentication
- 36503 (RS): Add a plugin hook to modify patrons after authentication