Byron, did you mention that people logged in via persona (or in future github) won't be able to authenticate currently over the rest api?
(In reply to Dale Harvey (:daleharvey) from comment #1)
> Byron, did you mention that people logged in via persona (or in future
> github) won't be able to authenticate currently over the rest api?

persona's design and implementation requires a browser; it cannot be used for api/headless authentication.
users who use persona to authenticate to bmo are able to use api-keys for api authentication.

while not finalised, it's highly probable that fixing the copy+paste api-key dance will be a q2 goal for the bmo team.
> persona's design and implementation requires a browser; it cannot be used for api/headless authentication.

We aren't using the API headlessly, it's people using http://bzlite.com/ in a browser. I am going to give adding persona login a shot and hope the api works.

I am not sure why API keys are being used or that they can be fixed, QR codes certainly aren't much improvement. It seems like any login flow (persona / github oauth) we use on http://bugzilla.mozilla.org should also be able to authenticate REST api calls.
So for the short term I think the only solution is to support API key authentication for users who only use persona auth, long term I would really like to have 1st class support for authentication for REST clients
Hey Byron, sorry for all the bmo questions, but thanks a lot for your help.

Is there a good way to check that a token is valid? It would be extra ideal if I could figure out the username from the token.
(In reply to Dale Harvey (:daleharvey) from comment #4)
> So for the short term I think the only solution is to support API key
> authentication for users who only use persona auth, long term I would really
> like to have 1st class support for authentication for REST clients

the bugzilla team agrees :) but it's likely this will require a rewrite of our authentication stack :(

(In reply to Dale Harvey (:daleharvey) from comment #5)
> Is there a good way to check that a token is valid, it would be extra ideal
> if I could figure out the username from the token

we have http://bugzilla.readthedocs.org/en/latest/api/core/v1/user.html#valid-login for the older login tokens, but nothing for api-keys. i've filed bug 1143533.

until that lands, try performing an action which requires authentication. user matching is probably the best one to hit - you need to be logged in, and we ignore queries which are too short so the impact on bmo is minimal.

https://bugzilla.mozilla.org/rest/user?match=x&api_key=...
(that's literally a single "x" as the match)
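The key check suggested in the comment above, as an added JavaScript example that is not part of the original thread or of bzlite. The host `bugzilla.example`, the function names and the three-way result are assumptions made for illustration, as is the shape of a refused response (a JSON object with a truthy `error` member).

```javascript
// Build the probe request from the comment: /rest/user?match=x&api_key=...
function buildProbeUrl(baseUrl, apiKey) {
  const root = baseUrl.endsWith('/') ? baseUrl : baseUrl + '/';
  const url = new URL('rest/user', root);
  url.searchParams.set('match', 'x'); // a single "x", too short to be searched
  url.searchParams.set('api_key', apiKey);
  return url.toString();
}

// Replace the key before a probe URL goes into a log line or error report.
function redactKey(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has('api_key')) {
    url.searchParams.set('api_key', 'REDACTED');
  }
  return url.toString();
}

// Map a response to 'valid', 'rejected' or 'unknown'.
// Assumption: a refused request carries a JSON object with a truthy "error"
// member; anything that is not a JSON object (proxy or outage page) is
// 'unknown', so a stored key is not discarded on a transient failure.
function classifyResponse(status, bodyText) {
  let body = null;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return 'unknown';
  }
  if (body === null || typeof body !== 'object') return 'unknown';
  if (status === 429 || status >= 500) return 'unknown';
  if (status === 200 && !body.error) return 'valid';
  return 'rejected';
}

// fetchImpl is injectable so the logic can be exercised without a network.
async function probeApiKey(baseUrl, apiKey, fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(buildProbeUrl(baseUrl, apiKey), {
      headers: { Accept: 'application/json' },
    });
    return classifyResponse(res.status, await res.text());
  } catch (err) {
    return 'unknown'; // a network failure says nothing about the key
  }
}
```

Only a `rejected` result should cause a client to drop the stored key and ask the user to authenticate again; `unknown` calls for a retry.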
Decided on the weekly meeting to not block on this, I think ideally I may be able to get familiar with the bugzilla codebase and see what I can do about getting full support for 3rd party auth.

In the meantime people will have to use their bugzilla credentials, we may still implement this but it won't block v1.
> user matching is probably the best one to hit - you need to be logged in, and we
> ignore queries which are too short so the impact on bmo is minimal.
> https://bugzilla.mozilla.org/rest/user?match=x&api_key=...

Thanks a lot, will do it this way if / when we get to implementing API keys on bzlite.
FTR, that is not blocking because a Persona logged-in user can still set a Bugzilla password and log in with it on the app, and continue to use Persona on Desktop for instance.
(In reply to Dale Harvey (:daleharvey) from comment #7)
> In the meantime people will have to use their bugzilla credentials, we may
> still implement this but it wont block v1

FWIW, I don't know if it's the case for many people at Mozilla, but I think my account is a Persona-only one. I've never managed to log in with the default authentication system.
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #11)
> FWIW, I don't know if it's the case for many people at Mozilla, but I think
> my account is a Persona-only one. I've never managed to log in with the
> default authentication system.

when you log in to bmo with persona you're actually creating a normal account without a usable password. bugzilla hands off just the password verification phase to persona.

as per comment 9 it's possible to use bugzilla's "password reset" mechanism to set a password on your account -- doing so won't prevent you from continuing to use persona for auth.
This has landed and is almost ready to implement, documentation is @ https://bugzilla.readthedocs.org/en/latest/integrating/auth-delegation.html#auth-delegation

Dylan, can you give me a ping when the token api change and UI have landed? Cheers
Created attachment 8645366
https://github.com/mozilla-b2g/bzlite/pull/34

So because this can't be tested against a test installation I have pushed the commit up to http://www.bzlite.com/ so it can be tested. The bugzilla UX doesn't work great on mobile, I have filed a follow up for that @ https://bugzilla.mozilla.org/show_bug.cgi?id=1192538

It does however seem to work, tested persona login and it went well.
Comment on attachment 8645366
https://github.com/mozilla-b2g/bzlite/pull/34

r=me with a few comments on the PR to fix
Thanks so much for these reviews. Fixed nits and filing follow up.

Merged in https://github.com/mozilla-b2g/bzlite/commit/43e54fbb82a0454ad2f4d119e47cc1ef11305c3b
QA trying to verify this bug. Can we have an STR here? Is it just go to http://www.bzlite.com/ on DUT browser and try to log in there?
NI Naoki since he's the one that put verifyme on there. Please address comment 21.
Yes, you would just try to log in with your account. Having said this, there's a UX flow bug when you tap the bugzilla login. There's no way you can go back to the regular login screen. Could you verify and file the bug please?
This issue is verified fixed. I was able to log in to bugzilla lite via app or via browser using my login. Also filed bug 1214456 for the issue Naoki described at comment 23.

Verified via:
Device: Aries 2.5
BuildID: 20151013110851
Gaia: d400cda6bf0f8b30dcf7d7d71bfa61f29a3f1588
Gecko: 607a236c229994df99766c005f9ec729532d7747
Gonk: 2916e2368074b5383c80bf5a0fba3fc83ba310bd
Version: 44.0a1 (2.5)
Firmware Version: D5803_23.1.A.1.28_NCB.ftf
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0
When I try to log in I get: "Auth delegation received an HTTP response other than 200 OK from auth consumer. Code: 404"

STR:
Open bzlite
Enter bugzilla username and password, press Login
- The following message displays: "API key authentication is required."
- Press OK
Press 'Or login via Bugzilla'
Enter bugzilla username and password + 2FA token
- The following displays (from bmo website): Auth Delegation Request ...
Press Accept

When I look at the API keys listed in my Bugzilla preferences, there is indeed 1 API key for Bugzilla Lite (created as a result of this process) and its status is "never used".

I have tried this flow several times, after a restart, and after logging in and out of Bugzilla.
Yup, seeing this too. Not sure if something else has changed (or I forgot to push), checking now.
There was a line missing in my last commit, r=me'd it, should all be working now, apologies.

https://github.com/mozilla-b2g/bzlite/commit/149a995cc5a0fb97003b8dd8084a0c9fd3e0b2b2
$callback_uri may not be accessible from the bugzilla instance. For example, I can have an internal application which wants to connect to an external bugzilla instance on behalf of a user. The user can open the callback uri (e.g. in a browser), but the bugzilla instance cannot.