External services often need to talk to the ILS to authenticate/authorize patrons and retrieve basic information about the patron account, such as patron type, email address, or current checkouts. Different vendors have different requirements, and different libraries in a consortium may have different policies around which patrons may be authenticated and what patron info to share with the vendor. Evergreen does not currently provide an easy way to handle this.
I propose the following:
1. EG should provide a simple, secure HTTP API for authentication and retrieval of basic patron information -- something that common library vendors and products can use.
2. To accommodate the range of vendor requirements, there should be different handlers for different external services. The handler would process the incoming message, talk to the EG backend (client authorization and patron auth/retrieval), and provide an appropriate response. Responses should be configurable and template-based where applicable, so that each library has control over the information they share.
3. Libraries should be able to control which patrons can and cannot be authenticated, based on common criteria such as patron type, current status, and blocks/standing penalties.
Working branch user/jeffdavis/lp1817645-remoteauth-patron-api has an initial implementation:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1817645-remoteauth-patron-api
It introduces a generic RemoteAuth mod_perl handler for processing various types of patron auth requests, and provides a form of "Basic" HTTP Authentication [1] as a reference implementation.
This branch doesn't include templating for responses. I want to add support for EZProxy and possibly PatronAPI, but I'd like the current design and code to be reviewed before I proceed.
How it works:
-------------
1. Client submits a request to a RemoteAuth endpoint containing user credentials and any additional requirements.
2. RemoteAuth loads the handler module for this endpoint.
3. Handler processes the request and authorizes the client.
4. Handler loads this endpoint's configuration from the database.
5. Handler authenticates the user using the credentials provided, and tests whether auth is permitted for this user at this endpoint.
6. Handler returns an appropriate response to RemoteAuth, which passes the response to the client.
Test plan for Basic HTTP Authentication:
----------------------------------------
1. Install the branch on a test server and load concerto data. Basic auth will be enabled by default for localhost access only.
2. Generate base64-encoded credentials for your test patron: echo -n "<username>:<password>" | base64
3. Query the basic auth endpoint: curl -k -s -o /dev/null -I -w "%{http_code}\n" https://localhost/api/basicauth -H "Authorization: Basic <base64-encoded-credentials>"
This will return 200 if patron authentication is successful, and 403 if patron auth fails or is not permitted.
There's also a Perl live test. However, the live test may fail in some environments due to an upstream bug in LWP::Protocol::https that prevents us from skipping certificate verification.[2] The packaged version of that module in Ubuntu 16.04 is affected; installing LWP::Protocol::https version >=6.07 from CPAN resolves the problem.
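To make the request flow in "How it works" and the 200/403 outcomes of the test plan concrete, here is an added Python simulation of a Basic endpoint handler. It is example code written for this note, not code from the branch or from Evergreen: the patron records, the endpoint configuration keys (allowed_profiles, deny_if_barred, deny_if_blocking_penalties, shared_fields) and the function names are all assumptions. It shows the pieces a real handler has to get right: parsing the Authorization header defensively, verifying the password, applying the library's per-endpoint policy (patron type, barred status, standing penalties), and returning only the fields the library has chosen to share.

```python
import base64
import binascii
import hmac

# Constructed patron records standing in for the Evergreen backend lookup.
# Field names are assumptions for this example, not Evergreen's schema.
PATRONS = {
    "jsmith": {"password": "s3cret", "profile": "Patrons", "barred": False,
               "blocking_penalties": 0, "email": "jsmith@example.org", "checkouts": 3},
    "staffer": {"password": "pw", "profile": "Staff", "barred": False,
                "blocking_penalties": 0, "email": "staffer@example.org", "checkouts": 0},
    "blocked": {"password": "pw", "profile": "Patrons", "barred": False,
                "blocking_penalties": 2, "email": "blocked@example.org", "checkouts": 1},
}

# Constructed per-endpoint configuration (hypothetical keys): which patrons may
# authenticate here, and which fields this library is willing to share.
BASIC_ENDPOINT_CONFIG = {
    "allowed_profiles": {"Patrons"},
    "deny_if_barred": True,
    "deny_if_blocking_penalties": True,
    "shared_fields": ("profile", "email"),
}


def parse_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' header,
    or None if the header is missing or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain a colon, so split on the first one only;
    # the password part may legitimately contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def auth_permitted(patron, config):
    """Apply the endpoint policy: patron type, barred status, standing penalties."""
    if patron["profile"] not in config["allowed_profiles"]:
        return False
    if config["deny_if_barred"] and patron["barred"]:
        return False
    if config["deny_if_blocking_penalties"] and patron["blocking_penalties"] > 0:
        return False
    return True


def handle_basicauth(header, config=BASIC_ENDPOINT_CONFIG, patrons=PATRONS):
    """Simulate the handler: (200, shared fields) on success, (403, {}) otherwise."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 403, {}
    username, password = creds
    patron = patrons.get(username)
    # Same 403 for unknown user, wrong password and policy denial, so the
    # response does not reveal which check failed; compare in constant time.
    if patron is None or not hmac.compare_digest(
            patron["password"].encode("utf-8"), password.encode("utf-8")):
        return 403, {}
    if not auth_permitted(patron, config):
        return 403, {}
    return 200, {field: patron[field] for field in config["shared_fields"]}


def basic_header(username, password):
    """Build the header value that the test plan's echo | base64 step produces."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    for user, pw in [("jsmith", "s3cret"), ("jsmith", "wrong"),
                     ("staffer", "pw"), ("blocked", "pw")]:
        print(user, handle_basicauth(basic_header(user, pw)))
```

The endpoint configuration is what step 4 of "How it works" loads from the database; keeping the shared field list there rather than in the handler is what lets each library decide independently what a given vendor sees, which is the point of proposal item 2.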
Apache configuration:
---------------------
To define a new RemoteAuth endpoint, add a new Location directive in your eg_vhost.conf file. The default configuration for Basic auth looks like this:
<Location /api/basicauth>
    SetHandler perl-script
    PerlHandler OpenILS::WWW::RemoteAuth
    Options +ExecCGI
    # access restricted to localhost by default; since this module provides no
    # client authentication, restricting access by IP or other means is strongly
    # recommended
    Require local
    # remoteauth config name
    PerlSetVar OILSRemoteAuthConfig "Basic"
    # Perl module for processing requests
    PerlSetVar OILSRemoteAuthHandler "OpenILS::WWW::RemoteAuth::Basic"
    # staff username/password for config lookup and patron retrieval
    PerlSetVar OILSRemoteAuthClientUsername "admin"
    PerlSetVar OILSRemoteAuthClientPassword "demo123"
</Location>
The URL path /api/basicauth is our endpoint. External clients send appropriately-constructed requests to this URL and get a response indicating whether auth succeeded (and containing patron account information, dependi...