Use RemoteAuth for EZProxy authentication

Bug #1850992 reported by Jeff Davis
Affects: Evergreen
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

Evergreen 3.4 introduced remote authentication profiles (bug 1817645), which means external services can use EG as an auth provider while allowing library staff to manage auth privileges from within Evergreen using criteria such as patron type and status. We should build on this feature to provide out-of-the-box support for EZProxy.

The basic workflow is pretty simple: the library points its EZProxy at Evergreen; Evergreen validates the user's credentials, checks their privileges based on the profile defined in EG, and provides EZProxy with a response indicating whether the user is permitted to access resources. There are two EZProxy authentication methods that we could support:

1. External script authentication - EZProxy provides a login form, which submits an auth request to an HTTP API provided by Evergreen; EG's response is an appropriately-formatted yes/no indicating whether auth succeeded. (There is an old CGI script at Open-ILS/examples/remoteauth.cgi that supports this method, but it doesn't use auth profiles, so any non-deleted, non-barred user with a valid password will be authorized.)
https://help.oclc.org/Library_Management/EZproxy/Authenticate_users/EZproxy_authentication_methods/External_script_authentication

2. CGI authentication - EG provides a login form; the user enters their credentials; EG processes the auth request, then either presents the user with an error page indicating why their attempt failed, or redirects them to EZProxy with a valid auth ticket.
https://help.oclc.org/Library_Management/EZproxy/Authenticate_users/EZproxy_authentication_methods/CGI_authentication

I'd like to target method #2, using TT2 templates to allow sites to customize the login form and error pages. But it would be easy enough to add support for method #1 too.

(Ideally the minor issues in bug 1843818 should be addressed before RemoteAuth-based EZProxy support is merged into master.)
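
An added illustration of the gap noted under method #1 in the description above (not code from Evergreen or from the bug reporter): it compares the rule attributed to the old script with a profile-based decision that also weighs patron type and status. The `Patron` and `AuthProfile` classes, their field names, the reason strings and the sample patrons are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patron:  # constructed sample record, not Evergreen's schema
    barcode: str
    patron_type: str
    deleted: bool = False
    barred: bool = False
    active: bool = True
    expired: bool = False

@dataclass(frozen=True)
class AuthProfile:  # hypothetical stand-in for a remote auth profile
    allowed_types: frozenset
    allow_inactive: bool = False
    allow_expired: bool = False

def legacy_check(patron, password_ok):
    """Old-script rule per the description: valid password, not deleted, not barred."""
    return password_ok and not patron.deleted and not patron.barred

def profile_check(patron, password_ok, profile):
    """Return (allowed, reason); every failed test denies (fail closed)."""
    if not password_ok:
        return False, "bad_credentials"
    if patron.deleted or patron.barred:
        return False, "blocked"
    if patron.patron_type not in profile.allowed_types:
        return False, "patron_type"
    if not patron.active and not profile.allow_inactive:
        return False, "inactive"
    if patron.expired and not profile.allow_expired:
        return False, "expired"
    return True, "ok"

def audit_gap(patrons, profile):
    """Barcodes the legacy rule admits but the profile denies, with the reason."""
    gap = {}
    for p in patrons:
        allowed, reason = profile_check(p, True, profile)
        if legacy_check(p, True) and not allowed:
            gap[p.barcode] = reason
    return gap

PROFILE = AuthProfile(allowed_types=frozenset({"Faculty", "Student"}))
SAMPLE = [  # constructed patrons, each assumed to present a valid password
    Patron("1001", "Faculty"), Patron("1002", "Guest"),
    Patron("1003", "Faculty", expired=True), Patron("1004", "Faculty", barred=True),
    Patron("1005", "Student", active=False)]
```

Running `audit_gap(SAMPLE, PROFILE)` lists the accounts a site would be granting proxy access to under the password-only rule but not under the profile.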

Changed in evergreen:
milestone: none → 3.5-alpha
importance: Undecided → Wishlist
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream has an initial attempt at an implementation:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream

So far the branch consists of two commits. The first adds Template Toolkit support for RemoteAuth, which will be needed to support other vendors/products besides EZProxy:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=77a8d90e

The second commit adds the support for EZProxy CGI authentication (see method #2 from the bug description):
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=06453bf6

In my test environment, this branch successfully displayed a login form, presented the appropriate error page on auth failure, and redirected to the appropriate EZProxy URL on auth success. I still need to test with an actual EZProxy instance to ensure that EG is generating valid authentication tickets; I should be able to do that in January, at which point I'll add a pullrequest.

Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream-rebased is the same code, but rebased to master. I've confirmed that it works with an EZProxy test instance, so I'm adding a pullrequest.

Changed in evergreen:
milestone: 3.5-beta → 3.next
tags: added: pullrequest
Jane Sandberg (sandbergja) wrote :

I can try this with our production EZProxy... eventually! Please feel free to unassign me if somebody else can get to it first.

Changed in evergreen:
assignee: nobody → Jane Sandberg (sandbej)
Changed in evergreen:
milestone: 3.next → 3.6-beta
tags: added: needsreleasenote
Jane Sandberg (sandbergja) wrote :

This works well for me. Thanks, Jeff. Sign off branch at user/sandbergja/lp1850992-remoteauth-ezproxy-signoff.

I also pushed some release notes, and a little extra guidance in the eg_vhost comments to answer some stumbling blocks I ran into.

tags: added: signedoff
removed: needsreleasenote
Changed in evergreen:
assignee: Jane Sandberg (sandbej) → nobody
Galen Charlton (gmc) wrote :

All of the bits short of hooking it up to an EZproxy server work for me, so I've pushed this to master for inclusion in 3.6. Thanks, Jeff and Jane!

Changed in evergreen:
status: New → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released