Use RemoteAuth for EZProxy authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Wishlist | Unassigned |
Bug Description
Evergreen 3.4 introduced remote authentication profiles (bug 1817645), which means external services can use EG as an auth provider while allowing library staff to manage auth privileges from within Evergreen using criteria such as patron type and status. We should build on this feature to provide out-of-the-box support for EZProxy.
The basic workflow is pretty simple: the library points its EZProxy at Evergreen; Evergreen validates the user's credentials, checks their privileges based on the profile defined in EG, and provides EZProxy with a response indicating whether the user is permitted to access resources. There are two EZProxy authentication methods that we could support:
1. External script authentication - EZProxy provides a login form, which submits an auth request to an HTTP API provided by Evergreen; EG's response is an appropriately-
https:/
2. CGI authentication - EG provides a login form; the user enters their credentials; EG processes the auth request, then either presents the user with an error page indicating why their attempt failed, or redirects them to EZProxy with a valid auth ticket.
https:/
I'd like to target method #2, using TT2 templates to allow sites to customize the login form and error pages. But it would be easy enough to add support for method #1 too.
(Ideally the minor issues in bug 1843818 should be addressed before RemoteAuth-based EZProxy support is merged into master.)
Changed in evergreen:
milestone: none → 3.5-alpha
importance: Undecided → Wishlist
Changed in evergreen:
milestone: 3.next → 3.6-beta
tags: added: needsreleasenote
Changed in evergreen:
assignee: Jane Sandberg (sandbej) → nobody
Changed in evergreen:
status: Fix Committed → Fix Released
Working branch user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream has an initial attempt at an implementation:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream
So far the branch consists of two commits. The first adds Template Toolkit support for RemoteAuth, which will be needed to support other vendors/products besides EZProxy:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=77a8d90e
The second commit adds the support for EZProxy CGI authentication (see method #2 from the bug description):
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=06453bf6
In my test environment, this branch successfully displayed a login form, presented the appropriate error page on auth failure, and redirected to the appropriate EZProxy URL on auth success. I still need to test with an actual EZProxy instance to ensure that EG is generating valid authentication tickets; I should be able to do that in January, at which point I'll add a pullrequest.
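Added example, not code from the Evergreen branch: a Python sketch of the ticket hand-off in method #2 (CGI authentication), with an issuer and a stand-in verifier so ticket generation can be checked offline. The ticket layout follows OCLC's published EZProxy ticket samples and is an assumption here, as are all function names, the `valid_minutes` window, the host and the secret.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import quote

# Assumed ticket layout (from OCLC's published ticket samples, not from this bug):
#   ticket = hex(hash(secret + user + packet)) + packet
#   packet = "$u<unix time>" [+ "$g<groups>"] + "$e"
TICKET_RE = re.compile(r"([0-9a-f]+)(\$u(\d+)(?:\$g[^$]*)?\$e)")

def _digest(secret, user, packet, algo):
    return hashlib.new(algo, (secret + user + packet).encode()).hexdigest()

def make_ticket(secret, user, now=None, groups="", algo="sha256"):
    """Issuer side (the role Evergreen plays in method #2)."""
    if not secret:
        raise ValueError("shared secret must not be empty")
    packet = "$u%d" % int(time.time() if now is None else now)
    if groups:
        packet += "$g" + groups
    packet += "$e"
    return _digest(secret, user, packet, algo) + packet

def login_url(ezproxy_base, secret, user, target, **kw):
    """Redirect location sent to the browser after a successful login."""
    ticket = make_ticket(secret, user, **kw)
    # url= goes last and is appended as-is (assumption, as in OCLC's samples).
    return "%s/login?user=%s&ticket=%s&url=%s" % (
        ezproxy_base.rstrip("/"), quote(user, safe=""), quote(ticket, safe=""), target)

def check_ticket(secret, user, ticket, now, valid_minutes=10, algo="sha256"):
    """Stand-in for the receiving side: recompute the hash, then check age."""
    m = TICKET_RE.fullmatch(ticket)
    if not m:
        return "malformed"
    digest, packet, issued = m.group(1), m.group(2), int(m.group(3))
    if not hmac.compare_digest(digest, _digest(secret, user, packet, algo)):
        return "bad-hash"
    if abs(now - issued) > valid_minutes * 60:
        return "expired"
    return "ok"

if __name__ == "__main__":
    # Constructed sample values; the secret and host are placeholders.
    t0 = 1700000000
    print(login_url("https://ezproxy.example.org", "s3cret", "patron1",
                    "https://db.example.com/", now=t0))
    print(check_ticket("s3cret", "patron1", make_ticket("s3cret", "patron1", now=t0), t0 + 60))
```

The ticket binds only the username and issue time to the shared secret, so the secret's strength and the length of the validity window determine how long a captured redirect URL stays usable.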