Use RemoteAuth for EZProxy authentication

Bug #1850992 reported by Jeff Davis on 2019-11-01
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Evergreen
Wishlist
Unassigned

Bug Description

Evergreen 3.4 introduced remote authentication profiles (bug 1817645), which means external services can use EG as an auth provider while allowing library staff to manage auth privileges from within Evergreen using criteria such as patron type and status. We should build on this feature to provide out-of-the-box support for EZProxy.

The basic workflow is pretty simple: the library points its EZProxy at Evergreen; Evergreen validates the user's credentials, checks their privileges based on the profile defined in EG, and provides EZProxy with a response indicating whether the user is permitted to access resources. There are two EZProxy authentication methods that we could support:

1. External script authentication - EZProxy provides a login form, which submits an auth request to an HTTP API provided by Evergreen; EG's response is an appropriately-formatted yes/no indicating whether auth succeeded. (There is an old CGI script at Open-ILS/examples/remoteauth.cgi that supports this method, but it doesn't use auth profiles, so any non-deleted, non-barred user with a valid password will be authorized.)
https://help.oclc.org/Library_Management/EZproxy/Authenticate_users/EZproxy_authentication_methods/External_script_authentication

2. CGI authentication - EG provides a login form; the user enters their credentials; EG processes the auth request, then either presents the user with an error page indicating why their attempt failed, or redirects them to EZProxy with a valid auth ticket.
https://help.oclc.org/Library_Management/EZproxy/Authenticate_users/EZproxy_authentication_methods/CGI_authentication

I'd like to target method #2, using TT2 templates to allow sites to customize the login form and error pages. But it would be easy enough to add support for method #1 too.

(Ideally the minor issues in bug 1843818 should be addressed before RemoteAuth-based EZProxy support is merged into master.)

Changed in evergreen:
milestone: none → 3.5-alpha
importance: Undecided → Wishlist
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream has an initial attempt at an implementation:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream

So far the branch consists of two commits. The first adds Template Toolkit support for RemoteAuth, which will be needed to support other vendors/products besides EZProxy:
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=77a8d90e

The second commit adds the support for EZProxy CGI authentication (see method #2 from the bug description):
https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=06453bf6

In my test environment, this branch successfully displayed a login form, presented the appropriate error page on auth failure, and redirected to the appropriate EZProxy URL on auth success. I still need to test with an actual EZProxy instance to ensure that EG is generating valid authentication tickets; I should be able to do that in January, at which point I'll add a pullrequest.

Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1850992-remoteauth-ezproxy-upstream-rebased is the same code, but rebased to master. I've confirmed that it works with an EZProxy test instance, so I'm adding a pullrequest.

Changed in evergreen:
milestone: 3.5-beta → 3.next
tags: added: pullrequest
Jane Sandberg (sandbej) wrote :

I can try this with our production EZProxy... eventually! Please feel free to unassign me if somebody else can get to it first.

Changed in evergreen:
assignee: nobody → Jane Sandberg (sandbej)
Changed in evergreen:
milestone: 3.next → 3.6-beta
Jane Sandberg (sandbej) on 2020-08-19
tags: added: needsreleasenote
Jane Sandberg (sandbej) wrote :

This works well for me. Thanks, Jeff. Sign off branch at user/sandbergja/lp1850992-remoteauth-ezproxy-signoff.

I also pushed some release notes, and a little extra guidance in the eg_vhost comments to answer some stumbling blocks I ran into.

tags: added: signedoff
removed: needsreleasenote
Jane Sandberg (sandbej) on 2020-08-19
Changed in evergreen:
assignee: Jane Sandberg (sandbej) → nobody
Galen Charlton (gmc) wrote :

All of the bits short of hooking it up to an EZproxy server work for me, so I've pushed this to master for inclusion in 3.6. Thanks, Jeff and Jane!

Changed in evergreen:
status: New → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers