EZProxy Issues

[jwoosnam]

I have come across the following EZ proxy issues:

1. IP address not being passed - University of Vienna are accessing PEP from an EZProxy server. The client appears to be working but PaDS is not finding the EZProxy IP address and therefore can not authenticate them.
2. Downloads not working - American University of Paris Library (AUP). In October their EZProxy access started working once they moved the stanza to the top of the EZProxy configuration file, even though this shouldn't make any difference. When they tested for me today they found the download does not work and returns the error below:

[jwoosnam]

@AthenaPEP @davidtuckett

[nrshapiro]

@AthenaPEP @davidtuckett @jwoosnam

You can't go directly to the server and read documents or download documents unless you have a client session-id logged in to PaDS passed in the header, or are logged in directly via the server. So that error is normal.

[davidtuckett]

Can you elaborate please Neil? You are suggesting the error comes about because although people think they are "in" - becasue logged in via their unicersity or group in situatiins where further log in (registration) is not forced. This is not how the syetm is emant to work.

[nrshapiro]

@davidtuckett

I am not saying anything of the sort. I am saying that if you go to a browser like that and enter that URL, you are calling the server directly, and you are not logged in. Authentication requires that you log in to the server, or you use the client App. Period. That is how it is meant to work.

The server uses information in the message headers sent by the client, among that info including a session id, to authenticate the user via pads. No downloads or document views are permitted unless PaDS gives the ok. And that requires a session id.

If you log into the server directly (it then calls PaDS to authenticate you), you will have a session id, and if your account permits it, you can download. That's mainly used for testing and future client development.

[jwoosnam]

The user who is testing this for me is definitely clicking the download link within the client.

On Thu, 2 Dec 2021 at 13:02, Neil Shapiro @.***> wrote:

@davidtuckett https://github.com/davidtuckett

I am not saying anything of the sort. I am saying that if you go to a browsere like that and enter that URL, you are calling the server directly, and you are not logged in. Authentication requires that you log in to the server, or you use the client App. Period. That is how it is meant to work.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578#issuecomment-984607812, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQW276QFG5TEW2CTPZGOAC3UO5U6TANCNFSM5JG4M5NQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[nrshapiro]

I'm in the process of adding the PaDS responses to the direct error messages from the server. That should help diagnose.

When your user is clicking on this in the client, what error message is the server returning? It's not what you showed...that was a direct error message from a URL.

When I test it directly and trace internally, for me it's because I'm getting a 401 error from PaDS. I am logged in but it looks like my session has timed out.

Still working on the error display, but right now it's:

{"detail":"[v2/Documents/Downloads]: The requested document FA.007A.0031A could not be returned (in PDF) From Authorization Server: Full-text access for FA.007A.0031A denied (401). Sess:01314f10-9a5b-471d-863b-2cd959860165: Access:Full-text of this document is unavailable. Your session may have timed out. Please try and login again. "}

[davidtuckett]

Neil. James. Please forgive me for stressing that these issues are causing immense problems for us - custiomer service overload, reputation, potnetial loss of university subscribers. I say this because if it would solve the problem we should return to the idea of forcing everyone to log-on despite the Google consequences. [In other words the screen should grey out and display constant demands you sign in to do anything.] We much prefer to keep the customers we have than to reach out to those we do not and thr proquest/ebsco etc intergrations are more proms9ng than Google.

[nrshapiro]

@davidtuckett I understand the stress, but that would do nothing to fix this type of problem.

[jwoosnam]

I think we have to be careful we don't concentrate on this specific problem. This only came up this morning when I was asking AUP to test their proxy access, and it is only the download that is not working for them, reading documents is fine. My guess is that it is nothing to do with an error on Neil's server and is much more likely to be to do with how the proxy server is handling this sort of request.

This user is authenticated via AUP, so it is not an authentication issue, unless the proxy server is disconnecting the authenticated session from the session that is trying to download the file. I don't even know if what I have just said is even possible, as I am not sure how the proxy server works.

On Thu, 2 Dec 2021 at 14:19, Neil Shapiro @.***> wrote:

@davidtuckett https://github.com/davidtuckett I understand the stress, but that would do nothing to fix this type of problem.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578#issuecomment-984669838, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQW276RPGKKHXW5C4PTF7U3UO56AJANCNFSM5JG4M5NQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[rickardnyman]

@nrshapiro @jwoosnam

Have university of Vienna or AUP mentioned this issue again? I struggle to see how EZProxy would be the issue if they have the latest version of the stanza? Neil, did you find anything else out from the error message from Pads, or is the session timeout still the most recent message?

Anyone else that may be able to advice us on this issue?

[nrshapiro]

@rickardnyman @jwoosnam

I am not investigating this, I am working on making server messages more informative by adding the PaDS response after the OPAS response.

[jwoosnam]

As far as I know neither institution has raised these issues again, but Athena is more likely to hear if they did. The University of Vienna have been using the system but not via EZProxy, American University of Paris Library haven't used PEP in the last week.

Regards

James Woosnam

Mob: 07703 525 775

On Mon, 20 Dec 2021 at 11:29, rickardnyman @.***> wrote:

@nrshapiro https://github.com/nrshapiro @jwoosnam https://github.com/jwoosnam

Have university of Vienna or AUP mentioned this issue again? I struggle to see how EZProxy would be the issue if they have the latest version of the stanza? Neil, did you find anything else out from the error message from Pads, or is the session timeout still the most recent message?

Anyone else that may be able to advice us on this issue?

— Reply to this email directly, view it on GitHub https://github.com/Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578#issuecomment-997841251, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQW276QFJDQ3FRS4MHVSPSDUR4HRNANCNFSM5JG4M5NQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you were mentioned.Message ID: <Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578/997841251 @github.com>

[SophieMBennett]

No new issues have come in from University of Vienna via the Github Support thread, however, I am linking active threads which relate to the university and their EZProxy link.

https://github.com/Psychoanalytic-Electronic-Publishing/Support/issues/190 https://github.com/Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/568

[SophieMBennett]

23/12/2021 Adding for reference /

From: Cappello, Orazio o.cappello@ucl.ac.ukDate: Thursday, 23 December 2021 at 10:01To: Athena Tsiokris athena@pep-web.orgCc: Rickard Nyman rickardnyman@gmail.com, Tuckett, David d.tuckett@ucl.ac.uk, James Woosnam james.woosnam@zedra.co.ukSubject: EZ Proxy Email: Steps to Resolve

Dear Athena,

Hope this finds you well. Apologies for bothering you on your holiday.

This won’t take a minute! As discussed, I’ve liaised with Rickard and David to sort this EZProxy situation out. The situation is now in hand from a technical perspective.

All we need to do now is communicate the solution and get buy-in to resolve.

With Rickard’s contribution and David’s approval, I have drafted the below. This note contains the steps to update the proxy configuration and resolve the access issue.

Could you please send this to those universities facing this issue, copying me in. If they require further counselling or to speak to Rickard (or for one of us to update the configuration), I will jump in. So you won’t have to worry further about this.

Let me know if this works for you

All best Orazio

STARTS

RE: Updating Configuration of EZProxy Servers

Dear [XX],

The PEP Team apologises for these continued access issues that you have brought to our attention. Our investigation into the root cause has taken a little longer than we would have liked, and we are grateful for your patience.

We believe that we have now identified the issue, which has been experienced by several institutions that run their own EZProxy servers. This is connected to the configuration of EZProxy servers. Could we ask that you:

— Engage your technical team or advisor to update the configuration file (or “stanza”) to this: https://help.oclc.org/Library_Management/EZproxy/Database_stanzas/PEP_Web.

— Let us know once this has been done so that we can add the URL to the CORS configuration for redirect purposes.

We are more than happy to assist you directly in updating the stanza file for the server, if you required it. We would need a temporary login to your proxy server to do so.

If you wish for further clarifications or would like to speak to our technical team, please do not hesitate to get in touch and we will arrange that promptly.

Thank you for your cooperation and for bearing with us. We are confident that this will overcome the issue and re-establish a reliable access to PEP-Web.

Kind Regards

[PEP]

ENDS

[nrshapiro]

@rickardnyman @SophieMBennett @ocappello

Is this issue still open?

[davidtuckett]

Yes. Epoxy is difficult to put to bed. @rickardnyman has been in touch with the Ohio people. @SophieMBennett will be posting something. Athena is fretting as she is on the sharp end.

[SophieMBennett]

@rickardnyman Please can you update with any further developments with resolving EZProxy issues. We have a number of universities currently without remote access.

They are reporting Search box and button are unresponsive. Sign in box not loading.

I've linked the two Turkish Uni's and a Swedish one here which include their feedback for reference.

[SophieMBennett]

Adding for reference:

From: Rickard Nyman rickardnyman@gmail.comSent: 16 February 2022 16:23To: James Woosnam james.woosnam@zedra.co.ukCc: Bennett, Sophie sophie.bennett@ucl.ac.uk; Athena Tsiokris athena@pep-web.org; Tuckett, David d.tuckett@ucl.ac.uk; Julian Gates Julian.gates@zedra.co.uk; Cappello, Orazio o.cappello@ucl.ac.ukSubject: Re: EZProxy Server Setup

Fantastic, thank you

Kind regards, Rickard

From: James Woosnam james.woosnam@zedra.co.ukSent: 16 February 2022 16:21To: Rickard Nyman rickardnyman@gmail.comCc: Bennett, Sophie sophie.bennett@ucl.ac.uk; Athena Tsiokris athena@pep-web.org; Tuckett, David d.tuckett@ucl.ac.uk; Julian Gates Julian.gates@zedra.co.uk; Cappello, Orazio o.cappello@ucl.ac.ukSubject: Re: EZProxy Server Setup

Hi Rickard,

I have seen your email and will join you at 16:30GMT

[Regards] James Woosnam

From: Rickard Nyman rickardnyman@gmail.comSent: 16 February 2022 11:36To: James Woosnam james.woosnam@zedra.co.ukCc: Bennett, Sophie sophie.bennett@ucl.ac.uk; Athena Tsiokris athena@pep-web.org; Tuckett, David d.tuckett@ucl.ac.uk; Julian Gates Julian.gates@zedra.co.uk; Cappello, Orazio o.cappello@ucl.ac.ukSubject: Re: EZProxy Server Setup

Hi James,

I am trying to set up a call with OCLC to discuss possible options. EZProxy requires a license and I had to contact them directly for a quote. I expect we will not have to pay for one since we are actually trying to help OCLCs customers

I will CC you in case you have the availability to join any call

Kind regards, Rickard

James Woosnam james.woosnam@zedra.co.uk Wed 16/02/2022 08:52

Hi Rickard,

I was wondering whether there was any news on setting up our own test EZ proxy server so we could work out what was going wrong with some of these users. Other than Sophie and Athena bringing it up because of feedback from users I have not heard much recently.

If there is anything I can do to help please let me know.

[Regards]

James Woosnam Senior Consultant and Director

[SophieMBennett]

@rickardnyman Please can you update with any further developments with resolving EZProxy issues.

cc. @jwoosnam @ocappello

[bakerac4]

@nrshapiro this was included in the R2A Urgent - April 2022 list - but Im unsure of what needs to be done here from us?

[nrshapiro]

@bakerac4

I think most ezprozy issues were solved, but I have not been involved in that.

@SophieMBennett @jwoosnam @ocappello Please close this if it is resolved or provide more information as to what is needed.

[SophieMBennett]

@bakerac4 Leyla (@lhorne-gavant) has been offering us support with the remaining EzProxy issues.

[SophieMBennett]

@bakerac4 Hi Adam, we would appreciate your help to investigate why University of Chicago cannot connect correctly to PEP via their ezproxy IP address. The issue seems to be as follows: When a Chicago user tries to access PEP via the Uni of Chicago library's ezproxy IP address 205.208.116.24 that address is not shown against the session id (when I tested it, it was my IP address that showed) so when they view PEP... 1) the PEP homepage is not configured for a Referral/Federated-Open Athens/IP Address Login, and 2) user is not logged in as their IP address so has no access to full content. This means users off-campus cannot access PEP.

Based on Leyla's previous interventions I requested the following info from the Uni:

Which proxy provider are they using? ezproxy
Can they provide their proxy configuration ? see below
Can they provide login credentials for us to see what the errors are? see below

Current stanza:

Option CookiePassThrough Title PEP Web HTTPHeader -request -process X-* HTTPHeader -request -process Accept-Encoding HTTPHeader -request -process Access-Control-Allow-Origin HTTPHeader -request -process Origin U https://pep-web.org HJ https://www.pep-web.org HJ www.pep-web.org HJ https://api.pep-web.org HJ https://pads.pep-web.org HJ api.pep-web.org HJ pads.pep-web.org HJ pep-web.org DJ pep-web.org NeverProxy assets.pep-web.org Option Cookie

Login credentials:

Directions for accessing PEP via Uni of Chicago Library https://www.lib.uchicago.edu/ Click on 'Articles, Journals, and Databases' tab and select 'Databases' button. Type 'Psychoanalytic Electronic Publishing' in the search field. Select hyperlink 'PEP: Psychoanalytic Electronic Publishing' Login to Uni of Chicago with CNetID/UCMEDID: t-974bde Password: sinC5ungferyl

Enter a passcode to authenticate credentials from the attached list. (These are my test credentials, any problems getting in, let me know and I will ask them to contact you and set you up directly)

I have checked their stanza, it is correct. Their proxy IP address is configured correctly in PaDS. Based on what showed up when I did a test login @jwoosnam has suggested that the issue is that their IP address isn't being passed correctly.

I have a contact at the Uni called Fred Seaton fseaton@uchicago.edu who is a Systems Administrator, also with experience of ezproxy. He has the following questions:

1. Could your developers tell me what part of your javascript (assuming it’s the javascript) is making the connection to the database as that might be a clue as to what isn’t getting proxied, assuming that the URL in your browser shows that it is proxied. (nb. https://pep-web-org.proxy.uchicago.edu/ is what shows in the browser when you come through from the Uni, and that's what we have in PaDS)

2. It would be useful to know how the database is getting the IP address. As far as I know, the only ezproxy directives that can block the proxying of a request are “NeverProxy” and “RedirectSafe”, but I looked through those directives on the ezproxy server and none of them make any reference to the pep-web.org domain (except for the one NeverProxy directive in your stanza). We also tried adding a “HTTPHeader -ignoreGlobal” to rule out any interference from a global HTTPHeader directive, but no luck.

Adam, if you could look into this from your perspective via a test login (email Fred if needed as he is the most knowledgable person on the Chicago IT side) to see if we can figure out what might be stopping the proxy IP address from being passed. If you should need any other info please let me know.

Original support thread: https://github.com/Psychoanalytic-Electronic-Publishing/Support/issues/340

Sophie Bennett-passcode.pdf

[adistasio]

Hi @SophieMBennett,

After looking into this I would agree with @jwoosnam's assessment. It would appear whatever IP is coming through the proxy isn't matching his configuration so the user isn't being logged in. @jwoosnam Are you able to see any IP's in the 205.208.x.x range coming in today? The ip is grabbed on the server via the "referrer" header.

[SophieMBennett]

Copying in @jjgates because James is on leave until next week.

[jjgates]

Hi @adistasio, Here is a list of the current Pads Sessions for IP's in the 205.208.x.x range.

205.208.x.x_Range.xlsx

[jjgates]

Hi @SophieMBennett I have sent a list of Pads Sessions for IP's in 205.208.x.x range to @adistasio

[SophieMBennett]

@adistasio Were you able to take a look at the information Julian sent over?

[SophieMBennett]

@adistasio @bakerac4 Please could you review this again as Chicago Uni are waiting for info about this issue. Thanks!

[SophieMBennett]

@bakerac4 Hi Adam, Would you be able to look into this issue of proxy IP addresses not being recognised by the system? (re: Chicago Uni) https://github.com/Psychoanalytic-Electronic-Publishing/Support/issues/340

I have recently had another institution contact us about the same issue (Birkbeck College Library): https://github.com/Psychoanalytic-Electronic-Publishing/Support/issues/380

If you view the threads you will see that in each case when reaching the PEP homepage via the proxy IP address, the Sign In information is not displayed correctly for a university and the user is not logged in - they should be logged in directly when using the IP address for the institution which we have in PaDS, with the option to Sign In /register with their own PEP credentials to personalise.

The stanza they are using is:

Option CookiePassThrough Title PEP Web (updated 20220715) HTTPHeader -request -process X-* HTTPHeader -request -process Accept-Encoding HTTPHeader -request -process Access-Control-Allow-Origin HTTPHeader -request -process Origin U https://pep-web.org HJ https://www.pep-web.org HJ www.pep-web.org HJ https://api.pep-web.org HJ https://pads.pep-web.org HJ api.pep-web.org HJ pads.pep-web.org HJ pep-web.org DJ pep-web.org NeverProxy assets.pep-web.org Option Cookie

Both institutions have given us test credentials. If you need any other info please let me know. Would really like to solve this!

[jwoosnam]

I also think these issues have been resolved, but I have not been involved with it very closely recently.

Regards

James Woosnam

Mob: 07703 525 775

On Wed, 18 May 2022 at 18:34, Neil Shapiro @.***> wrote:

@bakerac4 https://github.com/bakerac4

I think most ezprozy issues were solved, but I have not been involved in that.

@SophieMBennett https://github.com/SophieMBennett @jwoosnam https://github.com/jwoosnam @ocappello https://github.com/ocappello Please close this if it is resolved or provide more information as to what is needed.

— Reply to this email directly, view it on GitHub https://github.com/Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578#issuecomment-1130295580, or unsubscribe https://github.com/notifications/unsubscribe-auth/AQW276WNBIPFKRBUXVBBDCLVKUS2RANCNFSM5JG4M5NQ . You are receiving this because you were mentioned.Message ID: <Psychoanalytic-Electronic-Publishing/PEP-Web-User-Interface/issues/578/1130295580 @github.com>