Comment 4 for bug 1817645

TechRef documentation has been pushed to the working branch.

Some questions to consider:

- Is mod_perl the right tool? I chose it to avoid introducing new dependencies.

- Would it make more sense for each authentication type to use a different mod_perl handler, rather than having all auth endpoints use OpenILS::WWW::RemoteAuth as the handler? Using the same handler simplifies some configuration and hopefully allows Apache processes to be reused by different endpoints, but maybe distinct handlers are preferable.

- Will the current design handle a high volume of patron auth requests?

- Are there any reasonable use cases that can't be accommodated by the current design? So far you can restrict authentication by home library, usergroup (by requiring a perm that is only granted to certain usergroups), blocks/standing penalties, and active/expired status.

- To make live tests work, a default EG install will have a Basic HTTP Authentication endpoint at /api/remoteauth, restricted to local access only. Is that OK (and if not, how do we do live tests)? Do we want to use a different URL path?

- Is there a better way to manage the disparate authentication requirements of library vendors?