We recently switched from EZProxy to OpenAthens. Our patrons are starting to reach out to us about problems they are running into. I have zero experience with Zotero. I was hoping to find a "How To" that specifically focused on setting up Zotero if your organization uses OpenAthens or if your organization switched from EZProxy to OpenAthens. Almost everything I found via a Google search recommends that their users disable the proxy settings in Zotero Connector. That's what I have been suggesting, but I wanted to know if there is something else I should be suggesting.
I am just a user whose institution uses OpenAthens for authentication on and off campus. I have nothing under "Configured Proxies" proxy settings in the Zotero Connector preferences. I do have Enable Proxy Redirection ticked (maybe necessary, maybe not ?), as well as all the sub-elements ticked. https://www.zotero.org/support/connector_preferences#proxies
I see that OpenAthens support does suggest explicit proxy entries. My institution does *not* require those - and explicitly says that since their change to OpenAthens from EzProxy that no proxy access is now used. https://docs.openathens.net/tpa/zotero-browser-extention
A Google search for zotero openathens site:*.edu shows some institutions' library instructions similarly saying no proxy entries are needed for OpenAthens (and clearing any previous entries from Zotero Connector preferences), while others still suggest explicit proxy entries.
Your best bet may be liaising with other academic libraries that have similar OpenAthens configurations to yours.
FWIW when I am off-campus and go to a journal website for the first time in a session, I am taken to my institution's login page for authentication. We also use Lean Library and Libkey Nomad browser extensions; they may also be facilitating OpenAthens access (as a user it is often obscure what is going on "under the hood" to facilitate access to academic resources).
After authentication, the clicking on the Zotero icon in the browser taskbar results in the article data being added to the library open in the Zotero desktop app, and the PDF is also downloaded and added (assuming one's institution has access).
I'm guessing the confusion here is between the Zotero Connector's automatic proxy redirection feature and actual saving to Zotero.
As I understand it, OpenAthens works such that you end up on the original, unmodified site URL. If so, saving is going to work fine. It'd be the same as if you had direct, IP-based access to a site, or if a site didn't require authentication at all.
Proxy redirection is the Zotero Connector's feature to redirect you through a previously detected or configured proxy when you try to access an unproxied URL. The instructions from OpenAthens seem to be trying to allow that to work through their redirector, but there are a few problems:
1) "%a" is no longer a valid placeholder, and the proxy entry won't actually be saved at all with that in the Login URL Scheme. It will look like it's saving, but if you reload the settings, the proxy entry will be gone. So these instructions don't work at all right now.
2) You have to enter a "Proxied URL Scheme" as well, and there's no such scheme for OpenAthens, since URLs aren't rewritten. You can probably just enter any placeholder URL there, but the instructions don't cover that.
3) Since URLs aren't rewritten, the Connector doesn't have any way of knowing whether you're already authenticated for a given URL, which means that when you access a URL of a configured host, it will redirect you once through the redirector, even if you're already authenticated. And the only thing stopping it from then continuing to redirect you again and again through the redirector is redirect-loop detection that we have in the code, which will prevent further redirects for an hour. But that's a bad thing to rely on, and the initial potentially needless redirect is messy.
We'll reach out to OpenAthens to see if there's a consistent way we can detect whether a user is already authenticated on a given site. If so, we should be able to add proper support for OpenAthens, including automatic detection and redirection.
Upgrade Storage
https://www.zotero.org/support/connector_preferences#proxies
I see that OpenAthens support does suggest explicit proxy entries. My institution does *not* require those - and explicitly says that since their change to OpenAthens from EzProxy that no proxy access is now used.
https://docs.openathens.net/tpa/zotero-browser-extention
A Google search for zotero openathens site:*.edu shows some institutions' library instructions similarly saying no proxy entries are needed for OpenAthens (and clearing any previous entries from Zotero Connector preferences), while others still suggest explicit proxy entries.
The simplest setups appear to have no proxy settings for OpenAthens, eg
https://guides.library.wheaton.edu/c.php?g=1114779&p=9816594
https://libguides.gwu.edu/c.php?g=1397374&p=10345900
Your best bet may be liaising with other academic libraries that have similar OpenAthens configurations to yours.
FWIW when I am off-campus and go to a journal website for the first time in a session, I am taken to my institution's login page for authentication. We also use Lean Library and Libkey Nomad browser extensions; they may also be facilitating OpenAthens access (as a user it is often obscure what is going on "under the hood" to facilitate access to academic resources).
After authentication, the clicking on the Zotero icon in the browser taskbar results in the article data being added to the library open in the Zotero desktop app, and the PDF is also downloaded and added (assuming one's institution has access).
As I understand it, OpenAthens works such that you end up on the original, unmodified site URL. If so, saving is going to work fine. It'd be the same as if you had direct, IP-based access to a site, or if a site didn't require authentication at all.
Proxy redirection is the Zotero Connector's feature to redirect you through a previously detected or configured proxy when you try to access an unproxied URL. The instructions from OpenAthens seem to be trying to allow that to work through their redirector, but there are a few problems:
1) "%a" is no longer a valid placeholder, and the proxy entry won't actually be saved at all with that in the Login URL Scheme. It will look like it's saving, but if you reload the settings, the proxy entry will be gone. So these instructions don't work at all right now.
2) You have to enter a "Proxied URL Scheme" as well, and there's no such scheme for OpenAthens, since URLs aren't rewritten. You can probably just enter any placeholder URL there, but the instructions don't cover that.
3) Since URLs aren't rewritten, the Connector doesn't have any way of knowing whether you're already authenticated for a given URL, which means that when you access a URL of a configured host, it will redirect you once through the redirector, even if you're already authenticated. And the only thing stopping it from then continuing to redirect you again and again through the redirector is redirect-loop detection that we have in the code, which will prevent further redirects for an hour. But that's a bad thing to rely on, and the initial potentially needless redirect is messy.
We'll reach out to OpenAthens to see if there's a consistent way we can detect whether a user is already authenticated on a given site. If so, we should be able to add proper support for OpenAthens, including automatic detection and redirection.