Suggestion: drop Clickthrough as a distinct pattern in auth spec #2035

Closed
tomcrane opened this issue Aug 17, 2021 · 6 comments

@tomcrane
Contributor

Regardless of where #1959 goes, it seems that windows that open and close themselves without user interaction are going to be frowned upon as issuers of cookies or other credentials we want to be sent in third party contexts.

Implementing Glen's suggestion from https://iiif.slack.com/archives/C01CMCD760P/p1617204394093000?thread_ts=1617204171.090600&cid=C01CMCD760P, I have clickthrough working in Safari, at https://tomcrane.github.io/iiif-auth-client/

However, it still involves an interaction in a first-party context the first time round:

[screenshot of the first-party page with its button]

But you won't see that again unless a requestStorageAccess call fails.

Having said this, the flow is horribly complicated.

We could achieve essentially the same result by dropping clickthrough as a distinct pattern, and making that experience the same as login, but with no credentials entered (just a button as above).

Users are going to have to see some sort of page, some of the time, to establish a first party relationship.

So to make implementation easier and reduce the spec surface area, just make this the same as login.
The spec does not mandate what happens at the login page anyway. The task you need to do for the server to set cookies could be anything:

  • press a button (clickthrough)
  • enter some credentials and press a button (login)
  • solve a puzzle
  • feed the machine-learning beast with your human insight
  • etc.

@azaroth42
Member
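The flow described in the post above, as an added example that is not code from iiif-auth-client or the IIIF spec: a synchronous model of "try the Storage Access API first; only if the request fails, send the user to the first-party page once, then retry". The real `document.hasStorageAccess()` / `document.requestStorageAccess()` return promises and need a user gesture; here a hypothetical `browser` object with synchronous methods (`hasStorageAccess`, `requestStorageAccess`, `showFirstPartyPage`) stands in for them so the logic runs outside a browser.

```javascript
// Added example (not project code). `browser` is an assumed interface:
//   hasStorageAccess()     -> boolean
//   requestStorageAccess() -> true if granted, false if denied
//   showFirstPartyPage()   -> true if the user pressed the button on the
//                             auth origin's own (first-party) page
function ensureThirdPartyCookies(browser) {
  const steps = [];
  if (browser.hasStorageAccess()) {
    steps.push('already-granted');
    return { ok: true, steps };
  }
  if (browser.requestStorageAccess()) {
    steps.push('request-granted');
    return { ok: true, steps };
  }
  // The request failed: the browser has no first-party relationship with the
  // auth origin yet, so the user must interact with it top-level once.
  steps.push('request-denied');
  if (!browser.showFirstPartyPage()) {
    steps.push('user-declined');
    return { ok: false, steps };
  }
  steps.push('first-party-interaction');
  // Retry now that a first-party interaction has been recorded.
  const granted = browser.requestStorageAccess();
  steps.push(granted ? 'request-granted' : 'request-denied');
  return { ok: granted, steps };
}

// Constructed fake browser modelling the Safari rule that requestStorageAccess
// succeeds only after the user has interacted with the origin as first party.
// `firstPartyDone` simulates a returning user; `userAccepts` whether the user
// presses the button on the first-party page.
function makeFakeBrowser({ firstPartyDone = false, userAccepts = true } = {}) {
  const state = { firstPartyDone, granted: false };
  return {
    hasStorageAccess: () => state.granted,
    requestStorageAccess: () => {
      if (state.firstPartyDone) state.granted = true;
      return state.granted;
    },
    showFirstPartyPage: () => {
      if (userAccepts) state.firstPartyDone = true;
      return userAccepts;
    },
  };
}
```

A first-time user goes through the denied request, the first-party page and a successful retry; a returning user never sees the page, which is the point the post makes about the single interaction.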

+1 from me.

@zimeon
Member

zimeon commented Aug 17, 2021

+1. Seems sensible to me to simplify by dropping the clickthrough-specific pattern.

@mikeapp
Member

mikeapp commented Aug 17, 2021

+1 also

@tomcrane
Contributor Author

Dropping clickthrough was begun in d4cf166 and refined further in subsequent commits for #2127.

@tomcrane tomcrane added the Ready-for-Eds Editorial changes ready for Editorial review label Oct 25, 2022
@zimeon
Member

zimeon commented Jun 6, 2023

Resolved. The IIIF Authorization Flow 2.0.0 specification was published 2023-06-02: https://iiif.io/api/search/2.0/ . Both "clickthrough" and "login" are replaced by the "active" pattern.

@zimeon
Member

zimeon commented Jun 6, 2023

Complete

@zimeon zimeon closed this as completed Jun 6, 2023
@zimeon zimeon removed discuss Ready-for-Eds Editorial changes ready for Editorial review labels Jun 6, 2023