Suggestion: drop Clickthrough as a distinct pattern in auth spec #2035
Comments
+1 from me.

+1 - Seems sensible to me to simplify by dropping the clickthrough specific pattern

+1 also

Resolved. The IIIF Authorization Flow 2.0.0 specification was published 2023-06-02: https://iiif.io/api/search/2.0/ . Both "clickthrough" and "login" are replaced by the "active" pattern

Complete
zimeon removed the "discuss" and "Ready-for-Eds" (Editorial changes ready for Editorial review) labels on Jun 6, 2023
Regardless of where #1959 goes, it seems that windows that open and close themselves without user interaction are going to be frowned upon as issuers of cookies or other credentials we want to be sent in third party contexts.
Implementing Glen's suggestion from https://iiif.slack.com/archives/C01CMCD760P/p1617204394093000?thread_ts=1617204171.090600&cid=C01CMCD760P, I have clickthrough working in Safari, at https://tomcrane.github.io/iiif-auth-client/
However, it still involves an interaction in a first-party context the first time round:
But you won't see that again unless a requestStorageAccess call fails
Having said this, the flow is horribly complicated.
We could achieve essentially the same result by dropping clickthrough as a distinct pattern, and making that experience the same as login, but with no credentials entered (just a button as above).
Users are going to have to see some sort of page, some of the time, to establish a first party relationship.
So to make implementation easier and reduce the spec surface area, just make this the same as login.
The spec does not mandate what happens at the login page anyway. The task you need to do for the server to set cookies could be anything:
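The flow described in the issue above, as an added example that is not part of the original post, the IIIF specification, or iiif-auth-client: try the Storage Access API first, and only when `requestStorageAccess` fails fall back to a first-party window where the user clicks a button (the login-style page the issue proposes for clickthrough as well), then retry. The browser is passed in as a plain object so the decision logic runs outside a browser; `runAuthFlow`, `makeSimulatedBrowser`, `openFirstPartyWindow` and the constructed Safari-like behaviour are this example's own assumptions, not real API names.

```javascript
// Added example, not code from the IIIF spec or from iiif-auth-client.
// The browser is modelled as an object so the logic runs in plain Node;
// runAuthFlow, makeSimulatedBrowser and openFirstPartyWindow are assumed names.

function runAuthFlow(browser, { maxFirstPartyPrompts = 1 } = {}) {
  const steps = [];

  // Fast path: the browser already lets the auth server's cookie travel in a
  // third-party context, so no user-visible interaction is needed.
  if (browser.hasStorageAccess()) {
    steps.push("has-storage-access");
    return { ok: true, steps };
  }

  let prompts = 0;
  for (;;) {
    // In a real browser document.requestStorageAccess() must be called from a
    // user gesture and returns a promise; here it is modelled as a boolean.
    if (browser.requestStorageAccess()) {
      steps.push("storage-access-granted");
      return { ok: true, steps };
    }
    steps.push("storage-access-denied");

    // No first-party relationship exists yet. The only remaining option is the
    // interaction the issue wants to fold into "login": open a first-party
    // window where the user clicks through (or logs in) and the server sets
    // its cookie in a first-party context. Cap the prompts so a user who
    // dismisses the window is not asked again and again.
    if (prompts >= maxFirstPartyPrompts) {
      return { ok: false, steps };
    }
    prompts += 1;
    steps.push("first-party-window");
    browser.openFirstPartyWindow();
  }
}

// Constructed stand-in for a Safari-like browser that withholds third-party
// storage access until the user has interacted with the auth server first-party.
function makeSimulatedBrowser({ userClicksThrough }) {
  let firstPartyRelationship = false; // set once the user interacts first-party
  let accessGranted = false;          // set once requestStorageAccess succeeds
  return {
    hasStorageAccess: () => accessGranted,
    requestStorageAccess: () => {
      if (!firstPartyRelationship) return false; // the real API would reject
      accessGranted = true;
      return true;
    },
    openFirstPartyWindow: () => {
      // The user either clicks the button (establishing the relationship) or
      // closes the window without doing so.
      if (userClicksThrough) firstPartyRelationship = true;
    },
  };
}

// Walk-through: the first visit needs one first-party click, later visits are
// silent, and a user who dismisses the window ends without access.
function demo() {
  const safari = makeSimulatedBrowser({ userClicksThrough: true });
  const first = runAuthFlow(safari);
  const second = runAuthFlow(safari);
  const dismissed = runAuthFlow(makeSimulatedBrowser({ userClicksThrough: false }));
  return { first, second, dismissed };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the simulation makes is the one in the issue: whether the pattern is called clickthrough or login, the user has to see a first-party page once, and after that `requestStorageAccess` succeeds without any further window being opened.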