Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth and Rights #9

Closed
jpstroop opened this issue Feb 25, 2014 · 4 comments
Closed

Auth and Rights #9

jpstroop opened this issue Feb 25, 2014 · 4 comments
Assignees
@azaroth42
Labels
auth image

Comments

@jpstroop
Copy link
Member

Current spec says:

Note that while there is widespread agreement that the limitation of WWW-Authenticate to Basic and Digest authentication in the current HTTP specification, there is no standard way to indicate appropriate redirection to a login screen, or convey a URI template to insert a return URI.

Which doesn’t make sense so needs correction. Also would be good to discuss practical issues of how auth is being done. Once authenticated it seems that authorization cookie tokens are the means all(?) implementations use to grant access. This happens automagically in the browser but should perhaps specified so that mediated or non-browser applications know to expect to have to get and keep cookies.

Scenarios.

  1. Everything open, no auth: Normal info.json, specifies all info about images available, no login
  2. Nothing available without auth: Access to info.json or any image URI is denied with 401, redirect to auth (can’t use login in info.json??)
  3. Better access with auth: Base info.json has information about available images/tiles without auth, has login information, client will know to request only stuff that is available but can display login link. If client does auth then will get redirect to new info.json with different prefix and possibly different identifier. The new info.json will have all appropriate image information accessible with the new credentials.

Implementation logic (possible):

  • Viewer either gets 401 or it gets info.json with “login” url (suggesting there is possibly a higher quality image available)
  • It can offer the user a possibility to login
  • It displays login url (in an iframe or new browser window)
  • It re-request the info.json for all the opened images from the server
  • Either it is redirected (HTTP) to a new location (iiif prefix)
  • Or the info.json is changed (possibly new width / height, etc).

See this gist for how the new info.json might look.
@jpstroop jpstroop modified the milestones: Release 1.2, Release 1.3 Feb 25, 2014
@azaroth42 azaroth42 added this to the Other 2.1 milestone Jun 26, 2014
@zimeon zimeon added the image label Oct 10, 2014
@azaroth42 azaroth42 removed the defer label Mar 14, 2015
@azaroth42 azaroth42 self-assigned this Apr 29, 2015
@azaroth42
Copy link
Member

Proposed text in http://image-auth.iiif.io/api/image/2.1/#authentication

@zimeon
Copy link
Member

zimeon commented May 13, 2015

Discussed at GWU meeting last week and agreed that approach described above will not work, have created #463 and #464 to explore other options

@zimeon zimeon mentioned this issue Jul 22, 2015
Closed
@zimeon
Copy link
Member

zimeon commented Jul 22, 2015

As a result of #463 and #464 we have explored, prototyped and agreed to go with this authorization-service approach, in a separate specification, and thus this issue can be closed

@azaroth42
Copy link
Member

Auth has been replaced by lots of more specific issues and has been written up. Rights are in image API now as well, so this issue can be closed. -- Eds

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@azaroth42 azaroth42

Labels
auth image
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zimeon @azaroth42 @jpstroop