Should there _always_ be a distinct probe service for auth?
This issue is a continuation of #2158.
The current draft of auth says, in section 2.1:
- The info.json must always be its own probe service, and is always requested with HTTP GET.
- Other Content Resources may be their own probe services, using HTTP HEAD requests (not GET), in scenarios where a separate probe service is not possible, but:
  - Other Content Resources should provide a separate probe service, which is always requested with HTTP GET and may carry additional information.
I think I am in favour of dropping HEAD requests #2158, as long as it doesn't hurt AV use cases.
The further simplification in this issue is to not re-use the info.json as a probe service, and require a separate probe service even for image services, where there is already a probe-able service description. This is a departure from Auth 1, where there's no idea of a distinct probe service at all; the interaction with the info.json is the core of the spec.
Why do this? As with #2158, to simplify the flow, to reduce the complexity of the auth spec, to help people learn and implement it.
The main argument against this suggestion is efficiency - an auth-aware client will have already observed the HTTP status code of its request for the info.json, and if the info.json can carry the proposed location property, why introduce another resource (a distinct probe service) into the flow?
Another (weaker imo) argument against it is that it is different from Auth 1.
In favour:
- it makes flow diagrams simpler
- it makes client code (the most complex part of IIIF auth) simpler
I'm not swayed one way or the other yet. Though typing this moved me further towards this suggestion.
One further advantage is that you don't have to add a location property to an image service when it's acting as a probe service.
Eds' decision: Yes, probe service for everything. Only one additional request if image service is being protected isn't a great cost for the consistency and semantic separation of info.json and probing for auth.