
Suggestion: drop Clickthrough as a distinct pattern in auth spec

Open tomcrane opened this issue 4 years ago • 4 comments

Regardless of where https://github.com/IIIF/api/issues/1959 goes, it seems that windows that open and close themselves without user interaction are going to be frowned upon as issuers of cookies or other credentials we want to be sent in third party contexts.

Implementing Glen's suggestion from https://iiif.slack.com/archives/C01CMCD760P/p1617204394093000?thread_ts=1617204171.090600&cid=C01CMCD760P, I have clickthrough working in Safari, at https://tomcrane.github.io/iiif-auth-client/

However, it still involves an interaction in a first party context, first time round:

[image: screenshot of the first party interaction page, which shows a button]

But you won't see that again unless a requestStorageAccess call fails.

Having said this, the flow is horribly complicated.

We could achieve essentially the same result by dropping clickthrough as a distinct pattern, and making that experience the same as login, but with no credentials entered (just a button as above).

Users are going to have to see some sort of page, some of the time, to establish a first party relationship.

So to make implementation easier and reduce the spec surface area, just make this the same as login. The spec does not mandate what happens at the login page anyway. The task you need to do for the server to set cookies could be anything:

  • press a button (clickthrough)
  • enter some credentials and press a button (login)
  • solve a puzzle
  • feed the machine-learning beast with your human insight
  • etc

tomcrane avatar Aug 17 '21 14:08 tomcrane
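The flow tomcrane describes, as an added example that is not code from the issue or from the iiif-auth-client project: check whether the embedded (third-party) origin already has unpartitioned storage, ask for it with `requestStorageAccess()` from a click, and only if that is refused send the user to the first-party page with the button. `doc` is passed in rather than using the global `document` so the decision logic can run outside a browser; `openFirstPartyInteraction` is an assumed callback that shows the first-party page and resolves when the user has pressed the button. The fake document at the bottom is constructed for illustration and models Safari's requirement of a prior first-party interaction.

```javascript
// Added example: client-side Storage Access API flow for the clickthrough case.
// In a real page call ensureStorageAccess(document, ...) from a click handler,
// because requestStorageAccess() is only granted inside a user gesture.

async function ensureStorageAccess(doc, openFirstPartyInteraction) {
  // Fast path: the browser already lets this embedded origin use its own
  // cookies, so the credential will be sent on subsequent requests.
  if (await doc.hasStorageAccess()) {
    return { granted: true, via: 'existing' };
  }
  try {
    // Rejected by the browser when there is no user gesture or (Safari)
    // no prior first-party interaction with this origin.
    await doc.requestStorageAccess();
    return { granted: true, via: 'requestStorageAccess' };
  } catch (err) {
    // The "first time round" case: hand the user to the first-party page.
    // The original click gesture is consumed, so the caller must ask for a
    // fresh click before trying again; we report granted=false to say so.
    await openFirstPartyInteraction();
    return { granted: false, via: 'firstParty', reason: String(err.message) };
  }
}

// Constructed stand-in for the parts of `document` the flow touches.
// `firstPartyInteracted` models whether the user has already interacted
// with the auth origin as a first party.
function makeFakeDocument({ access = false, firstPartyInteracted = false } = {}) {
  const state = { access, firstPartyInteracted };
  return {
    state,
    async hasStorageAccess() {
      return state.access;
    },
    async requestStorageAccess() {
      if (!state.firstPartyInteracted) {
        throw new Error('NotAllowedError: no prior first-party interaction');
      }
      state.access = true;
    },
  };
}

// Simulates a user clicking the embedded client's button `clicks` times and
// returns the sequence of outcomes, so the two-step first-visit behaviour is
// visible: first click falls back to the first-party page, second succeeds.
async function simulateClicks(doc, clicks) {
  const outcomes = [];
  for (let i = 0; i < clicks; i++) {
    const result = await ensureStorageAccess(doc, async () => {
      // The user pressed the button on the first-party page.
      doc.state.firstPartyInteracted = true;
    });
    outcomes.push(result.via);
    if (result.granted) break;
  }
  return outcomes;
}
```

On a returning visit the fake starts with `firstPartyInteracted: true`, so a single click is enough and the user never sees the first-party page again, which is the behaviour the post describes.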

+1 from me.

azaroth42 avatar Aug 17 '21 16:08 azaroth42

+1. Seems sensible to me to simplify by dropping the clickthrough-specific pattern.

zimeon avatar Aug 17 '21 16:08 zimeon

+1 also

mikeapp avatar Aug 17 '21 16:08 mikeapp

Dropping clickthrough was begun in https://github.com/IIIF/api/commit/d4cf166c80b88ee8a7e06ccf84c405b3d9fd7832 and refined further in subsequent commits for https://github.com/IIIF/api/pull/2127

tomcrane avatar Aug 16 '22 13:08 tomcrane

Resolved. The IIIF Authorization Flow 2.0.0 specification was published 2023-06-02: https://iiif.io/api/search/2.0/. Both "clickthrough" and "login" are replaced by the "active" pattern.

zimeon avatar Jun 06 '23 06:06 zimeon

Complete

zimeon avatar Jun 06 '23 06:06 zimeon