Clarify the distinct content scenarios for IIIF Auth

Open tomcrane opened this issue 3 years ago • 2 comments

This issue tries to summarise the different kinds of resources the IIIF Auth 2.0 Spec needs to consider, and how they are requested. We use the following terms:

  • a simple web request is a GET request made by the browser, such as loading the resource requested in the browser address bar or loading the src attribute of an img tag. This usually includes tiles or regions from an image server.
  • a scripted web request is one that is usually initiated by client-side script, which in modern browsers would likely be via the fetch API. This is what a viewer is doing when loading IIIF resources, info.json etc.

These two terms are similar to (but not the same as) simple and preflighted requests in CORS; the added complexity there is the cross-origin distinction.

Does the spec accommodate:

  • [ ] Simple requests for content resources (a PDF, a static JPEG, an MP3 file)
  • [ ] Simple requests for content resources provided by a service (e.g., jpeg tiles from an image service)
  • [ ] Scripted requests for content resources (loading image data for use on an HTML 5 Canvas, loading a video chunk via hls.js)
  • [ ] Scripted requests for IIIF Resources (loading a IIIF Manifest, loading an Annotation List)
  • [ ] Scripted requests for IIIF Service descriptions - probing a probe service, possibly probing a search service description
  • [ ] Scripted requests for IIIF Resources provided by a IIIF Service (search results from a content search service)

Notes

(WIP) Which of these are actually the same, from a resource point of view? Which are the same when considering how credentials are presented? What's missing?

tomcrane Mar 01 '22 15:03

(notes from call)

  • scripted requests don't have access to credentials in current spec
  • scripted requests become CORS requests when cross-domain

tomcrane Mar 01 '22 17:03
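
The browser behaviour behind the simple/scripted distinction and the call notes above, as an added example that is not part of the original issue or of the IIIF specification: it models which requests carry cookies and when the Fetch standard's CORS check lets a script read the response. The function names, field names and origins are hypothetical, and SameSite and third-party-cookie blocking are ignored.

```javascript
// Added illustration: names are hypothetical, origins are constructed samples.
// Assumption: SameSite and third-party-cookie blocking are ignored.

// Describe a request using the issue's terms ("simple" vs "scripted").
function describeRequest({ initiator, pageOrigin, url, credentials = 'same-origin' }) {
  const crossOrigin = new URL(url).origin !== pageOrigin;
  if (initiator === 'img') {
    // <img src> without a crossorigin attribute: cookies are sent and no
    // CORS check runs, but script cannot read cross-origin pixel data.
    return { kind: 'simple', crossOrigin, cors: false, sendsCookies: true };
  }
  if (initiator !== 'fetch') throw new TypeError(`unknown initiator: ${initiator}`);
  // fetch() defaults: mode "cors", credentials "same-origin".
  const sendsCookies =
    credentials === 'include' || (credentials === 'same-origin' && !crossOrigin);
  return { kind: 'scripted', crossOrigin, cors: crossOrigin, sendsCookies };
}

// CORS check from the Fetch standard: may the calling script read the response?
// `headers` uses lower-case header names.
function scriptCanRead(req, pageOrigin, headers) {
  if (req.kind !== 'scripted') throw new TypeError('only scripted requests are checked');
  if (!req.cors) return true; // same-origin: no CORS check applies
  const allowOrigin = headers['access-control-allow-origin'];
  if (req.sendsCookies) {
    // Credentialed: "*" is not accepted and Allow-Credentials must be "true".
    return allowOrigin === pageOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === pageOrigin;
}

// Constructed scenario: a viewer on one origin, an image service on another.
const PAGE = 'https://viewer.example';
const INFO = 'https://images.example/iiif/book1/info.json';
const wildcard = { 'access-control-allow-origin': '*' };
const strict = {
  'access-control-allow-origin': PAGE,
  'access-control-allow-credentials': 'true',
};
const plain = describeRequest({ initiator: 'fetch', pageOrigin: PAGE, url: INFO });
const withCreds = describeRequest({
  initiator: 'fetch', pageOrigin: PAGE, url: INFO, credentials: 'include',
});
console.log(plain, scriptCanRead(plain, PAGE, wildcard));         // no cookies, readable
console.log(withCreds, scriptCanRead(withCreds, PAGE, wildcard)); // cookies, blocked
console.log(withCreds, scriptCanRead(withCreds, PAGE, strict));   // cookies, readable
```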

(I converted the list in the original issue body to a check box list we can tick off)

tomcrane Aug 16 '22 13:08

Closing this. Decision was not to address in Auth 2.0, which provides for auth only on Content Resources; see https://github.com/IIIF/api/issues/1890 for the use case that would add coverage of IIIF Resources.

zimeon Jun 07 '23 09:06