
RE: Web Annotation Protocol implementation wiki page? And thoughts on API Authorization

From: Hugo Manguinhas <Hugo.Manguinhas@europeana.eu>
Date: Mon, 30 Nov 2015 08:42:50 +0000
To: Benjamin Goering <bengoering@gmail.com>, "public-openannotation@w3.org" <public-openannotation@w3.org>
Message-ID: <6D0598B03E7E9848A4287E110919B4BA0112CFEA@MBX-SRV-P200.wpakb.kb.nl>

Hi Benjamin,

great that you bring out this topic, as we are also discussing it at the moment.

Our AnnotationAPI will have a first level of authorization using the apikey that gives access only to read methods, while the OAuth2 using the MyEuropeana account will authorize access to write methods... but we are currently investigating ways to also allow other users (from the client applications) to be able to create annotations in the server without necessarily having the MyEuropeana account, so we are really interested in knowing more about your proposal.

Best,
Hugo

Hugo Manguinhas
Technical R&D Coordinator

T: +31 (0)70 314 0967
M:
E: Hugo.Manguinhas@europeana.eu
Skype: hugo.manguinhas



________________________________
From: Benjamin Goering [bengoering@gmail.com]
Sent: 19 November 2015 20:26
To: public-openannotation@w3.org
Subject: Web Annotation Protocol implementation wiki page? And thoughts on API Authorization

Is there a wiki page that lists implementations of web services that speak OA?
I did a quick search but could only find https://www.w3.org/annotation/wiki/Existing_Protocol_Implementations

My understanding is that API Authorization is intentionally being omitted from the Web Annotation Protocol spec, and I think that's a good idea.

However, I do note that Hugo's API requires a human to register for an API key via  form, then provide it as a 'wskey' parameter in requests. Hugo, does your annotation API also support OAuth2 as described on this page? http://labs.europeana.eu/api/authentication

And I'm curious what other implementations are doing for API Authorization.

I think that an ecosystem of federated annotation providers (and a competitive market of Clients that make use of them) would benefit from machine-negotiable Dynamic Client Registration<https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-30> and Authorization service/configuration discovery.

An example would be if I had a personal annotation store, and I annotated something on Europeana.edu, my App could seamlessly register for a Europeana API Key, guide the user through authentication and authorizing my Client to post on their behalf, and also share that Annotation with Hugo's API.

Sounds a bit 'out-there', and OAuth2 specs aren't very prescriptive on exactly how to implement this. However I have recently been implementing<http://accounts.livefyre.com/.well-known/openid-configuration> a specific flavor of OAuth2, OpenID Connect (Core<http://openid.net/specs/openid-connect-core-1_0.html>, Discovery<https://openid.net/specs/openid-connect-discovery-1_0.html>, and Dynamic Client Registration <http://openid.net/specs/openid-connect-registration-1_0.html> via pyoidc<https://github.com/rohe/pyoidc>), and it is, in my opinion, very well thought out and promising. It's also prescriptive enough (and configurable enough) to afford for interoperable Clients.

I hope to prove this out with a UNIX tool I'm building, oidc-cli<https://github.com/gobengo/oidc-cli>, such that the following works:
$> client=$(oidc "https://accounts.livefyre.com" create-client)
$> annotations=$(curl -H "Authorization: $(oidc client-credentials "$client")" "https://api.livefyre.com/annotations/?ldpstuff")

A Web Annotation Protocol tool could depend on this sort of thing to make these sort of one-liners work to easily stream annotations to stdout, while ensuring that Annotation services can still identify all the Clients of their APIs (for auditing, rate limiting, emailing the developers, etc).
$> web-annotations --discover-for-url "http://answers.livefyre.com/developers/app-integrations/sidenotes/" | jq . | more
--
Benjamin Goering, Technologist
@bengo<https://twitter.com/bengo> - github.com/gobengo<https://github.com/gobengo> - linkedin.com/in/benjamingoering<https://www.linkedin.com/in/benjamingoering>
Received on Monday, 30 November 2015 08:43:28 UTC
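
The discover, register, then client-credentials sequence proposed in the quoted message, as an added Python example that is not part of either message, of oidc-cli or of pyoidc. It assumes a constructed issuer (accounts.example.org) with placeholder client id and secret, and builds the requests without sending them; the issuer and https checks are what a client applies before handing secrets to discovered endpoints.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode, urlsplit

# Constructed sample data: host, client id and secret are placeholders.
ISSUER = "https://accounts.example.org"
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/token",
    "registration_endpoint": ISSUER + "/register",
}
REGISTRATION_RESPONSE = {"client_id": "client-123", "client_secret": "constructed-secret"}

def discovery_url(issuer):
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, doc):
    """Return the endpoints to use, or raise ValueError if the document is not trustworthy."""
    # A document that names a different issuer may have been served by another party.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer in document does not match the issuer that was queried")
    endpoints = {}
    for key in ("token_endpoint", "registration_endpoint"):
        url = doc.get(key) or ""
        if urlsplit(url).scheme != "https":  # client secrets travel to these URLs
            raise ValueError(key + " is missing or not https")
        endpoints[key] = url
    return endpoints

def registration_request(client_name):
    """JSON body to POST to registration_endpoint for a machine-to-machine client."""
    return json.dumps({
        "client_name": client_name,
        "grant_types": ["client_credentials"],
        "response_types": [],  # client_credentials uses no authorization endpoint
        "token_endpoint_auth_method": "client_secret_basic",
    })

def token_request(registration):
    """Headers and form body for a client_credentials grant using HTTP Basic auth."""
    pair = ":".join(quote_plus(registration[k]) for k in ("client_id", "client_secret"))
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode({"grant_type": "client_credentials"})

if __name__ == "__main__":
    endpoints = check_discovery(ISSUER, DISCOVERY_DOC)
    print("GET ", discovery_url(ISSUER))
    print("POST", endpoints["registration_endpoint"], registration_request("web-annotations"))
    print("POST", endpoints["token_endpoint"], *token_request(REGISTRATION_RESPONSE))
```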
