- From: Robert Sanderson <azaroth42@gmail.com>
- Date: Fri, 5 Jun 2015 12:20:40 -0700
- To: Web Annotation <public-annotation@w3.org>
- Message-ID: <CABevsUEO-gOxx6wat7HU6DHoRNMGB=fr3EvCHfKWGO6jfZ4Bgg@mail.gmail.com>
Dear all,
On a recent call we discussed authentication with respect to the protocol
draft.
Following on from the conclusions of that call, we (Stanford) tried to
implement OAuth2 directly as the framework for auth over top of our
annotation service... and failed.
The major issue we ran into was where, in a straight client/server
interaction, does the OAuth redirect go back to in order for the client to
obtain the authorization code. We started down the line of changing it to
simply return the code directly to a client, but it became a significant
implementation challenge that was much more easily solved in other ways.
So we changed course to implement a very similar workflow that allows the
modular inclusion of any authentication system (so far demonstrated with
basic auth and various OAuth2 providers) without the client needing to know
any of the user's information. Instead it can just pass it through. That
workflow was designed for access to protected image content, but works the
same way for access to annotations:
http://image-auth.iiif.io/api/image/2.1/authentication.html
(You may recognize one (or more) of the editors)
I believe that the spirit fits within the discussion from the call, but
would appreciate any feedback!
And, for discussion, should the protocol document discuss authentication?
Any real world implementation is going to need to have authenticated and
authorized users, so I'm wary of either non-interoperability or lack of
implementations if we don't.
Rob
--
Rob Sanderson
Information Standards Advocate
Digital Library Systems and Services
Stanford, CA 94305
Received on Friday, 5 June 2015 19:21:08 UTC