OPDS Authentication document may not be explicit enough

[gotson]

Hello,

while trying to troubleshoot why Aldiko (with the help of @mickael-menu) did not work properly with the Komga OPDS 2 feed, i realized that the OPDS Authentication document may not be clear enough on how clients should handle authentication.

Here are a few things I discovered with Aldiko:

• www-authenticate challenge, though standard for OPDS v1, is not handled. Maybe OPDS Authentication should mention it, since it was how OPDS v1 managed authentication, and i suspect many clients will keep doing the same thing.
• OPDS Authentication does not explain how multiple calls should be handled, and whether the authorization token should be passed with every subsequent request or not. And if it needs to be passed, to which host it should apply. For instance Aldiko will do the following for each URL:
  • call the url unauthenticated
  • get a 401 with the auth document as a response
  • send the same request again with the authentication header
    This generates a lot of toil, with 2 requests for each url, while it could pass the authentication header first. It also generates a new session every time an authorization header is sent.
• to avoid generating new sessions, OPDS clients should probably honor cookies returned by the server, which would usually contain a session ID.
• Aldiko does not apply authentication to images. It seems there is a general assumption in OPDS around the fact that images are always available, which is not true. OPDS Authentication document should clarify that point IMHO.

[mickael-menu]

Thanks for opening this discussion Gauthier.

I'll share some insights about the behavior in Aldiko:

That's on purpose, we deemed more secure to not send the bearer token to all the links in an OPDS feed. We might fine-tune to automatically send them when the origin of the URL is the same in the future though.
In the meantimes, we do have a solution to explicitly request the app to send the bearer token associated with an Authentication Document by adding an authenticate property in the Link object.

Note that this authenticate property is not yet part of the Authentication Document specification yet. The content of authenticate is itself a Link object to the Authentication Document.

Here's an example from Feedbooks:

{
  "rel": "self",
  "href": "https://catalog.feedbooks.com/item/5153060.json",
  "type": "application/opds-publication+json",
  "properties": {
    "authenticate": {
      "href": "https://catalog.feedbooks.com/user/authentication",
      "type": "application/opds-authentication+json"
    }
  }
}