Share output publicly over a one-time download link to overcome authentication barriers

[proycon]

When chaining webservices (#52), it may not be possible for service A to directly upload files to service B because of an authentication barrier that requires the user to login. Ideally, the user has authenticated for service A and service A can do user delegation to service B, on the users behalf, but this infrastructure is not yet mature in CLARIAH and requires all services to be part of the same federated authentication network.

Given that this is not the case yet, we need an alternative solution that works regardless of what authentication scheme is being used. The mechanism I propose works as follows:

• The user indicates he wants to forward (certain/all) output from webservice A to webservice B
• The output from webservice A is made available through an temporary unauthenticated download link containing a random component, a redirect link to webservice B is composed that contains this backlink as a component and is passed back to the user as a redirect (HTTP 302).
• The user (automatically) invokes webservice B through the redirect link.
• The user logs in manually using whatever scheme webservice B uses.
• Webservice B invokes the backlink to download the data from webservice A. After which, the backlink ceases to function.

This should not pose a security risk as long as all traffic is properly encrypted (HTTPS). It requires that certain endpoints of a webservice are exempt from authentication, which is already the case for CLAM, but may require some special attention in case there is extra authentication middleware involved.

[proycon]

• - Implement support for this in the generic ForwardViewer class