# RFC 003: Asset Access

This RFC proposes a solution for restricting access to digital assets based on their access provisions and the authentication status of the viewer, while allowing these assets to be served via a CDN.

**Last modified:** 2018-11-02T16:46:57+00:00

## Background

Wellcome Collection digital assets are primarily publicly accessible. In some cases there are restrictions on digital assets for items that are deemed sensitive (by virtue of law or public sensibility).

Restrictions on the availability of items can be broken down into multiple roles.

## Problem Statement

We need to restrict access for certain assets based on their access provisions and the authentication status / role of the viewer.

In addition, we need to be able to serve these assets via a CDN (in our case CloudFront). This means not requiring sign-in for all users, so that the cache does not vary on authentication tokens. The implication for users is that they will only be asked to sign in when accessing restricted assets.

### Images

Some digital assets served via the IIIF Image API compliant server [Loris](https://github.com/loris-imageserver/loris) are restricted and require authentication before viewing. The IIIF Image standard requires that image asset URLs follow the [described syntax](http://iiif.io/api/image/2.1/#canonical-uri-syntax).

## Suggested Solution

We propose to build an authentication solution based on introducing an origin-response [Lambda@Edge](https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html) function.

![overview](/files/xmK8BWENrkAYbvGExt72)

### Process flow

The authentication flow is as follows:

![asset authentication flow](/files/15neEcaVs2hAUENvhfVG)
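
An added sketch, not part of this RFC or Wellcome's code, of one shape an origin-response Lambda@Edge function could take so that restricted assets never enter the shared CloudFront cache while public ones stay cacheable. It assumes the origin answers 401/403 to viewers who are not signed in and marks restricted assets with an `x-asset-access` header; that header, the sign-in URL and the `return_to` parameter are hypothetical.

```javascript
'use strict';

// Hypothetical values; the RFC defines neither.
const SIGN_IN_URL = 'https://auth.example.org/sign-in';
const ACCESS_HEADER = 'x-asset-access'; // assumed origin marker, value "restricted"

const noStore = () => [{ key: 'Cache-Control', value: 'private, no-store' }];

// Decide what CloudFront may cache and return for one origin response.
function applyAccessPolicy(request, response) {
  const status = Number(response.status);
  const marker = response.headers[ACCESS_HEADER];
  const restricted = Boolean(marker && marker[0].value === 'restricted');

  if (status === 401 || status === 403) {
    // Assumed origin behaviour: restricted assets are refused to viewers who
    // are not signed in. Redirect to sign-in, then back to the same asset URL.
    const qs = request.querystring ? `?${request.querystring}` : '';
    const returnTo = encodeURIComponent(request.uri + qs);
    response.status = '302';
    response.statusDescription = 'Found';
    response.body = '';
    response.headers.location = [
      { key: 'Location', value: `${SIGN_IN_URL}?return_to=${returnTo}` },
    ];
    response.headers['cache-control'] = noStore();
  } else if (restricted) {
    // A signed-in viewer was served a restricted asset: keep it out of the
    // shared cache so it is never replayed to another viewer.
    response.headers['cache-control'] = noStore();
  }
  delete response.headers[ACCESS_HEADER]; // do not expose the internal marker
  return response; // public assets keep the origin's own caching headers
}

// Origin-response trigger: runs on a cache miss, before CloudFront caches.
const handler = async (event) => {
  const { request, response } = event.Records[0].cf;
  return applyAccessPolicy(request, response);
};

if (typeof module !== 'undefined') module.exports = { handler, applyAccessPolicy };
```

Because the redirect and every restricted response carry `private, no-store`, the cache key never needs to include an authentication token, and the IIIF URL of the asset stays unchanged.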


