Testing IIIF Authentication API 2.0

概要

I had the opportunity to test IIIF Authentication API 2.0, so here are my notes.

I created the following demo site.

https://iiif-auth-nextjs.vercel.app/ja

The repository is as follows.

https://github.com/nakamura196/iiif-auth-nextjs

Below is an AI-generated explanation. Note that I was unable to get it working properly with Mirador, which remains a future task.

概要

This article provides a detailed explanation of the IIIF Authentication API 2.0 authentication flow at the level of actual HTTP requests/responses. We will trace what requests are sent and what responses are returned at each step.

Architecture Overview

Authentication Flow Details

Step 1: Initial Image Information Request (Unauthenticated)

Request:

Processing Flow (Server-side):

Response:

Step 2: Request to Probe Service

The client obtains the AuthProbeService2 URL from the 401 response and checks the authentication status.

Request:

Processing Flow (Server-side):

Response (Unauthenticated):

Step 3: Starting the Authentication Window

The client obtains the AuthAccessTokenService2 URL from the Probe Service response and opens a popup window.

Client-side Processing:

Generated URL:

Step 4: Token Service Redirect Processing

Request:

Processing Flow (Server-side):

Response:

Login Form Submission:

Processing Flow (Server-side):

JWT Generation Details:

Response:

Step 6: Token Delivery (postMessage)

After successful login, the client receives the token and sends it to the original window via the Token Service.

Client-side (auth/page.tsx):

Step 7: Token Reception in the Original Window

Client-side (Main Window):

Step 8: Authenticated Image Request

Request:

Processing Flow (Server-side):

Response:

Token Persistence and Synchronization

Persistence via localStorage

Synchronization Between Tabs

CORS Configuration

Image API Endpoint

Probe/Access Service

Error Handling

Token Expiration

Handling Authentication Errors

Security Considerations

1. Token Signature Verification

2. Using HTTPS (Production Environment)

3. Origin Verification

Performance Optimization

1. Token Caching

2. Handling Parallel Requests

Troubleshooting

2. postMessage Reception Failure

まとめ

In the IIIF Authentication API 2.0 implementation, requests are processed in the following flow:

Initial Access → 401 with Probe Service
Probe Service → 401 with Access Service
Token Service → Login Page redirect
Login → JWT Token generation
postMessage → Token delivery to main window
Authenticated Request → Protected resource access

By implementing proper error handling and security measures at each step, you can build a safe and user-friendly authentication system.

概要#

概要#

Architecture Overview#

Authentication Flow Details#

Step 1: Initial Image Information Request (Unauthenticated)#

Step 2: Request to Probe Service#

Step 3: Starting the Authentication Window#

Step 4: Token Service Redirect Processing#

Step 5: Authentication on the Login Page#

Step 6: Token Delivery (postMessage)#

Step 7: Token Reception in the Original Window#

Step 8: Authenticated Image Request#

Token Persistence and Synchronization#

Persistence via localStorage#

Synchronization Between Tabs#

CORS Configuration#

Image API Endpoint#

Probe/Access Service#

Error Handling#

Token Expiration#

Handling Authentication Errors#

Security Considerations#

1. Token Signature Verification#

2. Using HTTPS (Production Environment)#

3. Origin Verification#

Performance Optimization#

1. Token Caching#

2. Handling Parallel Requests#

Troubleshooting#

1. Popup Blocker#

2. postMessage Reception Failure#

まとめ#

References#

概要

概要

Architecture Overview

Authentication Flow Details

Step 1: Initial Image Information Request (Unauthenticated)

Step 2: Request to Probe Service

Step 3: Starting the Authentication Window

Step 4: Token Service Redirect Processing

Step 5: Authentication on the Login Page

Step 6: Token Delivery (postMessage)

Step 7: Token Reception in the Original Window

Step 8: Authenticated Image Request

Token Persistence and Synchronization

Persistence via localStorage

Synchronization Between Tabs

CORS Configuration

Image API Endpoint

Probe/Access Service

Error Handling

Token Expiration

Handling Authentication Errors

Security Considerations

1. Token Signature Verification

2. Using HTTPS (Production Environment)

3. Origin Verification

Performance Optimization

1. Token Caching

2. Handling Parallel Requests

Troubleshooting

1. Popup Blocker

2. postMessage Reception Failure

まとめ

References