Authentication

Authentication to ImageVault Core is based on OAuth 2.0 (RFC 6749).

ImageVault supports several of the authorization grant types that OAuth 2.0 defines.

Our recommendation is to use the Authorization Code Grant for web browser/JavaScript based clients and the Resource Owner Password Credentials Grant for server based clients. Note that the Resource Owner Password Credentials Grant hands the end user's password to the client application itself; RFC 6749 limits it to highly trusted clients and current OAuth security guidance (the OAuth 2.0 Security Best Current Practice) deprecates it, so reserve it for server-side code that you control.

OAuth roles

OAuth 2.0 defines four different roles. The table below lists them and identifies which ImageVault component acts in each role.

| Role | Description | ImageVault component |
| --- | --- | --- |
| Resource owner | An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. | The user using ImageVault |
| Resource server | The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. | ImageVault Core |
| Client | An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices). | ImageVault UI, ImageVault Plugin, ImageVault Episerver 7 Add-on, any third-party application |
| Authorization server | The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. | ImageVault Core/ImageVault UI |

API key notes

ImageVault Core uses OAuth 2.0 client authentication, whose key components are the client ID and the client secret. The client ID, called the API key in ImageVault, identifies a particular application that must be authenticated when it exchanges information with a remote service. The secret is the password for that API key and must be kept safe, so that no other application can act on your application's behalf.

When installing ImageVault, the API key is automatically set to 'iv4sdk', while the secret is entered by the person installing the product. The secret may be any string of characters, just like a normal password. Our recommendation is to choose a long, complex secret: you only need to enter it during installation. After that, any client can authenticate with it in combination with the iv4sdk client ID using the grant types above. Because every client shares the same client ID and secret, treat the secret as a shared credential: keep it in configuration outside source control and rotate it if it is ever exposed.

It is important not to confuse the API key and secret with the username and password of the user who logs into ImageVault. These are two separate credential stores with different purposes. Client credentials identify a client APPLICATION, while end-user credentials, such as forms authentication, Azure AD or ADFS, identify an END USER.
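The following is an added example, not code from ImageVault or its SDK, that puts the two recommended grant types and the client/user credential distinction into concrete OAuth 2.0 messages. The host and endpoint paths (`imagevault.example.com`, `/oauth/authorize`, `/oauth/token`) are assumptions; the real endpoints come from your ImageVault Core installation. Nothing here touches the network: the functions build and check the messages per RFC 6749 so their shape can be inspected offline.

```python
"""OAuth 2.0 request construction for the two grants recommended above.

Added example, not ImageVault's own code. Endpoint host and paths are
assumptions; take the real ones from your ImageVault Core installation.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoints (not taken from the ImageVault documentation).
AUTHORIZE_ENDPOINT = "https://imagevault.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://imagevault.example.com/oauth/token"

# Client ID (API key) set by the ImageVault installer; the secret is chosen at installation.
CLIENT_ID = "iv4sdk"


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_client_auth(header: str) -> tuple:
    """What the authorization server does with that header: recover client ID and secret."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected Basic client authentication")
    client_id, _, client_secret = base64.b64decode(encoded).decode("utf-8").partition(":")
    return client_id, client_secret


def _token_request(client_id: str, client_secret: str, form: dict) -> dict:
    """Common shape of every token-endpoint call: client-authenticated POST with a form body."""
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_client_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def build_password_grant_request(client_id, client_secret, username, password, scope=None):
    """Resource Owner Password Credentials Grant (section 4.3), for server based clients.

    Two separate identities travel in one request: the client APPLICATION
    (client ID + secret in the Authorization header) and the END USER
    (username + password in the form body)."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return _token_request(client_id, client_secret, form)


def build_authorization_request(client_id, redirect_uri, scope=None, state=None):
    """Authorization Code Grant, step 1 (section 4.1.1): the URL the browser is sent to.
    `state` is a per-request random value the client must check on the way back."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def parse_authorization_response(redirect_url, expected_state):
    """Step 2 (section 4.1.2): take the code out of the redirect back to the client.
    A state mismatch means the response was not produced for our request (CSRF)."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding authorization response")
    if "error" in qs:
        raise ValueError(f"authorization server error: {qs['error'][0]}")
    return qs["code"][0]


def build_code_exchange_request(client_id, client_secret, code, redirect_uri):
    """Step 3 (section 4.1.3): swap the one-time code for an access token."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return _token_request(client_id, client_secret, form)


def parse_token_response(status, body):
    """Token response (section 5.1) or error (section 5.2). Returns (access_token, expires_in)."""
    data = json.loads(body)
    if status != 200:
        raise ValueError(f"token request failed: {data.get('error', 'unknown_error')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], data.get("expires_in")


if __name__ == "__main__":
    req = build_password_grant_request(CLIENT_ID, "correct horse battery staple", "alice", "hunter2")
    print(req["headers"]["Authorization"])
    print(req["body"])
    url, state = build_authorization_request(CLIENT_ID, "https://app.example.com/cb")
    print(url)
    # Constructed sample response in the shape of RFC 6749 section 5.1.
    sample = '{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer","expires_in":3600}'
    print(parse_token_response(200, sample))
```

The password grant request makes the credential separation visible: decoding the `Authorization` header yields the API key and secret that identify the application, while the form body carries the end user's login, which is checked against the user catalog (forms, Azure AD, ADFS). The authorization code path never gives the client the user's password at all, which is why it is the better fit for browser clients.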
