Authentication to ImageVault Core is based on OAuth 2.0.
ImageVault supports several of the authentication methods (grant types) that OAuth 2.0 defines:
- Authorization Code Grant
- Authorization Pin Grant
- Resource Owner Password Credentials Grant
- Client Credentials Grant
OAuth 2.0 defines four different roles. The table below lists them and identifies which ImageVault component plays each role.
| Role | Definition (OAuth 2.0) | ImageVault actor |
|---|---|---|
| Resource owner | An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. | User using ImageVault |
| Resource server | The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. | ImageVault Core |
| Client | An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices). | ImageVault UI, ImageVault, ImageVault Plugin, ImageVault Episerver 7 Add-on, any 3rd party application |
| Authorization server | The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. | ImageVault Core / ImageVault UI |
API key notes
Core uses OAuth 2.0 client authentication, whose key components are the Client ID and the client secret. The Client ID, which is the API key in ImageVault, identifies a particular application that needs to be authenticated when exchanging information with a remote service. The secret is the password for a specific API key and must be kept safe, so that other applications cannot act on your application's behalf.
When installing ImageVault, the API key is automatically set to 'iv4sdk', while the secret must be entered by the person installing the product. The secret may be any string of characters, just like a normal password. Our recommendation, however, is to choose a complex secret: you only need to enter it during the installation phase. After that, any client can authenticate by presenting the secret together with the iv4sdk client ID using the grant types listed above.
It is important not to confuse the API key and secret with the username and password of the user who logs into ImageVault. These are two different user catalogs with different purposes. Client credentials identify a client APPLICATION, while other credentials, such as forms authentication, Azure AD or ADFS, identify an end user.
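As an added example (not ImageVault's own SDK code), the following Python shows how the two credential kinds appear on the wire: a Client Credentials Grant authenticates only the application with the iv4sdk API key and its secret, whereas a Resource Owner Password Credentials Grant carries the end user's username and password in addition to the client credentials. The token endpoint URL, the secret and the sample token response are placeholders and constructed values, not taken from ImageVault.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Placeholder endpoint: the real ImageVault Core token endpoint is not given here.
TOKEN_URL = "https://imagevault.example.invalid/token"
CLIENT_ID = "iv4sdk"                       # default API key set during installation
CLIENT_SECRET = "<secret entered at install>"  # placeholder, never hard-code a real one


def client_credentials_form(client_id, client_secret):
    """Client Credentials Grant: identifies the client APPLICATION only."""
    if not client_secret or client_secret.startswith("<"):
        raise ValueError("client secret is missing or still a placeholder")
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def password_grant_form(client_id, client_secret, username, password):
    """Resource Owner Password Credentials Grant: the client still authenticates
    with its API key and secret, and the end user is identified on top of that."""
    form = client_credentials_form(client_id, client_secret)
    form.update({"grant_type": "password", "username": username, "password": password})
    return form


def token_request(token_url, form):
    """Build the POST the client would send to the authorization server."""
    req = Request(token_url, data=urlencode(form).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def bearer_header(token_response_body):
    """Turn a token response into the header used against the resource server
    (ImageVault Core); refuses anything that is not a bearer token."""
    data = json.loads(token_response_body)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    return {"Authorization": "Bearer " + data["access_token"]}


if __name__ == "__main__":
    form = password_grant_form(CLIENT_ID, "constructed-secret", "alice", "pw")
    print(token_request(TOKEN_URL, form).data.decode())
    # Constructed sample response, not captured from ImageVault:
    print(bearer_header('{"access_token": "abc123", "token_type": "Bearer", "expires_in": 3600}'))
```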