...
Table of contents
| Table of Contents |
|---|
Background.
OAuth works by using the redirect functionality in the HTTP protocol. This means that neither your application or the Vidispine API will ever see the user's password. Instead, the user will log in directly to the Authorization Server (e.g. Azure AD, or Google API). Once logged in, the user's browser will receive an authorization code and a redirect request back to your application. That authorization code is used to get a resource token (JWT). The resource token is then sent to Vidispine for all API calls using Authorization: Bearer HTTP header, instead of Basic authentication.
Authorization flow
...
Token Validation
When Vidispine receives the token, it has to be validated. There are today three ways of doing this. If you want to authenticate against a service that provides an API to validation (e.g. Google API), you just have to enter the endpoint information in your shiro.ini. As usual, apidoc has the details. In order to reduce the load on the authorization service (and provide you with a faster API), the information is cached in Vidispine.
...
A third alternative is to provide Vidispine with a set of static X.509 certificates directly in the shiro.ini file.
Mapping Vidispine users
If the JWT contains a unique_name object, that is used as the username. Otherwise, if the validation endpoint returns a JSON with a unique_name, that is used. If the user does not exist in Vidispine, a simple authentication error response is given, with HTTP header Reason: User was not found: {username}. Your application can then decide what to do, e.g. simply add the user in Vidispine and attach it to a default group.
Related articles
| Filter by label (Content by label) | ||||||
|---|---|---|---|---|---|---|
|
...