Auth Service Integration Guide [C IG]
Introduction
AuthService is the central component for authentication and authorization in the Vidispine suite. For frontend applications, the AuthService handles the login on a redirect page and issues a token for the user; the token should be used to access all APIs of the suite (e.g. ConfigPortal, VidiCore, VidiFlow).
For backend services, the AuthService also provides a mechanism to obtain a token in order to access all the APIs provided by Vidispine.
The AuthService is usually connected to a Microsoft AD server, which serves as the Identity Provider. The AD server handles users, group assignments and password policies.
OpenIDConnect
OpenID Connect is a simple identity layer on top of the OAuth protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Integration - Overview
Configuration
In order to contact the AuthService to retrieve a token, the application has to be known by the AuthService. This is done by adding client configurations into AuthService.
AuthService provides APIs that allow admins to securely register and configure the client applications that require API access authentication and authorization.
To integrate a client application with AuthService as its Identity Provider, the following steps must be taken:
The client application must define all of its public/scoped/internal APIs that need to be managed by AuthService, and register those resources via AuthService.
The client application needs to configure the Client Configuration and register the application to be managed by AuthService.
The client application then needs to implement support for the OpenID Connect (OIDC) and OAuth2 protocols for the client-side applications.
For authorization and authentication to happen, the client application is expected to always send an authorization request to one of the following endpoints:
authorize endpoint for the implicit flow - this is used for user interface clients which redirect to the AuthService login page
token endpoint for the authorization code and client credentials flow - this is used
More details are explained in this chapter:
Configure OIDC Client Applications [C IG]
JWT Token
If the configuration is correct, the client receives a JWT token via the redirect endpoint.
The JWT contains the user information including assigned roles.