Creating a new Service Agent
When creating a new service or agent to integrate with VidiFlow, the service/agent needs to register itself with the Authentication service in order to authenticate.
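Please note: Although the new service/agent can reuse the existing configuration, doing so is not recommended, both for security reasons (a shared client secret cannot be rotated or revoked for one service without affecting the others) and to keep configurations separated.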
A new client can be created directly in the Swagger UI.
Path Swagger Reference: Creating a new Authentication Client |
POST /v1/Client |
Sample Client Body Definition (Implicit)
{
"enabled": true,
"clientId": "{{clientId}}",
"protocolType": "oidc",
"clientSecrets": [
{
"description": null,
"value": "{{clientSecret}}",
"expiration": null,
"type": "SharedSecret"
}
],
"requireClientSecret": false,
"clientName": "Description for the client service",
"clientUri": null,
"logoUri": null,
"requireConsent": false,
"allowRememberConsent": true,
"allowedGrantTypes": [
"authorization_code",
"client_credentials"
],
"requirePkce": false,
"allowPlainTextPkce": false,
"allowAccessTokensViaBrowser": true,
"redirectUris": [
"https://webserver/oauth2/callback" // The URL to be called once the user has successfully logged in
],
"postLogoutRedirectUris": [
"http://webserver/signout-callback-oidc" // The URLs to be called when the user has successfully logged out
],
"frontChannelLogoutUri": null,
"frontChannelLogoutSessionRequired": true,
"backChannelLogoutUri": null,
"backChannelLogoutSessionRequired": true,
"allowOfflineAccess": true,
"allowedScopes": [
"identityscope", // Scopes that the client is allowed to use
"openid",
"profile"
],
"alwaysIncludeUserClaimsInIdToken": false,
"identityTokenLifetime": 1800,
"accessTokenLifetime": 1800,
"authorizationCodeLifetime": 300,
"absoluteRefreshTokenLifetime": 2592000,
"slidingRefreshTokenLifetime": 1296000,
"consentLifetime": null,
"refreshTokenUsage": 1,
"updateAccessTokenClaimsOnRefresh": false,
"refreshTokenExpiration": 1,
"accessTokenType": 0,
"enableLocalLogin": true,
"identityProviderRestrictions": [],
"includeJwtId": false,
"claims": [], // The claims the client is allowed. Refer to the following section.
"alwaysSendClientClaims": true,
"clientClaimsPrefix": "client_",
"pairWiseSubjectSalt": null,
"allowedCorsOrigins": [
"http://webserver" // The web sites/services that are allowed to use the client (CORS policy)
],
"properties": {}
}
Sample Client Body Definition (Client Credentials)
{
"enabled": true,
"clientId": "{{clientId}}",
"protocolType": "oidc",
"clientSecrets": [
{
"description": null,
"value": "{{clientSecret}}",
"expiration": null,
"type": "SharedSecret"
}
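],
"requireClientSecret": false, // Review: client_credentials is the only grant allowed here, so the secret is this client's sole credential; confirm that false is intended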
"clientName": "Description of the client service",
"clientUri": null,
"logoUri": null,
"requireConsent": true,
"allowRememberConsent": true,
"allowedGrantTypes": [
"client_credentials"
],
"requirePkce": false,
"allowPlainTextPkce": false,
"allowAccessTokensViaBrowser": true,
"redirectUris": [],
"postLogoutRedirectUris": [],
"frontChannelLogoutUri": null,
"frontChannelLogoutSessionRequired": true,
"backChannelLogoutUri": null,
"backChannelLogoutSessionRequired": true,
"allowOfflineAccess": true,
"allowedScopes": [
"api1", // Scopes that the client is allowed to use
"configportalscope"
],
"alwaysIncludeUserClaimsInIdToken": false,
"identityTokenLifetime": 300,
"accessTokenLifetime": 3600,
"authorizationCodeLifetime": 300,
"absoluteRefreshTokenLifetime": 2592000,
"slidingRefreshTokenLifetime": 1296000,
"consentLifetime": null,
"refreshTokenUsage": 1,
"updateAccessTokenClaimsOnRefresh": false,
"refreshTokenExpiration": 1,
"accessTokenType": 0,
"enableLocalLogin": true,
"identityProviderRestrictions": [],
"includeJwtId": false,
"claims": [], // The claims the client is allowed. Refer to the following section.
"alwaysSendClientClaims": true,
"clientClaimsPrefix": "",
"pairWiseSubjectSalt": null,
"allowedCorsOrigins": [ ], // Not required unless this is a web service
"properties": {}
}
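The ClientId and ClientSecret should be unique for each service/agent. They can be auto-generated GUIDs for the sake of simplicity; because the ClientSecret acts as the client's password, generate it from a cryptographically secure random source.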