Authentication
Authentication to the ImageVault API is based on OAuth2.
ImageVault supports several of the grant types that OAuth2 defines:
- Authorization Code Grant
- Authorization Pin Grant
- Resource Owner Password Credentials Grant
- Client Credentials Grant
Our recommendation is to use the Authorization Code Grant for web-browser/JavaScript-based clients and the Resource Owner Password Credentials Grant for server-based clients. For native clients, use the Authorization Pin Grant.
OAuth roles
OAuth 2.0 defines four roles. The table below lists them and maps each role to the ImageVault component(s) that play it.
Role | Description | ImageVault component(s)
---|---|---
Resource owner | An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user. | User using ImageVault
Resource server | The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens. | ImageVault Core
Client | An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices). | ImageVault UI, ImageVault Plugin, ImageVault Episerver Add-on, any third-party application
Authorization server | The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. | ImageVault Core/ImageVault UI
API key notes
ImageVault Core uses OAuth2 client authentication, whose key components are the Client ID and the secret. The Client ID, which is the API key in ImageVault, identifies a particular application that must authenticate when exchanging information with a remote service. The secret is the password for a specific API key and must be kept safe, so that other applications cannot act on your application's behalf.
When installing ImageVault, the API key is automatically set to 'iv4sdk', while the secret must be entered by the person installing the product. The secret may be any string of characters, just like a normal password. Our recommendation, however, is to choose a complex secret: you only need to enter it during the installation phase. After that, any client can authenticate by presenting it together with the iv4sdk client ID using one of the grant types above.
It is important not to confuse the API key and secret with the username and password of the user who logs into ImageVault. These are two different user catalogs with different purposes. Client credentials identify a client APPLICATION, while other credentials, such as forms authentication, Microsoft Entra ID or ADFS, identify an end user.
Postman (and other tools)
To configure OAuth authentication in Postman and similar tools, use one of the following authentication methods:
- Authorization Code (Authorization Code Grant)
- Password Credentials (Resource Owner Password Credentials Grant)
- Client Credentials (Client Credentials Grant)
For the authorization URL, use https://my.imagevault.app/oauth/authorize, and for the access token URL use https://my.imagevault.app/apiv2/oauth/token.
The example below uses the Authorization Code Grant.
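The following is an added Python example, not ImageVault's own code, that builds the two requests of the Authorization Code Grant against the endpoints listed above (same helpers work for the password grant by changing the grant parameters). It assumes the host my.imagevault.app from the Postman section, the default iv4sdk API key, and that the token endpoint accepts the client ID and secret as HTTP Basic credentials as in RFC 6749 section 2.3.1; the client secret, redirect URI and returned code are constructed placeholders.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Endpoints from the Postman section above; replace the host with your own.
AUTHORIZE_URL = "https://my.imagevault.app/oauth/authorize"
TOKEN_URL = "https://my.imagevault.app/apiv2/oauth/token"
CLIENT_ID = "iv4sdk"  # default API key set at installation


def build_authorize_url(redirect_uri, state=None):
    """Step 1: the URL the browser is sent to. `state` is an unguessable value
    kept in the client's session and compared on the redirect back, so a code
    an attacker obtained cannot be injected into the victim's session."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def build_token_request(client_secret, grant_params):
    """Step 2: the POST that exchanges the code (or, for server clients, the
    resource owner's username/password) for an access token. Assumption:
    client ID and secret travel in an HTTP Basic header (RFC 6749 s2.3.1);
    if your installation wants them in the body, add them to grant_params."""
    creds = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urlencode(grant_params)


def parse_token_response(body, now=None):
    """Turn the JSON token response into a cache entry with an absolute
    expiry, so the client can renew before the token stops working."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')}")
    now = time.time() if now is None else now
    expires_in = data.get("expires_in")
    return {"access_token": data["access_token"],
            "expires_at": now + int(expires_in) if expires_in else None}


if __name__ == "__main__":
    url, state = build_authorize_url("https://app.example/callback")
    print("send the user to:", url)
    print(build_token_request("CLIENT-SECRET-PLACEHOLDER",
          {"grant_type": "authorization_code", "code": "CODE-FROM-REDIRECT",
           "redirect_uri": "https://app.example/callback"}))
```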