This scenario requires a unique client ID, client secret, and redirect URI to be set up with movingimage in advance. Contact movingimage Professional Services for further assistance.
Use this scenario if you are making a server-side application that requires the user to log in to their VideoManager Pro account. This scenario will allow you to redirect the user to the authorization server's login page. The workflow is shown in the diagram to the right and corresponds to the OAuth 2.0 "authorization code" grant type. Note that in this scenario, the application never has access to the user's credentials.
There are several authentication APIs available that can be used instead of writing the code for the requests below from scratch. The framework used to develop the integration software may even already provide this functionality. A list of authentication APIs can also be found on the OAuth website. Make sure the one you choose supports the "authorization code" grant type. Continue reading to learn how to build these requests from scratch.
In order to acquire the access and refresh tokens, the application must perform two requests to the authorization server:
Once the tokens are acquired, they are used in the following ways:
(this diagram assumes all requests are successful)
state - (optional) - generate a random, URL-encoded string for this value
Though the state value is optional, it is highly recommended to use it, as it protects against malicious software attacks.
Example:
https://login.movingimage.com/auth/realms/platform/protocol/openid-connect/auth?client_id=<---CLIENT_ID--->&redirect_uri=<---REDIRECT_URI--->&response_mode=query&response_type=code&scope=openid&state=<---RANDOM_STRING--->
Remember to URL encode your redirect URI (so "https://" should be "https%3A%2F%2F").
The user is then redirected to the location in the redirect_uri parameter. This location will contain an authorization code similar to the example below:
https://redirect.example.com/#state=7f4jKO98p0&code=beEGJ7l7OmpTI6DuCmOsAWmcPMz4EwajvLE-0BU5NdA.3a21d1a0-23ad-40c0-8d79-332ac758dee2
The state will also be given back to you if you used this parameter in the login URL. If the state value matches the string from the original login URL, it is safe to use the code.
4. Extract the authorization code from the query.
5. Use the token endpoint to build a POST request that will return your access and refresh tokens (if the code is valid).
Example Request:
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&client_id=<---CLIENT_ID--->&client_secret=<---CLIENT_SECRET--->&code=<---AUTHORIZATION_CODE--->&redirect_uri=<---REDIRECT_URI--->' https://login.movingimage.com/auth/realms/platform/protocol/openid-connect/token
6. Example Response:
{
  "access_token": "<----ACCESS_TOKEN---->",
  "expires_in": 300,
  "refresh_expires_in": 3600,
  "refresh_token": "<----REFRESH_TOKEN---->",
  "token_type": "bearer",
  "id_token": "<----ID_TOKEN---->",
  "not-before-policy": 0,
  "session_state": "b2e54e67-f61e-4193-88b8-5826a0b76179",
  "scope": "openid profile email"
}
Note the "expires_in" and "refresh_expires_in" values. These give the timeframe (in seconds) during which the access and refresh tokens are valid, respectively. The access token's timeframe will be short, making the refresh token necessary (as demonstrated below under the "Use the Refresh Token" heading).
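The login URL and the state check that precede the token request can be implemented as follows. This is an added example, not movingimage code: the function names and the redirect URI https://redirect.example.com/cb are assumptions, and it assumes the code arrives in the query string, as requested by response_mode=query.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://login.movingimage.com/auth/realms/platform/protocol/openid-connect/auth"


def build_login_url(client_id, redirect_uri):
    """Return (login_url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, and already URL-safe
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode() percent-encodes "https://"
        "response_mode": "query",
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def extract_code(callback_url, expected_state):
    """Return the authorization code only if the returned state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned: " + query["error"][0])
    states, codes = query.get("state", []), query.get("code", [])
    # Require exactly one of each; duplicated parameters are rejected.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one state and one code")
    # Constant-time comparison against the value stored at login time.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the code and restart login")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    url, state = build_login_url("my-client", "https://redirect.example.com/cb")
    callback = "https://redirect.example.com/cb?state=" + state + "&code=abc.def"
    print(url)
    print(extract_code(callback, state))
```

The state returned by build_login_url must be tied to the browser session that started the login and used once; a code that fails the check is never sent to the token endpoint.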
With the access and refresh tokens, the application can now authorize the user to access resources from the API.
Once you have a valid access token, you must include it in the header of each request to the movingimage REST API. The following uses the "Get VideoManagers" method to demonstrate this:
curl -X GET -H "Authorization: Bearer <ACCESS_TOKEN>" https://api.video-cdn.net/v1/vms
The access token will expire after a short time, but it is possible to maintain uninterrupted access. After the access token expires, you can use the refresh token to get a new one. You will also get a new refresh token and the expiration time for the tokens will restart. Refreshing the tokens is possible until the latest refresh token expires. If both tokens expire without refreshing, the session will end and you will need to authenticate again.
Example Request:
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=refresh_token&response_type=token&client_id=<---CLIENT_ID--->&client_secret=<---CLIENT_SECRET--->&refresh_token=<---REFRESH_TOKEN--->&scope=openid' https://login.movingimage.com/auth/realms/platform/protocol/openid-connect/token