Articles in this section

Web API Authentication

Avatar
Denys BULANT
  • Updated
Follow

Introduction

With the release of Multicam v10, we moved to a modern .Net version. This change result in our old method based on a simplified OAuth flow to no longer be implemented. We moved to a more simple "api key" method. You'll find on this page both methods being described.

It is important to note that the user accounts previously used are incompatible with v10 API keys.

Multicam 10+: API Key

With the API key method, there are no more password to encrypt nor a user to provide. It has been replaced by a simple API key to provide in a header named 'x-apikey'. The way to do it will vary with each client.

For example, let's take this API key set in Multicam:

So, here is an HTML page example using 'axios' to request the Multicam' systems detail. You can see that, unlike in our previous versions, the key is provided in clear and not obfuscated.

<html>
  <head>
    <script src="https://cdn.jsdelivr.net/npm/axios@1.1.2/dist/axios.min.js">
    </script>
  </head>
 <body>
  <div id="machineName">Machine name not available.</div>

  <script lang="javascript">
    const url = 'http://127.0.0.1:8082/api/application/system';
    axios.interceptors.request.use((request) => {
      request.headers.set('x-apikey', 'QkFqTmtDclVkQTFVaUAz');
      return request;
    });
    axios.get(url)
         .then(function (r) {
           const uiMachineName = document.getElementById("machineName");
           uiMachineName.innerHTML = r.data.computerName; 
         });
  </script>
 </body>
</html>

Multicam 9 and previously: user and encrypted password

To access the web API, you have two ways to authenticate requests:

  • IP Address: only machine(s) with given IP will have access to the API
  • User and key: you should retrieve a Token from the API with you user/key and then, pass the Token along all requests you do.

You can choose to use either or both, but at least one method must be selected.

Access token retrieval

You should issue a POST request to /Token endpoint, in form-urlencoded format

Request:

POST /Token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
grant_type=password&username=john%40example.com&password=3cdbdda34160…

Parameters are:

  • grant_type: fixed string with ‘password’ value.
  • username: API user.
  • password: API key encrypted with given RSA public key. It should be in hex or base64 format.

The Multicam public key is also available in base64:

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqY4P5mfcYttT840IgPtQxQXZNbHnYROPl5oU8wSiC3PepF/cjYNReva+4/5RZYSOR0ZqZmTZiJbxhdF7icmydIpi3IFFtfNZwXNyDT5176EOyuhtNjLehwqFupHJ+3VYTUzqZPEMXC1jVilfIGVKJEGLgz4d5UpYrqFiodyJ/JZ+Qj1hyJV0QHSm8V9fUz6RCXFiUMo4oDEakh78eQXSM+lM1FVkfGut42C1prpyouhkIMfsYA2XOOkjiVxYOwy0TEb+/QTvJAzOzPNU1OR9s9e8Uvw8cD8O1+gc9SDNO1FfUMJFnLdG9nhTFTQusM/cGEV4TAW4op8O+LbyZonQIDAQAB

It has a RSA only cypher type.

Here's an example of using JSEncrypt to transform a multicam password to the encrypted password expected on the Multicam side ('input_myclearpassword_or_apikey' here references an input's form field):

var crypt = new JSEncrypt();
crypt.setKey("-----BEGIN PUBLIC KEY-----" +
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqY4P5mfcYttT840IgP" +
"tQxQXZNbHnYROPl5oU8wSiC3PepF/cjYNReva+4/5RZYSOR0ZqZmTZiJbxhdF7ic" +
"mydIpi3IFFtfNZwXNyDT5176EOyuhtNjLehwqFupHJ+3VYTUzqZPEMXC1jVilfIG" +
"VKJEGLgz4d5UpYrqFiodyJ/JZ+Qj1hyJV0QHSm8V9fUz6RCXFiUMo4oDEakh78eQ" +
"XSM+lM1FVkfGut42C1prpyouhkIMfsYA2XOOkjiVxYOwy0TEb+/QTvJAzOzPNU1O" +
"R9s9e8Uvw8cD8O1+gc9SDNO1FfUMJFnLdG9nhTFTQusM/cGEV4TAW4op8O+LbyZo" +
"nQIDAQAB" +
"-----END PUBLIC KEY-----");
var enc = crypt.encrypt($('#input_myclearpassword_or_apikey').val());

The JSEncrypt.encrypt function already returns a base64 encoded result, so the 'enc' value is to be used directly as the encrypted password on the Multicam OAuth flow.

In case of success, API returns:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
     "access_token":"AQAAANCMnd8BFdERjHoAwE_Cl…QBYJXs1",
     "token_type":"bearer",
     "expires_in":1209599
}

Request authentication

Access token (access_token field) have to be added to all requests’ headers in Authorization field, with Bearer scheme:

Authorization: Bearer AQAAANCMnd8BFdERjHoAwE_Cl…QBYJXs1

In case of error, API returns:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
{
    "error":"invalid_grant"
}

Attached files

At the end of the article, you'll find the javascript used in our swagger page to authenticate with Multicam.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk