GET/POST request via OIDC Bearer Token

[kargl3]

Hello!

I need to use VAPIX API calls in my software via GET/POST requests. Our security standards require use to find a secure way to authenticate with the AXIS camera. I can see in the Network/HTTP settings that one can choose beween Basic and Digest authentication (or Both). The frontend of my camera also has a part where I can configure an OPEN ID Connect account.

HTTP/Authorization

OIDC Config

But it is currently not possible to do the HTTP request with a token previously received from my Keycloak setup? Am I right or am I missing something?

Thanks for your help!

[github-actions[bot]]

This automatically generated reply acts as a friendly reminder.

Answers to your questions will most often come from the community, from developers like yourself. You will, from time to time, find that Axis employees answers some of the questions, but this is not a guarantee. Think of the discussion forum as a complement to other support channels, not a replacement to any of them.

If your question remains unanswered for a period of time, please revisit it to see whether it can be improved by following the guidelines listed in Axis support guidelines.

[vivekatoffice]

Hi @kargl3 ,
OIDC is a completely new topic for me, but I thought it might be helpful to share this article link here. 🥲
Curity Identity Server

Also found this research paper on Google talking about the Keycloak server and Axis camera.

You were able to use token-based authentication previously and after updating Axis OS it stopped working? or you are interested to explore and looking for a document to configure?

Reference: OpenID Configuration

[kargl3]

Hi @vivekatoffice,

Thank you! I created the case with the number 02323890. 🙂

[NickDarvey]

@kargl3, did you end up getting any more info from AXIS support?

[vivekatoffice]

Hi @NickDarvey ,
I am adding the part of communication on the case(02323890) so it will be helpful for you:

[Partner]
I am currently trying to authenticate to AXIS via OIDC by Keycloak directly from my software program, without the availabiltity of a user interaction/browser. I want to send GET/POST requests to AXIS camera from my code and it should be possible to authenticate using the Keycloak server which is already used from other software parts. I already heard that Machine-To-Machine-Flow is not available at the moment, same as Client Credential workflow, so what would be the solution for my situation?

[Axis Team]
As of today we unfortunately cannot provide you with a solution for the machine to machine/client credential workflow. This part like you correctly mentioned has not been implemented yet. We hope however to have this available during H1 2025. So far our OIDC implementation does only support Authorization Code Flow.

[Partner]
If it is not possible at the moment, what would be the best practise to securely send GET/POST request to AXIS camera without having the user credentials involved?

[Axis Team]
Apart from OIDC, basic/digest authentication for GET/POST requests is supported but this would still require user credentials being involved.

[NickDarvey]

Thanks for sharing @vivekatoffice! The only thing that is not explicitly stated in that is whether you can make HTTP API requests using an access token obtained via an OIDC authorisation code grant

[vivekatoffice]

Not for now, but I will keep it in mind and update you once it is available. I request that you start a new discussion by adding your use case and requirement for selecting this method of authentication for VAPIX (currently we support Basic and Digest)