thoth-tech · aNebula · Dec 21, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/.../ontrack/documentation/panopoto-integration/panopto-oauth2-intergration-plan.md b/.../ontrack/documentation/panopoto-integration/panopto-oauth2-intergration-plan.md
@@ -0,0 +1,118 @@
+
+# Panopto OAuth2 Integration Guide (Updated)
+
+This guide provides a detailed, step-by-step process to integrate Panopto’s OAuth2-based authentication into your backend application (e.g., OnTrack or Doubtfire-API). It covers creating an API client on Panopto, configuring OAuth2 settings, obtaining authorization codes, exchanging them for access tokens, and integrating the process into your application’s workflow. Technical improvements, corrections, and additional recommendations based on best practices have been included.
+
+## OAuth2 Panopto API Client Setup
+To upload videos to a user's personal Panopto instance, we need to authenticate using OAuth2. This involves creating an API client on Panopto, configuring redirect URIs and CORS, then performing the OAuth2 Authorization Code flow to retrieve the tokens required for API calls.
+
+## Step 1: Create an API Client on Panopto
+1. Navigate to the Panopto website:
+   - Panopto Login: [https://deakin.au.panopto.com/Panopto/Pages/Home.aspx](https://deakin.au.panopto.com/Panopto/Pages/Home.aspx)
+
+2. Access User Settings:
+   - Click on the User Settings icon (usually in the top-right corner).
+
+3. Create a New API Client:
+   - Under the API Client section, click "Create New Client".
+
+4. Configure the API Client:
+   - Set a name for the client (e.g., "OnTrack Integration Client" or "Doubtfire Integration Client").
+   - Choose "Server-side Application" as the client type since the integration is backend-based.
+
+5. Save Your Credentials:
+   - Note down your Client ID and Client Secret. These will be used to authenticate requests.
+   - Store them securely (e.g., environment variables). Do not commit these to version control.
+
+**Example:**
+```
+CLIENT_ID=your_panopto_client_id
+CLIENT_SECRET=your_panopto_client_secret
+```
+<img width="400" alt="Screenshot 2024-12-05 at 5 58 26 pm" src="https://github.com/user-attachments/assets/26e91cd0-c986-4c32-88e4-c111283f4650">
+
+## Step 2: Configure Allowed URLs and Redirect URI
+1. Set CORS (Cross-Origin Resource Sharing):
+   - In the Allowed URL section of the API Client configuration, set CORS to `https://localhost` for local development.
+
+2. Set Redirect URI:
+   - Set the Redirect URI to `http://localhost:9127/redirect`.
+   - The port number (9127) is arbitrary and used for local testing. It must match the `redirect_uri` parameter in your application’s OAuth flow exactly.
+
+## Step 3: Exchange the Code for an Access Token
+Once the API client is set up, the next step is to perform the OAuth2 Authorization Code flow:
+
+### Obtain the Authorization Code
+Replace `YOUR_CLIENT_ID` and `YOUR_PORT` as needed:
+
+```
+https://deakin.au.panopto.com/Panopto/oauth2/connect/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=http://localhost:9127/redirect&scope=openid%20api&nonce=12345
+```
+
+1. Navigate to the above URL in a browser.
+2. Log in and grant access when prompted.
+3. After approval, Panopto redirects to:
+   ```
+   http://localhost:9127/redirect?code=AUTHORIZATION_CODE
+   ```
+
+### Exchange Authorization Code for Access Token
+Use the code to request an access token. Note the correction in `grant_type` spelling (`authorization_code`):
+
+```bash
+curl -X POST "https://deakin.au.panopto.com/Panopto/oauth2/connect/token"   -H "Content-Type: application/x-www-form-urlencoded"   -d "grant_type=authorization_code"   -d "code=YOUR_AUTHORIZATION_CODE"   -d "redirect_uri=http://localhost:9127/redirect"   -d "client_id=YOUR_CLIENT_ID"   -d "client_secret=YOUR_CLIENT_SECRET"
+```
+
+**Example Response:**
+```json
+{
+  "access_token": "eyJ...<snip>",
+  "expires_in": 3600,
+  "token_type": "Bearer",
+  "scope": "openid api",
+  "refresh_token": "optional_refresh_token_if_provided"
+}
+```
+
+This `access_token` can be used to call Panopto’s API for video uploads. If a `refresh_token` is included, you can use it to obtain new access tokens without user re-authorization.
+
+## Step 4: Integrating with OnTrack (or Your Backend)
+1. **Store Credentials Securely:**
+   - Create an `.env` file (for local development):
+     ```env
+     PANOPTO_CLIENT_ID=your_panopto_client_id
+     PANOPTO_CLIENT_SECRET=your_panopto_client_secret
+     PANOPTO_REDIRECT_URI=http://localhost:9127/redirect
+     ```
+   - Load these environment variables in your backend application.
+
+2. **Authorization Flow Integration:**
+   - Your backend can present a link to the authorization URL. The user clicks it to start the process.
+   - After granting access, the backend receives the authorization code at the redirect URI.
+   - The backend exchanges the code for an access token automatically.
+
+3. **Video Upload:**
+   - With a valid access token, your backend can call Panopto’s upload APIs to programmatically upload videos to the user’s personal Panopto instance.
+
+## Recommendations and Updates
+- **Security:**
+  - Use HTTPS in production for all communications.
+  - Do not log sensitive tokens (e.g., access tokens or refresh tokens).
+  - Store secrets securely using a tool like AWS Secrets Manager or HashiCorp Vault.
+- **Scalability:**
+  - Use a shared token storage mechanism (e.g., a database) if running multiple instances of your backend behind a load balancer.
+- **Error Handling:**
+  - Implement retry logic with exponential backoff for transient failures.
+  - Log errors but ensure no sensitive information (e.g., client secret) is exposed.
+- **Version Control:**
+  - Ensure Panopto API versions are checked periodically for updates.
+  - Test all API changes in a staging environment before deploying them to production.
+
+## References
+- Panopto Documentation: [https://support.panopto.com/s/docs](https://support.panopto.com/s/docs)
+- OAuth2 Specification: [https://oauth.net/2/](https://oauth.net/2/)
+- Secret Management: Consider [HashiCorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) for production.
+
+---
+
+By following these steps and best practices, you can seamlessly integrate Panopto’s OAuth2 authentication flow into your backend (e.g., OnTrack or Doubtfire-API), ensuring a smooth and secure process for uploading videos to a user’s Panopto instance.
diff --git a/...s/products/ontrack/documentation/panopoto-integration/panopto-upload-process.md b/...s/products/ontrack/documentation/panopoto-integration/panopto-upload-process.md
@@ -0,0 +1,177 @@
+# Panopto Video Upload Process
+
+## Overview
+This document outlines key information about the process of uploading videos to Panopto using the Panopto REST API. While this isn't a comprehensive guide, it highlights the steps involved in creating a session, performing a multipart upload of the video file, creating the manifest, and finalising the upload. This serves as an informational resource for implementing the video upload functionality in the future. Additional research and context will be needed to fully integrate these steps.
+
+---
+
+## Step 1: Create a Session for Video Upload
+
+Before uploading a video, a session must be created. The session provides the necessary details for the upload process, including the upload target and session ID.
+
+###  Call the Session Creation API
+The session creation process is triggered by sending a POST request to the `sessionUpload` endpoint.
+
+- **API Endpoint:**
+  ```ruby
+  POST https://{server}/Panopto/PublicAPI/REST/sessionUpload
+  ```
+- **Payload:**
+  ```http
+  {
+    "FolderId": "{folder_id}"
+  }
+
+  ```
+- **Example Session Creation:**
+  ```ruby
+  response = RestClient.post(
+    "https://#{server}/Panopto/PublicAPI/REST/sessionUpload",
+    { "FolderId" => folder_id }.to_json,
+    { content_type: :json, accept: :json, authorization: "Bearer #{access_token}" }
+  )
+  ```
+
+- **Example Response:**
+  ```http
+  {
+    "ID": "session_id",
+    "UploadTarget": "upload_target_url",
+    "FolderId": "{folder_id}"
+  }
+  ```
+## Step 2: Upload Video via Multipart Upload
+Panopto supports multipart uploads for large video files. This step uploads the video in parts to the ```upload target``` specified in the session creation response.
+
+#### 1. Initiate Multipart Upload:
+- Get the Upload URL: After creating a session, extract the ```UploadTarget``` URL from the session creation response. This URL specifies where the video should be uploaded.
+
+- Set Up AWS SDK : Even though Panopto doesn’t require AWS credentials, use AWS SDK to handle the multipart upload. Initialise the SDK with dummy credentials (to bypass authentication but still use the multipart upload logic).
+
+```ruby
+# Extract the Upload Target URL from the session creation response
+upload_target = "https://deakin.au.panopto.com/Panopto/Upload/..."
+
+# Set up AWS SDK for multipart upload
+s3 = Aws::S3::Client.new(
+  endpoint: upload_target,
+  region: 'us-east-1',
+  access_key_id: 'dummy',
+  secret_access_key: 'dummy'
+)
+
+# Initiate multipart upload
+mpu = s3.create_multipart_upload(Bucket: 'upload-bucket', Key: 'video-file.mp4')
+upload_id = mpu['UploadId']
+```
+### 2. Upload Parts:
+- Split the Video File: Split the video into parts, each no larger than 5MB. You can adjust the part size as needed.
+
+- Upload Each Part: Iterate over the parts and upload them using the AWS SDK.
+
+```ruby
+# Read the video file in 5MB chunks and upload parts
+File.open('video_path.mp4', 'rb') do |file|
+  part_number = 1
+  while (chunk = file.read(5 * 1024 * 1024))  # 5MB per part
+    s3.upload_part(
+      bucket: 'upload-bucket',
+      key: 'test-video.mp4',
+      part_number: part_number,
+      upload_id: upload_id,
+      body: chunk
+    )
+    part_number += 1
+  end
+end
+```
+### 3. Complete Multipart Upload:
+- Finalise the Upload: Once all parts have been uploaded, call the ``complete_multipart_upload`` method to combine the parts into one video file in Panopto.
+
+```ruby
+# After all parts have been uploaded, complete the upload
+s3.complete_multipart_upload(
+  bucket: 'upload-bucket',
+  key: 'video-file.mp4',
+  upload_id: upload_id,
+  multipart_upload: { parts: parts_metadata }  # Metadata about each uploaded part
+)
+```
+## Step 3: Create and Upload the Manifest File
+Once the video is uploaded, the next step is to create the manifest file. The manifest provides metadata for the video, including its title, description, and the file name.
+
+### 1. Create the Manifest File:
+- The manifest file is an XML file that contains the following key elements:
+
+```xml
+Copy code
+<?xml version="1.0" encoding="utf-8"?>
+<Session xmlns="http://tempuri.org/UniversalCaptureSpecification/v1">
+  <Title>{Video_Title}</Title>
+  <Description>{Video_Description}</Description>
+  <Date>{Current_Date}</Date>
+  <Videos>
+    <Video>
+      <Start>PT0S</Start>
+      <File>{Video_File_Name}</File>
+      <Type>Primary</Type>
+    </Video>
+  </Videos>
+</Session>
+```
+### 2. Upload the Manifest File:
+- The manifest file is uploaded in the same way as the video parts, using `multipart upload`.
+``` Example Upload (Using AWS SDK):
+ruby
+
+s3 = Aws::S3::Client.new(
+  endpoint: upload_target,
+  region: 'us-east-1',
+  access_key_id: 'dummy',
+  secret_access_key: 'dummy'
+)
+
+s3.put_object(bucket: bucket_name, key: manifest_key, body: File.read(manifest_file))
+```
+## Step 4: Finalise the Upload
+After uploading the video and the manifest file, the final step is to finalise the session marking it as complete.
+
+### 1. Send the PUT Request to Finalise Session:
+API Endpoint:
+
+```ruby
+PUT https://{server}/Panopto/PublicAPI/REST/sessionUpload/{session_id}
+```
+Payload:
+
+```ruby
+
+{
+  "State": 1,  # Mark as completed
+  "FolderId": "{folder_id}"
+}
+```
+Example Code:
+
+```ruby
+RestClient.put(
+  "https://#{@server}/Panopto/PublicAPI/REST/sessionUpload/#{@session_id}",
+  { "State" => 1, "FolderId" => @folder_id }.to_json,
+  { content_type: :json, accept: :json, authorization: "Bearer #{@access_token}" }
+)
+```
+## 2. Monitor the Upload Status:
+- Check for Processing: After finalising, periodically check the `session state` to ensure it is processed and completed.
+
+Polling Example:
+
+```ruby
+
+while true
+  sleep(5)  # Wait a few seconds before checking  status
+  session = RestClient.get("https://#{@server}/Panopto/PublicAPI/REST/sessionUpload/#{@session_id}")
+  if JSON.parse(session.body)["State"] == 4  # State 4 means processing complete
+    break
+  end
+end
+```