Networked Media Open Specifications

Authorization Server Setup

←JSON Web Tokens (JWT) · Index↑ · Implementing Authenticated API Calls→

IS-10 is all about authorization, so you will need an Authorization Server from which you request Access Tokens. Here you will find some detail on setting up an Authorization Server to provide the correct ‘flavor’ of Access Tokens to your NMOS Nodes.

Overview

IS-10 will work with any OAuth 2.0 or OpenID compliant Authorization Server. For the purposes of this guide we have used Keycloak which is an open source Identity and Access Management solution. However, other Authorization Servers are available, so simply map these configuration steps to your current, favorite Auth Server.

Keycloak Setup

Install Keycloak

You can get a latest version from the Keycloak website.

Configure Realms

Client Scope Config

Audience Config

Private Claims

Repeat for All Scopes

Set Up Trusted Hosts

keytool -import -alias nmosca -file cert.pem -cacerts -storepass changeit

Enable TLS, Redirects and Discovery

An example Apache Reverse Proxy site configuration with a metadata alias is shown below. This makes Keycloak available on port 443, forwarding it from port 8082:

<VirtualHost _default_:443>
        <Location />
                ProxyPreserveHost On
                ProxyPass https://127.0.0.1:8082/ timeout=30 connectiontimeout=1 max=10 ttl=1 smax=10
                ProxyPassReverse https://127.0.0.1:8082/
        </Location>

        <Location /.well-known/oauth-authorization-server>
                ProxyPreserveHost On
                ProxyPass https://127.0.0.1:8082/auth/realms/master/.well-known/openid-configuration timeout=30 connectiontimeout=1 max=10 ttl=1 smax=10
                ProxyPassReverse https://127.0.0.1:8082/auth/realms/master/.well-known/openid-configuration
        </Location>

        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        Header set Access-Control-Allow-Origin "*"

        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>

Note that to get the Keycloak server to be able to resolve the client addresses / hostnames, then the Keycloak configuration needs to be changed. Details of how to set up a reverse proxy with Keycloak can be found here. Without this change, any attempt to register a client as a “Trusted Host” will fail.

←JSON Web Tokens (JWT) · Index↑ · Implementing Authenticated API Calls→