Networked Media Open Specifications

HOME DOCS

Docs for main

Overview

Prerequisites

JSON Web Tokens (JWT)

Authorization Server Setup

Implementing Authenticated API Calls

Node to Authorization Server Interactions

Node to Registry Interactions (IS-04)

Controller to Authorization Server Interactions

Controller to Registry (IS-04) and Node Interactions (IS-05, IS-08)

Event and Tally Interactions (IS-07)

Validating Access Tokens

Development Resources

VERSIONS

Branches

main

No releases yet

IS

Interface Specifications

IS-04: Discovery & Registration

IS-05: Device Connection Management

IS-07: Event & Tally

IS-08: Audio Channel Mapping

IS-09: System Parameters

IS-10: Authorization

IS-11: Stream Compatibility Management

IS-12: Control Protocol

IS-13: Annotation

BCP

Best Common Practices

BCP-002-01: Natural Grouping

BCP-002-02: Asset Distinguishing Information

BCP-003-01: Secure Communications in NMOS Systems

BCP-003-02: Authorization in NMOS Systems

BCP-003-03: Certificate Provisioning in NMOS Systems

BCP-004-01: Receiver Capabilities

BCP-005-01: EDID to Receiver Capabilities Mapping

BCP-006-01: NMOS With JPEG XS

BCP-006-02: NMOS With H.264

BCP-006-03: NMOS With H.265

MS

Data Model Specifications

MS-04: ID & Timing Model

MS-05-01: NMOS Control Architecture

MS-05-02: AMWA NMOS Control Framework

MS-05-03: AMWA NMOS Control Block Specs

INFO

Informative Documents

INFO-002: Security Implementation Guide

INFO-003: Sink Metadata Processing Architecture

INFO-004: Implementation Guide for DNS-SD

INFO-005: Implementation Guide for NMOS Controllers

INFO-006: Implementation guide for NMOS Device Capabilities Control

REG

Parameter Registers

General Procedures and Criteria

Capabilities

Device Control Types

Device Types

Flow Attributes

Formats

Node Service Types

Sender Attributes

Source Attributes

Tags

Transports

Transport Parameters

DEVEL

Developer Links

GitHub Repo

API Testing Tool

CI Dashboard

SEARCH

JSON Web Tokens (JWT)

←Prerequisites · Index↑ · Authorization Server Setup→

Access Tokens

The format of the Access Token used by IS-10 is the JSON Web Tokens (JWT). JWT is an open industry standard method for representing claims securely between services (RFC 7519). The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure, enabling the claims to be digitally signed with RSASSA-PKCS1-v1_5 using SHA-512.

The Access Token consists of three segments, each being encoded separately using Base64url Encoding, and concatenated using periods to produce the JWT:

base64urlEncoding(header) + '.' + base64urlEncoding(payload) + '.' + base64urlEncoding(signature)

Example of a JWT:

eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MTI3OTM1MTYsImlhdCI6MTYxMjc5MzMzNiwianRpIjoiMGYxNjc4MzMtOTlkMC00Mjg0LTk5ODAtM2UyYjJlODdmN2RiIiwiaXNzIjoiaHR0cHM6Ly9hdXRob3JpemF0aW9uLXNlcnZlci5jb20iLCJhdWQiOiJyZWdpc3RyeS5leGFtcGxlLm9yZyIsInN1YiI6ImJhZjQxNGU4LTM0YjctNDUwMy1hODdlLTNiNGViOTE2Y2UzYSIsInR5cCI6IkJlYXJlciIsImF6cCI6IjMwYmFmNjE3LTE3NDQtNGMyNC05YmFmLTIyMzUxYmVjMWE3MyIsInNlc3Npb25fc3RhdGUiOiJkMjNmMzE5ZS03OWYzLTRiY2UtOTk1Ni1iNTNlODMzMTUzYzMiLCJhY3IiOiIxIiwic2NvcGUiOiJyZWdpc3RyYXRpb24iLCJ4LW5tb3MtcmVnaXN0cmF0aW9uIjp7InJlYWQiOlsiKiJdLCJ3cml0ZSI6WyIqIl19LCJjbGllbnRJZCI6IjMwYmFmNjE3LTE3NDQtNGMyNC05YmFmLTIyMzUxYmVjMWE3MyJ9.edE5qHXBBGPMZ8S_RZYhW4sYo5uc1GT1gt8z3HkkJwqH_iHL6nD-84l6NOFYpXrE42WjElRyTU5JlPu7gpLMqZHmeqSSDpK-SfF5q25kNHmaiboA5DXQxDeb24ULFztRIjJGmBmWQ6Pg8a8tqVNmO0M75cQBV5pQyDZK1mekFapm3CmzXc628MbQ6YfbeBnNihkbij9NlMFFUffjug12iqiNCv2EEYPSGjsAk2UmVn0WkUQ742EKfqdp1HoBgyMsYJ-D0BjxgRIHWLuYyu7CmrFlOcN2PGbisp_RuGYy3xibgVa-MS8G0_VkQc9rvqkoDKL9kCLPOTyQBeuZsY6wUA

JWTs can be straightforwardly introspected using tools such as the JWT.io debugger.

Header

The Header is used to identify which algorithm was used to generate the Signature. In accordance with IS-10, the alg field in the header is set to RS512.

{
  "alg": "RS512",
  "typ": "JWT"
}

Payload

The Payload contains the token claims, including when the token became active, when it is due to expire, who the token is intended for, and some other registered (standard) and private claims.

Registered Claims

The IS-10 specification gives details of how NMOS API Clients and Servers use registered claims.

Private Claims

IS-10 has defined some private claims which are used to control read/write access to APIs. These are configured in the Authorization Server and are covered in more detail in that section.

Signature

The Signature is created by encoding the Header and Payload using Base64url encoding, then run through the cryptographic algorithm specified in the Header with the issuer private key.

←Prerequisites · Index↑ · Authorization Server Setup→

Documentation built at 13:06:13 CDT on 2023-07-12.
(c) AMWA 2023. RAML/JSON licensed under Apache 2.0. Documentation licensed under CC BY-ND 4.0.