Networked Media Open Specifications

DOCS

Docs for v1.0.0

Overview

APIs

Discovery

Behaviour

Behaviour - Authorization Servers

Behaviour - Clients

Behaviour - Token Requests

Behaviour - Access Tokens

Behaviour - Resource Servers

Definitions

Upgrade Path

APIS

RAML APIs for v1.0.0

Authorization API

ServerMetadata API

JSON Schemas for v1.0.0

auth_metadata

jwks_response

jwks_schema

register_client_error_response

register_client_request

register_client_response

token_error_response

token_response

token_schema

EXAMPLES

JSON Examples for v1.0.0

access_token

auth-metadata-get-200

auth-metadata-issuer-get-200

jwks-get-200

register-authorization-code-grant-client-post-201

register-authorization-code-grant-client-post-request

register-client-credentials-grant-client-post-201

register-client-credentials-grant-client-post-request

register-client-post-201

register-client-post-400

token-post-200

token-post-400

VERSIONS

Branches

v1.0.x

publish-fix-113

publish-fix-111

Releases

v1.0.0

IS

Interface Specifications

IS-04: Discovery & Registration

IS-05: Device Connection Management

IS-07: Event & Tally

IS-08: Audio Channel Mapping

IS-09: System Parameters

IS-10: Authorization

IS-11: Stream Compatibility Management

IS-12: Control Protocol

IS-13: Annotation

IS-14: Device Configuration

BCP

Best Common Practices

BCP-002-01: Natural Grouping

BCP-002-02: Asset Distinguishing Information

BCP-003-01: Secure Communications in NMOS Systems

BCP-003-02: Authorization in NMOS Systems

BCP-003-03: Certificate Provisioning in NMOS Systems

BCP-004-01: Receiver Capabilities

BCP-005-01: EDID to Receiver Capabilities Mapping

BCP-006-01: NMOS With JPEG XS

BCP-006-02: NMOS With H.264

BCP-006-03: NMOS With H.265

BCP-007-01: NMOS With NDI

BCP-008-01: NMOS Receiver Status

BCP-008-02: NMOS Sender Status

MS

Data Model Specifications

MS-04: ID & Timing Model

MS-05-01: NMOS Control Architecture

MS-05-02: AMWA NMOS Control Framework

MS-05-03: AMWA NMOS Control Block Specs

INFO

Informative Documents

INFO-002: Security Implementation Guide

INFO-003: Sink Metadata Processing Architecture

INFO-004: Implementation Guide for DNS-SD

INFO-005: Implementation Guide for NMOS Controllers

INFO-006: Implementation guide for NMOS Device Capabilities Control

REG

Parameter Registers

General Procedures and Criteria

Capabilities

Device Control Types

Device Types

Flow Attributes

Formats

Node Service Types

Sender Attributes

Source Attributes

Tags

Transports

Transport Parameters

F-SETS

Control Feature Sets

Identification

Monitoring

DEVEL

Developer Links

GitHub Repo

API Testing Tool

CI Dashboard

SEARCH

IS-10 ➤ branches ➤ publish-fix-113 ➤ docs ➤ Viewing live branch. Click here for list of published releases.

Behaviour: Access Tokens

←Behaviour - Token Requests · Index↑ · Behaviour - Resource Servers→

The Access Token type returned MUST be of the Bearer_token type specified in RFC 6750.

The Access Token MUST be a JSON Web Signature (JWS) as defined by RFC 7515. JSON Web Algorithms (JWA) MUST NOT be used.

The JWS MUST be signed with RSASSA-PKCS1-v1_5 using SHA-512, meaning the value of the alg field in the token’s JOSE (JSON Object Signing and Encryption) header (see RFC 7515) MUST be set to RS512 as defined in RFC 7518. An example JOSE header would be:

{
  "typ": "JWT",
  "alg": "RS512"
}

Registered Claims

Registered claims are defined in the authorization JSON Web Token specification in RFC 7519, but their specific usage is left to the application. NMOS API Clients and Servers implementing this specification MUST employ the restrictions on claims outlined below, in addition to implementing tokens as specified in RFC 7519.

iss

Identifies principal that issued the JWT

The iss (issuer) claim MUST be included in the token. The claim MUST contain a URL value that identifies the Authorization Server that issued the JWT as specified in section 2 of RFC 8414. The URL host value SHOULD match one entry in the common name field or alternate names fields in all TLS certificates used by the Authorization Server.

sub

Identifies the subject of the JWT

The sub (subject) claim MUST be included in the token. This claim MUST contain a unique identifier assigned to the end-user by the user authorization system. For example, this may be a username in a Single Sign-On (SSO) system, or the email address of the user.

For the authorization code grant, the subject typically identifies the authorized accessor for which the Access Token is being requested.

aud

Identifies the recipients of the JWT

The aud (audience) claim MUST be included in the token. This claim MUST contain a JSON array of case-sensitive strings, each containing a StringOrURI value that identifies the recipients that the JWT is intended for. It is RECOMMENDED that the JSON array contains the fully resolved domain names of the intended recipients, or a domain name containing wild-card characters in order to target a subset of devices on a network. Such wild-carding of domain names is documented in RFC 4592.

If the aud claim is present and does not match the fully resolved domain name of the resource server, the Resource Server MUST reject the token.

URI based aud claims MUST NOT include port numbers, URL paths or URL query parameters. Resource Servers MUST be capable of interpreting both URI based aud claims which are prefixed by a scheme (such as https://) and string based aud claims which specify only a domain name.

exp

Expiration time of the token

The exp (expiration) claim MUST be included in the token. This is defined in RFC 7519 as being a JSON NumericDate field, which uses the UTC epoch. This is in contrast to the TAI epoch used elsewhere within the NMOS APIs, so implementers should take care to ensure they are using the correct epoch.

API implementations MUST reject a token where the exp claim value is less than the current UTC time. Refer to the Token Lifetime Section for guidance on setting this value.

iat

Token issued at time

The iat (issued at) claim MAY be included in the token. As with the exp claim this claim uses UTC. API implementations MUST reject a token where the iat claim is greater than the current UTC time. Authorization Servers SHALL issue a token with an iat claim that is equal to the UTC time at which the token is issued.

client_id

Client ID that requested the token

The client_id claim MUST be included in the token, unless the azp claim is present in which case it is optional. This claim corresponds with the client identifier of the OAuth 2.0 client that requested the token. The value of this claim MUST exactly match the full client identifier to which the token was granted.

azp

Client ID that requested the token

The azp claim MUST be included in the token when the client_id is omitted. The azp claim SHOULD NOT be included in the token when the client_id is included in order to minimise token size. This claim is included in order to support Authorization Servers which support the OpenID Connect specification. This claim corresponds with the client identifier of the OAuth 2.0 client that requested the token. The value of this claim MUST exactly match the full client identifier to which the token was granted.

scope

List of scopes associated with the token

The scope claim SHOULD be included in the token, if the authorization request included a scope parameter, as per Section 2.2.2 of the draft RFC Profile for OAuth 2.0 Access Tokens. The value of the “scope” claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of RFC6749.

The value of each scope corresponds to the namespace identifier for a given NMOS API (e.g. “registration”, “query”, etc.) to which the user is requesting access and determines how the private x-nmos-* claims, detailed below, are populated.

Presence of a scope matching an NMOS API grants implicit read only access to some API base paths as specified in Resource Servers.

nbf

Not before time

The nbf (not before) claim MAY be included in the token. The “nbf” (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the “nbf” claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the “nbf” claim. This is defined in RFC 7519.

Private Claims

RFC 7519 allows for “private claims”. The following claims are used to identify the API specification(s) a given token is used for.

x-nmos-*

Contains information particular to the NMOS API the token is intended for

One or more x-nmos-* claims SHOULD be included in the token. The claim name begins x-nmos- followed by the namespace identifier found in the URL for that given API (e.g. “registration”, “query”, etc.).

Presence of an x-nmos-* claim matching an NMOS API grants implicit read only access to some API base paths as specified in Resource Servers.

The value of the claim is a JSON object, indicating access permissions for the API. An omitted x-nmos-* object indicates that no access is permitted to the namespace-identified API beyond what may be granted by the presence of a matching scope.

The Access Permissions Object

The value of each x-nmos-* claim is the access permissions object for the given user for that specific API. The access permission object consists of key:value pairs in which the key denotes a specific permission. General permissions include:

• write - ability to insert a new, or edit an existing, resource. This takes the form of POST, PUT, PATCH and DELETE HTTP request verbs.
• read - ability to retrieve the resource. This takes the form of GET, OPTIONS and HEAD HTTP request verbs.

If a permission has not been granted to a specific user, the permission key MUST be omitted, to minimise the token size. If no permissions are given for a specific API, the x-nmos-* claim relating to that API key MUST be removed to ensure token size is minimised.

If a permission of “write” is given in the access permission object, and the intention is that the given user also has “read” access to the specific API, a permission key of “read” MUST also be present in the access permissions object.

Individual AMWA specifications MAY specify additional permissions keys specific to the individual API. These MUST be registered in the AMWA NMOS Parameter Registers. It is recommended that new permissions keys are only introduced alongside a new version of a given AMWA NMOS API in order to minimise the risk of incompatibility.

The value corresponding to each permission key is a JSON array containing URL path specifiers that the user is permitted to perform the specific request against. The asterisk wildcard (‘*’) is permitted in the path specifiers.

A ‘*’ wildcard can be used to replace zero or more characters (this is equivalent to the .* regex pattern). The wildcard may encompass multiple path segments, may be used multiple times, and may appear at any position in the path permission (e.g. single* or single/senders/*/constraints would both match with /x-nmos/connection/v1.1/single/senders/ea388089-9ffb-4a81-b109-a19da845b3b6/constraints). It is RECOMMENDED that the wildcard is used in place of NMOS resource identifiers, such as UUIDs, to minimise token size. Specific identifiers MAY be used in path specifiers if defining access to a small number of resources (such as a single node or device.)

Resource Servers MUST apply URL Normalization to request URLs in order to remove ‘..’ path segments, which could otherwise introduce vulnerabilities. For example, the path /x-nmos/connection/v1.1/single/../bulk MUST NOT be permitted by single/* path permission.

For NMOS API URL’s that follow the standard pattern of:

<api_proto>://<hostname>:<port>/x-nmos/<api type>/<api version>/

all path specifiers MUST start after the API version and its trailing slash. For example, authorizing a user to read all single resources and modify the configuration of all single senders at a Connection Management interface would result in a claim of:

"x-nmos-connection": {
  "read": ["single/*"],
  "write": ["single/senders/*"]
}

Example x-nmos-* Claims

Examples of x-nmos-* claims are shown below. This would permit querying an IS-04 Registry, and modifying single connections via an IS-05 connection management interface, but would not permit the user to register a resource with an IS-04 Registry.

"x-nmos-registration": {
  "read": ["*"]
},
"x-nmos-query": {
  "read": ["*"],
  "write": ["subscriptions/*"]
},
"x-nmos-connection": {
  "read": ["*"],
  "write": ["single/*"]
}

Authorization Servers MAY only have support for certain NMOS API specifications, and MAY only support certain versions of such APIs.

Size Considerations

While RFC 7519 does not prescribe a maximum size for an OAuth 2.0 JSON Web Token, it should be noted that these tokens are typically used within an HTTP header. While HTTP does not define a header size limit, 8KByte is a common limitation in HTTP server implementations. Specification writers should be mindful of this when designing API claims, and ensure that enough space is available in the header for both the token and all other HTTP headers.

Example Access Token Claim Set

{
  "iss": "https://auth.example.com",
  "sub": "username@example.com",
  "aud": ["https://node-*.example.com"],
  "iat": 1548779460,
  "exp": 1548783060,
  "scope": "registration query connection",
  "client_id": "hopy0dNRPNTiGJDqPfqYwGmw",
  "x-nmos-registration": {
    "read": ["*"]
  },
  "x-nmos-query": {
    "read": ["*"],
    "write": ["subscriptions/*"]
  },
  "x-nmos-connection": {
    "read": ["*"],
    "write": ["single/*"]
  }
}

Access Token Lifetime

A given Access Token for an NMOS API may be used on more than one Node or Registry instance. If one of these Nodes or Registries is compromised, it is possible for that entity to re-use it itself maliciously. While the precise duration of token validity should be left to implementers and administrators based on the risk profile, these tokens SHOULD be valid for no more than one hour.

However, if Access Tokens are too short-lived, the number of refresh requests to the Authorization Server for new tokens starts to become a significant overhead, and any latency involved in using a token may cause it to become invalid during transit. As such tokens SHOULD be valid for at least 30 seconds.

30 seconds < TOKEN LIFETIME < 1 hour

←Behaviour - Token Requests · Index↑ · Behaviour - Resource Servers→

Documentation built at 14:25:50 CST on 2024-11-19.
(c) AMWA 2024. RAML/JSON licensed under Apache 2.0. Documentation licensed under CC BY-ND 4.0.