Networked Media Open Specifications

DOCS

Docs for v1.0.0

Overview

APIs

Discovery

Behaviour

Behaviour - Authorization Servers

Behaviour - Clients

Behaviour - Token Requests

Behaviour - Access Tokens

Behaviour - Resource Servers

Definitions

Upgrade Path

APIS

RAML APIs for v1.0.0

Authorization API

ServerMetadata API

JSON Schemas for v1.0.0

auth_metadata

jwks_response

jwks_schema

register_client_error_response

register_client_request

register_client_response

token_error_response

token_response

token_schema

EXAMPLES

JSON Examples for v1.0.0

access_token

auth-metadata-get-200

auth-metadata-issuer-get-200

jwks-get-200

register-authorization-code-grant-client-post-201

register-authorization-code-grant-client-post-request

register-client-credentials-grant-client-post-201

register-client-credentials-grant-client-post-request

register-client-post-201

register-client-post-400

token-post-200

token-post-400

VERSIONS

Branches

v1.0.x

Releases

v1.0.0

IS

Interface Specifications

IS-04: Discovery & Registration

IS-05: Device Connection Management

IS-07: Event & Tally

IS-08: Audio Channel Mapping

IS-09: System Parameters

IS-10: Authorization

IS-11: Stream Compatibility Management

IS-12: Control Protocol

IS-13: Annotation

BCP

Best Common Practices

BCP-002-01: Natural Grouping

BCP-002-02: Asset Distinguishing Information

BCP-003-01: Secure Communications in NMOS Systems

BCP-003-02: Authorization in NMOS Systems

BCP-003-03: Certificate Provisioning in NMOS Systems

BCP-004-01: Receiver Capabilities

BCP-005-01: EDID to Receiver Capabilities Mapping

BCP-006-01: NMOS With JPEG XS

BCP-006-02: NMOS With H.264

BCP-006-03: NMOS With H.265

MS

Data Model Specifications

MS-04: ID & Timing Model

MS-05-01: NMOS Control Architecture

MS-05-02: AMWA NMOS Control Framework

MS-05-03: AMWA NMOS Control Block Specs

INFO

Informative Documents

INFO-002: Security Implementation Guide

INFO-003: Sink Metadata Processing Architecture

INFO-004: Implementation Guide for DNS-SD

INFO-005: Implementation Guide for NMOS Controllers

INFO-006: Implementation guide for NMOS Device Capabilities Control

REG

Parameter Registers

General Procedures and Criteria

Capabilities

Device Control Types

Device Types

Flow Attributes

Formats

Node Service Types

Sender Attributes

Source Attributes

Tags

Transports

Transport Parameters

DEVEL

Developer Links

GitHub Repo

API Testing Tool

CI Dashboard

SEARCH

IS-10 ➤ branches ➤ v1.0.x ➤ docs ➤ Viewing live branch. Click here for list of published releases.

Discovery

←APIs · Index↑ · Behaviour→

NMOS Discovery makes use of the DNS Service Discovery protocol as described in RFC 6763. DNS-SD specifies a mechanism for the use of Unicast or Multicast DNS for the purpose of identifying one or more endpoints on a network associated with a named service.

DNS-SD Advertisement

The preferred method of Authorization API advertisement is via unicast DNS-SD advertisement of the type _nmos-auth._tcp. Authorization APIs SHOULD additionally be capable of producing an mDNS advertisement. This MAY be disabled via a user-configurable method.

The Authorization Server MUST advertise itself with the following service type:

_nmos-auth._tcp

The hostname and port of the Authorization Server MUST be identified via the DNS-SD advertisement, with the full HTTPS path then being resolved as identified in section 3 of RFC 8414. A DNS A record MUST be provided to allow the hostname to be resolved.

Multiple DNS-SD advertisements for the same API are permitted where the API is exposed via multiple ports and/or protocols.

Clients and Resource Servers MUST support discovering the Authorization Server through use of unicast DNS-SD service discovery, as described in RFC 6763.

Authorization Server Metadata Endpoint

The Server Metadata endpoint is described in RFC 8414. The “.well-known” URI suffix of “oauth- authorization-server” MUST be used to identify the Authorization Server metadata endpoint. The value of the Authorization Server metadata URL should take the form:

<api_proto>://<hostname>:<port>/.well-known/oauth-authorization-server[/<api_selector>]

Where /.well-known/oauth-authorization-server forms the “well-known URI string” and the optional api_selector is based on the “path component of the issuer identifier”, with the latter enabling support for multiple issuers per host. Placeholders are described in DNS-SD TXT Records below.

Use with TLS

• Clients and Resource Servers MUST verify the TLS certificate of the Authorization Server. The hostname and domain used MUST match one of the Subject Alternate Names provided in the TLS certificate of the Authorization Server. The hostname and domain used SHOULD be the Common Name on the TLS certificate of the Authorization Server.
• Clients MUST verify the entire chain of trust of the Authorization Server TLS certificate, back to a trusted root certificate. This ensures that the authorization server is trusted.
• Clients and Resource Servers MUST provide a mechanism for installing root CA certificates used for verifying the TLS certificate of Authorization Servers.
• Clients and Resource Servers MUST NOT interact with Authorization Servers if the TLS certificate of the Authorization Server cannot be validated.

DNS-SD TXT Records

api_proto

The DNS-SD advertisement MUST be accompanied by a TXT record of name api_proto with a value of either http or https dependent on the protocol in use by the Authorization API web server. In production environments this MUST be set to https.

api_ver

The DNS-SD advertisement MUST be accompanied by a TXT record of name api_ver. The value of this TXT record is a comma-separated list of API versions supported by the server. For example: v1.0,v1.1,v2.0. There should be no whitespace between commas, and versions should be listed in ascending order.

This TXT record MUST NOT be used to form the URL of the authorization server endpoints, with the api_selector record used instead to locate the server metadata endpoint. The api_ver TXT record should instead be used solely as an indicator to the client of what versions of this specification the authorization service supports.

pri

The DNS-SD advertisement MUST include a TXT record with key pri and an integer value. Servers MAY additionally present a matching priority via the DNS-SD SRV record priority and weight as defined in RFC 2782. The TXT record should be used in favour of the SRV priority and weight where these values differ, in order to overcome issues in the Bonjour and Avahi implementations. Values 0 to 99 correspond to an active NMOS Authorization API (zero being the highest priority). Values 100+ are reserved for development work to avoid colliding with a live system.

api_selector

The DNS-SD advertisement MAY include a TXT record of name api_selector. The value of this TXT record is a string corresponding to the “path component of the issuer identifier”, as described in Section 3.1 of RFC 8414, with the initial ‘/’ and any trailing ‘/’ omitted. It is used as described in Authorization Server Metadata Endpoint above. If this record is omitted or is equal to an empty string, the “.well-known” URI does not include a path component.

For example, when the issuer identifier has the path /x-nmos/auth/v1.0/, the api_selector TXT record value MUST be equal to x-nmos/auth/v1.0.

Implementation Notes

It is expected that timeouts specified by DNS-SD and DNS specifications will be abided by when maintaining a cache, however clients may wish to temporarily mark particular advertisements as invalid where they have timed out or produced HTTP 5xx errors during API interactions. In the case of multicast DNS the re-query mechanism should be used, and is particularly important for servers which cannot unregister their mDNS announcements before going offline.

Due to the caching mechanisms present within mDNS implementations, if a service disappears from the network without cleanly removing its mDNS announcement, it will still be present in the caches of browsing systems until the defined expiry time (120 seconds to 75 minutes dependent on record type). When mDNS advertised data is found to be invalid (for example by performing an HTTP request to an advertised service API and seeing a time-out), the procedure defined in RFC 6762 section 10.2 should be followed. Additionally, RFC 6762 section 10.5 may be used to pre-empt these failures.

←APIs · Index↑ · Behaviour→

Documentation built at 13:05:26 CDT on 2023-07-12.
(c) AMWA 2023. RAML/JSON licensed under Apache 2.0. Documentation licensed under CC BY-ND 4.0.