Networked Media Open Specifications

DOCS

Docs for v1.0.0

Overview

APIs

Discovery

Behaviour

Behaviour - Authorization Servers

Behaviour - Clients

Behaviour - Token Requests

Behaviour - Access Tokens

Behaviour - Resource Servers

Definitions

Upgrade Path

APIS

RAML APIs for v1.0.0

Authorization API

ServerMetadata API

JSON Schemas for v1.0.0

auth_metadata

jwks_response

jwks_schema

register_client_error_response

register_client_request

register_client_response

token_error_response

token_response

token_schema

EXAMPLES

JSON Examples for v1.0.0

access_token

auth-metadata-get-200

auth-metadata-issuer-get-200

jwks-get-200

register-authorization-code-grant-client-post-201

register-authorization-code-grant-client-post-request

register-client-credentials-grant-client-post-201

register-client-credentials-grant-client-post-request

register-client-post-201

register-client-post-400

token-post-200

token-post-400

VERSIONS

Branches

v1.0.x

Releases

v1.0.0

IS

Interface Specifications

IS-04: Discovery & Registration

IS-05: Device Connection Management

IS-07: Event & Tally

IS-08: Audio Channel Mapping

IS-09: System Parameters

IS-10: Authorization

IS-11: Stream Compatibility Management

IS-12: Control Protocol

IS-13: Annotation

BCP

Best Common Practices

BCP-002-01: Natural Grouping

BCP-002-02: Asset Distinguishing Information

BCP-003-01: Secure Communications in NMOS Systems

BCP-003-02: Authorization in NMOS Systems

BCP-003-03: Certificate Provisioning in NMOS Systems

BCP-004-01: Receiver Capabilities

BCP-005-01: EDID to Receiver Capabilities Mapping

BCP-006-01: NMOS With JPEG XS

BCP-006-02: NMOS With H.264

BCP-006-03: NMOS With H.265

MS

Data Model Specifications

MS-04: ID & Timing Model

MS-05-01: NMOS Control Architecture

MS-05-02: AMWA NMOS Control Framework

MS-05-03: AMWA NMOS Control Block Specs

INFO

Informative Documents

INFO-002: Security Implementation Guide

INFO-003: Sink Metadata Processing Architecture

INFO-004: Implementation Guide for DNS-SD

INFO-005: Implementation Guide for NMOS Controllers

INFO-006: Implementation guide for NMOS Device Capabilities Control

REG

Parameter Registers

General Procedures and Criteria

Capabilities

Device Control Types

Device Types

Flow Attributes

Formats

Node Service Types

Sender Attributes

Source Attributes

Tags

Transports

Transport Parameters

DEVEL

Developer Links

GitHub Repo

API Testing Tool

CI Dashboard

SEARCH

IS-10 ➤ releases ➤ v1.0.0 ➤ docs ➤

APIs

←Overview · Index↑ · Discovery→

This document covers common aspects of the following API, and how other AMWA NMOS APIs and their clients interact with it:

• Authorization API

The Authorization API specified above is one valid implementation, but does not define how every Authorization Server will present itself. Any OAuth 2.0 compatible Authorization Server which implements the RFCs noted in the Overview is compatible with this authorization mechanism.

API Specifications

The Authorization API is specified using:

• The following sub-sections describing the API and its associated IETF RFCs.
• Example RAML documents and JSON schemas in the APIs folder.
• Examples of JSON format output are provided in the examples folder.

The Authorization Server SHALL present an instance of the NMOS Authorization API. The API MAY use alternative paths for all endpoints other than those beginning with .well-known, provided the alternative paths are correctly signalled via OAuth 2.0 Authorization Server Metadata RFC 8414.

The Authorization Server and client authentication methods MUST otherwise be implemented as per the OAuth 2.0 Authorization Framework RFC 6749. All Access Tokens produced by the Authorization Server MUST be Bearer Tokens using the JSON Web Token (JWT) format as per RFC 7519.

API Paths

The Authorization Server MUST have have an “issuer identifier” URL, as defined by RFC 8414. This MAY follow the path structure defined by other NMOS specifications, but this is not mandatory:

https://<ip address or hostname>:<port>/x-nmos/auth/<api version>/

Any path component of the issuer identifier (omitting the initial / and any trailing /) is advertised via the DNS-SD api_selector TXT record, as described in Discovery. In this example, it would be x-nmos/auth/<api version>.

The issuer identifier MAY be used as the base of the Authorization API, but this is not mandatory. The server identifies the paths for its Authorization API endpoints as follows.

Server Metadata Endpoint

The Authorization Server MUST implement an endpoint at the following path. This path immediately follows the port and MUST NOT be prefixed by any additional path, including but not limited to ‘x-nmos’. This endpoint cannot follow the usual format of NMOS APIs since it MUST follow the syntax and semantics of “.well-known” endpoints defined in RFC 5785.

• **/.well-known/oauth-authorization-server[/\]** - This path MUST return a response matching the requirements of OAuth 2.0 Authorization Server Metadata [RFC 8414][RFC-8414]. This MUST include the optional `jwks_uri` and `registration_endpoint` parameters. The `revocation_endpoint` SHOULD be supported.

Authorization Endpoints

The following endpoints MUST be implemented by an Authorization Server at the paths signaled in the Authorization Server Metadata.

• The authorization_endpoint, for example at /authorize - Used for requesting an authorization code when using the authorization code grant, as defined by RFC 6749.
• The token_endpoint, for example at /token - Used for requesting a token when using any of the chosen grant types, as defined by RFC 6749.
• When included in the Server Metadata, the revocation_endpoint, for example at /revoke - Used as the revocation endpoint for revoking currently active access tokens or refresh tokens, as defined by RFC 7009.
• The jwks_uri endpoint, for example at /jwks - Used to expose a JSON Web Key Set RFC 7517 containing the public key that corresponds with the private key used to sign the Access Tokens.
• The registration_endpoint, for example at /register - Used for the manual or dynamic registration of an OAuth 2.0 client with the Authorization Server in line with RFC 7591.

API Interaction

The following diagrams highlight the different sequences of interactions that occur when accessing a Protected Resource depending on the OAuth 2.0 grant type used.

Authorization Code Grant Flow

This flow can be used for any NMOS interaction.

Client Credentials Grant Flow

This flow can only be used in specific interactions. Refer to BCP-003-02 for permitted uses of this grant.

API Validation

JSON schemas are included with the RAML API definitions. These include validation for values used within the APIs. These are based on the schemas defined in the OAuth 2.0 Specification. It is RECOMMENDED that implementers of the Authorization API use these JSON schemas as part of a validation stage when passing client registration data to, or receiving client and token data from, the Authorization Server.

Content Types

All API endpoints returning a JSON response MUST provide a JSON representation signalled via Content-Type: application/json headers. This SHOULD be the default content type in the absence of any requested alternative by clients. Other content types (such as HTML) are permitted if they are explicitly requested via Accept headers.

For HTTP redirections, such as when using the Authorization Code grant, a Content-Type of text/html MAY also be returned.

Cache-Control

The authorization server MUST include the HTTP “Cache-Control” response header field with a value of “no-store” in any response containing tokens, credentials, or other sensitive information, as well as the “Pragma” response header field with a value of “no-cache”, in line with RFC 6749.

Redirections

Some of the standard grants used within the OAuth 2.0 framework make use of user-agent redirection (e.g. via a web-browser) in order to gain user authorization. The primary grant that makes use of redirection is the Authorization Code grant. As such, clients performing requests using this method MUST correctly handle a 302 response (Found) as stated in Section 4.1.2 of RFC 6749 following the guidelines given in RFC 7231.

The Authorization Server MUST NOT use the 307 HTTP status code for redirection as per Section 4.10. of the OAuth 2.0 Best Common Practice draft.

OPTIONS Requests

OAuth 2.0 Clients MUST support pre-flight OPTIONS requests when performing all HTTP requests, including GET requests, as the presence of the Authorization HTTP header used to send the Access Token creates a “non-simple” request, in line with the W3C’s Cross-Origin Resource Sharing specification.

OPTIONS requests MUST NOT require authorization, such as the presence of an Access Token inside the Authorization header.

The Authorization Server and Resource Servers MUST correctly reply to OPTIONS requests across all API endpoints, explicitly permitting the use of the Authorization header inside the Access-Control-Allow-Headers field.

Error Codes & Responses

The NMOS APIs use HTTP status codes to indicate success, failure and other cases to clients as per RFC 7231 and related standards.

Authorization Servers MUST return error codes and responses in line with Section 5.2. of RFC 6749. OAuth 2.0 Clients MUST be capable of handling such responses.

Resource Servers MUST return error codes and responses in line with Section 3 of RFC 6750. OAuth 2.0 Clients MUST be capable of handling such responses.

Further details on when Resource Servers will respond with particular codes is covered in Resource Servers - Accessing Protected Resources.

Where the RAML specification of an API specifies explicit response codes it is expected that a client will handle these cases in a particular way. As explicit handling of every possible HTTP response code is not expected, clients must instead implement more generic handling for ranges of response codes (1xx, 2xx, 3xx, 4xx and 5xx).

←Overview · Index↑ · Discovery→

Documentation built at 13:05:26 CDT on 2023-07-12.
(c) AMWA 2023. RAML/JSON licensed under Apache 2.0. Documentation licensed under CC BY-ND 4.0.