Add IS-10 support #333
Merged
Add IS-10 support #333
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ant, and general tidy up
…for conan, 0.5.1 is continuously to be used for conan
… and `jwks_uri_port` can be overrided by the `http_port` settings
…OS seems like taken longer on the HTTP.
Co-authored-by: jonathan-r-thorpe <[email protected]>
Co-authored-by: jonathan-r-thorpe <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
NMOS Authorization
This is based on the
OAuth 2.0recommendation, it is used for protecting the NMOS APIs, which allows NMOS Node and Registry to give limited access to the third-party application. Third-party applications including Broadcast Controller, which queries Registry via the AMWA IS-04 for the NMOS Nodes information and issues the IS-05 connection on Nodes. NMOS Nodes also act as the third party for the Registry to perform the AMWA IS-04 node registration.General idea of how it works
A client such as Broadcast Controller provides credentials to the Authorization Server. The required access token(s) is then granted to the Controller for accessing the protected APIs on the Resource(s) Server, such as the NMOS Node. The Resource Server will verify the access token for the level of the access right. If all goes well, the protected API is accessible.
The access token is time-limited, it must be refreshed before it expired. It is recommended to attempt a refresh at least 15 seconds before the expiry or the half-life of the access token.
To speed up the token validation process, the Resource(s) Server periodically fetches the Authorization Server's public keys, typically once every hour. The public keys allow the Resource(s) Server to perform local token validation without bombarding the Authorization Server on every API access validation.
A similar idea is also applied to how NMOS Node performs node registration, Registry obtains the public keys from the Authorization Server, and the Node obtains the registration access token from the Authorization Server. Once the Node obtains the token, it embeds it into the registration request for node registration, and registry heartbeat.
Authorization Server Metadata
Clients, such as NMOS Broadcast Controller, Registry and Node must obtain the location of the Authorization API endpoints via the DNS-SD Authorization Server discovery. The Authorization Server has a well-known endpoint for returning the server metadata information. Details are shown in the client registration sequence diagram.
Client Registration
Clients must be registered to the Authorization Server before using the
OAuth 2.0protocol. Once the client is registered, the Authorization Server will provide it with a client_id for all both public and confidential clients and a client_secret for the confidential client. It is, however, important that the public client which is using the Authorization Code Flow must register one or more redirect URLs for security purposes, which allows Authorization Server to ensure any authorization request is genuine and only the valid redirect URLs are used for returning the authorization code. While using Client Credentials Flow, Private Key JWT can be used for client authentication for extra security.See the client registration sequence diagram below on how an NMOS Node is registered to the Authorization Server.
Access Token
There are a number of ways to request the access token, it is based on the type of authorization grant. The grant type depends on the location and the nature of the client involved in obtaining the access token. A number of grant types are defined in
OAuth 2.0. NMOS is focused on using the following types, theAuthorization Code Grant, theClient Credentials Grantand theDevice Code Grant(for the future).Authorization Code Grant
This is the most recommended type, it should be used if the client has a web browser, such as the Broadcast Controller. An Authorization code is returned by the Authorization Server via the client's redirect URI. The client can then exchange it for a time-limited access token, and renew it with the refresh token.
For public clients, there is a potential security risk with an attacker hijacking the Authorization code. To prevent that
Proof Key for Code Exchange(PKCE) is used to further secure the Authorization Code Flow.In step 1, create a high entropy cryptographic random string,
code_verifier.In step 2, convert the
code_verifiertocode_challengewith the following logic:In step 3, includes the
code_challegeand the hashing method used to generate thecode_challengein the authorization code request.In step 4, send the
code_verifierand theauthorization codefor exchanging the token. The Authorization Server uses thecode_verifierto recreate the matchingcode_challengeto verify the client.Client Credentials Grant
This type of authorization is used by clients to obtain the access token without user authorization, such as a hardware NMOS Node which has no web browser supported. To gain extra security the
Private Key JWTis used by the NMOS Node as a form of client authentication by the Authorization Server before handing out the token.Authorization Server Public Keys
The public keys are used by the Resource(s) Server for validating the access token before giving access right to the protected APIs. The client must periodically poll the Authorization Server's
public keys, typically once every hour. In the event, that the Authorization Server is no longer available, the last fetched public keys will be kept in use until the Authorization Server connection is restored.The token validation is done by re-generating the matching token signature by signing the token header and the token payload.
Authorization behaviour
The purpose of the authorization behaviour thread is to:
Note: The Device Code Authorization Grant is not shown in the diagram
The state machine implemented by the
nmos::experimental::authorization_behaviour_threadis shown below:Missing public keys to validate the access token
If no matching public key is available to validate the incoming access token. The validation handler will trigger the authorization token issuer thread to fetch and cache the public keys from this token's issue, which will then be possible to validate any token issued by this issuer.
The state machine implemented by the
nmos::experimental::validate_authorization_handlerand thenmos::experimental::authorization_token_issuer_threadare shown below:OAuth 2.0 Node Registration Example
Following is an overview of how an
OAuth 2.0NMOS Node registers to anOAuth 2.0enabled NMOS Registry.