Initiate authorization for a UI-less node #75
Comments
|
Hi Cristian. Yes exactly, the device would likely support an endpoint (e.g. /login ) which would then provide a convenient means of redirecting a user's browser to the Auth Server to initiate the auth code flow. The device would be expected to host an authorization endpoint (e.g. /authorize) anyway in order to then receive the Authorization Code and swap it for an Access Token. Without the ability to host endpoints, the authorization could not be achieved using the standard Auth Code flow. |
|
Thanks @dannymeloy! So is this mentioned anywhere in the spec? Do we need to make it a standardised endpoint? Some things like low powered devices might just have the NMOS API and that's it (no Web UI at all). |
|
The endpoint is mentioned here (https://github.com/AMWA-TV/nmos-authorization/blob/v1.0-dev/docs/4.2.%20Behaviour%20-%20Clients.md#client-endpoints). I think it may be beneficial to assign a fixed value to this endpoint, for the sake of easing automation for instance. We could say that "If the redirect endpoint is hosted then it MUST be found at /oauth" for example). We may have to think how that might affect which scopes are passed upstream for instance, but it has the potential to help with integration. |
|
I see. I agree we should consider making it a fixed value which could then be wrapped by a control system with a UI in a consistent way (items awaiting authorization would appear in a list and you can click on them in the control system and click on the Authorize button which would then redirect to the node /oauth endpoint potentially). |
|
Our idea is the user-agent (e.g. broadcast controller) has a special endpoint (e.g. /start_authorization_flow), which is configured in the Node. When Node startup, it will construct the authorization_code_uri and send it to the user-agent via this special endpoint to kick start the authorization code flow. example of authorization URI End-user can then authorize the Node by interacting with the Authorization Server via the User-agent. |
|
I think in the past activities have been cautious about specifying broadcast controller features. This would create a dependency on the broadcast controller for the node which wouldn't really work in an environment where you may not have a broadcast controller (p2p mode). |
|
Broadcast controller is just an example of an User-agent (a browser), which is just providing the UI feature for the Node. And Yes the Node will have dependency of the user-agent. I would like to clarify my understanding of your idea,
|
|
It would be more like: This would tell the node it needs to initalize the authorization flow and redirect to the authorization server with the grant and scopes. The user enters credentials and allows the authorization to happen. The node gets back the auth code transparently and it gets to retrieve the token. I don't really see why the "tool" would need to intercept the authorization code and intervene in that part of the process. |
|
Please find attached animation powerpoint Grant_access_to_UI-less_NMOS_Node.pptx on showing how an UI-less NMOS node can be authorized. There are area Danny and Cristian have pointed out in the previous conversation, such as need to standardize the Client’s /oauth endpoint. While we are creating the powerpoint, we also realised the Authorization Server’s /clients endpoint will need to be standardize too. Client Credentials Grant may also be the solution for UI-less client, see #62 |
|
Moved to #76 |
How does a user initiate the authorization flow for an NMOS node which does not have a UI (e.g. pure hardware device like an SFP)?
Do we need to specify something like an /authorize endpoint which will kick start the process (redirect to the authorization server with the correct grant type and scopes)?
The text was updated successfully, but these errors were encountered: