User Stories
High level diagrams
Manufacturing process
Entone has a certificate authority (CA).
At the time of manufacture an RSA keypair signed by this CA will be added to the box.
User provisioning
The user purchases a STB.
The retail partner provisions a user account by calling the user management API (documentation)
The retail partner links the STB to the user (documentation)
The retail partner only needs to inform Amino of the STB serial number
User login
Note:
The Entone API will include the STB public key as one of the claims of the signed JWT token.
Detailed flow
Details of logging in with JWT
Sequence overview
- Client calls the Entone API to get a JWT used for logging in
- Client sends login JWT token to Middleware
- Middleware responds with two tokens that can be used to authenticate future requests
This is diagrammed in the section "user login" above.
Entone API
The View team will add a new function to the API with the following signature:
String ENTONE.stb.createJWT(algorithm, claim)
Where claim is a object containing the payload of the JWT, algorithm is the mechanism to sign the signature.
The returned string is a JWT which is based64 encoded string.
Parameters to pass to Entone API
The algorithm must be one of the values supported as the "alg" parameter in the JWT spec (here). The only algorithm supported is RSA with sha-256 and so the algorithm parameter value should always be "RS256".
The client MUST use this format for the claim object:
$claim = [
"iss" => "EntoneAPI",
"iat" => time(),
"exp" => time() + TEN_MINUTES,
"aud" => "www.aminocom.com",
"sub" => "Serial number 123",
'certificate' => "String containing the STB public key"
'batchCACertificate' => "String containing the STB batch CA certificate",
];
It will receive a JWT from EntoneAPI and must then call the MoveAPI endpoint as below.
MoveAPI
Endpoint
| Method type | URL | Authorization |
|---|---|---|
| POST | https://domain.tld/api/stb/auth | Service-Token |
Validation rules
The MoveAPI must validate the JWT as follows:
- Decode the JWT
- Retrieve the supplied public key from the "certificate" claim
- Retrieve the suppled CA certificate from the "batchCACertificate" claim
- If it is omitted then read the CA certificate for batch 0133 from disk
- Verify that:
- The issuer is EntoneAPI
- The audience is www.aminocom.com
- The token has not expired
- The token was issued in the past, or otherwise within a tolerable window to allow for server time drift
- JWT was signed with the key you obtained in step 2
- Verify that the CA certificate is signed by the Entone CA certificate
- Obtain the "sub" claim
- Find the user associated with the STB serial code indicated in the "sub"
It is important that the JWT is signed with the supplied key AND that the key was generated from the Entone root CA
Response
The Move Middleware will respond with two JWT tokens that can be used for authentication in future requests. This is identical to DNA.
| 200 | { | JWT token both jwt and refresh_token are encrypted using a pass phrase and HS256 encryption. Pass phrase is configurable by config file and will be shared separately. JWT Sample Data { |
| 401 | none | - |
Logout STB
API to handle logout request of STB
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://customer.domain/api/stb/logout | STB (Using JWT), Service (Using service_token) |
POST Body
Please note that M is for Mandatory and O is for Optional.
| Body Fields | M/O | Description | Values |
|---|---|---|---|
service_token | M | Token generated for a service. For example DNA has own service_token. This token is generated from Backend and provided to application developers. This token should be kept in a secured location on application, i.e STB | String of Alpha numeric values. Mostly MD5 or SHA1 string. e.g. 8f9cf3f5789e16124f38936954a98668 |
Headers
Please note that M is for Mandatory and O is for Optional.
| Header | M/O | Description |
|---|---|---|
Authorization: Bearer | M | JWT json web token provided by backend after STB authenticated successfully |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 401 | none |
Link STB to a User
After user bought a STB this API need to be called. This API link or grant ownership of a STB to a user.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://boox.fi/api/management/stb/link_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
serial_no | M | Serial Number of STB. If device does not exists with provided serial no then it will be added. | Alpha numeric string. |
| M | Email address (being used as an user identifier in AminoTV) of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com | |
public_keys | O | 8 Public keys which will be used to authenticate the STB. | key0_base64;key1_base64;...........;key7_base64 (no limit on max length). where each public key is base-64 encoded,semicolon(;) is used between keys as separator. |
| chipset_id | O | STB device chipset number/ID. | chipset_id is a random list of characters (max 32 characters). |
| mac | O | Ethernet interface MAC address. | mac is a random list of characters (max 18 characters). |
Response
| HTTP Code | Response |
|---|---|
| 200 | { |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1427 | Invalid length of chipset_id |
| 1428 | Invalid length of mac |
| 1433 | STB exists and linked |
| 1434 | Record already exists for value |
| 1435 | STB is already assigned |
| 1436 | Invalid email address format |
Unlink STB from User
This API remove ownership of a STB from an user. Use cases: when user sells his/her device, when a device got stolen.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://customer.domain/api/management/stb/unlink_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
serial_no | M | Serial Number of STB | Alpha numeric string. e.g. 615507895162 |
| M | Email address of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1432 | serial_no does not exists |
| 1418 | Invalid STB link |
| 1436 | Invalid email address format |
Add New User Account
This API is used to add a new user account. Following rules apply:
- Email address or customer-id should not belong to any customer that is not in DELETED state; otherwise API will return an error.
- If the user with that email exists in DELETED state and his grace period is not expired, his previous registration state is restored.
- A new user is created in UNREGISTERED state.
Design Points (to be considered for future):
- The main problem with making the two pin params as mandatory is that this feature is very specific to a customer requirements, while other frontends don't expect them. Therefore, we need a way so that both parties remain happy by giving a better design.
- For that we should make it configurable whether the two params are mandatory. So for those who require those PINs, we will configure them as mandatory, so that if they are not provided by 3rd provisioning system when creating a new user API will return an error to provide the mandatory input param. While for others, we will configure them as optional so that if they don't provide the params, API will successfully create a user and set the pins in DB as NULL (empty).
- It is easy to implement from effort point of view and much flexible and reliable
Request
| Method Type | URL | Authorization |
|---|---|---|
| POST | https://boox.fi/api/management/user | Service (Digest Authentication) |
Query Strings
Please note that M is for Mandatory and O for Optional.
| Parameter | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
| M | Email address of the user. | Email address of the user | |
| cid | M | Customer Identifier. | Numeric ID generated from Visio |
| auth_pin | M | Authentication PIN code. Change This is new field. At the DNA TV Rel 2.9 publish time, the provisioning party (Visio) | Number with the length of 4. e.g. 8798 |
| purchase_pin | M | Purchase PIN code. Change This is new field. At the DNA TV Rel 2.9 publish time, the provisioning party (Visio) | Number with the length of 4. e.g. 8798 |
| dob | O | User Date of birth in YYYY-MM-DD format. |
Error Codes
| Error Code | Description |
|---|---|
| 1403 | email is missing |
| 1405 | cid is missing |
| 1406 | auth_pin is missing |
| 1407 | purchase_pin is missing |
| 1412 | Email already exists |
| 1413 | CID already Exists |
Edit Existing User Account
This API is used to suspend or activate a user account. It can also be used to change the email or customer-id of an existing account. Following rules apply:
- A user in DELETED state is not updated.
- "email" and "cid" parameters should not belong to any existing user, even if the user in in DELETED state
- If a user is suspended, his state is changed to DISABLED
- If a DISABLED user is activated and grace period has not expired, then previous registration state is restored, otherwise his state is changed to UNREGISTERED
- In other cases, if a user is activated, his state changed to REGISTERED.
Request
| Method Type | URL | Authorization |
|---|---|---|
| PUT | https://boox.fi/api/management/user/<email> | Service (Digest Authentication) |
Querystrings
Please note that M is for Mandatory and O for Optional.
| Parameter | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
| O | New email address of the user. Defaults to no value. | Email address of the user | |
| cid | O | New customer Identifier. Defaults to no value. | Numeric ID generated from Visio |
| auth_pin | O | Authentication PIN code. Change This is new field. | Number with the length of 4. |
| purchase_pin | O | Purchase PIN code. Change This is new field. | Number with the length of 4. e.g. 8798 |
| action | O | SUSPEND or ACTIVATE keywords. Defaults to no value. | SUSPEND or ACTIVATE keywords are allowed only. |
Error Codes
| Error Code | Description |
|---|---|
| 1407 | action value is invalid |
| 100 | User not found in the system |
| 1404 | email is invalid |
| 1406 | cid is invlid |