User Stories
High level diagrams
Manufacturing process
Entone has a certificate authority (CA).
At the time of manufacture an RSA keypair signed by this CA will be added to the box.
User provisioning
The user purchases a STB.
The retail partner provisions a user account by calling the user management API
The retail partner links the STB to the user
The retail partner only needs to inform Amino of the STB serial number
You can see details of how to manage the user account here on this page.
User login
Note:
The Entone API will include the STB public key as one of the claims of the signed JWT token.
Detailed flow
Details of logging in with JWT
Sequence overview
- Client calls the Entone API to get a JWT used for logging in
- Client sends login JWT token to Middleware
- Middleware responds with two tokens that can be used to authenticate future requests
This is diagrammed in the section "user login" above.
Entone API
The View team will add a new function to the API with the following signature:
String ENTONE.stb.createJWT(algorithm, claim)
Where claim is a object containing the payload of the JWT, algorithm is the mechanism to sign the signature.
The returned string is a JWT which is based64 encoded string.
Parameters to pass to Entone API
The algorithm must be one of the values supported as the "alg" parameter in the JWT spec (here). The only algorithm supported is RSA with sha-256 and so the algorithm parameter value should always be "RS256".
The client MUST use this format for the claim object:
$claim = [
"iss" => "EntoneAPI",
"iat" => time(),
"exp" => time() + TEN_MINUTES,
"aud" => "www.aminocom.com",
"sn" => "Serial number 25-1234567",
"cdsn" => "Client Device-allocated Serial Number 48318382081",
'certificate' => "String containing the STB public key"
'batchCACertificate' => "String containing the STB batch CA certificate",
];
It will receive a JWT from EntoneAPI and must then call the MoveAPI endpoint as below.
Example of generating a JWT
What is the STB serial number?
Amino STBs with Irdeto Chipset contain several identifiers, two of them are:
- SN - basic serial number (printed on the STB) (73-2345532)
- CDSN - secure SN, which is stored on the device. STB UI gets it via Entone JS API, sends it to Amino backend. Entitlements with Irdeto are based on this identifier (6454386863). This is device id.
The basic STB serial number is composed of two parts: the hw model prefix and the ESN. e.g. 87(hw model)-6593553 (ESN). and the mac address is derived from the ESN of the STB.
MoveAPI
Endpoint
| Method type | URL | Authorization | Parameters |
|---|---|---|---|
| POST | https://domain.tld/api/stb/auth | Service-Token | The JWT must be passed as POST body parameter named "Token" |
Validation rules
The MoveAPI must validate the JWT as follows:
- Decode the JWT
- Retrieve the supplied public key from the "certificate" claim
- Retrieve the suppled CA certificate from the "batchCACertificate" claim
- If it is omitted then read the CA certificate for batch 0133 from disk
- Verify that:
- The issuer is EntoneAPI
- The audience is www.aminocom.com
- The token has not expired
- The token was issued in the past, or otherwise within a tolerable window to allow for server time drift
- JWT was signed with the key you obtained in step 2
- Verify that the CA certificate is signed by the Entone CA certificate
- Obtain the "sn" claim
- Find the user associated with the STB serial code indicated in the "sn" claim
It is important that the JWT is signed with the supplied key AND that the key was generated from the Entone root CA
If the CDSN is stored in the STBDevice table then the API needs to compare the "cdsn" claim
Response
The Move Middleware will respond with two JWT tokens that can be used for authentication in future requests.
| 200 | { | JWT token both jwt and refresh_token are encrypted using a pass phrase and HS256 encryption. Pass phrase is configurable by config file and will be shared separately. JWT Sample Data { |
| 401 | none | - |
Refreshing the access token
The JWT is valid for an hour, configurable at deployment time. The client should use the refresh token to obtain a new access token when access token is expired or about to expire.
This can be done by calling
POST https://boox.fi/api/stb/auth/refresh_token?refresh_token=123abc...
The refresh token should be supplied as a query string parameter.
The API will respond with a new access token and refresh token
Logout STB
API to handle logout request of STB
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://customer.domain/api/stb/logout | STB (Using JWT), Service (Using service_token) |
POST Body
Please note that M is for Mandatory and O is for Optional.
| Body Fields | M/O | Description | Values |
|---|---|---|---|
service_token | M | Token generated for a service. This token is generated from Backend and provided to application developers. This token should be kept in a secured location on application, i.e STB | String of Alpha numeric values. Mostly MD5 or SHA1 string. e.g. 8f9cf3f5789e16124f38936954a98668 |
Headers
Please note that M is for Mandatory and O is for Optional.
| Header | M/O | Description |
|---|---|---|
Authorization: Bearer | M | JWT json web token provided by backend after STB authenticated successfully |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 401 | none |
Link STB to a User
After user bought a STB this API need to be called. This API link or grant ownership of a STB to a user.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://boox.fi/api/management/stb/link_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
serial_no | M | Serial Number of STB. If device does not exists with provided serial no then it will be added. | Alpha numeric string. |
| M | Email address (being used as an user identifier in AminoTV) of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com | |
public_keys | O | Public keys which will be used to authenticate the STB. Maximum 8 keys. | key0_base64;key1_base64;...........;key7_base64 (no limit on max length). where each public key is base-64 encoded,semicolon(;) is used between keys as separator. |
| chipset_id | O | STB device chipset number/ID. | chipset_id is a random list of characters (max 32 characters). |
| mac | O | Ethernet interface MAC address. | mac is a random list of characters (max 18 characters). |
Response
| HTTP Code | Response |
|---|---|
| 200 | { |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1427 | Invalid length of chipset_id |
| 1428 | Invalid length of mac |
| 1433 | STB exists and linked |
| 1434 | Record already exists for value |
| 1435 | STB is already assigned |
| 1436 | Invalid email address format |
Unlink STB from User
This API remove ownership of a STB from an user. Use cases: when user sells his/her device, when a device got stolen.
Request
| Method | URL | Authorization |
|---|---|---|
POST | https://customer.domain/api/management/stb/unlink_user | IP, Service (Digest Authentication) |
POST Data Parameters
Please note that M is for Mandatory and O is for Optional.
| Parameters | M/O | Description | Values |
|---|---|---|---|
| service | M | Service to which the user belongs. | String of service username. Shared separately. |
serial_no | M | Serial Number of STB | Alpha numeric string. e.g. 615507895162 |
| M | Email address of user who is provisioned for using the STB | Valid email address. e.g. john.doe@example.com |
Response
| HTTP Code | Response |
|---|---|
| 200 | none |
| 400 | |
| 401 | none |
Error Codes
| Error Code | Description |
|---|---|
| 1414 | Email does not exist |
| 1426 | Parameter is required |
| 1432 | serial_no does not exists |
| 1418 | Invalid STB link |
| 1436 | Invalid email address format |