CableLabs Micronets

Developer documentation for CableLabs Micronets

Authorization Server

Abstract

The Authorization Server is an OAUTH-compliant server that is part of the MSO infrastructure. It is used for authentication and authorization functions, the latter implemented as an OAUTH API for granting access tokens.

Origins

The Authorization Server was initially part of IdOra, a project that was originally developed by Bob Lund (CableLabs). This implementation is a derivation of the original codebase, with minor changes required to integrate it into the Micronets ecosystem.

Developers

The repository for the Authorization Server is micronets-auth-server.

Overview

The Authorization Server authenticates subscriber logins and generates OAUTH access tokens that are used later for remote logins (the subscriber scans a QRCode instead of providing a username/password).

Messaging

The Authorization Server communicates with the following Micronets components:

* Registration Server
  + IN Accepts redirects to allow the subscriber to authorize the onboarding of devices.
* IdOra Server
  + IN OAUTH API for creating/revoking access tokens
  + IN Remote login requests sent on behalf of the subscriber via a QRCode scan
  + IN Login screen to authorize remote login service
* MSO Portal
  + OUT Request a registration token to begin the device onboard sequence
  + OUT Request subscriber metadata
  + OUT (TBD) Subscriber authorization endpoint

Detailed descriptions of the APIs for this server can be found here.

Storage

The following data is stored locally by the Authorization Server. Currently the storage mechanism is NEDB.

* authorization records (user meta + access tokens)
* subscriber records (username/password). NOTE: This is temporary and will be replaced with a login endpoint on MSO Portal

Operation

Website (service) Setup

The subscriber navigates to the IdOra portal at https://mycable.co/idora. The subscriber logs in and then clicks the Websites tab to set up an authorized service. The subscriber will be redirected (OAUTH2) to this server’s login screen. If the subscriber accepts the described action, an access token will be generated and returned to the IdOra portal. More information here (credential-server).

Remote Login

The subscriber navigates (or is redirected) to the login screen for a service that has been previously authorized (see above). When the QRCode appears, the subscriber scans it with the MSO-provided mobile app. (The subscriber has already logged in to the IdOra account from the mobile app.) The metadata (serviceID, sessionID) from the QRCode is sent to the IdOra Server along with the subscriber’s ID. If IdOra has an access token for that subscriber/service, a remote login request is sent to this server and the subscriber is automatically logged in.
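
The two flows above (service setup, then remote login) modeled in memory, as an added example that is not code from micronets-auth-server. The class and method names, the reason strings, the sample IDs, and the check that a token is honored only for the subscriber/service it was issued to are assumptions made for illustration.

```javascript
// Added example: in-memory model of "Website (service) Setup" and "Remote Login".
// All names are hypothetical; this is not the Authorization Server's API.
const { randomBytes } = require('node:crypto');

// Authorization Server side: holds authorization records (user meta + access token).
class AuthServer {
  constructor() { this.records = new Map(); }            // token -> record
  // Subscriber accepted the action on the login screen: issue an access token.
  grant(subscriberID, serviceID) {
    const token = randomBytes(32).toString('hex');       // unguessable bearer value
    this.records.set(token, { subscriberID, serviceID });
    return token;
  }
  revoke(token) { return this.records.delete(token); }
  // Remote login request from IdOra. Assumed check: the token must exist and
  // be bound to the same subscriber/service named in the request.
  remoteLogin({ token, subscriberID, serviceID, sessionID }) {
    const rec = this.records.get(token);
    if (!rec) return { ok: false, reason: 'unknown_or_revoked_token' };
    if (rec.subscriberID !== subscriberID || rec.serviceID !== serviceID)
      return { ok: false, reason: 'token_binding_mismatch' };
    return { ok: true, sessionID, subscriberID };
  }
}

// IdOra side: keeps the token returned to it after service setup.
class IdOra {
  constructor(authServer) { this.auth = authServer; this.tokens = new Map(); }
  key(sub, svc) { return JSON.stringify([sub, svc]); }
  setupService(sub, svc) { this.tokens.set(this.key(sub, svc), this.auth.grant(sub, svc)); }
  // The mobile app sends the QRCode metadata plus the subscriber's ID.
  qrScan(sub, { serviceID, sessionID }) {
    const token = this.tokens.get(this.key(sub, serviceID));
    if (!token) return { ok: false, reason: 'service_not_authorized' };
    return this.auth.remoteLogin({ token, subscriberID: sub, serviceID, sessionID });
  }
}

function demo() {
  const auth = new AuthServer(), idora = new IdOra(auth);
  idora.setupService('alice', 'video-service');          // constructed sample IDs
  const qr = { serviceID: 'video-service', sessionID: 'sess-001' };
  const first = idora.qrScan('alice', qr);               // token exists: logged in
  const other = idora.qrScan('bob', qr);                 // bob never authorized it
  auth.revoke(idora.tokens.get(idora.key('alice', 'video-service')));
  const afterRevoke = idora.qrScan('alice', qr);         // revoked token is refused
  return { first, other, afterRevoke };
}
```
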

Installation

Detailed instructions for building and installing the Authorization Server can be found here.