Authentication Management
1. Principles
Credentials are used by any third-party service of a service provider that needs to be integrated with NAGRA SSP. Credentials are used to sign and encrypt the JWT tokens that need to be associated with each request made to NAGRA SSP. SSP checks those tokens to authenticate the origin of the request.
2. Credentials
Credentials are JSON files containing in particular a Key Id (kid) and AES keys: one dedicated to signing (signingKey) and one dedicated to encrypting tokens. Credentials have associated privileges that allow them to be used to access a particular subset of NAGRA SSP services.
NAGRA SSP provides service providers with mechanisms to create, download and revoke credentials by their Key Id. Those credentials are expected to be configured in each and every service interfaced with SSP. For multi-tenant services interfaced with SSP, NAGRA expects those services to let each service provider configure the credentials used in its own context.

2.1. Example of 'Credentials.json'
{
  "tenantId": "CSL265ZK",
  "credentialName": "Credential_SMS",
  "credentialId": "816794",
  "signingKey": "X+aIz8wSHorkoscGhbiz/dMvlug2JlEdPRm3T5XGl20=",
  "privilege": ["SMS"]
}
3. Authentication Token
Refer to (23.48) Authentication Token (AuthN) definition
4. Request to SSP SaaS
SSP SaaS only supports HTTPS requests. In addition, to authenticate the origin of a request, SSP looks for a token in any request coming from third-party services. All SSP services accept the token in the "nv-authorizations" HTTP header, followed by the standard base64 JWT token, as follows:
"nv-authorizations":
"eyJraWQiOiI0ODIxODIiLCJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ2ZXIiOiIxLjAiLCJ0eXAiOiJBdXRoTiIsImV4cCI6MTU4NDMxNTM0MX0.zgIAbETvW3ycBDxwjrT7g5BpsRsyqYx78OjirplVT8U"
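The sample token above decodes to the header {"kid":"482182","typ":"JWT","alg":"HS256"} and the payload {"ver":"1.0","typ":"AuthN","exp":1584315341}. The following sketch is an added example, not NAGRA code: it signs a token of that shape from a credential file and shows the checks a receiver would apply. It assumes that signingKey is base64 and that its decoded bytes are the HMAC key, that "kid" carries the credentialId, and that the claims are those of the sample token; the function names and the credential values are constructed, and token encryption is not covered.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(credential, ttl_seconds=300, now=None):
    """Build the HS256 token carried in the nv-authorizations header."""
    # Assumption: signingKey is base64 and its decoded bytes are the HMAC key.
    key = base64.b64decode(credential["signingKey"])
    # Assumption: the JWT "kid" is the credential's credentialId.
    header = {"kid": credential["credentialId"], "typ": "JWT", "alg": "HS256"}
    issued = int(time.time()) if now is None else now
    payload = {"ver": "1.0", "typ": "AuthN", "exp": issued + ttl_seconds}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_token(token, keys_by_kid, now=None):
    """Receiver-side check: pinned alg, known kid, valid MAC, not expired."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        mac = b64url_decode(s64)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    key = keys_by_kid.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown or revoked kid")
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise ValueError("bad signature")
    current = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= current:
        raise ValueError("token expired")
    return payload

# Constructed credential with the same fields as Credentials.json (not a real key).
CREDENTIAL = {"tenantId": "TENANT00", "credentialName": "Credential_Example",
              "credentialId": "000001", "privilege": ["SMS"],
              "signingKey": base64.b64encode(bytes(range(32))).decode("ascii")}
```

A short ttl_seconds limits how long a captured header value stays usable, and removing a kid from keys_by_kid is the receiver-side effect of revoking a credential by its Key Id.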