Signing in using a session token obtained by a head-end system
Overview
OpenTV Video Platform provides a way for an operator’s head-end system to obtain a session token that it can then pass to a client app, which can then use it to sign in without having to prompt the user for credentials.
This mechanism can be used for example to authorise an end user on a mobile client app using a QR code that contains the session token which is displayed by a set-top box or smart TV.
You can also do this the other way around, where a device (typically a smartphone) that is already signed in can be used to generate an authorisation code for another device, such as a STB or smart TV, where entering credentials using a remote and an on-screen keyboard is inconvenient.
Procedure
This process consists of the following main steps (see also the sequence diagram below):
The end user accesses the operator’s head-end service (for example, a web portal that the user accesses through a set-top box).
The user initiates the flow to sign in on a second device (typically a smartphone).
The head-end service gets the available authentication services and their endpoints.
The service uses a shared secret to encode the account ID and tenant ID as a JWT token.
The service requests a session token, passing the JWT token as a header.
OPF returns the requested session token to the service.
The service encodes the token as a QR code and displays it to the user.
The client app (which is running on the second device) scans and decodes the QR code to get the session token.
The client app uses the session token to sign in.
Once the app is signed in, it must re-authenticate periodically using the refresh token it receives at sign-on.
The following wireframes show what this might look like in an application running on a set-top box or smart TV.
1. Select Devices from the Settings menu
2. Select Add a Device
3. Scan the QR code that is displayed
Sequence diagram
