Single Sign On Tokens User Authentication
The single-sign-on user authentication scheme is used in situations where a third party provides a unified multi-device user experience. Examples include Microsoft Xbox Live, Apple’s iOS, and Samsung Hub.
This scheme is identified by the string `SSO`.
```
authdata = {
  "#mandatory" : [ "mechanism", "token" ],
  "#conditions" : "((not email and not password and not netflixid and not securenetflixid)
                   xor (email and password)
                   xor (netflixid and securenetflixid))",
  "mechanism" : "string",
  "token" : "binary",
  "email" : "string",
  "password" : "string",
  "netflixid" : "string",
  "securenetflixid" : "string"
}
```
Field | Description |
---|---|
email | user email address |
netflixid | Netflix ID cookie |
mechanism | SSO mechanism |
password | user password |
securenetflixid | Secure Netflix ID cookie |
token | third-party SSO token |
The SSO token is issued by a third party and authenticated by the mechanism provided by that third party. It contains the third-party user ID. Possession of the token is considered sufficient proof of the third-party user ID.
If only an SSO token is provided then only authentication is performed. The user identity associated with the third-party user ID, if any, is assumed. If there is no associated user identity then authentication fails.
If an SSO token is provided in conjunction with either email/password or Netflix ID cookies then both authentication and association are performed. The email/password or Netflix ID cookies are used to authenticate the user and that user identity is then associated with the third-party user ID.
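
The field rules above can be checked before any token verification takes place. The following is an added example, not code from the MSL wiki or code base, that classifies an SSO authdata object as authenticate-only or authenticate-and-associate. The function name, the `Uint8Array` token representation, the treatment of empty strings as absent, and the rejection of stray fields are assumptions of this example.

```javascript
// Added example; every name here is hypothetical, not taken from the MSL code base.
// Assumptions: "present" means a non-empty string, and token is already decoded
// to bytes. Verifying the token or the credentials themselves is out of scope.
const has = (o, k) => typeof o[k] === 'string' && o[k].length > 0;
const reject = (reason) => ({ ok: false, reason });

function classifySsoAuthdata(authdata) {
  // "#mandatory": mechanism and token are always required.
  if (!has(authdata, 'mechanism')) return reject('missing mechanism');
  const token = authdata.token;
  if (!(token instanceof Uint8Array) || token.length === 0) return reject('missing token');

  const email = has(authdata, 'email');
  const password = has(authdata, 'password');
  const netflixid = has(authdata, 'netflixid');
  const secure = has(authdata, 'securenetflixid');

  // "#conditions", evaluated literally as a three-way xor.
  const none = !email && !password && !netflixid && !secure;
  const emailPair = email && password;
  const cookiePair = netflixid && secure;
  if (!((none !== emailPair) !== cookiePair)) return reject('violates #conditions');

  // Stricter than the literal xor (a choice made in this example): one complete
  // pair plus a stray half of the other pair satisfies the xor but is refused.
  if ((emailPair && (netflixid || secure)) || (cookiePair && (email || password))) {
    return reject('stray credential field');
  }
  // Token alone: authenticate only. Token plus one pair: authenticate and associate.
  return { ok: true, mode: none ? 'authenticate' : 'authenticate+associate' };
}

// Constructed sample inputs (mechanism name and values are placeholders).
const token = new Uint8Array([0x01, 0x02, 0x03]);
const samples = [
  { mechanism: 'EXAMPLE', token },
  { mechanism: 'EXAMPLE', token, email: 'user@example.com', password: 'pw' },
  { mechanism: 'EXAMPLE', token, email: 'user@example.com' },
  { mechanism: 'EXAMPLE', token, email: 'user@example.com', password: 'pw', netflixid: 'x' },
];
for (const s of samples) console.log(Object.keys(s).join(','), classifySsoAuthdata(s));
```

The last sample shows why the extra check exists: a complete email/password pair accompanied by a lone `netflixid` satisfies the xor expression as written, so a validator that only evaluates the expression would accept it.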