Skip to end of metadata
Go to start of metadata

Table of Contents


Using Universal SSO on the Roku Platform

This document defines a mechanism and protocols for the Universal Authentication Protocol for Single Sign-On (Universal SSO). Universal SSO is useful for channel partners using OAuth or alternate authentication protocols. Your channel can use the Roku StoreChannelCredData() method of roChannelStore to store an authentication artifact with Roku for a signed-in user, associating that user with a particular Roku account. When your channel launches and a user is not signed in, your channel requests the stored artifact using the GetChannelCred method, finds your matching customer, and signs them in.

Channel Activation Using Universal SSO

A user should have:

  • Activated their Roku player.
  • Linked the player to a Roku customer account. If the customer does not have a Roku account, they must create a new account at this time. 
  • Added your channel to the player. A channel must be added on the first player associated with the customer account. After that, the channel will be added automatically to subsequent players during activation.

Channel Activation Sequence

Whether a user has been authenticated or not changes the activation sequence.

For a user who has never been authenticated:

Step 1. Channel launches and the user is not signed in.

Step 2. Channel registry on the device indicates the user has not taken action to sign out, so there is no attempt to sign in the user.

NOTE: If a customer has actively signed out of the partner application, the local registry should know so that they are not automatically signed in upon the next launch of the channel.

Step 3. Channel makes call to GetAuthCred method and no OAuth token is returned.

Step 4. User signs up for or signs into partner service.

Step 5. Channel requests OAuth token from its server.

Step 6. Channel makes call to StoreChannelCredData method and stores OAuth token on Roku's server. The token is associated with both the partner and the Roku account. The channel stores an access and refreshes the token initial exchange.

  

For a previously authenticated user:

Step 1. Channel launches and the user is not signed in.

Step 2. Channel registry on the device indicates the user has not taken action to sign out, so there is no attempt to sign in the user.

NOTE: If a customer has actively signed out of the partner application, the local registry should know so that they are not automatically signed in upon the next launch of the channel.

Step 3. Channel makes call to GetAuthCred method and the previously stored OAuth token is returned.

Step 4. Channel sends token to partner service for validation.

Step 5. Partner service validates and returns token.

Step 6. Channel stores token and user signs in.

Activation Protocol Sequence

Request GetChannelCred

Available since firmware version 7.2

GetChannelCred request must be executed in the context of the channel application. This should occur at channel launch whenever the channel’s proprietary authentication credential is not in the channel’s local registry AND the user has not explicitly signed out of the channel.

You should invoke the BrightScript roChannelStore API to initiate this protocol interaction. 

 

store  = CreateObject(“roChannelStore”)
cred   = store.GetChannelCred(channel_data)

 

Response Example

An example of the contents of the associative array cred from a successful response follows:

 

{

    channelID: "12345"

    json: "{

      "error":null,

      "roku_pucid":"deedcafe-721c-59e1-8b82-a2a511d9b876",

      "token_type":"urn:roku:pucid:token_type:pucid_token",

      “stored_data” : <stored_data>

    }”

    publisherDeviceID: "7229876e-0d1e-5f60-b19b-7f6ccef2a8e8"

    status: 0

}

In this response stored_data is the data stored by Channel by calling StoreChannelCredData.

Request Error

An error response returns an empty json object and additional status information.

 

An example of a failed response follows:

 

{
    channelID: "12345"
    json:
    publisherDeviceID: "7229876e-0d1e-5f60-b19b-7f6ccef2a8e8"
    status:  400
}

Request StoreChannelCredData

Available since firmware version 8.1

StoreChannelCredData is used to store custom application data (such as an OAuth token or a custom token). This stored data can then be retrieved by calling GetChannelCred. The data is stored securely in cloud and can be retrieved by other devices linked to the same Roku account. 

 

store  = CreateObject(“roChannelStore”)

status = store.StoreChannelCredData(channel_data)

 

status : 0 represents that data was successfully stored. If there is an error, this value represents an error code.
  • No labels