Channels configuration in Spain

The aim of this document is to describe how to configure a channel to access all the needed Kernel APIs in Spain.

Security Channel ES OB

The Spain Security Team has added a validation to the generated tokens, in order to check both which application is consuming the APIs and which application authenticated the user.

The affected APIs are UserProfile, Consents and all Telco-related APIs, such as billing or balance.

To validate which application makes the requests and on whose behalf they are made, they will use:

  • The app credentials that generated the accessToken that is consuming the API.
  • The channel_id that was included when the authorization_id was created.
    • If no channel_id was included, then the one sent as a parameter when the accessToken was generated will be used.

This is evaluated in a step called token_exchange, executed before a request is allowed to access one of the protected APIs.

The nomenclature used by the OB is:

  • consumer_id: name of the application that generated the accessToken used in the API call. Example: ‘aura-bot’ (the client-id of Kernel. No further modification of this field is necessary).
  • channel_Id: an optional, readable channel identifier created for security. It must be sent either in the generation of the authorization_id or in the generation of the accessToken. If the first one is present, it will always be used.

This pair builds what is called a provenance, which determines whether access to an API is granted or not.
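
The precedence rule and the pair check described above, sketched as an added example (not the OB's or Kernel's own code). The policy table, the function names and the fail-closed behaviour when no channel_id can be resolved are assumptions:

```python
# Added illustration of the provenance decision made during token_exchange.
# PROVENANCE_POLICY, the function names and the deny-by-default choices
# are assumptions; the real rules are owned by the OB.
from typing import Optional

# Constructed policy: protected API -> allowed (consumer_id, channel_id) pairs.
PROVENANCE_POLICY = {
    "UserProfile": {("aura-bot", "novum-mytelco")},
    "Consents": {("aura-bot", "novum-mytelco")},
}


def effective_channel_id(authorization_channel_id: Optional[str],
                         token_channel_id: Optional[str]) -> Optional[str]:
    """The channel_id bound to the authorization_id always wins; the one
    sent when generating the accessToken is only a fallback."""
    if authorization_channel_id:
        return authorization_channel_id
    return token_channel_id or None


def token_exchange(api: str, consumer_id: str,
                   authorization_channel_id: Optional[str] = None,
                   token_channel_id: Optional[str] = None) -> bool:
    """Return True only if the provenance pair is allowed for this API."""
    channel_id = effective_channel_id(authorization_channel_id,
                                      token_channel_id)
    if channel_id is None:
        return False  # assumption: fail closed when no channel is resolved
    allowed = PROVENANCE_POLICY.get(api, set())  # assumption: unknown API denies
    return (consumer_id, channel_id) in allowed


if __name__ == "__main__":
    # Constructed requests: (api, consumer_id, authorization channel, token channel)
    cases = [
        ("UserProfile", "aura-bot", "novum-mytelco", None),
        ("UserProfile", "aura-bot", None, "novum-mytelco"),
        ("UserProfile", "aura-bot", "other-channel", "novum-mytelco"),
        ("Consents", "other-app", "novum-mytelco", None),
        ("UserProfile", "aura-bot", None, None),
    ]
    for api, consumer, auth_ch, tok_ch in cases:
        print(api, consumer, auth_ch, tok_ch, "->",
              token_exchange(api, consumer, auth_ch, tok_ch))
```

The third case shows why the precedence matters: a channel_id supplied at accessToken generation cannot override the one already bound to the authorization_id.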

channel_Id will be configured, as channelId, in the security object at the root of the channel definition:

{
    "channel_id": "45494a5b-835a-4fff-a813-b3d2be529dbe",
    "fpa_auth_purposes": "customer-self-service identify-customer aura-technical-problems-purpose",
    "fpa_auth_scopes": "",
    "name": "novum-mytelco",
    "nlp": {
      "enabled": true
    },
    "prefix": "nov",
    "security": {
      "channelId": "novum-mytelco"
    },
    "dialogLibraries": [...]
}

This change affects ES as a matter of priority for now.

Scopes and purposes

In order to access the APIs that the use cases require, it is necessary to indicate the scopes and purposes at channel level, with the fpa_auth_purposes and fpa_auth_scopes fields:

{
    ...
    "channel_id": "60f0ffda-e58a-4a96-aad9-d42be70b7b42",
    "fpa_auth_purposes": "wifi-management video-personalized video-usage aura-send-bot-events customer-self-service",
    "fpa_auth_scopes": "video:search-read video:browse-read video:related-read video:content-details-read video:content-highlighted-read video:epg-read video:channels-read video:now-showing-read",
    "name": "movistar-plus"
    ...
}
Last modified May 18, 2026: Remove KGB (52b04d91)