Several options to authenticate to the t6 IoT platform
The purpose of authentication is to make sure that users are valid and that their identity is known to the t6 platform. Depending on the use case, this authentication can be done in several ways on t6 IoT.
Tagged on #security, #jwt, #authentication,
HTTP Basic Authentication
HTTP Basic Authentication can only be used in the Web Sockets use case. The socket connection to t6 must carry an extra Authorization header whose value is the base64-encoded credentials. The credentials are the string user-Api-Key:user-Api-Secret (the two values separated by a colon), encoded as base64. Note that base64 is an encoding, not encryption: the header is trivially reversible, so the socket connection must be established over TLS.
e.g.:
Authorization: Basic dXNlci1hcGkta2V5OnVzZXItYXBpLXNlY3JldA==
JWT Bearer Authentication
t6 follows the basic JWT concept: clients claim who they are using a JWT signed by the server. t6 offers several processes to obtain such a JWT. Each JWT expires 5 minutes after it is issued, and a refresh-token mechanism is available within a 24-hour window.
By providing a valid username + password
This process is the common password grant_type: the user signs in by providing their username (email address) and password.
Once the identification on the t6 server has completed successfully, a JWT is forged and sent back to the user.
Then, on every subsequent call from that user (before the token expires), the client sends that JWT in the request headers to claim who the requester is.
The t6 server rejects malformed JWTs and JWTs whose signature does not verify. Only the t6 server can produce a valid signature, because the signing secret never leaves the server.
Please note that the username and password are sent from the client to t6 over SSL/TLS.
e.g.:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.….Cszy91AEzr2udkwLXHZ0adWTvNi5uht9Dia74FGpA3k
By providing a valid user-Api-Key + user-Api-Secret on the POST payload
t6 provides a dedicated endpoint to generate Key+Secret tokens. These tokens let you attach a custom memo
so that you can remember where each Key+Secret credential is used. Additionally, you can choose their lifetime (1 day, 1 week, 1 month or 1 year).
Key+Secret credentials can also be revoked when you no longer need them, or when you need a credential to become invalid immediately (after a suspected leak, for instance).
POSTing Key+Secret credentials to the t6 Authenticate process also forges a regular JWT with the same attributes as the other processes.
Beta: Key+Secret credentials can also be sent directly as X- headers, specifically on datapoint requests.
Refresh a Jwt Token
Whatever the identification process, t6 sends back a JWT together with a refresh token. Each has its own expiration (5 minutes for the JWT, 24 hours for the refresh_token). The refresh token can be used to obtain a fresh JWT without presenting the original credentials again. Treat the refresh token as a credential in its own right: it stays valid far longer than the JWT, so store it as carefully as you would a password, and expect to sign in again once its 24-hour window has passed.
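A client-side token manager that honours the two lifetimes given above (5 minutes for the JWT, 24 hours for the refresh token) and falls back to a full sign-in once the refresh window has closed, as an added example in Node.js. This is not t6's own client code: the `login` and `refresh` callbacks, the response shape `{ token, refresh_token }`, the 30-second early-renewal margin and the in-memory stand-in server are all assumptions made for the example.

```javascript
// Added example (not t6 project code): client that keeps a valid Bearer
// token available by refreshing before the 5-minute JWT expires and by
// re-authenticating once the 24-hour refresh window is gone.
const JWT_TTL_MS = 5 * 60 * 1000;           // t6: JWT expires after 5 minutes
const REFRESH_TTL_MS = 24 * 60 * 60 * 1000; // t6: refresh token valid for 24 hours
const SKEW_MS = 30 * 1000;                  // assumption: renew early to absorb clock drift and latency

class TokenManager {
  // login()             -> { token, refresh_token }   (username+password or Key+Secret POST)
  // refresh(refreshTok) -> { token, refresh_token? }  (POST the refresh token)
  // Both are injected so the manager is transport-agnostic and testable offline.
  constructor({ login, refresh, now = () => Date.now() }) {
    this.loginFn = login;
    this.refreshFn = refresh;
    this.now = now;
    this.token = null;
    this.refreshToken = null;
    this.tokenExpiresAt = 0;
    this.refreshExpiresAt = 0;
  }

  store(resp, issuedAt) {
    this.token = resp.token;
    this.tokenExpiresAt = issuedAt + JWT_TTL_MS;
    // Only restart the 24-hour window when the server actually hands out a new refresh token.
    if (typeof resp.refresh_token === "string") {
      this.refreshToken = resp.refresh_token;
      this.refreshExpiresAt = issuedAt + REFRESH_TTL_MS;
    }
  }

  // Returns the Authorization header value, renewing credentials as needed.
  authHeader() {
    const t = this.now();
    if (this.token && t < this.tokenExpiresAt - SKEW_MS) {
      return `Bearer ${this.token}`;
    }
    if (this.refreshToken && t < this.refreshExpiresAt - SKEW_MS) {
      this.store(this.refreshFn(this.refreshToken), t);
    } else {
      // Refresh window closed (or never authenticated): full sign-in is the only way back.
      this.store(this.loginFn(), t);
    }
    return `Bearer ${this.token}`;
  }
}

// Constructed stand-in for the t6 server, used only to exercise the manager offline.
// It issues numbered tokens and rejects refresh tokens past their 24-hour expiry.
function makeFakeServer(now) {
  let issued = 0;
  const refreshTokens = new Map(); // refresh token -> expiry (ms)
  const server = {
    calls: { login: 0, refresh: 0 },
    login() {
      server.calls.login += 1;
      issued += 1;
      const rt = `refresh-${issued}`;
      refreshTokens.set(rt, now() + REFRESH_TTL_MS);
      return { token: `jwt-${issued}`, refresh_token: rt };
    },
    refresh(rt) {
      server.calls.refresh += 1;
      const exp = refreshTokens.get(rt);
      if (exp === undefined || now() >= exp) throw new Error("refresh token invalid or expired");
      issued += 1;
      return { token: `jwt-${issued}` }; // no rotation: the refresh token keeps its original expiry
    },
  };
  return server;
}
```

The manager never calls `refresh` with a token it knows to be expired, so the server-side rejection path is only hit if the client's clock and the server's disagree by more than the skew margin; in that case the thrown error should be caught by the caller and turned into a fresh `login`.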