This repository has been archived by the owner on Jan 8, 2024. It is now read-only.
Authentication and Authorization
wagmarcel edited this page Jan 10, 2018 · 1 revision
Most of the REST calls need a specific access role. The following roles are defined:
- anon - anonymous, not authorized
- device - IoT device which is allowed to send data and configure its components, i.e. sensors and actuators
- user - user of account(s) who can add/remove devices, configure rules, commands, etc.
- admin - admin user of account(s) whose rights are a superset of the user's rights. Can e.g. add additional users to an account
- sysadmin - sysadmin has access to all accounts (??), can e.g. delete accounts
- system - role of a component doing system-wide analytics, e.g. the role of the rule engine
Before a REST call is executed, the caller's authentication and access role are verified. Authentication is done with a JWT (JSON Web Token) as specified in RFC7797. The JWT is conveyed in the HTTP (MQTT?) message in the Authorization header as follows:

```
Authorization: Bearer eyJ0eXAi..
```
A typical unencrypted JWS looks as follows (decoded header and payload shown as JSON; the missing comma between the two objects has been added):

```json
{
  "header":
  {
    "typ":"JWT",
    "alg":"RS256"
  },
  "payload":
  {
    "jti":"cca94767-37c6-4079-ac4c-97e28f5c2350",
    "iss":"http://enableiot.com",
    "sub":"3077f07a-23f0-437b-a43e-06093b25aadf",
    "exp":"2017-10-06T11:31:21.162Z",
    "accounts":[
      {
        "id":"5f564b74-fcf7-40b8-8b22-b1ff50dc78f7",
        "name":"TestAccount",
        "role":"admin"
      },
      {
        "id":"4a8a612a-86da-4dd3-a61f-6fa84a309136",
        "name":"test2",
        "role":"admin"
      }
    ]
  }
}
```
with the following fields used by this framework:
- sub: User ID of the token owner
- exp: Expiration date; user and admin tokens are valid for one day
- accounts: List of accounts which the user has access to, each with:
  - id: Account ID
  - name: Name of the account
  - role: Role in the account. Can be user or admin
The access role system does not have specific accounts or user rights. Therefore this role adds a specific field to the payload:

```json
"userRole":"system"
```

What about sysadmin?