This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Authentication and Authorization

wagmarcel edited this page Jan 10, 2018 · 1 revision

Access Roles

Most of the REST calls need a specific access role. The following roles are defined:

  • anon - anonymous, not authorized
  • device - IoT device which is allowed to send data and configure its components, i.e. sensors and actuators
  • user - user of one or more accounts who can add/remove devices, configure rules, commands, etc.
  • admin - admin user of one or more accounts whose rights are a superset of the user's rights. Can e.g. add additional users to an account
  • sysadmin - sysadmin has access to all accounts (??), can e.g. delete accounts
  • system - role of a component doing system-wide analytics, e.g. the role of the rule engine

JSON Web Token & Authentication

Before a REST call is executed, the authentication and access role of the caller are verified. The authentication is done by JWT (JSON Web Token) as specified in RFC7797. The JWT is conveyed in the HTTP (MQTT?) message in the Authorization header as follows:

Authorization: Bearer eyJ0eXAi..

A typical unencrypted JWS looks as follows:

{
    "header":
    {
        "typ":"JWT",
        "alg":"RS256"
    },
    "payload":
    {
        "jti":"cca94767-37c6-4079-ac4c-97e28f5c2350",
        "iss":"http://enableiot.com",
        "sub":"3077f07a-23f0-437b-a43e-06093b25aadf",
        "exp":"2017-10-06T11:31:21.162Z",
        "accounts":[
            {
                "id":"5f564b74-fcf7-40b8-8b22-b1ff50dc78f7",
                "name":"TestAccount",
                "role":"admin"
            },
            {
                "id":"4a8a612a-86da-4dd3-a61f-6fa84a309136",
                "name":"test2",
                "role":"admin"
            }
        ]
    }
}

with special fields which are used by this framework:

  • sub: User ID of token owner
  • exp: Expiration date; user and admin tokens are valid for one day
  • accounts: List of accounts which the user has access to
  • id: Account ID
  • name: name of account
  • role: Role in Account. Can be user or admin

The system access role is not tied to specific accounts or user rights. Therefore this role adds a specific field to the payload:

"userRole":"system"
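
The following is an added example (not code from this wiki or the project) of how an endpoint can derive the caller's role for a given account from the claims described above: the per-account `accounts` entries, the account-independent `userRole: "system"` field, the ISO 8601 `exp` string, and the absence of a token mapping to `anon`. It assumes the RS256 signature has already been verified by a JWT library before the claims reach this code; the sample claims and the allowed-role sets are constructed for illustration.

```python
import datetime as dt

# Constructed sample claims modelled on the payload shown on this page
# (signature assumed already verified; the second account was changed to "user").
SAMPLE_CLAIMS = {
    "jti": "cca94767-37c6-4079-ac4c-97e28f5c2350",
    "iss": "http://enableiot.com",
    "sub": "3077f07a-23f0-437b-a43e-06093b25aadf",
    "exp": "2017-10-06T11:31:21.162Z",
    "accounts": [
        {"id": "5f564b74-fcf7-40b8-8b22-b1ff50dc78f7", "name": "TestAccount", "role": "admin"},
        {"id": "4a8a612a-86da-4dd3-a61f-6fa84a309136", "name": "test2", "role": "user"},
    ],
}

# Constructed claims for a system component (e.g. the rule engine): no accounts list.
SYSTEM_CLAIMS = {"sub": "rule-engine", "exp": "2017-10-06T11:31:21.162Z", "userRole": "system"}


def parse_exp(exp):
    """On this page exp is an ISO 8601 UTC string, not a numeric NumericDate."""
    return dt.datetime.strptime(exp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def caller_role(claims, account_id, now):
    """Role the caller holds for account_id: "anon" if there is no token,
    the token is expired, or it grants nothing for that account."""
    if claims is None:                         # no Authorization header at all
        return "anon"
    if parse_exp(claims["exp"]) <= now:        # an expired token grants nothing
        return "anon"
    if claims.get("userRole") == "system":     # system role is account-independent
        return "system"
    for acct in claims.get("accounts", []):    # per-account role from the accounts list
        if acct.get("id") == account_id and acct.get("role") in ("user", "admin"):
            return acct["role"]
    return "anon"


def is_authorized(claims, account_id, allowed_roles, now):
    """True when the caller's role for the account is one the endpoint accepts.
    "admin is a superset of user" is expressed by listing both roles for user endpoints."""
    return caller_role(claims, account_id, now) in allowed_roles
```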

What about sysadmin?
