Request a demo
Menu

Cloud2Cloud Gateway

10 minutes read
Edit on GitHub

C2C Gateway implements Open Connectivity Foundation’s Cloud API for Cloud Services providing API’s to mirror user’s devices to a different OCF standardized hub.

Docker Image

Copy
Copied
SOURCE Copy
Copied
        docker pull ghcr.io/plgd-dev/hub/cloud2cloud-gateway:latest

YAML Configuration

Copy
Copied

A configuration template is available in cloud2cloud-gateway/config.yaml.

Logging

Copy
Copied
PropertyTypeDescriptionDefault
log.levelstringLogging enabled from level."info"
log.encodingstringLogging format. The supported values are: "json", "console""json"
log.stacktrace.enabledboolLog stacktrace.false
log.stacktrace.levelstringStacktrace from level."warn"
log.encoderConfig.timeEncoderstringTime format for logs. The supported values are: "rfc3339nano", "rfc3339"."rfc3339nano"

HTTP API

Copy
Copied
PropertyTypeDescriptionDefault
apis.http.addressstringListen specification <host>:<port> for http client connection."0.0.0.0:9100"
apis.http.readTimeoutstringThe maximum duration for reading the entire request, including the body by the server. A zero or negative value means there will be no timeout.8s
apis.http.readHeaderTimeoutstringThe amount of time allowed to read request headers by the server. If readHeaderTimeout is zero, the value of readTimeout is used. If both are zero, there is no timeout.4s
apis.http.writeTimeoutstringThe maximum duration before the server times out writing of the response. A zero or negative value means there will be no timeout.16s
apis.http.idleTimeoutstringThe maximum amount of time the server waits for the next request when keep-alives are enabled. If idleTimeout is zero, the value of readTimeout is used. If both are zero, there is no timeout.30s
apis.http.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
apis.http.tls.keyFilestringFile path to private key in PEM format.""
apis.http.tls.certFilestringFile path to certificate in PEM format.""
apis.http.tls.clientCertificateRequiredboolIf true, require client certificate.true
apis.http.authorization.authoritystringAuthority is the address of the token-issuing authentication server. Services will use this URI to find and retrieve the public key that can be used to validate the token’s signature.""
apis.http.authorization.audiencestringIdentifier of the API configured in your OAuth provider.""
apis.http.authorization.http.maxIdleConnsintIt controls the maximum number of idle (keep-alive) connections across all hosts. Zero means no limit.16
apis.http.authorization.http.maxConnsPerHostintIt optionally limits the total number of connections per host, including connections in the dialing, active, and idle states. On limit violation, dials will block. Zero means no limit.32
apis.http.authorization.http.maxIdleConnsPerHostintIf non-zero, controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.16
apis.http.authorization.http.idleConnTimeoutstringThe maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. Zero means no limit.30s
apis.http.authorization.http.timeoutstringA time limit for requests made by this Client. A Timeout of zero means no timeout.10s
apis.http.authorization.http.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
apis.http.authorization.http.tls.keyFilestringFile path to private key in PEM format.""
apis.http.authorization.http.tls.certFilestringFile path to certificate in PEM format.""
apis.http.authorization.http.tls.useSystemCAPoolboolIf true, use system certification pool.false
apis.http.authorization.tokenTrustVerification.cacheExpirationstringDuration for which a valid token is kept in a runtime cache before re-verification is required.30s

Event Bus

Copy
Copied

plgd hub uses NATS messaging system as an event bus.

PropertyTypeDescriptionDefault
clients.eventBus.nats.urlstringURL to nats messaging system."nats://localhost:4222"
clients.eventBus.nats.pendingLimits.msgLimitintLimit number of messages in queue. -1 means unlimited524288
clients.eventBus.nats.pendingLimits.bytesLimitintLimit buffer size of queue. -1 means unlimited67108864
clients.eventBus.nats.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
clients.eventBus.nats.tls.keyFilestringFile name of private key in PEM format.""
clients.eventBus.nats.tls.certFilestringFile name of certificate in PEM format.""
clients.eventBus.nats.tls.useSystemCAPoolboolIf true, use system certification pool.false
clients.eventBus.nats.leadResourceType.enabledboolIf true, subscribe to NATS with lead resource type subject token included.false

GRPC Gateway Client

Copy
Copied

Client configurations to internally connect to GRPC Gateway service.

PropertyTypeDescriptionDefault
clients.grpcGateway.grpc.addressstringGRPC Gateway service address."127.0.0.1:9100"
clients.grpcGateway.grpc.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
clients.grpcGateway.grpc.tls.keyFilestringFile path to private key in PEM format.""
clients.grpcGateway.grpc.tls.certFilestringFile path to certificate in PEM format.""
clients.grpcGateway.grpc.tls.useSystemCAPoolboolIf true, use system certification pool.false
clients.grpcGateway.grpc.keepAlive.timestringAfter a duration of this time if the client doesn't see any activity it pings the server to see if the transport is still alive.10s
clients.grpcGateway.grpc.keepAlive.timeoutstringAfter having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed.20s
clients.grpcGateway.grpc.keepAlive.permitWithoutStreamboolIf true, client sends keepalive pings even with no active RPCs. If false, when there are no active RPCs, Time and Timeout will be ignored and no keepalive pings will be sent.false

Resource Aggregate Client

Copy
Copied

Client configurations to internally connect to the Resource Aggregate service.

PropertyTypeDescriptionDefault
clients.resourceAggregate.grpc.addressstringResource aggregate service address."127.0.0.1:9100"
clients.resourceAggregate.grpc.keepAlive.timestringAfter a duration of this time if the client doesn't see any activity it pings the server to see if the transport is still alive.10s
clients.resourceAggregate.grpc.keepAlive.timeoutstringAfter having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed.20s
clients.resourceAggregate.grpc.keepAlive.permitWithoutStreamboolIf true, client sends keepalive pings even with no active RPCs. If false, when there are no active RPCs, Time and Timeout will be ignored and no keepalive pings will be sent.false
clients.resourceAggregate.grpc.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
clients.resourceAggregate.grpc.tls.keyFilestringFile path to private key in PEM format.""
clients.resourceAggregate.grpc.tls.certFilestringFile path to certificate in PEM format.""
clients.resourceAggregate.grpc.tls.useSystemCAPoolboolIf true, use system certification pool.false

Storage

Copy
Copied

plgd hub uses MongoDB database as the owner’s device store.

PropertyTypeDescriptionDefault
clients.storage.mongoDB.uristringURI to mongo database."mongodb://localhost:27017"
clients.storage.mongoDB.databasestringName of database."cloud2cloudGateway"
clients.storage.mongoDB.maxPoolSizeintLimits number of connections.16
clients.storage.mongoDB.maxConnIdleTimestringClose connection when idle time reach the value.4m
clients.storage.mongoDB.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
clients.storage.mongoDB.tls.keyFilestringFile path to private key in PEM format.""
clients.storage.mongoDB.tls.certFilestringFile path to certificate in PEM format.""
clients.storage.mongoDB.tls.useSystemCAPoolboolIf true, use system certification pool.false

Subscription

Copy
Copied
PropertyTypeDescriptionDefault
clients.subscription.http.reconnectIntervalstringtry to reconnect after interval to resource-directory when connection was closed"10s"
clients.subscription.http.emitEventTimeoutstringtimeout for send event"5s"
clients.subscription.http.tls.caPool[]stringFile paths to the root certificates in PEM format. The file may contain multiple certificates.[]
clients.subscription.http.tls.keyFilestringFile path to private key in PEM format.""
clients.subscription.http.tls.certFilestringFile path to certificate in PEM format.""
clients.subscription.http.tls.useSystemCAPoolboolIf true, use system certification pool.false

Open telemetry exporter

Copy
Copied

The plgd open telemetry exporter configuration.

PropertyTypeDescriptionDefault
clients.openTelemetryCollector.grpc.enabledboolEnable OTLP gRPC exporterfalse
clients.openTelemetryCollector.grpc.addressstringThe gRPC collector to which the exporter is going to send data""
clients.openTelemetryCollector.grpc.keepAlive.timestringAfter a duration of this time if the client doesn't see any activity it pings the server to see if the transport is still alive.10s
clients.openTelemetryCollector.grpc.keepAlive.timeoutstringAfter having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed.20s
clients.openTelemetryCollector.grpc.keepAlive.permitWithoutStreamboolIf true, client sends keepalive pings even with no active RPCs. If false, when there are no active RPCs, Time and Timeout will be ignored and no keepalive pings will be sent.true
clients.openTelemetryCollector.grpc.tls.caPoolstringFile path to the root certificate in PEM format which might contain multiple certificates in a single file.""
clients.openTelemetryCollector.grpc.tls.keyFilestringFile path to private key in PEM format.""
clients.openTelemetryCollector.grpc.tls.certFilestringFile path to certificate in PEM format.""
clients.openTelemetryCollector.grpc.tls.useSystemCAPoolboolIf true, use system certification pool.false

Task Queue

Copy
Copied
PropertyTypeDescriptionDefault
taskQueue.goPoolSizeintMaximum number of running goroutine instances.1600
taskQueue.sizeintSize of queue. If it exhausted, submit returns error.2097152
taskQueue.maxIdleTimestringSets up the interval time of cleaning up goroutines. Zero means never cleanup.10m
Note

Note that the string type related to time (i.e. timeout, idleConnTimeout, expirationTime) is decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “1.5h” or “2h45m”. Valid time units are “ns”, “us”, “ms”, “s”, “m”, “h”.

API

Copy
Copied

Follow OCF Cloud API For Cloud Services Specification

Commands

Copy
Copied
  • get all devices
  • get the device by ID
  • retrieve / update resource values
  • subscribe to / unsubscribe from events against the set of devices
  • subscribe to / unsubscribe from events against a specific device
  • subscribe to / unsubscribe from events against a specific resource
  • swagger

How to try

Copy
Copied

Steps

Copy
Copied
  1. Authorize the user: Request the user’s authorization and redirect back to your application with an authorization code.
  2. Request tokens: Exchange your authorization code for tokens.
  3. Call your API: Use the retrieved Access Token to call your API.
  4. Refresh Tokens: Use a Refresh Token to request new tokens when the existing ones expire.

Authorize the User

Copy
Copied
  • Authenticating the user;
  • Redirecting the user to an Identity Provider to handle authentication;
  • Checking for active Single Sign-on (SSO) sessions;
  • Obtaining user consent for the requested permission level, unless consent has been previously given.

To authorize the user, your app must send the user to the authorization URL.

Authorize with try.plgd.cloud

Copy
Copied
SOURCE Copy
Copied
        https://auth.plgd.cloud/authorize?
    response_type=code&
    client_id=9XjK2mCf2J0or4Ko0ow7wCmZeDTjC1mW&
    redirect_uri=http://localhost:8080/callback&
    scope=r:deviceinformation:* r:resources:* w:resources:* w:subscriptions:* offline_access&
    audience=https://openapi.try.plgd.cloud/&
    state=STATE

If all goes well, you’ll receive an HTTP 302 response. The authorization code is included at the end of the URL:

SOURCE Copy
Copied
        http://localhost:8080/callback?code=s65bpdt-ry7QEh6O&state=STATE

Request Tokens

Copy
Copied

Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL.

Request Tokens with try.plgd.cloud

Copy
Copied
SOURCE Copy
Copied
        curl --request POST \
  --url 'https://auth.plgd.cloud/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id=9XjK2mCf2J0or4Ko0ow7wCmZeDTjC1mW' \
  --data client_secret=UTeeIsSugTuDNbn4QMdBaNLDnMiBQzQaa6elm4SDuWOdZUou-aH00EPSbBhgppFD \
  --data code={YOUR_AUTHORIZATION_CODE} \
  --data 'redirect_uri=http://localhost:8080/callback'

If all goes well, you’ll receive an HTTP 200 response with a payload containing access_token, refresh_token, scope, expires_in and token_type values:

SOURCE Copy
Copied
        {
  "access_token":"ey...ojg",
  "refresh_token":"pL...btL",
  "scope":"r:deviceinformation:* r:resources:* w:resources:* w:subscriptions:* offline_access",
  "expires_in":86400,
  "token_type":"Bearer"
}

Call the C2C API

Copy
Copied

To call the C2C API as an authorized user, the application must pass the retrieved Access Token as a Bearer token in the Authorization header of your HTTP request.

SOURCE Copy
Copied
        curl --request GET \
  --url https://openapi.try.plgd.cloud/api/v1/devices \
  --header 'authorization: Bearer eyJ...lojg' \
  --header 'content-type: application/json' \
  --header 'accept: application/json'

Refresh the token

Copy
Copied

You can use the Refresh Token to get a new Access Token. The application communicating with the C2C Endpoint needs a new Access Token only after the previous one expires. It’s bad practice to call the endpoint to get a new Access Token every time you call an API, and pluggedin.cloud maintains rate limits that will throttle the amount of requests to the endpoint that can be executed using the same token from the same IP.

To refresh your token, make a POST request to the token endpoint, using grant_type=refresh_token.

SOURCE Copy
Copied
        curl --request POST \
  --url 'https://auth.plgd.cloud/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data 'client_id=9XjK2mCf2J0or4Ko0ow7wCmZeDTjC1mW' \
  --data refresh_token={YOUR_REFRESH_TOKEN}

Now you’re able to authorize the user, request the token, communicate with the C2C API and refresh the token before it expires.

Device Onboarding

Copy
Copied

To be able to see the devices through the try.plgd.cloud C2C API, first you need to onboard the device. When you have your device ready, go to the https://plgd.dev website and click Try Live. This redirects you to the try.plgd.cloud Portal.

First thing you need is an authorization code. In the try.plgd.cloud Portal go to Devices and click Onboard Device. This displays you the code needed to onboard the device. Values which should be set to the coapcloudconf device resource are:

Unsecured device

Copy
Copied
  • apn : plgd
  • cis : coap+tcp://try.plgd.cloud:5683
  • sid : adebc667-1f2b-41e3-bf5c-6d6eabc68cc6
  • at : CODE_FROM_PORTAL

Secured device

Copy
Copied
  • apn : plgd
  • cis : coaps+tcp://try.plgd.cloud:5684
  • sid : adebc667-1f2b-41e3-bf5c-6d6eabc68cc6
  • at : CODE_FROM_PORTAL

Conditions:

  • Device must be owned.
  • Cloud CA must be set as TRUST CA with subject adebc667-1f2b-41e3-bf5c-6d6eabc68cc6 in device.
  • Cloud CA in PEM:
SOURCE Copy
Copied
        -----BEGIN CERTIFICATE-----
MIIBhDCCASmgAwIBAgIQdAMxveYP9Nb48xe9kRm3ajAKBggqhkjOPQQDAjAxMS8w
LQYDVQQDEyZPQ0YgQ2xvdWQgUHJpdmF0ZSBDZXJ0aWZpY2F0ZXMgUm9vdCBDQTAe
Fw0xOTExMDYxMjAzNTJaFw0yOTExMDMxMjAzNTJaMDExLzAtBgNVBAMTJk9DRiBD
bG91ZCBQcml2YXRlIENlcnRpZmljYXRlcyBSb290IENBMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEaNJi86t5QlZiLcJ7uRMNlcwIpmFiJf9MOqyz2GGnGVBypU6H
lwZHY2/l5juO/O4EH2s9h3HfcR+nUG2/tFzFEaMjMCEwDgYDVR0PAQH/BAQDAgEG
MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAM7gFe39UJPIjIDE
KrtyPSIGAk0OAO8txhow1BAGV486AiEAqszg1fTfOHdE/pfs8/9ZP5gEVVkexRHZ
JCYVaa2Spbg=
-----END CERTIFICATE-----
  • ACL for Cloud (Subject: adebc667-1f2b-41e3-bf5c-6d6eabc68cc6) must be set with full access to all published resources in device.

See Also

Copy
Back Certificate Authority
Next Device Provisioning Service
Oct 1, 2021

Get started

plgd makes it simpler to build a successful IoT initiative – to create a proof of concept, evaluate, optimize, and scale.

Try free Talk to us
Get Started Illustration Get Started Illustration