At coap-gateway you can enable mutual TLS, which verifies the signature on the device's identity certificate, via configuration:
```yaml
api:
  coap:
    tls:
      # default
      clientCertificateRequired: true
```
After that, only devices whose identity certificates were signed by the CA configured in coap-gateway can access the hub.
When the device makes one of the calls sign up, sign in, sign out or sign off, coap-gateway needs to resolve the device ID. Which source it uses depends on two settings:

- If api.coap.authorization.deviceIDClaim is set, the device ID is resolved from the JWT token. If the JWT token doesn't contain the configured claim (e.g. https://<YOUR_DOMAIN>/deviceId), coap-gateway returns code Unauthorized and closes the connection.
- If api.coap.tls.clientCertificateRequired is set, the device ID is resolved from the device identity certificate.
- When both api.coap.tls.clientCertificateRequired and api.coap.authorization.deviceIDClaim are set, coap-gateway compares the device ID from the certificate with the one from the JWT token. If they are not the same, coap-gateway returns code Unauthorized and closes the connection.
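The resolution rules above, worked through as an added Go example (Go being the language of the plgd hub; this is illustrative code, not coap-gateway's own implementation). It assumes the JWT has already been signature-verified elsewhere, so the decoder only reads claims; it assumes the device ID sits in the certificate's Subject CN as `uuid:<deviceId>` (a convention not stated on this page); and `makeToken` builds unsigned tokens purely to have constructed input to run against.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the two coap-gateway settings described above.
type Config struct {
	ClientCertificateRequired bool   // api.coap.tls.clientCertificateRequired
	DeviceIDClaim             string // api.coap.authorization.deviceIDClaim; "" means not set
}

// ErrUnauthorized stands in for the Unauthorized response after which the gateway closes the connection.
var ErrUnauthorized = errors.New("unauthorized")

// jwtClaims decodes the payload of a compact JWT. It deliberately does NOT verify the
// signature: it assumes the gateway's token validator already accepted the token.
func jwtClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse JWT payload: %w", err)
	}
	return claims, nil
}

// certDeviceID extracts the device ID from the identity certificate.
// Assumption (not stated on the page): the Subject CN is "uuid:<deviceId>".
func certDeviceID(cert *x509.Certificate) (string, error) {
	cn := cert.Subject.CommonName
	if !strings.HasPrefix(cn, "uuid:") || len(cn) == len("uuid:") {
		return "", fmt.Errorf("certificate CN %q does not carry a uuid:<deviceId>", cn)
	}
	return strings.TrimPrefix(cn, "uuid:"), nil
}

// resolveDeviceID applies the gateway's rules: claim-only, cert-only, or both (must match).
func resolveDeviceID(cfg Config, token string, cert *x509.Certificate) (string, error) {
	var fromJWT, fromCert string
	if cfg.DeviceIDClaim != "" {
		claims, err := jwtClaims(token)
		if err != nil {
			return "", fmt.Errorf("%w: %v", ErrUnauthorized, err)
		}
		v, ok := claims[cfg.DeviceIDClaim].(string)
		if !ok || v == "" { // claim missing (or not a string): Unauthorized, close connection
			return "", fmt.Errorf("%w: JWT lacks claim %q", ErrUnauthorized, cfg.DeviceIDClaim)
		}
		fromJWT = v
	}
	if cfg.ClientCertificateRequired {
		if cert == nil {
			return "", fmt.Errorf("%w: client certificate required but none presented", ErrUnauthorized)
		}
		id, err := certDeviceID(cert)
		if err != nil {
			return "", fmt.Errorf("%w: %v", ErrUnauthorized, err)
		}
		fromCert = id
	}
	switch {
	case fromJWT != "" && fromCert != "":
		if fromJWT != fromCert { // both configured: the two IDs must agree
			return "", fmt.Errorf("%w: device ID mismatch: certificate %q, JWT %q", ErrUnauthorized, fromCert, fromJWT)
		}
		return fromCert, nil
	case fromCert != "":
		return fromCert, nil
	case fromJWT != "":
		return fromJWT, nil
	default: // neither source configured; not covered by the page, treated as a config error here
		return "", errors.New("no device ID source configured")
	}
}

// makeToken builds an unsigned, constructed JWT for demonstration only.
func makeToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"
}

func main() {
	const claim = "https://<YOUR_DOMAIN>/deviceId"
	cfg := Config{ClientCertificateRequired: true, DeviceIDClaim: claim}
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: "uuid:d1"}} // constructed identity cert
	for _, c := range []map[string]interface{}{{claim: "d1"}, {claim: "d2"}, {"sub": "user"}} {
		id, err := resolveDeviceID(cfg, makeToken(c), cert)
		fmt.Printf("deviceID=%q err=%v\n", id, err)
	}
}
```

The three loop iterations in `main` exercise the matching, mismatching and missing-claim cases; only the first yields a device ID, the other two return `ErrUnauthorized`, which is the point at which the real gateway drops the connection.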
First, you need to create a rule at Auth pipeline -> Rules with the following code:

```javascript
function (user, context, callback) {
  // Namespaced custom claim that coap-gateway reads (api.coap.authorization.deviceIDClaim).
  var deviceIdClaim = 'https://<YOUR_DOMAIN>/deviceId';
  // device_id is taken from the query string of the authorize request, if present.
  var deviceId = (context && context.request && context.request.query && context.request.query.device_id) || null;
  if (deviceId) {
    // Copy it into the access token so the device presents it on sign up / sign in.
    context.accessToken[deviceIdClaim] = deviceId;
  }
  return callback(null, user, context);
}
```
After that, if you call the authorize endpoint with the query parameter device_id=<deviceId> to obtain an authorization code for a device, and the device signs up with that code, the returned JWT access token will contain the device ID claim, e.g. https://<YOUR_DOMAIN>/deviceId: <deviceId>.

For coap-gateway to validate the device ID claim, api.coap.authorization.deviceIDClaim must be set to https://<YOUR_DOMAIN>/deviceId.