At coap-gateway you can set up mutual TLS, which verifies the signature of the device identity certificate, via configuration:

```yaml
api:
  coap:
    tls:
      # default
      clientCertificateRequired: true
```
After that, only devices whose identity certificates are signed by the CA configured in coap-gateway can access the hub.

When the device makes one of the sign up, sign in, sign out or sign off calls, coap-gateway needs to resolve the device ID:

- If api.coap.authorization.deviceIDClaim is set, the device ID is resolved from the JWT token. If the JWT token doesn't contain https://<YOUR_DOMAIN>/deviceId, coap-gateway returns code Unauthorized and closes the connection.
- If api.coap.tls.clientCertificateRequired is set, the device ID is resolved from the device identity certificate.
- When both api.coap.tls.clientCertificateRequired and api.coap.authorization.deviceIDClaim are set, coap-gateway matches the device ID from the certificate against the one from the JWT token. If they are not the same, coap-gateway returns code Unauthorized and closes the connection.
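The resolution rules above, written out as a small Go function. This is an added example, not coap-gateway's own code: the Config struct, the assumption that the identity certificate's Common Name has the form uuid:<deviceId>, and the decision to reject when neither source is configured (a case the text does not cover) are all choices of this example. The claims map is assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config holds the two coap-gateway settings discussed above
// (a constructed struct for this example, not plgd's own configuration type).
type Config struct {
	ClientCertificateRequired bool   // api.coap.tls.clientCertificateRequired
	DeviceIDClaim             string // api.coap.authorization.deviceIDClaim; "" means unset
}

// ErrUnauthorized stands in for the Unauthorized code the gateway returns
// before closing the connection.
var ErrUnauthorized = errors.New("unauthorized")

// deviceIDFromCertCN extracts the device ID from a certificate Common Name of
// the form "uuid:<deviceId>". The CN layout is an assumption of this example.
func deviceIDFromCertCN(cn string) (string, error) {
	const prefix = "uuid:"
	id := strings.TrimPrefix(cn, prefix)
	if id == cn || id == "" {
		return "", fmt.Errorf("%w: certificate CN %q carries no device ID", ErrUnauthorized, cn)
	}
	return id, nil
}

// ResolveDeviceID applies the rules from the text. certCN is the Common Name of
// the presented client certificate ("" when none was presented); claims is the
// decoded payload of an already signature-verified JWT.
func ResolveDeviceID(cfg Config, certCN string, claims map[string]interface{}) (string, error) {
	var fromCert, fromToken string

	if cfg.ClientCertificateRequired {
		if certCN == "" {
			return "", fmt.Errorf("%w: client certificate required but none presented", ErrUnauthorized)
		}
		id, err := deviceIDFromCertCN(certCN)
		if err != nil {
			return "", err
		}
		fromCert = id
	}

	if cfg.DeviceIDClaim != "" {
		v, ok := claims[cfg.DeviceIDClaim].(string)
		if !ok || v == "" {
			return "", fmt.Errorf("%w: token lacks claim %q", ErrUnauthorized, cfg.DeviceIDClaim)
		}
		fromToken = v
	}

	switch {
	case fromCert != "" && fromToken != "":
		// Both sources configured: certificate and token must agree.
		if fromCert != fromToken {
			return "", fmt.Errorf("%w: certificate device ID %q does not match token device ID %q",
				ErrUnauthorized, fromCert, fromToken)
		}
		return fromCert, nil
	case fromCert != "":
		return fromCert, nil
	case fromToken != "":
		return fromToken, nil
	default:
		// Neither source configured: not covered by the text; this example
		// rejects rather than guesses (assumption).
		return "", fmt.Errorf("%w: no device ID source configured", ErrUnauthorized)
	}
}

func main() {
	cfg := Config{ClientCertificateRequired: true, DeviceIDClaim: "https://example.com/deviceId"}
	// Constructed sample inputs: certificate CNs and the claims of one token.
	claims := map[string]interface{}{"https://example.com/deviceId": "7b1c9f0e-0000-4000-8000-000000000001"}
	for _, cn := range []string{"uuid:7b1c9f0e-0000-4000-8000-000000000001", "uuid:other-device", ""} {
		id, err := ResolveDeviceID(cfg, cn, claims)
		fmt.Printf("cn=%q -> id=%q err=%v\n", cn, id, err)
	}
}
```

The errors wrap ErrUnauthorized so a caller can map any of the failure paths to the single Unauthorized response the gateway sends, while the message still records which check failed for the gateway's own log.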
First, you need to create a rule at Auth pipeline->Rules with code:
```javascript
function (user, context, callback) {
  // Name of the custom claim coap-gateway will look for in the access token.
  var deviceIdClaim = 'https://<YOUR_DOMAIN>/deviceId';
  // Take the device ID from the device_id query parameter of the authorize request, if present.
  var deviceId = (context && context.request && context.request.query && context.request.query.device_id) || null;
  if (deviceId) {
    // Copy it into the access token as the custom claim.
    context.accessToken[deviceIdClaim] = deviceId;
  }
  return callback(null, user, context);
}
```
After that, if you call the authorize endpoint to obtain an authorization code for a device with the query parameter device_id=<deviceId>, and the device signs up with that code, the returned JWT access token will contain a deviceId claim like https://<YOUR_DOMAIN>/deviceId: <deviceId>.

For coap-gateway to validate the device ID claim, api.coap.authorization.deviceIDClaim must be set to https://<YOUR_DOMAIN>/deviceId.