The Identity Store service groups devices by an owner ID that is taken from a claim in the caller's JWT. The plgd API uses this value to identify the user and grants access only to the devices that owner has registered. By default the JWT claim sub is used as the owner ID, so when the plgd authorization service is connected to Auth0, each logged-in user can access only their own devices. This behaviour can be changed by setting the OWNER_CLAIM configuration property to a different claim and adding that custom claim to your Auth0 users.
1. Go to Users & Roles.
2. Find your user and edit their details.
3. Extend the user_metadata with a custom claim, e.g.

   {
     "tenant": "e3e0102d-a45b-5cb2-a22e-3a0410deb8d6"
   }

   Key: tenant, Value: * (any value that identifies the tenant)
4. Go to Rules and create a new one.
5. Copy and paste the function below, which adds the custom claim https://plgd.dev/tenant. The claim name is a URL because Auth0 only adds namespaced custom claims to issued tokens; a plain name such as tenant would be silently dropped.

   function addTenantToAccessToken(user, context, callback) {
     // Namespaced custom claim; non-namespaced names are dropped by Auth0.
     var tenantClaim = 'https://plgd.dev/tenant';
     // Prefer the tenant stored on the user, then fall back to the
     // application's client metadata; null if neither is set.
     var tenant = (user && user.user_metadata && user.user_metadata.tenant) ||
                  (context && context.clientMetadata && context.clientMetadata.tenant) ||
                  null;
     if (tenant) {
       // Copy the tenant into the access token (read by plgd) and the ID token.
       context.accessToken[tenantClaim] = tenant;
       context.idToken[tenantClaim] = tenant;
     }
     // A user without a tenant gets tokens without the claim (see the note below).
     return callback(null, user, context);
   }
Once the rule is active, Auth0 adds the custom claim https://plgd.dev/tenant to every access token it issues, and that claim groups users together with "their" devices. With OWNER_CLAIM set to https://plgd.dev/tenant, devices are no longer owned by a single user but by the tenant: every user whose token carries tenant A can access all devices registered under tenant A.
If the OWNER_CLAIM configuration property is changed, every user's access token must carry that claim; a token without it cannot be mapped to an owner, so the user has no devices at all. Note also that the rule above reads the tenant from user_metadata, which Auth0 documents as data a logged-in user may be allowed to edit through the Management API; Auth0 reserves app_metadata for access-control data that users cannot change, so if a user must not be able to choose their own tenant, store the value there and adjust the rule accordingly.