Re: Issue JWT Token to EdgeX service


Hi Jihun,

On Tue, Apr 10, 2018 at 8:24 AM, Jihun Ha <jihun.ha@...> wrote:

> Hello, Mr. Draskovic.
>
> I've read your proposed EdgeX auth service document and have a few questions on that:

> What if EdgeX services on different devices need to communicate with each other WITHOUT any user's interaction?
All the flow described in the doc happens without human interaction.

> According to your proposal, the service on the client side should have its JWT token and send it to the peer service. That means, it sounds like the client service should get a JWT token through a login procedure.
No - this token is a permanent bearer token (a key) that is flashed
into the device firmware in the factory. Note that the expiration time for
these kinds of tokens is usually set to never expire, in order to
simulate a simple bearer token (although refreshing a token is also a
possible scenario, if the server supports this feature).

JWT token can also be revoked (if server supports), or/and replaced if
the device's firmware supports this operation.

> But it is hard for me to imagine how a service can log in to the Auth service to get a JWT token without any user's input. It is because I think it is very hard to put an account/password into every single service to get its own JWT token.
No need for login or any user accounts: the device just presents its key
(JWT token), and if the token is valid we authenticate the device (we let
requests from this device pass into the system).

> Is there any way for an EdgeX service to get a JWT token or something for service authentication without a user's account and password? Or should another authentication method like certificate-based authentication be used in the case of service authentication?
Certificate-based auth is complex because you would need to maintain
PKI infrastructure on the server side. Simple bearer tokens (in this
case JWT) are much simpler.

Best regards,
Mainflux Author and Technical Advisor | Industrial IoT Cloud
Engineering Division | Paris, France

Twitter: @draskodraskovic
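The flow Drasko describes (a non-expiring HS256 JWT provisioned into the device, presented on every request, validated and optionally revoked on the server) as an added, self-contained example in Go. This is illustrative code written for this page, not code from Mainflux or EdgeX; it assumes a single shared HMAC key between factory and server, a revocation set keyed by the token's `jti` claim, and the hypothetical names `Issue`, `Verifier`, `Verify` and `ForgeUnsigned`. The key and device identifiers are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims carried by a device token. With no "exp" the token behaves like a
// static bearer key, as in the thread; "jti" gives the server a handle to
// revoke it without touching the device firmware.
type Claims struct {
	Sub string `json:"sub"`           // device identity
	Jti string `json:"jti"`           // unique token ID, used for revocation
	Iat int64  `json:"iat"`           // issued-at, Unix seconds
	Exp int64  `json:"exp,omitempty"` // 0 means "never expires"
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 signs "header.payload" with the shared key (JWS HS256).
func hs256(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// Issue builds the JWT that would be flashed into the device at the factory.
func Issue(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + hs256(key, input), nil
}

// Verifier is the server side: shared key, revocation set keyed by jti, and
// the current time (injected so the check is deterministic in tests).
type Verifier struct {
	Key     []byte
	Revoked map[string]bool
	Now     int64
}

// Verify authenticates a device from its bearer token. The algorithm is
// pinned to HS256 before the signature is checked, so a forged "alg":"none"
// token is rejected; expiry (if set) and revocation are applied afterwards.
func (v *Verifier) Verify(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "HS256" {
		return c, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	want := hs256(v.Key, parts[0]+"."+parts[1])
	if subtle.ConstantTimeCompare([]byte(want), []byte(parts[2])) != 1 {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Exp != 0 && v.Now >= c.Exp {
		return c, errors.New("token expired")
	}
	if v.Revoked[c.Jti] {
		return c, errors.New("token revoked")
	}
	return c, nil
}

// ForgeUnsigned builds an unsigned "alg":"none" token for the same claims,
// the classic forgery a lax verifier would accept.
func ForgeUnsigned(c Claims) string {
	payload, _ := json.Marshal(c)
	return b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64(payload) + "."
}

func main() {
	key := []byte("factory-shared-secret") // constructed demo key, not a real secret
	tok, _ := Issue(key, Claims{Sub: "edgex-device-01", Jti: "dev01-key-1", Iat: 1523341440})
	v := &Verifier{Key: key, Revoked: map[string]bool{}, Now: 1700000000}
	fmt.Println(v.Verify(tok))                                        // accepted
	v.Revoked["dev01-key-1"] = true                                   // operator revokes the key
	fmt.Println(v.Verify(tok))                                        // token revoked
	fmt.Println(v.Verify(ForgeUnsigned(Claims{Sub: "edgex-device-01"}))) // unsupported alg
}
```

Two points the thread leaves implicit: because the token never expires, the `jti` revocation set is the only way to cut off a compromised device, so the server must keep and consult it on every request; and because the signature proves knowledge of a key shared by all issuing and verifying parties, the check must reject any header that is not the expected algorithm, otherwise an attacker who can only read a token can forge arbitrary claims.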
