Versions Compared

Version Old Version 22 New Version Current
Changes made by

Jeff Slavin (Unlicensed)

Akash Sharma

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The JWT must be passed in the CONNECT message’s password field when creating an MQTT client. A JWT must be included in each HTTP request’s header when connecting over HTTP.

Creating JWTs

JWTs have three sections: a header, payload (containing a claim set), and signature sections. The header and payload are JSON objects, serialized to UTF-8 bytes, then encoded using base64url encoding. ClearBlade has strict JWT base64url encoding requirements, unlike Google.

...

  • JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This is expressed as RS256 in the JWT header’s alg field in the JWT header.

  • JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the JWT header’s alg field in the JWT header.

In addition to the signing algorithm, you must supply the JWT token format.

...

Name

Description

Required for

iat

Issued at: The timestamp when the token was created, specified as seconds since 00:00:00 UTC, January 1, 1970. The server may report an error if this timestamp is too far in the past or future (allowing 10 minutes for skew).

MQTT, HTTP

exp

Expiration: The timestamp when the token stops being valid, specified as seconds since 00:00:00 UTC, January 1, 1970. The token’s maximum lifetime is 24 hours + skew.

  • The server will close all MQTT connections a few seconds after the token expires (allowing for skew) because MQTT cannot refresh credentials. A new token must be minted to reconnect. Because of the allowed skew, in practice, the token’s minimum lifetime will be equal to the acceptable clock skew, even if set to one second.
    For example, if a device sets its JWT’s exp to 01:10:20 UTC and skew is 10 minutes (current setting in IoT Core), then the server will disconnect the device at 01:20:20 UTC.

  • When connecting over HTTP, each HTTP request must include a JWT, regardless of expiration time.

  • Clients in Network Time Protocol (NTP)-capable devices can use the Google Public NTP Server to keep the device clock synchronized; the authentication requirement is to keep the clock synchronized with an up to 10-minute skew.

MQTT, HTTP

aud

Audience: This must be a single string containing the cloud project ID where the device is registered. The authentication will only be allowed with further analysis if the connection request matches this project ID.

MQTT

sk

System key: This must be a single string containing the ClearBlade registry’s system key. This can be obtained by clicking the API keys button (key icon) at the top-right of the ClearBlade Registry Details page.

HTTP

uid

User ID: This must be a single string containing the deviceId.

HTTP

ut

User type: This must be an integer hard-coded to value 3.

HTTP

...

Code Block
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJteS1wcm9qZWN0IiwiZXhwIjoxNTA5NjUwODAxLCJpYXQiOjE1MDk2NTQ0MDF9.F4iKO0R0wvHkpCcQoyrYttdGxE5FLAgDhbTJQLEHIBPsbL2WkLxXB9IGbDESn9rE7oxn89PJFRtcLn7kJwvdQkQcsPxn2RQorvDAnvAi1w3k8gpxYWo2DYJlnsi7mxXDqSUCNm1UCLRCW68ssYJxYLSg7B1xGMgDADGyYPaIx1EdN4dDbh-WeDyLLa7a8iWVBXdbmy1H3fEuiAyxiZpk2ll7DcQ6ryyMrU2XadwEr9PDqbLe5SrlaJsQbFi8RIdlQJSo_DZGOoAlA5bYTDYXb-skm7qvoaH5uMtOUb0rjijYuuxhNZvZDaBerEaxgmmlO0nQgtn12KVKjmKlisG79Q

...

Expiration of JWTs

As described in Required claims, tokens Tokens have expiration dates. If a device is connected over MQTT and its token expires, it automatically disconnects from ClearBlade IoT Core. You can prevent the device from disconnecting by automatically refreshing its token.