Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

To authenticate to ClearBlade IoT Core, each device must prepare a JSON Web Token (JWT, RFC 7519). JWTs are used for short-lived authentication between devices and the MQTT or HTTP bridges. This page describes the ClearBlade IoT Core requirements for the JWT’s contents.

ClearBlade IoT Core does not require a specific token generation method. Helper client libraries can be found on JWT.io.

When creating an MQTT client, the JWT must be passed in the CONNECT message’s password field. When connecting over HTTP, a JWT must be included in each HTTP request’s header.

Creating JWTs

JWTs have three sections: a header, payload (containing a claim set), and signature. The header and payload are JSON objects, serialized to UTF-8 bytes, then encoded using base64url encoding.

The JWT's header, payload, and signature are concatenated with periods (.). As a result, a JWT typically takes the following form:

{Base64url encoded header}.{Base64url encoded payload}.{Base64url encoded signature}

JWT header

The JWT header consists of two fields that indicate the signing algorithm and token type. Both fields are mandatory, and each field has only one value. ClearBlade IoT Core supports the following signing algorithms:

  • JWT RS256 (RSASSA-PKCS1-v1_5 using SHA-256 RFC 7518 sec 3.3). This is expressed as RS256 in the alg field in the JWT header.

  • JWT ES256 (ECDSA using P-256 and SHA-256 RFC 7518 sec 3.4), defined in OpenSSL as the prime256v1 curve. This is expressed as ES256 in the alg field in the JWT header.

In addition to the signing algorithm, you must supply the JWT token format.

The header’s JSON representation is as follows:

For RSA keys:

{ "alg": "RS256", "typ": "JWT" }

For Elliptic Curve keys:

{ "alg": "ES256", "typ": "JWT" }

The header’s algorithm must match at least one of the public keys registered for the device.

Note: The JWT header differs from the HTTP header (if you're connecting over HTTP).

JWT claims

The JWT payload contains a set of claims, and it is signed using asymmetric keys. The JWT claim set includes information on the JWT, such as the token’s target, the issuer, the issued token time, and the token’s lifetime. Like the JWT header, the JWT claim set is a JSON object used in calculating the signature.

Required claims

ClearBlade IoT Core requires the following reserved claim fields. They may appear in any order in the claim set.

Name

Description

iat

("Issued At"): The timestamp when the token was created, specified as seconds since 00:00:00 UTC, January 1, 1970. The server may report an error if this timestamp is too far in the past or future (allowing 10 minutes for skew).

exp

("Expiration"): The timestamp when the token stops being valid, specified as seconds since 00:00:00 UTC, January 1, 1970. The maximum lifetime of a token is 24 hours + skew.

  • The server will close all MQTT connections a few seconds after the token expires (allowing for skew) because MQTT does not have a way to refresh credentials. A new token must be minted to reconnect. Because of the allowed skew, in practice, the minimum lifetime of a token will be equal to the acceptable clock skew, even if it is set to one second.

  • When connecting over HTTP, each HTTP request must include a JWT, regardless of expiration time.

  • Clients in Network Time Protocol (NTP)-capable devices can use the Google Public NTP Server to keep the device clock synchronized; the requirement for authentication is to keep the clock synchronized with a skew of up to 10 minutes.

aud

("Audience"): This must be a single string containing the cloud project ID where the device is registered. If the connection request does not match this project ID, the authentication will be denied without further analysis.

The nbf("Not Before") claim will be ignored and is not required.

A JSON representation of the required reserved fields in a ClearBlade IoT Core JWT claim set is shown below:

{
  "aud": "my-project",
  "iat": 1509654401,
  "exp": 1612893233
}

JWT signature

The JSON Web Signature (JWS) specification guides the mechanics of generating the signature for the JWT. The input for the signature is the following content’s byte array:

{Base64url encoded header}.{Base64url encoded claim set}

To compute the signature, sign the base64url-encoded header, base64-url encoded claim set, and a secret key (such as a rsa_private.pem file) using the algorithm you defined in the header. The signature is then base64url-encoded, and the result is the JWT. The following example shows a JWT before base64url encoding:

{"alg": "RS256", "typ": "JWT"}.{"aud": "my-project", "iat": 1509654401, "exp": 1612893233}.[signature bytes]

After the final encoding, the JWT looks like the following:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJteS1wcm9qZWN0IiwiZXhwIjoxNTA5NjUwODAxLCJpYXQiOjE1MDk2NTQ0MDF9.F4iKO0R0wvHkpCcQoyrYttdGxE5FLAgDhbTJQLEHIBPsbL2WkLxXB9IGbDESn9rE7oxn89PJFRtcLn7kJwvdQkQcsPxn2RQorvDAnvAi1w3k8gpxYWo2DYJlnsi7mxXDqSUCNm1UCLRCW68ssYJxYLSg7B1xGMgDADGyYPaIx1EdN4dDbh-WeDyLLa7a8iWVBXdbmy1H3fEuiAyxiZpk2ll7DcQ6ryyMrU2XadwEr9PDqbLe5SrlaJsQbFi8RIdlQJSo_DZGOoAlA5bYTDYXb-skm7qvoaH5uMtOUb0rjijYuuxhNZvZDaBerEaxgmmlO0nQgtn12KVKjmKlisG79Q

Refreshing JWTs

As described in required claims, tokens have expiration dates. If a device is connected over MQTT and its token expires, it automatically disconnects from ClearBlade IoT Core. You can prevent the device from disconnecting by automatically refreshing its token.

  • No labels