Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Another proposal for sensors authentication

10 views

Skip to first unread message

Fernando Jiménez Moreno

unread,

Sep 12, 2016, 6:01:35 AM9/12/16

to mozilla-de...@lists.mozilla.org

Hello,

I draw a new diagram [1] to illustrate a simpler authentication flow for sensors.

For this authentication flow, the SensorWeb client needs to get an API key and API secret by an external mechanism outside of the scope of this flow. For now, it can be an offline and manual process. 3rd party devs can contact us directly in order to register new clients.

In this model, sensors will authenticate themselves with a bearer token (a signed JWT [2]) that they will get as part of its registration process. Each token will be unique per sensor and it will link it to the specific API client.

The registration flow for a new sensor would be something like:

1. With an API key and secret a SensorWeb client can start a sensor registration flow by requesting a registration token to the SensorWeb server. This request needs to be authenticated with a JWT containing the client's API key in its claims and signed with the client's API secret.

2. If the server receives a valid request, it will generate a signed registration token with a short TTL (i.e. 15 min) and scope sensor:air:register. Where "air" is the type of sensor to register. I'm not so sure about the scopes namespacing yet as this depends on how we design the rest of the API, but I guess you can get the idea.

3. During the first run or during the setup process, the sensor station will have to generate a unique device ID. The SensorWeb client will get this device ID from the sensor station.

4. With the device ID and the registration token, the SensorWeb client can make an authenticated registration request to the SensorWeb server.

5. If the registration request is valid, the server will register the device with the given device ID and will generate a new signed JWT with unlimited TTL and with claims like { clientId: clientId, deviceId: deviceId, scope: sensor:air:post, ... }.

6. With this JWT, sensor stations can post data by making authenticated requests with a header like:

{ "Authorization": "Bearer <jwt>" }

The whole flow obviously relies on TLS.

What do you think?

Cheers,

/ Fernando

[1] https://www.gliffy.com/go/publish/image/11083803/L.png
[2] https://jwt.io/

0 new messages