
Authentication Policy

During interactions with the Arrowhead Core and Support systems, every client must prove its identity by supplying the identity info that the policy in force calls for; the Core or Support system then authenticates the client from that identity info.

Three authentication policies are offered: declared, certificate and outsourced.

Which policy is in force depends on how the Core and Support systems are configured; see the authentication.policy configuration property under the general configurations.

Policies

declared

Under the declared authentication policy no real identity verification takes place: the Core and Support systems simply accept the identity claimed by the application system. This policy is not recommended for production environments.

Applicable to HTTP and MQTT interface protocols.

certificate

Under the certificate authentication policy the application system must present its client-side system profile certificate. The issuer and the identity-related content of the certificate are verified during every interaction with the Arrowhead Core and Support systems.

Applicable to HTTP and MQTT interface protocols.

outsourced

Under the outsourced authentication policy an identity service must be provided by a core/support system within the Local Cloud. This dedicated system can be the official Authentication Core System or any third-party solution that implements this service.

The credentials needed to authenticate and join the Local Cloud depend on the authentication method behind the identity service, but the outcome is always an identity token (optionally with an expiration time) that the authenticated system must then use to prove its identity when interacting with the Arrowhead Core and Support systems.

Interactions between consumers and providers must never carry identity tokens: the token is a bearer credential, so anyone who obtains it can impersonate the system. Identity tokens should only be shared with the trusted Arrowhead Core and Support systems.

Applicable to HTTP and MQTT interface protocols.

Usage

HTTP

declared-http

The declared identity info is the unique system name itself that must be present in the HTTP Authorization request header according to the following scheme:

Bearer SYSTEM//<system-name>

Example:

curl -X 'DELETE' \
  'http://localhost:8443/serviceregistry/system-discovery/revoke' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer SYSTEM//temperature-consumer1'

certificate-http

The certificate identity info is carried in the client certificate, which must be attached to the HTTPS request, i.e. presented as the client certificate during the TLS handshake rather than sent in a header.

Example:

curl -X 'DELETE' \
  'https://localhost:8443/serviceregistry/system-discovery/revoke' \
  -H 'accept: */*' \
  --cert my-cert.p12 --cert-type P12 --pass 123456

outsourced-http

The outsourced identity info is a string token generated by a dedicated Core or Support system and obtained as a result of a successful authentication attempt. This token must be present in the HTTP Authorization request header according to the following scheme:

Bearer IDENTITY-TOKEN//<token>

Example:

curl -X 'DELETE' \
  'http://localhost:8443/serviceregistry/system-discovery/revoke' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer IDENTITY-TOKEN//3d7b084d-1259-4a04-8789-880b7da3a530'

MQTT

declared-mqtt

The declared identity info is the unique system name itself, which must be present in the authentication field of the MqttRequestTemplate according to the following scheme:

SYSTEM//<system-name>

Example:

Topic: arrowhead/serviceregistry/system-discovery/revoke

{
   "traceId":"abc123",
   "authentication":"SYSTEM//temperature-consumer1",
   "responseTopic":"my/response/topic",
   "qosRequirement":2
}

certificate-mqtt

The certificate identity info is carried in the client certificate, which must be placed in the authentication field of the MqttRequestTemplate as the Base64 encoding of the whole PEM text, header and footer lines included (the LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t prefix in the example below decodes to -----BEGIN CERTIFICATE-----).

Example:

Topic: arrowhead/serviceregistry/system-discovery/revoke

{
   "traceId":"abc123",
   "authentication":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUgvVENDQmVXZ0...",
   "responseTopic":"my/response/topic",
   "qosRequirement":2
}

outsourced-mqtt

The outsourced identity info is a string token generated by a dedicated Core or Support system and obtained as a result of a successful authentication attempt. This token must be present in the authentication field of the MqttRequestTemplate according to the following scheme:

IDENTITY-TOKEN//<token>

Example:

Topic: arrowhead/serviceregistry/system-discovery/revoke

{
   "traceId":"abc123",
   "authentication":"IDENTITY-TOKEN//3d7b084d-1259-4a04-8789-880b7da3a530",
   "responseTopic":"my/response/topic",
   "qosRequirement":2
}
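The Python module below is an added illustration of the HTTP and MQTT usage sections above and of the outsourced policy's token lifecycle; it is not Arrowhead project code. It builds the identity info a client puts in the HTTP Authorization header or the MQTT authentication field for each policy, and shows the check a Core or Support system would make on the receiving side: only the form the configured policy expects is accepted, a SYSTEM// claim is refused when tokens are required, and an expired identity token is dropped rather than honoured. Only the SYSTEM// and IDENTITY-TOKEN// schemes, the Bearer prefix and the Base64-of-PEM rule come from the page; the function names, the IdentityTokenStore (a stand-in for whatever identity service issues tokens), the TTL handling and the five-byte DER blob wrapped in PEM armor are this example's own assumptions.

```python
"""Encoding and core-side checking of Arrowhead identity info (added example, not
Arrowhead project code; only SYSTEM//, IDENTITY-TOKEN//, the Bearer prefix and the
Base64-of-PEM rule come from the documentation, the rest is this example's assumption)."""
import base64
import secrets
import time

SYSTEM_PREFIX = "SYSTEM//"
TOKEN_PREFIX = "IDENTITY-TOKEN//"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


class AuthError(Exception):
    """Identity info rejected: wrong form for the policy in force, or bad/expired token."""


def mqtt_authentication(policy, value):
    """Value of the `authentication` field of an MqttRequestTemplate."""
    if policy == "declared":
        return SYSTEM_PREFIX + value            # value: the system name
    if policy == "outsourced":
        return TOKEN_PREFIX + value             # value: the issued identity token
    if policy == "certificate":                 # value: the whole PEM text, Base64-encoded
        return base64.b64encode(value.encode("ascii")).decode("ascii")
    raise ValueError(f"unknown policy {policy!r}")


def http_authorization(policy, value):
    """Value of the HTTP Authorization header; certificate-http uses the TLS client cert instead."""
    if policy == "certificate":
        raise ValueError("certificate-http: present the client certificate in the TLS handshake")
    return "Bearer " + mqtt_authentication(policy, value)


class IdentityTokenStore:
    """Stand-in (assumption) for the identity service behind the outsourced policy."""
    def __init__(self):
        self._tokens = {}                       # token -> (system_name, expires_at or None)

    def issue(self, system_name, ttl_seconds=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # unguessable, as any bearer credential must be
        expires = None if ttl_seconds is None else now + ttl_seconds
        self._tokens[token] = (system_name, expires)
        return token, expires

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        system_name, expires = self._tokens.get(token, (None, None))
        if system_name is not None and expires is not None and now >= expires:
            del self._tokens[token]             # expired tokens are dropped, never honoured
            return None
        return system_name


def parse_identity_info(policy, value, store=None, now=None):
    """Core-side check: accept only the identity-info form the configured policy expects.
    The certificate policy is not a string claim and is handled from the certificate itself."""
    if value.startswith("Bearer "):             # HTTP header value; the MQTT field has no prefix
        value = value[len("Bearer "):]
    if policy == "declared":
        name = value[len(SYSTEM_PREFIX):]
        if not value.startswith(SYSTEM_PREFIX) or not name:
            raise AuthError("declared policy expects SYSTEM//<system-name>")
        return ("declared", name)
    if policy == "outsourced":
        if not value.startswith(TOKEN_PREFIX):  # a bare SYSTEM// claim must not pass here
            raise AuthError("outsourced policy expects IDENTITY-TOKEN//<token>")
        name = store.resolve(value[len(TOKEN_PREFIX):], now=now)
        if name is None:
            raise AuthError("unknown or expired identity token")
        return ("outsourced", name)
    raise ValueError(f"unsupported policy {policy!r}")


def rejects(policy, value, store=None, now=None):
    """True when parse_identity_info refuses the identity info (fail closed)."""
    try:
        parse_identity_info(policy, value, store=store, now=now)
        return False
    except AuthError:
        return True


def pem_text(der):
    """Wrap DER bytes in PEM armor (used here on a constructed blob, not a real certificate)."""
    return f"{PEM_BEGIN}\n{base64.b64encode(der).decode('ascii')}\n{PEM_END}\n"


def der_from_mqtt_field(field):
    """Undo the certificate-mqtt encoding: Base64 -> PEM text -> DER bytes."""
    pem = base64.b64decode(field, validate=True).decode("ascii")
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise AuthError("authentication field is not a Base64-encoded PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)
```

The receiving side deliberately keys on the configured policy first and the prefix second: a SYSTEM// name arriving at a system configured for outsourced authentication is an error, not a fallback, and the same parser serves both transports because the MQTT field is the HTTP header value without its Bearer prefix. For certificate-mqtt, der_from_mqtt_field only reverses the two encoding layers; extracting and verifying the subject and issuer from the resulting DER is left to an X.509 library.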