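<!DOCTYPE html>
<!-- lang takes a BCP 47 language tag; the page text is English ("1.2" is the documentation version, not a language). -->
<html lang="en" class="js csstransforms3d">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta name="generator" content="Hugo 0.81.0">
  <meta name="description" content="A set of micro-services for connecting millions of devices.">
  <meta name="author" content="The Eclipse Hono Project">

  <!-- Favicons and platform tile settings -->
  <link rel="apple-touch-icon" sizes="180x180" href="/hono/docs/favicon/apple-touch-icon.png">
  <link rel="icon" type="image/png" sizes="48x48" href="/hono/docs/favicon/favicon-48x48.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/hono/docs/favicon/favicon-32x32.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/hono/docs/favicon/favicon-16x16.png">
  <link rel="manifest" href="/hono/docs/favicon/site.webmanifest">
  <link rel="mask-icon" href="/hono/docs/favicon/safari-pinned-tab.svg" color="#5bbad5">
  <link rel="shortcut icon" href="/hono/docs/favicon/favicon.ico">
  <meta name="msapplication-TileColor" content="#da532c">
  <meta name="msapplication-config" content="/hono/docs/favicon/browserconfig.xml">
  <meta name="theme-color" content="#ffffff">

  <title>Authentication/Authorization :: Eclipse Hono&trade; Vers.: 1.2</title>

  <!-- Theme stylesheets, all served from the site's own /hono/docs/css/ path (the numeric query string is presumably a cache-busting build stamp). -->
  <link href="/hono/docs/css/nucleus.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/fontawesome-all.min.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/hybrid.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/featherlight.min.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/perfect-scrollbar.min.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/auto-complete.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/atom-one-dark-reasonable.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/theme.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/hugo-theme.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/theme-hono.css?1626138730" rel="stylesheet">
  <link href="/hono/docs/css/hono.css?1626138730" rel="stylesheet">

  <!-- NOTE(review): jQuery 3.3.1 is an old release; check it against the jQuery security advisories and update the bundled copy where the theme allows.
       Loaded synchronously in the head, so it is available to every script further down the page. -->
  <script src="/hono/docs/js/jquery-3.3.1.min.js?1626138730"></script>

  <!-- Hides the #rlblock_left element and the copy-to-clipboard button that follows inline (non-pre) code.
       NOTE(review): an inline style block has to be allowed explicitly (nonce or hash) once a Content-Security-Policy is applied. -->
  <style>
    :root #header + #content > #left > #rlblock_left{
      display:none !important;
    }
    :not(pre) > code + span.copy-to-clipboard {
      display: none;
    }
  </style>

  <!-- Cookie-consent stylesheet, referenced by absolute URL without an integrity attribute.
       NOTE(review): when this page is served from an origin other than www.eclipse.org, add integrity and crossorigin so that a modified file is rejected. -->
  <link rel="stylesheet" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/vendor/cookieconsent/cookieconsent.min.css">

  <!-- Social cards. The titles use &trade; once; the double-escaped form (&amp; followed by trade;) showed up as literal text in previews. -->
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@EclipseHono">
  <meta name="twitter:title" content="Authentication/Authorization :: Eclipse Hono&trade; Vers.: 1.2">
  <meta name="twitter:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png">
  <meta name="twitter:description" content="A set of micro-services for connecting millions of devices.">
  <meta property="og:title" content="Authentication/Authorization :: Eclipse Hono&trade; Vers.: 1.2">
  <meta property="og:type" content="website">
  <!-- Single trailing slash, matching the body's data-url for this page. -->
  <meta property="og:url" content="https://www.eclipse.org/hono/docs/1.2/architecture/auth/">
  <meta property="og:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png">
</head>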
<body class="" data-url="/hono/docs/1.2/architecture/auth/">
<nav id="sidebar" class="">
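<div id="header-wrapper">
  <div id="header">
    <a href="https://www.eclipse.org/hono/">
      <img src="/hono/docs/images/HONO-Logo_Bild-Wort_quer-w-310x120px.svg" alt="Hono logo" class="logo-img">
    </a>
  </div>
  <!-- Search box: the label holds only an icon, so aria-label gives the input its accessible name; the icons are hidden from assistive technology. -->
  <div class="searchbox">
    <label for="search-by"><i class="fas fa-search" aria-hidden="true"></i></label>
    <input data-search-input id="search-by" type="search" placeholder="Search..." aria-label="Search">
    <span data-search-clear=""><i class="fas fa-times" aria-hidden="true"></i></span>
  </div>
  <!-- Search scripts in load order: the two libraries, the global baseurl, then search.js.
       NOTE(review): search.js presumably reads baseurl to locate the search index; the value contains "docs//1.2" (double slash), so confirm the site configuration that generates it.
       The inline script has to be allowed explicitly (nonce or hash) once a Content-Security-Policy is applied. -->
  <script src="/hono/docs/js/lunr.min.js?1626138730"></script>
  <script src="/hono/docs/js/auto-complete.js?1626138730"></script>
  <script>
    var baseurl = "https:\/\/www.eclipse.org\/hono\/docs\/\/1.2";
  </script>
  <script src="/hono/docs/js/search.js?1626138730"></script>
</div>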
<div class="highlightable">
<!-- Sidebar topic tree: one top-level entry per documentation section, each listing its child pages.
     The Architecture entry carries the "parent" class and its Authentication/Authorization child the "active" class. -->
<ul class="topics">
  <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/" title="Concepts">
    <a href="/hono/docs/1.2/concepts/"> <i class="far fa-lightbulb"></i> Concepts </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/device-identity/" title="Device Identity">
        <a href="/hono/docs/1.2/concepts/device-identity/"> Device Identity </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/tenancy/" title="Multi-Tenancy">
        <a href="/hono/docs/1.2/concepts/tenancy/"> Multi-Tenancy </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/device-provisioning/" title="Device Provisioning">
        <a href="/hono/docs/1.2/concepts/device-provisioning/"> Device Provisioning </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/connecting-devices/" title="Connecting Devices">
        <a href="/hono/docs/1.2/concepts/connecting-devices/"> Connecting Devices </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/device-notifications/" title="Device Notifications">
        <a href="/hono/docs/1.2/concepts/device-notifications/"> Device Notifications </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/command-and-control/" title="Command &amp; Control">
        <a href="/hono/docs/1.2/concepts/command-and-control/"> Command &amp; Control </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/resource-limits/" title="Resource limits">
        <a href="/hono/docs/1.2/concepts/resource-limits/"> Resource limits </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/concepts/connection-events/" title="Connection Events">
        <a href="/hono/docs/1.2/concepts/connection-events/"> Connection Events </a>
      </li>
    </ul>
  </li>
  <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/" title="User Guide">
    <a href="/hono/docs/1.2/user-guide/"> <i class="fas fa-book-reader"></i> User Guide </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/device-registry/" title="Device Registry">
        <a href="/hono/docs/1.2/user-guide/device-registry/"> Device Registry </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/http-adapter/" title="HTTP Adapter">
        <a href="/hono/docs/1.2/user-guide/http-adapter/"> HTTP Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/mqtt-adapter/" title="MQTT Adapter">
        <a href="/hono/docs/1.2/user-guide/mqtt-adapter/"> MQTT Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/amqp-adapter/" title="AMQP Adapter">
        <a href="/hono/docs/1.2/user-guide/amqp-adapter/"> AMQP Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/coap-adapter/" title="CoAP Adapter">
        <a href="/hono/docs/1.2/user-guide/coap-adapter/"> CoAP Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/kura-adapter/" title="Kura Adapter">
        <a href="/hono/docs/1.2/user-guide/kura-adapter/"> Kura Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/sigfox-adapter/" title="Sigfox Adapter">
        <a href="/hono/docs/1.2/user-guide/sigfox-adapter/"> Sigfox Adapter </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/user-guide/jmeter_load_tests/" title="Load Tests with JMeter">
        <a href="/hono/docs/1.2/user-guide/jmeter_load_tests/"> Load Tests with JMeter </a>
      </li>
    </ul>
  </li>
  <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/" title="Admin Guide">
    <a href="/hono/docs/1.2/admin-guide/"> <i class="fas fa-sliders-h"></i> Admin Guide </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/common-config/" title="Common Configuration">
        <a href="/hono/docs/1.2/admin-guide/common-config/"> Common Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/auth-server-config/" title="Auth Server Configuration">
        <a href="/hono/docs/1.2/admin-guide/auth-server-config/"> Auth Server Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/device-registry-config/" title="Device Registry Configuration">
        <a href="/hono/docs/1.2/admin-guide/device-registry-config/"> Device Registry Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/device-connection-config/" title="Configuring the Device Connection Service">
        <a href="/hono/docs/1.2/admin-guide/device-connection-config/"> Device Connection Service Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/http-adapter-config/" title="HTTP Adapter Configuration">
        <a href="/hono/docs/1.2/admin-guide/http-adapter-config/"> HTTP Adapter Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/amqp-adapter-config/" title="AMQP Adapter Configuration">
        <a href="/hono/docs/1.2/admin-guide/amqp-adapter-config/"> AMQP Adapter Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/mqtt-adapter-config/" title="MQTT Adapter Configuration">
        <a href="/hono/docs/1.2/admin-guide/mqtt-adapter-config/"> MQTT Adapter Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/kura-adapter-config/" title="Kura Adapter Configuration">
        <a href="/hono/docs/1.2/admin-guide/kura-adapter-config/"> Kura Adapter Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/hono-client-configuration/" title="Hono Client Configuration">
        <a href="/hono/docs/1.2/admin-guide/hono-client-configuration/"> Hono Client Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/amqp-network-config/" title="AMQP 1.0 Messaging Network Configuration">
        <a href="/hono/docs/1.2/admin-guide/amqp-network-config/"> AMQP 1.0 Messaging Network Configuration </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/secure_communication/" title="Secure Communication">
        <a href="/hono/docs/1.2/admin-guide/secure_communication/"> Secure Communication </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/admin-guide/monitoring-tracing-config/" title="Monitoring &amp; Tracing">
        <a href="/hono/docs/1.2/admin-guide/monitoring-tracing-config/"> Monitoring &amp; Tracing </a>
      </li>
    </ul>
  </li>
  <li class="dd-item" data-nav-id="/hono/docs/1.2/dev-guide/" title="Developer Guide">
    <a href="/hono/docs/1.2/dev-guide/"> <i class="fas fa-tools"></i> Developer Guide </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/dev-guide/building_hono/" title="Building from Source">
        <a href="/hono/docs/1.2/dev-guide/building_hono/"> Building from Source </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/dev-guide/amqp_adapter_client/" title="AMQP Adapter Client for Java">
        <a href="/hono/docs/1.2/dev-guide/amqp_adapter_client/"> AMQP Adapter Client for Java </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/dev-guide/java_client_consumer/" title="Consuming Messages from Java">
        <a href="/hono/docs/1.2/dev-guide/java_client_consumer/"> Consuming Messages from Java </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/dev-guide/custom_http_adapter/" title="Implement a Custom Hono HTTP Protocol Adapter">
        <a href="/hono/docs/1.2/dev-guide/custom_http_adapter/"> Implement a Custom Hono HTTP Protocol Adapter </a>
      </li>
    </ul>
  </li>
  <li class="dd-item" data-nav-id="/hono/docs/1.2/api/" title="API">
    <a href="/hono/docs/1.2/api/"> &nbsp;<i class="fas fa-plug"></i>&nbsp;API </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/telemetry/" title="Telemetry API Specification">
        <a href="/hono/docs/1.2/api/telemetry/"> Telemetry API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/event/" title="Event API Specification">
        <a href="/hono/docs/1.2/api/event/"> Event API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/command-and-control/" title="Command &amp; Control API Specification">
        <a href="/hono/docs/1.2/api/command-and-control/"> Command &amp; Control API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/tenant/" title="Tenant API Specification">
        <a href="/hono/docs/1.2/api/tenant/"> Tenant API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/device-connection/" title="Device Connection API Specification">
        <a href="/hono/docs/1.2/api/device-connection/"> Device Connection API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/device-registration/" title="Device Registration API Specification">
        <a href="/hono/docs/1.2/api/device-registration/"> Device Registration API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/credentials/" title="Credentials API Specification">
        <a href="/hono/docs/1.2/api/credentials/"> Credentials API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/authentication/" title="Authentication API Specification">
        <a href="/hono/docs/1.2/api/authentication/"> Authentication API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/management/" title="Device Registry Management API Specification">
        <a href="/hono/docs/1.2/api/management/"> Device Registry Management API </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/api/metrics/" title="Metrics">
        <a href="/hono/docs/1.2/api/metrics/"> Metrics </a>
      </li>
    </ul>
  </li>
  <li class="dd-item" data-nav-id="/hono/docs/1.2/deployment/" title="Deployment">
    <a href="/hono/docs/1.2/deployment/"> <i class="fas fa-shipping-fast"></i> Deployment </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/deployment/helm-based-deployment/" title="Helm based Deployment">
        <a href="/hono/docs/1.2/deployment/helm-based-deployment/"> Helm based Deployment </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/deployment/openshift/" title="OpenShift / OKD">
        <a href="/hono/docs/1.2/deployment/openshift/"> OpenShift / OKD </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/deployment/create-kubernetes-cluster/" title="Setting up a Kubernetes Cluster">
        <a href="/hono/docs/1.2/deployment/create-kubernetes-cluster/"> Setting up a Kubernetes Cluster </a>
      </li>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/deployment/resource-limitation/" title="Limiting Resource Usage">
        <a href="/hono/docs/1.2/deployment/resource-limitation/"> Limiting Resource Usage </a>
      </li>
    </ul>
  </li>
  <li class="dd-item parent" data-nav-id="/hono/docs/1.2/architecture/" title="Architecture">
    <a href="/hono/docs/1.2/architecture/"> <i class="fas fa-landmark"></i> Architecture </a>
    <ul>
      <li class="dd-item" data-nav-id="/hono/docs/1.2/architecture/component-view/" title="Component View">
        <a href="/hono/docs/1.2/architecture/component-view/"> Component View </a>
      </li>
      <li class="dd-item active" data-nav-id="/hono/docs/1.2/architecture/auth/" title="Authentication/Authorization">
        <a href="/hono/docs/1.2/architecture/auth/"> Authentication/Authorization </a>
      </li>
    </ul>
  </li>
</ul>
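<!-- Shortcut links to the project home page and the getting-started guide. -->
<section id="shortcuts">
  <!-- The heading is empty in the generated page; aria-hidden keeps assistive technology from announcing an empty heading. -->
  <h3 aria-hidden="true"></h3>
  <ul>
    <li>
      <a class="padding" href="https://www.eclipse.org/hono/" title="Hono&#39;s Homepage"><i class="fas fa-home" aria-hidden="true"></i> Hono Home</a>
    </li>
    <li>
      <a class="padding" href="https://www.eclipse.org/hono/getting-started/" title="Getting started with Eclipse Hono"><i class="fas fa-plane-departure" aria-hidden="true"></i> Getting Started</a>
    </li>
  </ul>
</section>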
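<!-- Version switcher: choosing an option navigates to the same page in another documentation version. -->
<section id="prefooter">
  <hr>
  <ul>
    <li>
      <div id="select-box-wrapper">
        <div id="select-box">
          <!-- NOTE(review): an <a> may not contain interactive content such as <select>; the wrapper is kept because the theme's styling may depend on it (confirm before replacing it with a <span>). -->
          <a class="padding">
            Version:&nbsp;
            <div class="select-style">
              <!-- The option values are fixed URLs on www.eclipse.org, so the navigation target is not taken from user input.
                   The inline onchange handler cannot run under a Content-Security-Policy that disallows inline script; binding the handler from a script file would remove that constraint.
                   aria-label names the control for assistive technology, since "Version:" is not a <label>. -->
              <select id="select-language" onchange="location = this.value;" aria-label="Documentation version">
                <option id="stable" value="https://www.eclipse.org/hono/docs/architecture/auth/">stable (1.8)</option>
                <option id="1.8" value="https://www.eclipse.org/hono/docs/1.8/architecture/auth/">1.8</option>
                <option id="1.7" value="https://www.eclipse.org/hono/docs/1.7/architecture/auth/">1.7</option>
                <option id="1.6" value="https://www.eclipse.org/hono/docs/1.6/architecture/auth/">1.6</option>
                <option id="1.5" value="https://www.eclipse.org/hono/docs/1.5/architecture/auth/">1.5</option>
                <option id="1.4" value="https://www.eclipse.org/hono/docs/1.4/architecture/auth/">1.4</option>
                <option id="1.3" value="https://www.eclipse.org/hono/docs/1.3/architecture/auth/">1.3</option>
                <option id="1.2" value="https://www.eclipse.org/hono/docs/1.2/architecture/auth/" selected>1.2</option>
                <option id="1.1" value="https://www.eclipse.org/hono/docs/1.1/architecture/auth/">1.1</option>
                <option id="1.0" value="https://www.eclipse.org/hono/docs/1.0/architecture/auth/">1.0</option>
                <option id="dev" value="https://www.eclipse.org/hono/docs/dev/architecture/auth/">dev</option>
              </select>
              <!-- Decorative drop-down arrow, hidden from assistive technology. -->
              <svg version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
                   width="255px" height="255px" viewBox="0 0 255 255" style="enable-background:new 0 0 255 255;" xml:space="preserve"
                   aria-hidden="true" focusable="false">
                <g>
                  <g id="arrow-drop-down">
                    <polygon points="0,63.75 127.5,191.25 255,63.75 " />
                  </g>
                </g>
              </svg>
            </div>
          </a>
        </div>
      </div>
    </li>
  </ul>
</section>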
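<!-- Sidebar footer: copyright, build credits and the Eclipse Foundation logo.
     Links that open a new tab carry rel="noopener noreferrer" so the opened page gets no window.opener handle and no Referer header. -->
<section id="footer">
  <p>&copy; 2021 <a href="https://www.eclipse.org/hono/">The Eclipse Hono Project</a></p>
  <p>
    Documentation built with
    <a href="https://gohugo.io/" target="_blank" rel="noopener noreferrer">Hugo</a>
    using the
    <a href="https://github.com/matcornic/hugo-theme-learn" target="_blank" rel="noopener noreferrer">Learn</a> theme.
  </p>
  <div class="eclipse-logo">
    <a href="https://www.eclipse.org" target="_blank" rel="noopener noreferrer">
      <!-- The image is the only content of the link, so its alt text names the link. -->
      <img src="https://www.eclipse.org/hono/docs/images/eclipse_foundation_logo.svg" alt="Eclipse Foundation">
    </a>
  </div>
</section>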
</div>
</nav>
<section id="body">
<!-- Overlay element; it has no content in the markup. -->
<div id="overlay"></div>
<!-- Banner telling readers that this page documents version 1.2 and linking to the current stable documentation. -->
<div class="old-version-hint">
  <p>
    This page refers to version <em>1.2</em>.
    You might want to use the <a href="https://www.eclipse.org/hono/docs/">current stable</a> version.
  </p>
</div>
<div class="padding highlightable">
<div>
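<!-- Top bar: "Edit this page" link, sidebar toggle, breadcrumb trail and the in-page table of contents. -->
<div id="top-bar">
  <div id="top-github-link">
    <!-- target="_blank" opens a new tab (the original value "blank" named a reusable window instead);
         rel="noopener noreferrer" keeps the opened page from getting a window.opener handle. -->
    <a class="github-link" href="https://github.com/eclipse/hono/edit/master/site/documentation/content/architecture/auth/index.md" target="_blank" rel="noopener noreferrer" title="Edit this page">
      <i class="fas fa-code-branch" aria-hidden="true"></i>
      <span id="top-github-link-text">Edit this page</span>
    </a>
  </div>
  <div id="breadcrumbs" itemscope="" itemtype="http://data-vocabulary.org/Breadcrumb">
    <span id="sidebar-toggle-span">
      <!-- Icon-only control: aria-label supplies its accessible name. -->
      <a href="#" id="sidebar-toggle" data-sidebar-toggle="" aria-label="Toggle sidebar">
        <i class="fas fa-bars" aria-hidden="true"></i>
      </a>
    </span>
    <span id="toc-menu"><i class="fas fa-list-alt" aria-hidden="true"></i></span>
    <span class="links">
      <!-- The separators are written as &gt; rather than a raw ">" in text. -->
      <a href="/hono/docs/1.2/">Documentation</a> &gt; <a href="/hono/docs/1.2/architecture/">Architecture</a> &gt; Authentication/Authorization
    </span>
  </div>
  <div class="progress">
    <div class="wrapper">
      <nav id="TableOfContents">
        <ul>
          <li><a href="#requirements">Requirements</a></li>
          <li><a href="#how-it-works-today">How it works today</a>
            <ul>
              <li><a href="#device-auth">Device Auth</a></li>
              <li><a href="#system-component-auth">System Component Auth</a></li>
              <li><a href="#application-auth">Application Auth</a></li>
              <li><a href="#management-of-identities-and-authorities">Management of Identities and Authorities</a></li>
            </ul>
          </li>
          <li><a href="#future-approach">Future Approach</a></li>
        </ul>
      </nav>
    </div>
  </div>
</div>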
</div>
<div id="head-tags">
</div>
<div id="body-inner">
<h1>
Authentication/Authorization
</h1>
<p>This page describes how authentication and authorization of devices, consumers (back-end applications) and system components work in Hono.</p>
<h2 id="requirements">Requirements</h2>
<ol>
<li>Devices are authenticated and authorized when they connect to a protocol adapter.</li>
<li>Consumers are authenticated and authorized when they connect to a <em>Dispatch Router</em> instance.</li>
<li>System components are authenticated and authorized when they connect to each other.</li>
<li>Credentials and authorization rules can be managed centrally, i.e. credentials and rules do not need to be configured manually on each component.</li>
</ol>
<h2 id="how-it-works-today">How it works today</h2>
<p>The following diagram provides an overview of the components involved in use cases requiring authentication and authorization.</p>
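<!-- Overview diagram; the alt text restates what the preceding paragraph says the diagram shows. -->
<figure>
  <img src="Hono-Auth-Overview-Today.jpg" alt="Overview of the components involved in use cases requiring authentication and authorization">
</figure>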
<h3 id="device-auth">Device Auth</h3>
<p>By default, both the HTTP adapter and the MQTT adapter require devices to authenticate during connection establishment. Both rely on the <a href="/hono/docs/1.2/api/credentials/">Credentials API</a> to help verify the credentials provided by a device. Please refer to <a href="/hono/docs/1.2/concepts/device-identity/">Device Authentication</a> for a general overview of Hono&rsquo;s approach to authenticating devices and to the <a href="/hono/docs/1.2/user-guide/">protocol adapter user guides</a> for specifics regarding how devices can authenticate to the corresponding protocol adapters.</p>
<h3 id="system-component-auth">System Component Auth</h3>
<p>Client components opening an AMQP connection to a server component are authenticated using SASL PLAIN as specified in <a href="https://tools.ietf.org/html/rfc4422">RFC 4422</a> (the PLAIN mechanism itself is defined in RFC 4616). Because SASL PLAIN transfers the client&rsquo;s password without any protection of its own, these connections should be secured with TLS; see <a href="/hono/docs/1.2/admin-guide/secure_communication/">Secure Communication</a>. The server component takes the authentication information provided by the client component and opens a connection to the <em>Auth Server</em>, using the credentials provided by the client in its SASL PLAIN exchange with the server component. On successful authentication, the <em>Auth Server</em> issues a JSON Web Token (JWT) asserting the client&rsquo;s identity and its granted authorities to the server component. The server component then <em>attaches</em> this token to its AMQP connection with the client and from then on uses it to make authorization decisions regarding the client&rsquo;s requests. See <a href="/hono/docs/1.2/api/authentication/">Authentication API</a> for details regarding the authentication process and the format of the tokens issued by the <em>Auth Server</em>.</p>
<p>Based on the components shown above, the following sequence diagram shows how the <em>MQTT Adapter</em> connects to the <em>Device Registry</em> and gets authenticated transparently using the <em>Auth Server</em>.</p>
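<!-- Sequence diagram; the alt text restates what the preceding paragraph says the diagram shows. -->
<figure>
  <img src="MQTT-Adapter-authentication-today.png" width="80%" alt="Sequence diagram: the MQTT Adapter connects to the Device Registry and is authenticated using the Auth Server">
</figure>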
<p>Client components are authorized whenever they open a new AMQP link on an existing connection to the server. When a client tries to open a receiver link, the server checks if the client is authorized to <em>read</em> from the source address the client has specified in its AMQP <em>attach</em> frame. Analogously, when a client tries to open a sender link, the server checks if the client is authorized to <em>write</em> to the target address from the client&rsquo;s <em>attach</em> frame.</p>
<p>Service implementations may additionally authorize individual (request) messages received from the client, e.g. based on the message&rsquo;s <em>subject</em> property which is used by Hono&rsquo;s AMQP 1.0 based APIs to indicate the operation to invoke. In such a case the server checks if the client is authorized to <em>execute</em> the operation indicated by the message <em>subject</em> on the link&rsquo;s target address.</p>
<h3 id="application-auth">Application Auth</h3>
<p><em>Business Applications</em> connect to the AMQP 1.0 Messaging Network in order to consume telemetry data and events and send commands to devices. It is therefore the responsibility of the AMQP Network to properly authenticate and authorize the application.</p>
<p>The Apache Qpid Dispatch Router, which is used in Hono&rsquo;s example deployment, can be configured to authenticate consumers using arbitrary SASL mechanisms. Access to addresses for receiving messages can be restricted to certain identities. The Dispatch Router instance which is used in the example deployment is configured to delegate authentication of clients to the <em>Auth Server</em> by means of its <em>Auth Service Plugin</em> mechanism. This mechanism works in much the same way as described above for the authentication of system components. The main difference is that the clients&rsquo; authorities are not transferred by means of a JSON Web Token but are instead carried in a property of the Auth Server&rsquo;s AMQP <em>open</em> frame.</p>
<h3 id="management-of-identities-and-authorities">Management of Identities and Authorities</h3>
<p>The identities and corresponding authorities that the <em>Auth Server</em> uses for verifying credentials and issuing tokens are defined in a configuration file (<code>services/auth/src/main/resources/permissions.json</code>) read in during start-up of the <em>Auth Server</em>. These authorities are used for authenticating and authorizing system components as well as <em>Business Applications</em>.</p>
<p>Please refer to the <a href="http://qpid.apache.org/components/dispatch-router/index.html">Dispatch Router documentation</a> for details regarding configuration of <em>Dispatch Router</em> security.</p>
<h2 id="future-approach">Future Approach</h2>
<p>In the long run, Hono will still use tokens for authenticating clients but will use a policy-based approach for authorizing requests, i.e. authorization decisions will be made by a central <em>policy enforcement</em> component. Hono services will pass the client&rsquo;s token, the resource being accessed and the intended action, along with potentially other attributes, to the policy enforcement component. That component will then make the authorization decision based on the configured rules (policy) and return the outcome to the calling service.</p>
<footer class="footline">
</footer>
</div>
</div>
<div id="navigation">
</div>
</section>
<!-- Off-screen box (left/top -1000px), 200x200 with overflow: scroll, holding a 200x200 child.
     NOTE(review): presumably left in the saved markup by a script that measures scrollbar width; confirm before removing. -->
<div style="left: -1000px; overflow: scroll; position: absolute; top: -1000px; border: none; box-sizing: content-box; height: 200px; margin: 0px; padding: 0px; width: 200px;">
  <div style="border: none; box-sizing: content-box; height: 200px; margin: 0px; padding: 0px; width: 200px;"></div>
</div>
<!-- Theme and plugin scripts, loaded synchronously in document order from the site's own /hono/docs/ path.
     The order matters: each inline initialiser below runs right after the library it calls
     (hljs.initHighlightingOnLoad() after highlight.pack.js, mermaid.initialize() after mermaid.js). -->
<script src="/hono/docs/js/clipboard.min.js?1626138731"></script>
<script src="/hono/docs/js/perfect-scrollbar.min.js?1626138731"></script>
<script src="/hono/docs/js/perfect-scrollbar.jquery.min.js?1626138731"></script>
<script src="/hono/docs/js/jquery.sticky.js?1626138731"></script>
<script src="/hono/docs/js/featherlight.min.js?1626138731"></script>
<script src="/hono/docs/js/highlight.pack.js?1626138731"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script src="/hono/docs/js/modernizr.custom-3.6.0.js?1626138731"></script>
<script src="/hono/docs/js/learn.js?1626138731"></script>
<script src="/hono/docs/js/hugo-learn.js?1626138731"></script>
<link href="/hono/docs/mermaid/mermaid.css?1626138731" rel="stylesheet" />
<script src="/hono/docs/mermaid/mermaid.js?1626138731"></script>
<script>
mermaid.initialize({ startOnLoad: true });
</script>
<!-- Google Tag Manager bootstrap: creates window.dataLayer if missing, pushes a gtm.start event, then inserts an async
     script element for https://www.googletagmanager.com/gtm.js?id=GTM-5WLCZXC before the first script element of the page.
     NOTE(review): the third-party script is injected at runtime, so Subresource Integrity cannot pin its content, and what
     it loads is controlled by the tag manager container rather than by this file.
     NOTE(review): this block runs before the cookie-consent script below is loaded; confirm that this order matches the
     site's consent policy.
     A Content-Security-Policy would have to allow this inline block (nonce or hash) and the googletagmanager.com origin. -->
<script>
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-5WLCZXC');
</script>
<!-- Cookie-consent script, referenced by absolute URL on www.eclipse.org with no integrity attribute.
     NOTE(review): when this page is served from another origin, add integrity and crossorigin so that a modified file is rejected. -->
<script src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/javascript/vendor/cookieconsent/default.min.js"></script>
</body>
</html>