Google Git
Sign in
eclipse / gerrit / www.eclipse.org / hono / 297ddc65f85a847b8f74164b2cfceb53088fed76 / . / docs / 1.3 / api / credentials / index.html
blob: 86186bf175fd89204bdb3f3cf0651ca925763003 [file] [log] [blame]
<!DOCTYPE html>
<html lang="1.3" class="js csstransforms3d">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Hugo 0.81.0" />
<meta name="description" content="A set of micro-services for connecting millions of devices.">
<meta name="author" content="The Eclipse Hono Project">
<link rel="apple-touch-icon" sizes="180x180" href="/hono/docs/favicon/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="48x48" href="/hono/docs/favicon/favicon-48x48.png">
<link rel="icon" type="image/png" sizes="32x32" href="/hono/docs/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/hono/docs/favicon/favicon-16x16.png">
<link rel="manifest" href="/hono/docs/favicon/site.webmanifest">
<link rel="mask-icon" href="/hono/docs/favicon/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="/hono/docs/favicon/favicon.ico">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="msapplication-config" content="/hono/docs/favicon/browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<title>Credentials API Specification :: Eclipse Hono&trade; Vers.: 1.3</title>
<link href="/hono/docs/css/nucleus.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/fontawesome-all.min.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/hybrid.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/featherlight.min.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/perfect-scrollbar.min.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/auto-complete.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/atom-one-dark-reasonable.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/theme.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/hugo-theme.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/theme-hono.css?1626138728" rel="stylesheet">
<link href="/hono/docs/css/hono.css?1626138728" rel="stylesheet">
<script src="/hono/docs/js/jquery-3.3.1.min.js?1626138728"></script>
<style>
:root #header + #content > #left > #rlblock_left{
display:none !important;
}
:not(pre) > code + span.copy-to-clipboard {
display: none;
}
</style>
<link rel="stylesheet" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/vendor/cookieconsent/cookieconsent.min.css">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@EclipseHono">
<meta name="twitter:title" content="Credentials API Specification :: Eclipse Hono&amp;trade; Vers.: 1.3">
<meta name="twitter:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png">
<meta name="twitter:description" content="A set of micro-services for connecting millions of devices.">
<meta property="og:title" content="Credentials API Specification :: Eclipse Hono&amp;trade; Vers.: 1.3" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://www.eclipse.org/hono/docs/1.3/api/credentials//" />
<meta property="og:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png" />
</head>
<body class="" data-url="/hono/docs/1.3/api/credentials/">
<nav id="sidebar" class="">
<div id="header-wrapper">
<div id="header">
<a href="https://www.eclipse.org/hono/">
<img src="/hono/docs/images/HONO-Logo_Bild-Wort_quer-w-310x120px.svg" alt="Hono logo" class="logo-img">
</a>
</div>
<div class="searchbox">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input id="search-by" type="search" placeholder="Search...">
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
<script type="text/javascript" src="/hono/docs/js/lunr.min.js?1626138728"></script>
<script type="text/javascript" src="/hono/docs/js/auto-complete.js?1626138728"></script>
<script type="text/javascript">
var baseurl = "https:\/\/www.eclipse.org\/hono\/docs\/\/1.3";
</script>
<script type="text/javascript" src="/hono/docs/js/search.js?1626138728"></script>
</div>
<div class="highlightable">
<ul class="topics">
<li data-nav-id="/hono/docs/1.3/concepts/" title="Concepts" class="dd-item
">
<a href="/hono/docs/1.3/concepts/">
<i class="far fa-lightbulb"></i> Concepts
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/concepts/device-identity/" title="Device Identity" class="dd-item ">
<a href="/hono/docs/1.3/concepts/device-identity/">
Device Identity
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/tenancy/" title="Multi-Tenancy" class="dd-item ">
<a href="/hono/docs/1.3/concepts/tenancy/">
Multi-Tenancy
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/device-provisioning/" title="Device Provisioning" class="dd-item ">
<a href="/hono/docs/1.3/concepts/device-provisioning/">
Device Provisioning
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/connecting-devices/" title="Connecting Devices" class="dd-item ">
<a href="/hono/docs/1.3/concepts/connecting-devices/">
Connecting Devices
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/device-notifications/" title="Device Notifications" class="dd-item ">
<a href="/hono/docs/1.3/concepts/device-notifications/">
Device Notifications
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/command-and-control/" title="Command &amp; Control" class="dd-item ">
<a href="/hono/docs/1.3/concepts/command-and-control/">
Command &amp; Control
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/resource-limits/" title="Resource limits" class="dd-item ">
<a href="/hono/docs/1.3/concepts/resource-limits/">
Resource limits
</a>
</li>
<li data-nav-id="/hono/docs/1.3/concepts/connection-events/" title="Connection Events" class="dd-item ">
<a href="/hono/docs/1.3/concepts/connection-events/">
Connection Events
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/" title="User Guide" class="dd-item
">
<a href="/hono/docs/1.3/user-guide/">
<i class="fas fa-book-reader"></i> User Guide
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/user-guide/mongodb-based-device-registry/" title="MongoDB Based Device Registry" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/mongodb-based-device-registry/">
MongoDB Based Device Registry
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/file-based-device-registry/" title="File Based Device Registry" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/file-based-device-registry/">
File Based Device Registry
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/http-adapter/" title="HTTP Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/http-adapter/">
HTTP Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/mqtt-adapter/" title="MQTT Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/mqtt-adapter/">
MQTT Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/amqp-adapter/" title="AMQP Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/amqp-adapter/">
AMQP Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/coap-adapter/" title="CoAP Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/coap-adapter/">
CoAP Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/kura-adapter/" title="Kura Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/kura-adapter/">
Kura Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/sigfox-adapter/" title="Sigfox Adapter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/sigfox-adapter/">
Sigfox Adapter
</a>
</li>
<li data-nav-id="/hono/docs/1.3/user-guide/jmeter_load_tests/" title="Load Tests with JMeter" class="dd-item ">
<a href="/hono/docs/1.3/user-guide/jmeter_load_tests/">
Load Tests with JMeter
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/" title="Admin Guide" class="dd-item
">
<a href="/hono/docs/1.3/admin-guide/">
<i class="fas fa-sliders-h"></i> Admin Guide
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/admin-guide/common-config/" title="Common Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/common-config/">
Common Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/auth-server-config/" title="Auth Server Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/auth-server-config/">
Auth Server Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/mongodb-device-registry-config/" title="MongoDB Based Device Registry Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/mongodb-device-registry-config/">
MongoDB Based Device Registry Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/file-based-device-registry-config/" title="File Based Device Registry Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/file-based-device-registry-config/">
File Based Device Registry Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/device-connection-config/" title="Configuring the Device Connection Service" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/device-connection-config/">
Device Connection Service Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/http-adapter-config/" title="HTTP Adapter Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/http-adapter-config/">
HTTP Adapter Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/mqtt-adapter-config/" title="MQTT Adapter Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/mqtt-adapter-config/">
MQTT Adapter Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/amqp-adapter-config/" title="AMQP Adapter Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/amqp-adapter-config/">
AMQP Adapter Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/coap-adapter-config/" title="CoAP Adapter Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/coap-adapter-config/">
CoAP Adapter Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/kura-adapter-config/" title="Kura Adapter Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/kura-adapter-config/">
Kura Adapter Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/hono-client-configuration/" title="Hono Client Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/hono-client-configuration/">
Hono Client Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/amqp-network-config/" title="AMQP 1.0 Messaging Network Configuration" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/amqp-network-config/">
AMQP 1.0 Messaging Network Configuration
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/secure_communication/" title="Secure Communication" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/secure_communication/">
Secure Communication
</a>
</li>
<li data-nav-id="/hono/docs/1.3/admin-guide/monitoring-tracing-config/" title="Monitoring &amp; Tracing" class="dd-item ">
<a href="/hono/docs/1.3/admin-guide/monitoring-tracing-config/">
Monitoring &amp; Tracing
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/dev-guide/" title="Developer Guide" class="dd-item
">
<a href="/hono/docs/1.3/dev-guide/">
<i class="fas fa-tools"></i> Developer Guide
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/dev-guide/building_hono/" title="Building from Source" class="dd-item ">
<a href="/hono/docs/1.3/dev-guide/building_hono/">
Building from Source
</a>
</li>
<li data-nav-id="/hono/docs/1.3/dev-guide/amqp_adapter_client/" title="AMQP Adapter Client for Java" class="dd-item ">
<a href="/hono/docs/1.3/dev-guide/amqp_adapter_client/">
AMQP Adapter Client for Java
</a>
</li>
<li data-nav-id="/hono/docs/1.3/dev-guide/java_client_consumer/" title="Consuming Messages from Java" class="dd-item ">
<a href="/hono/docs/1.3/dev-guide/java_client_consumer/">
Consuming Messages from Java
</a>
</li>
<li data-nav-id="/hono/docs/1.3/dev-guide/custom_http_adapter/" title="Implement a Custom Hono HTTP Protocol Adapter" class="dd-item ">
<a href="/hono/docs/1.3/dev-guide/custom_http_adapter/">
Implement a Custom Hono HTTP Protocol Adapter
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/api/" title="API" class="dd-item
parent
">
<a href="/hono/docs/1.3/api/">
&nbsp;<i class='fas fa-plug'></i>&nbsp;API
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/api/telemetry/" title="Telemetry API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/telemetry/">
Telemetry API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/event/" title="Event API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/event/">
Event API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/command-and-control/" title="Command &amp; Control API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/command-and-control/">
Command &amp; Control API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/tenant/" title="Tenant API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/tenant/">
Tenant API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/device-connection/" title="Device Connection API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/device-connection/">
Device Connection API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/device-registration/" title="Device Registration API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/device-registration/">
Device Registration API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/credentials/" title="Credentials API Specification" class="dd-item active">
<a href="/hono/docs/1.3/api/credentials/">
Credentials API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/authentication/" title="Authentication API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/authentication/">
Authentication API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/management/" title="Device Registry Management API Specification" class="dd-item ">
<a href="/hono/docs/1.3/api/management/">
Device Registry Management API
</a>
</li>
<li data-nav-id="/hono/docs/1.3/api/metrics/" title="Metrics" class="dd-item ">
<a href="/hono/docs/1.3/api/metrics/">
Metrics
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/deployment/" title="Deployment" class="dd-item
">
<a href="/hono/docs/1.3/deployment/">
<i class="fas fa-shipping-fast"></i> Deployment
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/deployment/helm-based-deployment/" title="Helm based Deployment" class="dd-item ">
<a href="/hono/docs/1.3/deployment/helm-based-deployment/">
Helm based Deployment
</a>
</li>
<li data-nav-id="/hono/docs/1.3/deployment/openshift/" title="OpenShift / OKD" class="dd-item ">
<a href="/hono/docs/1.3/deployment/openshift/">
OpenShift / OKD
</a>
</li>
<li data-nav-id="/hono/docs/1.3/deployment/create-kubernetes-cluster/" title="Setting up a Kubernetes Cluster" class="dd-item ">
<a href="/hono/docs/1.3/deployment/create-kubernetes-cluster/">
Setting up a Kubernetes Cluster
</a>
</li>
<li data-nav-id="/hono/docs/1.3/deployment/resource-limitation/" title="Limiting Resource Usage" class="dd-item ">
<a href="/hono/docs/1.3/deployment/resource-limitation/">
Limiting Resource Usage
</a>
</li>
</ul>
</li>
<li data-nav-id="/hono/docs/1.3/architecture/" title="Architecture" class="dd-item
">
<a href="/hono/docs/1.3/architecture/">
<i class="fas fa-landmark"></i> Architecture
</a>
<ul>
<li data-nav-id="/hono/docs/1.3/architecture/component-view/" title="Component View" class="dd-item ">
<a href="/hono/docs/1.3/architecture/component-view/">
Component View
</a>
</li>
<li data-nav-id="/hono/docs/1.3/architecture/auth/" title="Authentication/Authorization" class="dd-item ">
<a href="/hono/docs/1.3/architecture/auth/">
Authentication/Authorization
</a>
</li>
</ul>
</li>
</ul>
<section id="shortcuts">
<h3></h3>
<ul>
<li>
<a class="padding" href="https://www.eclipse.org/hono/" title="Hono&#39;s Homepage"><i class='fas fa-home'></i> Hono Home</a>
</li>
<li>
<a class="padding" href="https://www.eclipse.org/hono/getting-started/" title="Getting started with Eclipse Hono"><i class='fas fa-plane-departure'></i> Getting Started</a>
</li>
</ul>
</section>
<section id="prefooter">
<hr/>
<ul>
<li>
<div id="select-box-wrapper">
<div id="select-box">
<a class="padding">
Version:&nbsp;
<div class="select-style">
<select id="select-language" onchange="location = this.value;">
<option id="stable" value="https://www.eclipse.org/hono/docs/api/credentials/">stable (1.8)</option>
<option id="1.8" value="https://www.eclipse.org/hono/docs/1.8/api/credentials/">1.8</option>
<option id="1.7" value="https://www.eclipse.org/hono/docs/1.7/api/credentials/">1.7</option>
<option id="1.6" value="https://www.eclipse.org/hono/docs/1.6/api/credentials/">1.6</option>
<option id="1.5" value="https://www.eclipse.org/hono/docs/1.5/api/credentials/">1.5</option>
<option id="1.4" value="https://www.eclipse.org/hono/docs/1.4/api/credentials/">1.4</option>
<option id="1.3" value="https://www.eclipse.org/hono/docs/1.3/api/credentials/" selected>1.3</option>
<option id="1.2" value="https://www.eclipse.org/hono/docs/1.2/api/credentials/">1.2</option>
<option id="1.1" value="https://www.eclipse.org/hono/docs/1.1/api/credentials/">1.1</option>
<option id="1.0" value="https://www.eclipse.org/hono/docs/1.0/api/credentials/">1.0</option>
<option id="dev" value="https://www.eclipse.org/hono/docs/dev/api/credentials/">dev</option>
</select>
<svg version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="255px" height="255px" viewBox="0 0 255 255" style="enable-background:new 0 0 255 255;" xml:space="preserve">
<g>
<g id="arrow-drop-down">
<polygon points="0,63.75 127.5,191.25 255,63.75 " />
</g>
</g>
</svg>
</div>
</a>
</div>
</div>
</li>
</ul>
</section>
<section id="footer">
<p>&copy; 2021 <a href="https://www.eclipse.org/hono/">The Eclipse Hono Project</a></p>
<p>
Documentation built with
<a href="https://gohugo.io/" target="_blank">Hugo</a>
using the
<a href="https://github.com/matcornic/hugo-theme-learn" target="_blank">Learn</a> theme.
</p>
<div class="eclipse-logo">
<a href="https://www.eclipse.org" target="_blank">
<img src="https://www.eclipse.org/hono/docs/images/eclipse_foundation_logo.svg"/>
</a>
</div>
</section>
</div>
</nav>
<section id="body">
<div id="overlay"></div>
<div class="old-version-hint">
<p>This page refers to version <em>1.3</em>.
You might want to use the <a href="https://www.eclipse.org/hono/docs/">current stable</a> version.
</p>
</div>
<div class="padding highlightable">
<div>
<div id="top-bar">
<div id="top-github-link">
<a class="github-link" title='Edit this page' href="https://github.com/eclipse/hono/edit/master/site/documentation/content/api/credentials/index.md" target="blank">
<i class="fas fa-code-branch"></i>
<span id="top-github-link-text">Edit this page</span>
</a>
</div>
<div id="breadcrumbs" itemscope="" itemtype="http://data-vocabulary.org/Breadcrumb">
<span id="sidebar-toggle-span">
<a href="#" id="sidebar-toggle" data-sidebar-toggle="">
<i class="fas fa-bars"></i>
</a>
</span>
<span id="toc-menu"><i class="fas fa-list-alt"></i></span>
<span class="links">
<a href='/hono/docs/1.3/'>Documentation</a> > <a href='/hono/docs/1.3/api/'>API</a> > Credentials API Specification
</span>
</div>
<div class="progress">
<div class="wrapper">
<nav id="TableOfContents">
<ul>
<li><a href="#preconditions-for-invoking-the-credentials-api">Preconditions for invoking the Credentials API</a></li>
<li><a href="#get-credentials">Get Credentials</a></li>
<li><a href="#delivery-states">Delivery States</a></li>
<li><a href="#credentials-format">Credentials Format</a>
<ul>
<li><a href="#secrets-format">Secrets Format</a></li>
<li><a href="#examples">Examples</a></li>
</ul>
</li>
<li><a href="#credential-verification">Credential Verification</a></li>
<li><a href="#standard-credential-types">Standard Credential Types</a>
<ul>
<li><a href="#common-properties">Common Properties</a></li>
<li><a href="#hashed-password">Hashed Password</a></li>
<li><a href="#pre-shared-key">Pre-Shared Key</a></li>
<li><a href="#x509-certificate">X.509 Certificate</a></li>
</ul>
</li>
</ul>
</nav>
</div>
</div>
</div>
</div>
<div id="head-tags">
</div>
<div id="body-inner">
<h1>
Credentials API Specification
</h1>
<p>The <em>Credentials API</em> is used by <em>Protocol Adapters</em> to retrieve credentials used to authenticate <em>Devices</em> connecting to the adapter. In particular, the API supports to look up <em>shared secrets</em> which are often used by IoT devices by means of <em>username/password</em> based authentication schemes.</p>
<p>Credentials are of a certain <em>type</em> which indicates which authentication mechanism the credentials can be used with. Each set of credentials also contains an <em>authentication identity</em> which is the identity claimed by the device during authentication. This authentication identity is usually different from the <em>device-id</em> the device has been registered under. A device may have multiple sets of credentials, using arbitrary <em>authentication identities</em>.</p>
<p>The Credentials API is defined by means of AMQP 1.0 message exchanges, i.e. a client needs to connect to Hono using an AMQP 1.0 client in order to invoke operations of the API as described in the following sections.</p>
<p><a name="preconditions"></a></p>
<h2 id="preconditions-for-invoking-the-credentials-api">Preconditions for invoking the Credentials API</h2>
<ol>
<li>Client has established an AMQP connection with the Credentials service.</li>
<li>Client has established an AMQP link in role <em>sender</em> on the connection using target address <code>credentials/${tenant_id}</code>. This link is used by the client to send commands to the Credentials service.</li>
<li>Client has established an AMQP link in role <em>receiver</em> on the connection using source address <code>credentials/${tenant_id}/${reply-to}</code> where <em>reply-to</em> may be any arbitrary string chosen by the client. This link is used by the client to receive responses to the requests it has sent to the Credentials service. This link&rsquo;s source address is also referred to as the <em>reply-to</em> address for the request messages.</li>
</ol>
<figure>
<img src="preconditions.svg"
alt="A client establishes an AMQP connection and the links required to invoke operations of the Credentials service"/> <figcaption>
<h4>Client connecting to Credentials service</h4>
</figcaption>
</figure>
<h2 id="get-credentials">Get Credentials</h2>
<p>Protocol adapters use this command to <em>look up</em> credentials of a particular type for a device identity.</p>
<p><strong>Message Flow</strong></p>
<figure>
<img src="get-credentials-success.svg"
alt="A client sends a request message for looking up device credentials and receives a response containing the credentials"/> <figcaption>
<h4>Client looking up credentials for a device</h4>
</figcaption>
</figure>
<p><strong>Request Message Format</strong></p>
<p>The following table provides an overview of the properties a client needs to set on an <em>get credentials</em> message.</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">Location</th>
<th style="text-align:left">AMQP Type</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>correlation-id</em></td>
<td style="text-align:center">no</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>message-id</em></td>
<td style="text-align:left">MAY contain an ID used to correlate a response message to the original request. If set, it is used as the <em>correlation-id</em> property in the response, otherwise the value of the <em>message-id</em> property is used. Either this or the <em>message-id</em> property MUST be set.</td>
</tr>
<tr>
<td style="text-align:left"><em>message-id</em></td>
<td style="text-align:center">no</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">MAY contain an identifier that uniquely identifies the message at the sender side. Either this or the <em>correlation-id</em> property MUST be set.</td>
</tr>
<tr>
<td style="text-align:left"><em>reply-to</em></td>
<td style="text-align:center">yes</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">MUST contain the source address that the client wants to receive response messages from. This address MUST be the same as the source address used for establishing the client&rsquo;s receive link (see <a href="#preconditions-for-invoking-the-credentials-api">Preconditions</a>).</td>
</tr>
<tr>
<td style="text-align:left"><em>subject</em></td>
<td style="text-align:center">yes</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">MUST contain the value <code>get</code>.</td>
</tr>
</tbody>
</table>
<p>The body of the request MUST consist of a single <em>Data</em> section containing a UTF-8 encoded string representation of a single JSON object having the following members:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>type</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The type of credentials to look up. Potential values include (but are not limited to) <code>psk</code>, <code>x509-cert</code>, <code>hashed-password</code> etc.</td>
</tr>
<tr>
<td style="text-align:left"><em>auth-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The authentication identifier to look up credentials for.</td>
</tr>
<tr>
<td style="text-align:left"><em>client-certificate</em></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The client certificate the device authenticated with. If present, it MUST be the DER encoding of the (validated) X.509 client certificate as a Base64 encoded byte array and it&rsquo;s subject DN MUST match the <em>auth-id</em>.</td>
</tr>
</tbody>
</table>
<p>The <em>client-certificate</em> property MAY be used by the service implementation for auto-provisioning of devices.
To do so, the device registry needs to create credentials (and registration data) for the device if they do not already exist.</p>
<p>Additionally, the body MAY contain arbitrary properties that service implementations can use to determine a device&rsquo;s identity.</p>
<p>The following request payload may be used to look up the hashed password for a device with the authentication identifier <code>sensor1</code>:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;hashed-password&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;sensor1&#34;</span>
}
</code></pre></div><p>The following request payload may be used to look up <em>or create</em> <code>x509-cert</code> credentials for a device with the authentication identifier <code>CN=device-1,O=ACME Corporation</code>:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;x509-cert&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;CN=device-1,O=ACME Corporation&#34;</span>,
<span style="color:#f92672">&#34;client-certificate&#34;</span>: <span style="color:#e6db74">&#34;DeviceCert==&#34;</span>
}
</code></pre></div><p><strong>Response Message Format</strong></p>
<p>A response to a <em>get credentials</em> request contains the following properties:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">Location</th>
<th style="text-align:left">AMQP Type</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>correlation-id</em></td>
<td style="text-align:center">yes</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>message-id</em></td>
<td style="text-align:left">Contains the <em>message-id</em> (or the <em>correlation-id</em>, if specified) of the request message that this message is the response to.</td>
</tr>
<tr>
<td style="text-align:left"><em>content-type</em></td>
<td style="text-align:center">no</td>
<td style="text-align:left"><em>properties</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">MUST be set to <code>application/json</code> if the invocation of the operation was successful and the body of the response message contains payload as described below.</td>
</tr>
<tr>
<td style="text-align:left"><em>status</em></td>
<td style="text-align:center">yes</td>
<td style="text-align:left"><em>application-properties</em></td>
<td style="text-align:left"><em>int</em></td>
<td style="text-align:left">Contains the status code indicating the outcome of the operation. Concrete values and their semantics are defined below.</td>
</tr>
<tr>
<td style="text-align:left"><em>cache_control</em></td>
<td style="text-align:center">no</td>
<td style="text-align:left"><em>application-properties</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">Contains an <a href="https://tools.ietf.org/html/rfc2616#section-14.9">RFC 2616</a> compliant <em>cache directive</em>. The directive contained in the property MUST be obeyed by clients that are caching responses.</td>
</tr>
</tbody>
</table>
<p>The response message payload MUST contain credential information as defined in <a href="#credentials-format">Credentials Format</a> if the <em>status</em> is <code>200</code> or <code>201</code>.</p>
<p>The response message&rsquo;s <em>status</em> property may contain the following codes:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Code</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>200</em></td>
<td style="text-align:left">OK, the payload contains the credentials for the authentication identifier.</td>
</tr>
<tr>
<td style="text-align:left"><em>201</em></td>
<td style="text-align:left">Created, the payload contains the newly created credentials for the authentication identifier.</td>
</tr>
<tr>
<td style="text-align:left"><em>400</em></td>
<td style="text-align:left">Bad Request, the request message did not contain all mandatory properties or the subject DN of the certificate does not match the authentication identifier.</td>
</tr>
<tr>
<td style="text-align:left"><em>404</em></td>
<td style="text-align:left">Not Found, there are no credentials registered matching the criteria.</td>
</tr>
</tbody>
</table>
<p>For status codes indicating an error (codes in the <code>400 - 499</code> range) the message body MAY contain a detailed description of the error that occurred.
In this case, the response message&rsquo;s <em>content-type</em> property SHOULD be set accordingly.</p>
<h2 id="delivery-states">Delivery States</h2>
<p>The Credentials service uses the following AMQP message delivery states when receiving request messages from clients:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Delivery State</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>ACCEPTED</em></td>
<td style="text-align:left">Indicates that the request message has been received and accepted for processing.</td>
</tr>
<tr>
<td style="text-align:left"><em>REJECTED</em></td>
<td style="text-align:left">Indicates that the request message has been received but cannot be processed. The disposition frame&rsquo;s <em>error</em> field contains information regarding the reason why. Clients should not try to re-send the request using the same message properties in this case.</td>
</tr>
</tbody>
</table>
<h2 id="credentials-format">Credentials Format</h2>
<p>Credential data is carried in the body of an AMQP message as part of a single <em>Data</em> section. The message&rsquo;s <em>content-type</em> property must be set to <code>application/json</code>.</p>
<p>The credential data is contained in the Data section as a UTF-8 encoded string representation of a single JSON object. It is an error to include payload that is not of this type.</p>
<p>The table below provides an overview of the standard members defined for the JSON object:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Default Value</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>device-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The ID of the device to which the credentials belong.</td>
</tr>
<tr>
<td style="text-align:left"><em>type</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The credential type name. The value may be arbitrarily chosen by clients but SHOULD reflect the particular type of authentication mechanism the credentials are to be used with. Possible values include (but are not limited to) <code>psk</code>, <code>x509-cert</code>, <code>hashed-password</code> etc.</td>
</tr>
<tr>
<td style="text-align:left"><em>auth-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The identity that the device should be authenticated as.</td>
</tr>
<tr>
<td style="text-align:left"><em>enabled</em></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>boolean</em></td>
<td style="text-align:left"><em>true</em></td>
<td style="text-align:left">If set to <em>false</em> the credentials are not supposed to be used to authenticate devices any longer. This may e.g. be used to disable a particular mechanism for authenticating the device. <strong>NB</strong> It is the responsibility of the protocol adapter to make use of this information.</td>
</tr>
<tr>
<td style="text-align:left"><em>secrets</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>array</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">A list of secrets scoped to a particular time period. See <a href="#secrets-format">Secrets Format</a> for details. <strong>NB</strong> This array must contain at least one element - an empty array is considered an error.</td>
</tr>
</tbody>
</table>
<p>For each set of credentials the combination of <em>auth-id</em> and <em>type</em> MUST be unique within a tenant.</p>
<p>The device registry may choose to not return information which is not suitable for authentication a device. This includes for example the <code>enabled</code> property. If set to <code>false</code>, then the device registry may choose to treat this request as if no credentials would be found. For secrets for example, this could mean that the device registry does not return secrets which are not valid at the current point in time.</p>
<p><strong>NB</strong> Care needs to be taken that the value for the <em>authentication identifier</em> is compliant with the authentication mechanism(s) it is supposed to be used with. For example, when using standard HTTP Basic authentication, the <em>username</em> part of the Basic Authorization header value (which corresponds to the <em>auth-id</em>) MUST not contain any <em>colon</em> (<code>:</code>) characters, because the colon character is used as the separator between username and password. Similar constraints may exist for other authentication mechanisms, so the <em>authentication identifier</em> needs to be chosen with the anticipated mechanism(s) being used in mind. Otherwise, devices may fail to authenticate with protocol adapters, even if the credentials provided by the device match the credentials registered for the device. In general, using only characters from the <code>[a-zA-Z0-9_-]</code> range for the authentication identifier should be compatible with most mechanisms.</p>
<h3 id="secrets-format">Secrets Format</h3>
<p>Each set of credentials may contain arbitrary <em>secrets</em> scoped to a particular <em>validity period</em> during which the secrets may be used for authenticating a device. The validity periods MAY overlap in order to support the process of changing a secret on a device that itself doesn&rsquo;t support the definition of multiple secrets for gapless authentication across adjacent validity periods.</p>
<p>The table below contains the properties used to define the validity period of a single secret:</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Default Value</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>not-before</em></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"><code>null</code></td>
<td style="text-align:left">The point in time from which on the secret may be used to authenticate devices. If not <em>null</em>, the value MUST be an <a href="https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations">ISO 8601 compliant <em>combined date and time representation in extended format</em></a>. <strong>NB</strong> It is up to the discretion of the protocol adapter to make use of this information.</td>
</tr>
<tr>
<td style="text-align:left"><em>not-after</em></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"><code>null</code></td>
<td style="text-align:left">The point in time until which the secret may be used to authenticate devices. If not <em>null</em>, the value MUST be an <a href="https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations">ISO 8601 compliant <em>combined date and time representation in extended format</em></a>. <strong>NB</strong> It is up to the discretion of the protocol adapter to make use of this information.</td>
</tr>
</tbody>
</table>
<h3 id="examples">Examples</h3>
<p>Below is an example for a payload containing <a href="#hashed-password">a hashed password</a> for device <code>4711</code> with auth-id <code>sensor1</code> using SHA512 as the hashing function with a 4 byte salt (Base64 encoding of <code>0x32AEF017</code>). Note that the payload does not contain a <code>not-before</code> property, thus it may be used immediately up until X-mas eve 2017.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;device-id&#34;</span>: <span style="color:#e6db74">&#34;4711&#34;</span>,
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;hashed-password&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;sensor1&#34;</span>,
<span style="color:#f92672">&#34;enabled&#34;</span>: <span style="color:#66d9ef">true</span>,
<span style="color:#f92672">&#34;secrets&#34;</span>: [{
<span style="color:#f92672">&#34;not-after&#34;</span>: <span style="color:#e6db74">&#34;2017-12-24T19:00:00+0100&#34;</span>,
<span style="color:#f92672">&#34;pwd-hash&#34;</span>: <span style="color:#e6db74">&#34;AQIDBAUGBwg=&#34;</span>,
<span style="color:#f92672">&#34;salt&#34;</span>: <span style="color:#e6db74">&#34;Mq7wFw==&#34;</span>,
<span style="color:#f92672">&#34;hash-function&#34;</span>: <span style="color:#e6db74">&#34;sha-512&#34;</span>
}]
}
</code></pre></div><p>The next example contains two <a href="#pre-shared-key">pre-shared keys</a> with overlapping validity periods for device <code>myDevice</code> with PSK identity <code>little-sensor2</code>.</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;device-id&#34;</span>: <span style="color:#e6db74">&#34;myDevice&#34;</span>,
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;psk&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;little-sensor2&#34;</span>,
<span style="color:#f92672">&#34;enabled&#34;</span>: <span style="color:#66d9ef">true</span>,
<span style="color:#f92672">&#34;secrets&#34;</span>: [{
<span style="color:#f92672">&#34;not-after&#34;</span>: <span style="color:#e6db74">&#34;2017-07-01T00:00:00+0100&#34;</span>,
<span style="color:#f92672">&#34;key&#34;</span>: <span style="color:#e6db74">&#34;cGFzc3dvcmRfb2xk&#34;</span>
},{
<span style="color:#f92672">&#34;not-before&#34;</span>: <span style="color:#e6db74">&#34;2017-06-29T00:00:00+0100&#34;</span>,
<span style="color:#f92672">&#34;key&#34;</span>: <span style="color:#e6db74">&#34;cGFzc3dvcmRfbmV3&#34;</span>
}]
}
</code></pre></div><h2 id="credential-verification">Credential Verification</h2>
<p>Protocol Adapters are responsible for authenticating devices when they connect. The Credentials API provides the <a href="#get-credentials">Get Credentials</a> operation to support Protocol Adapters in doing so as illustrated below:</p>
<p>The following sequence diagram illustrates the flow of messages involved in a <em>Protocol Adapter</em> authenticating a device.
This is shown for the <em>MQTT Protocol Adapter</em> as example how a device authenticates with a username and a hashed-password.
The mechanism can be transferred to other protocols in a similar manner.</p>
<figure>
<img src="mqtt_adapter_device_authentication.svg"
alt="The MQTT Adapter sends a request message for looking up credentials presented by a device and receives a response containing the credentials for verification"/> <figcaption>
<h4>MQTT Adapter authenticates device using the Credentials service</h4>
</figcaption>
</figure>
<p>Protocol adapters MUST comply with the following rules when verifying credentials presented by a device:</p>
<ul>
<li>
<p>Credentials that have their <em>enabled</em> property set to <code>false</code> MUST NOT be used for authentication.</p>
</li>
<li>
<p>Adapters MUST only consider secrets for authentication which</p>
<ul>
<li>have their <em>not-before</em> property set to either <code>null</code> or the current or a past point in time <strong>and</strong></li>
<li>have their <em>not-after</em> property set to either <code>null</code> or the current or a future point in time.</li>
</ul>
</li>
</ul>
<h2 id="standard-credential-types">Standard Credential Types</h2>
<p>The following sections define some standard credential types and their properties. Applications are encouraged to make use of these types. However, the types are not enforced anywhere in Hono and clients may of course add application specific properties to the credential types.</p>
<h3 id="common-properties">Common Properties</h3>
<p>All credential types used with Hono MUST contain <code>device-id</code>, <code>type</code>, <code>auth-id</code>, <code>enabled</code> and <code>secrets</code> properties as defined in <a href="#credentials-format">Credentials Format</a>.</p>
<h3 id="hashed-password">Hashed Password</h3>
<p>A credential type for storing a (hashed) password for a device.</p>
<p>Example:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;device-id&#34;</span>: <span style="color:#e6db74">&#34;4711&#34;</span>,
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;hashed-password&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;sensor1&#34;</span>,
<span style="color:#f92672">&#34;secrets&#34;</span>: [{
<span style="color:#f92672">&#34;pwd-hash&#34;</span>: <span style="color:#e6db74">&#34;AQIDBAUGBwg=&#34;</span>,
<span style="color:#f92672">&#34;salt&#34;</span>: <span style="color:#e6db74">&#34;Mq7wFw==&#34;</span>,
<span style="color:#f92672">&#34;hash-function&#34;</span>: <span style="color:#e6db74">&#34;sha-512&#34;</span>
}]
}
</code></pre></div><table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Default</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>type</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The credential type name, always <code>hashed-password</code>.</td>
</tr>
<tr>
<td style="text-align:left"><em>auth-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The identity that the device should be authenticated as.</td>
</tr>
<tr>
<td style="text-align:left"><em>pwd-hash</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The password hash (see table below for details).</td>
</tr>
<tr>
<td style="text-align:left"><em>salt</em></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"></td>
<td style="text-align:left">The Base64 encoding of the <em>salt</em> used in the password hash (see table below for details).</td>
</tr>
<tr>
<td style="text-align:left"><nobr><em>hash-function</em><nobr></td>
<td style="text-align:center"><em>no</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left"><code>sha-256</code></td>
<td style="text-align:left">The name of the hash function used to create the password hash. The hash functions supported by Hono are described in the table below.</td>
</tr>
</tbody>
</table>
<p><strong>NB</strong> It is strongly recommended to use salted password hashes only. Furthermore, the salt should be unique per user and password, so no lookup table or rainbow table attacks can be used to crack the salt-hashed password.
Whenever a password is updated for a user, the salt should change as well.</p>
<p><strong>NB</strong> The example above does not contain any of the <code>not-before</code>, <code>not-after</code> and <code>enabled</code> properties, thus the credentials can be used at any time according to the rules defined in <a href="#credential-verification">Credential Verification</a>.</p>
<p>The table below describes the hash functions supported by Hono and how they map to the <em>secret</em> structure.</p>
<table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Salt Usage</th>
<th style="text-align:left">Salt Location</th>
<th style="text-align:left">Password Hash Format</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>sha-256</em></td>
<td style="text-align:center">optional</td>
<td style="text-align:left"><em>salt</em> field</td>
<td style="text-align:left">The Base64 encoding of the bytes resulting from applying the <em>sha-256</em> hash function to the byte array consisting of the salt bytes (if a salt is used) and the UTF-8 encoding of the clear text password.</td>
</tr>
<tr>
<td style="text-align:left"><em>sha-512</em></td>
<td style="text-align:center">optional</td>
<td style="text-align:left"><em>salt</em> field</td>
<td style="text-align:left">The Base64 encoding of the bytes resulting from applying the <em>sha-512</em> hash function to the byte array consisting of the salt bytes (if a salt is used) and the UTF-8 encoding of the clear text password.</td>
</tr>
<tr>
<td style="text-align:left"><em>bcrypt</em></td>
<td style="text-align:center">mandatory</td>
<td style="text-align:left"><em>pwd-hash</em> value</td>
<td style="text-align:left">The output of applying the <em>Bcrypt</em> hash function to the clear text password. The salt is contained in the password hash.<br><strong>NB</strong> Hono (currently) uses <a href="https://docs.spring.io/spring-security/site/docs/4.2.7.RELEASE/reference/htmlsingle/#core-services-password-encoding">Spring Security</a> for matching clear text passwords against Bcrypt hashes. However, this library only supports hashes containing the <code>$2a$</code> prefix (see <a href="https://github.com/fpirsch/twin-bcrypt#about-prefixes">https://github.com/fpirsch/twin-bcrypt#about-prefixes</a>) so Hono will fail to verify any passwords for which the corresponding Bcrypt hashes returned by the Credentials service contain e.g. the <code>$2y$</code> prefix.</td>
</tr>
</tbody>
</table>
<h3 id="pre-shared-key">Pre-Shared Key</h3>
<p>A credential type for storing a <em>Pre-shared Key</em> as used in (D)TLS handshakes.</p>
<p>Example:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;device-id&#34;</span>: <span style="color:#e6db74">&#34;4711&#34;</span>,
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;psk&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;little-sensor2&#34;</span>,
<span style="color:#f92672">&#34;secrets&#34;</span>: [{
<span style="color:#f92672">&#34;key&#34;</span>: <span style="color:#e6db74">&#34;AQIDBAUGBwg=&#34;</span>
}]
}
</code></pre></div><table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>type</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The credential type name, always <code>psk</code>.</td>
</tr>
<tr>
<td style="text-align:left"><em>auth-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The PSK identity.</td>
</tr>
<tr>
<td style="text-align:left"><em>key</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The Base64 encoded bytes representing the shared (secret) key.</td>
</tr>
</tbody>
</table>
<p><strong>NB</strong> The example above does not contain any of the <code>not-before</code>, <code>not-after</code> and <code>enabled</code> properties, thus the credentials can be used at any time according to the rules defined in <a href="#credential-verification">Credential Verification</a>.</p>
<h3 id="x509-certificate">X.509 Certificate</h3>
<p>A credential type for storing the <a href="https://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a> formatted <em>subject DN</em> of a client certificate that is used to authenticate the device as part of a (D)TLS handshake.</p>
<p>Example:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
<span style="color:#f92672">&#34;device-id&#34;</span>: <span style="color:#e6db74">&#34;4711&#34;</span>,
<span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;x509-cert&#34;</span>,
<span style="color:#f92672">&#34;auth-id&#34;</span>: <span style="color:#e6db74">&#34;CN=device-1,O=ACME Corporation&#34;</span>,
<span style="color:#f92672">&#34;secrets&#34;</span>: [{}]
}
</code></pre></div><table>
<thead>
<tr>
<th style="text-align:left">Name</th>
<th style="text-align:center">Mandatory</th>
<th style="text-align:left">JSON Type</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><em>type</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The credential type name, always <code>x509-cert</code>.</td>
</tr>
<tr>
<td style="text-align:left"><em>auth-id</em></td>
<td style="text-align:center"><em>yes</em></td>
<td style="text-align:left"><em>string</em></td>
<td style="text-align:left">The subject DN of the client certificate in the format defined by <a href="https://www.ietf.org/rfc/rfc2253.txt">RFC 2253</a>.</td>
</tr>
</tbody>
</table>
<p><strong>NB</strong> The example above does not contain any of the <code>not-before</code>, <code>not-after</code> and <code>enabled</code> properties. The <code>not-before</code> and <code>not-after</code> properties should be omitted if the validity period is the same as the period indicated by the client certificate&rsquo;s corresponding properties. It is still necessary to provide a (empty) JSON object in the <em>secrets</em> array, though.</p>
<footer class="footline">
</footer>
</div>
</div>
<div id="navigation">
</div>
</section>
<div style="left: -1000px; overflow: scroll; position: absolute; top: -1000px; border: none; box-sizing: content-box; height: 200px; margin: 0px; padding: 0px; width: 200px;">
<div style="border: none; box-sizing: content-box; height: 200px; margin: 0px; padding: 0px; width: 200px;"></div>
</div>
<script src="/hono/docs/js/clipboard.min.js?1626138730"></script>
<script src="/hono/docs/js/perfect-scrollbar.min.js?1626138730"></script>
<script src="/hono/docs/js/perfect-scrollbar.jquery.min.js?1626138730"></script>
<script src="/hono/docs/js/jquery.sticky.js?1626138730"></script>
<script src="/hono/docs/js/featherlight.min.js?1626138730"></script>
<script src="/hono/docs/js/highlight.pack.js?1626138730"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script src="/hono/docs/js/modernizr.custom-3.6.0.js?1626138730"></script>
<script src="/hono/docs/js/learn.js?1626138730"></script>
<script src="/hono/docs/js/hugo-learn.js?1626138730"></script>
<link href="/hono/docs/mermaid/mermaid.css?1626138730" rel="stylesheet" />
<script src="/hono/docs/mermaid/mermaid.js?1626138730"></script>
<script>
mermaid.initialize({ startOnLoad: true });
</script>
<script>
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-5WLCZXC');
</script>
<script src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/javascript/vendor/cookieconsent/default.min.js"></script>
</body>
</html>