I wanted to check Device APIs and when I tried auth_request api for getting JWT token for a device, I am always getting the 401 unauthorized error. It would be great If I can get any help.
curl --location 'https://hosted.mender.io/api/devices/v1/authentication/auth_requests'; \
--header 'X-MEN-Signature: RSA' \
--header 'Content-Type: application/json' \
"pubkey": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAs3RWHybSSrmEA9OspDj1\nhqmUD/+mey7QIhvJYBmmpxAmgLgEJEOkkTTER4jum19ejPquD/WU4IhPky8T8Zsb\nbWI6uKYHiKgHKRBscjr1l4rLgkPBVLpN25MXSXsNbTSzRt5BoJPRhDedaMACcuWv\nu0It67WL0NK60JQK3dJT4OxvxDzilVhnP/BTgUZcMdaAPk0NJIU7L+pAVLrTkuBT\njCVZN1lGSgv0p0+bzvUVDo8MNAJUnnyUTtrvgF4JlmAtoZIfr3f9Hy9MpZDwFv76\nH00MdcFEIZo5/2MzIRnufD0U4ZSMlk0AtD2sR0g75wDQQu6NqP5OmEMU3pGiTxeu\nDRGe1zR9bbip8jnbCZtBwvou0+uQuzDU80T4nYF/dIsk059HaE/Mx/ETgOEKYyz6\nZ3KkEIn4SLt8ljDBegdgeB69vTqblWdaIdLSWskpgh1RWYDQ1hE0yxzyiz1ya4S8\nurTqExRo9WvtOAvgmo9CX0LC2PR79ttqrQo96mJt24tjAgAE=\n-----END PUBLIC KEY-----\n",
PS. I have not added correct keys so don’t worry.
According to the tutorial here, the
X-MEN-Signature needs to be derived from a key pair: How to write a custom client interfacing a Mender server
@TheYoctoJester Thanks for your reply. How can I get Private key of the device? I can see public key on hosted mender.
As the given tutorial describes, you need create a key pair yourself: How to write a custom client interfacing a Mender server
@TheYoctoJester To ensure proper functionality, is it imperative for the device status to be in a pending state? Is there a possibility of utilizing the public key of an accepted device in the API request? In case this isn’t feasible, as outlined in the tutorial, are we required to generate a new set of private and public keys, and should the resulting public key be employed exclusively for X-MEN-Signature purposes or also embedded in the device?
Maybe there is a misunderstanding here. The flow is like that:
- you generate a per-device key pair, and use that to call
- this returns
unauthorised, and places the device in “Pending” state on the management interface
- you accept the device in the management interface. The public key is displayed for verification here.
- upon the next call to
auth_request, the JWT token is returned.
@TheYoctoJester Thanks for sharing the flow. So once I generate the key pair and call the auth_request which returns the unauthorized then it will create a new device in a pending state and will be showing on the management interface. Is this understanding correct?
@vimoxshah that is correct, yes.
@TheYoctoJester I’ve tried to create a new key pair and called auth_request API and received unauthorized error which is expected. but I can’t see any new pending device on our interface? what could be the reason?
@TheYoctoJester As mentioned earlier I’ve tried to create a new key pair and called auth_request API and received unauthorized error which is expected. but I can’t see any new pending device on our interface? Can you please help what am I missing?
From the outside it’s hard to tell, so you have to go digging yourself now. A few places to start:
- if it is a self-hosted instance: look at the logs
- can you connect a device running the original Mender Client?
- what is the actual reason for replicating the authentication?
@TheYoctoJester actually we want to make device provisioning feature from our product but behind the scene we would like to use mender for OTA etc. so when end user actually confirm the device on our UI then only we would like to accept device on mender side also we would like to set few attributes for a device on mender side so we can distinguish it for each customers. so using device apis are really helpful for us. but we stuck on device auth at this moment. hope you get the idea of our requirements.
@vimoxshah to be honest, I don’t understand it, sorry.
What you’re describing is a whole different flow to me:
- the device runs Mender Client and requests authentication to the Mender Server
- the server puts the device into pending state
- the device is accepted. This can either be done through the web dashboard - or your custom logic, calling the device auth endpoint: Mender API docs
For specific device customisation, you can either set tags per device through the API (server-side), or use the configure AddOn to push configuration items to the device: Configure | Mender documentation
@TheYoctoJester We can use tags but management api do not return tags in api response.
@vimoxshah the device inventory endpoints (Mender API docs) do include the tags, so I still fail to understand the problem.
The only reason I can see for reimplementing the
auth_requests call is to write a custom client implementation - and as you stated not doing that, I just have to guess that something in your reasoning is either off, or you are not sharing an essential piece of information required to understand the problem.
@TheYoctoJester Simply I would like to set few fields in scope of device identity using APIs. To achieve this I require device JWT. Let me know how can I achieve it. I got your point that device inventory endpoint provide the details all scopes tags, inventory. but I don’t want to use tags for few important fields.
If you can provide tags data in List devices this endpoint then it would be great.
@vimoxshah sorry, but that reasoning is off.
Fields in the device inventory are set as either tags, or from the device itself during an inventory update. To add things from the device see Inventory | Mender documentation
The endpoint for adding tags I have already given. You also would not use a per device JWT for that, but a personal access token as described here: Using the APIs | Mender documentation.
We’re getting closer, I think. So you’re trying to get a list of devices based on some information. How about using inventory filters and search? Mender API docs
@TheYoctoJester That’s true. I am trying filter and search API but API is responding with empty result. I’ve created tags but do not know why result is coming as empty array
Progress then. Again, what kind of instance is this? Self-hosted OSS? How does your filter look like?