Device Auth API Post Help

I am using this guide,https://docs.mender.io/1.3/apis/device-apis/device-authentication#auth_requests-post, to get this to work but I am having difficulty.

I am able to get the X-MEN-signature by following these steps:

  1. Generate Public key from deviceauth, openssl rsa -in private.key -pubout -out pubkey.pem
  2. Sign and output to SHA256, openssl dgst -sha256 -sign private.key -out request.sha256 request.txt
  3. Use Base64 to output the results, openssl base64 -in request.sha256 -out request.signature.sha256

I call the request via a ARC chrome add on and I get the following message:

{

“error”: “signature verification failed”,

“request_id”: “3ae482d5-e25f-4b53-a8e2-d78c72c8be8d”

}

The documentation says to use the The device’s public key, generated by the device or pre-provisioned by the vendor, but I am not sure what private / public key pair to use. Also, the documentation has the json object malformatted, which is odd.

Thanks,
– Jorge

This tutorial might be helpful,

Thanks for the help. I was able to get the custom fields working. I can’t filter by custom fields but maybe that will be fixed in the UI later? I also see now that I have two Authorization public keys and only one of them can be active at a time. So yes, I can update and add custom field names but I can not update the firmware unless I switch back to the previous Authorization public key set. Is this being addressed in the future or just something that we have to be aware of? Is there anyway we can update the device custom fields from an administrator account? I tried to use the API for getting the devices but I get a 404 Not found for “api/management/v1/admission/devices”.

 curl   -k  -H "Content-Type: application/json"  -H "Authorization: Bearer $JWT" ${MENDER_SERVER_URL}/api/management/v1/admission/devices
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>openresty/1.13.6.2</center>
</body>

Also using the JWT I get the following 401 error:
curl -k -H "Authorization: Bearer {JWT}" {MENDER_SERVER_URL}/api/management/v1/inventory/devices

401 Authorization Required

401 Authorization Required



openresty/1.13.6.2

I could use the JWT token to update the curl-client device so the token is working. I’ll try and update the docker UI, as it’s in 2.2.1 , to see if it helps.

Thanks,
– Jorge

You should be able manage the authentication sets of the device under the “Device” tab in the GUI.

I tried to use the API for getting the devices but I get a 404 Not found for “api/management/v1/admission/devices”.

This does not seem to be a valid endpoint, can you try with /api/management/v2/devauth/devices ?

I see both sets, the question is why can’t the device download the firmware when the device auth set is being used? Is that just as designed or is this going to change in the future?

I still get the same error, this url works:
/api/devices/v1/deployments/device/deployments/next?artifact_name=2020.02.13&device_type=raspberrypi4

but not the one you pointed me to, I still get 401 Authorization Required.

It is by design, only one authset can be valid at any given time and if your device has two authsets, you probably need to authorize the “new” set and “discard” the old one to give the device access.

Typically the authset of a device should not change trough out the lifecycle, unless you rotate the keys on the device.

/api/management/v2/devauth/devices

This is a management API and there is a different authorization workflow for this, compared to the /api/devices/…

To access the managment API you need to login, using https://docs.mender.io/2.2/apis/open-source/management-apis/user-administration-and-authentication#auth-login-post.

But accessing the management API is typically not something that you would do from a device, and instead is instead for 3rd-party services on the server side of things.

Ok, so I found the mender-agent private key, which was located in /data/mender/mender-agent.pem and I am using that. That seems to work as expected. Here is the summary:

Using New Auth Set from Device

  • Can Change Fields
  • Can not Update firmware

Using Mender-Agent Auth Set

  • Can Change Fields
  • Can Update firmware

Based on the link you gave me I thought I had to create my own device auth set, in this case I do not want to do this. Using the mender-agent auth set will work to get the JWT and to add the new fields.

I was able to login using basic authb but I did not find any PUT methods that I could update the device attributes. It seems that the only way to update the device attributes is using the device attribute put method, is that correct?

Thanks for your help.