Validate device JWT authentication token on custom server

General Discussions
,
1

We want to use the device JWT authentication token on our custom server to identify a device. The plan is to get a token via D-Bus with the GetJwtToken Method and use it as the bearer-token to call our server.
As we want to validate the token on the server side we would need the public key of the key pair that signed the token. We use a hosted solution.

  • Is the public key of the hosted solution somewhere available?
  • Is there another mechanism in place to validate a JWT token?
  • Is it possible to check if the JWT token has been revoked? (The jti field implies that such a mechanism exists Doc)
2

hello @anysomewhere

thank you for your interest in Mender.
one idea that comes to mind is:

jwt=`dbus-send --system --dest=io.mender.AuthenticationManager --print-reply /io/mender/AuthenticationManager io.mender.Authentication1.GetJwtToken | grep -F string | grep -vF http | sed -e 's/[ ]*string //' -e 's/"//g'`

curl -v -X GET -H "Authorization: Bearer $jwt" -H "Content-Type: application/json;"  "https://hosted.mender.io/api/devices/v1/deviceconnect/connect"

if the above call returns 401 HTTP Unauthorized it means the token was not valid. on the other hand if the above call returns 400 HTTP with error about upgrading to websocket, then it means the token was valid.

at the moment we do not advertise the public key, and if the token has been revoked it will not pass the above test.

best regards,
peter

3

Hello @peter

Thank you for the hint. Looks like a valid way to check the token. We will implement it like that with some caching on our side of course.

4

Hello @anysomewhere

good to hear that.
I am super curious about your use case, could you describe it in more details? The reason I am asking is: I want to know how we can help you. If the material is confidential please drop me an email peter@northern.tech

best regards,
peter

5

Hello @peter

I think I can give you enough details here. As I think the root cause for my question is of interest for alot of members here.

We are using Mender to manage the software of devices worldwide. Those devices produce some telemetry data and alerts that we need to collect in the cloud (Google Cloud Platform in our case).
The first idea was to use the integration in Google IoT Core. This way we don’t need to manage two sets of identites for the devices*. The problem is that Google will shut down its IoT Core Platform in about a year and we don’t want to build something that will stop working anyways.

The solution we came up is to use Google Cloud Functions to provide an API that will accept the telemetry data and use the existing JWT token of the device as authentication (for the same reason as above*).

We are open for easier or better solutions. If you need more details, please let me know and I will drop you an email.

Thank you for your support.

Best regards,
Yann