Verify device auth in custom server

I’m trying to figure out a solution to the problem mentioned in this post, where preauthorized devices don’t get updates when they first turn on and a device that gets shut off in the middle of an update won’t try to update on its own. As mentioned in that thread, a custom tool that uses the API is the best way to go about doing this. I probably will just poll periodically to ask the Mender server if any new devices have come online, and if so, send an update. However, for redeploying “failed” updates (that were restarted in the Download phase), I would prefer to have the device ask for a redeployment, so I don’t keep sending updates that fail in later stages and need to be rolled back. I’m imagining having a custom update module or state script that sets a flag in the download enter phase, clears it on install begin, and if the flag is present at boot, sends a request to a custom server to re-deploy.

If I were to write a custom server like that, what is the best way for me to authorize an arbitrary device without modifying the Mender server source? Right now, I’m thinking the best solution is to call /auth_requests from the server side, and then if that API call is successful, create a new deployment. Is there a better way to do this (if so, ignore the rest of this)? I think I need to re-implement part of the Mender client to call all the identity scripts, grab the tokens and keys, and send that data to my server, where my server will forward it to Mender, and look at the JWT that’s returned.

  • Is id_data, which is part of AuthRequest, compared just as data, or does it need to have the exact same order and formatting as the Mender client? i.e. is the JSON data unpacked before being put into the database, or is it stored as-is as a string? This forum post mentions that “This command will trim newlines, and it is very important to do this, otherwise the data will not match what is sent out, and this also means that the signature would be invalid”: is this just a bash thing in terms of some commands will trim newlines and some won’t (and using another language won’t have this problem), or does exact spacing matter in the Mender server?
    • Do I even need to include id_data? Will it be overwritten if I just submit {}, or ignored after the initial authentication?
  • Is the sub in the JWT the same as the devices array when creating a new deployment?
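An added example, not code from the original post or from the Mender project, showing the part of the client the poster is considering re-implementing: building the auth request body and signing it. It assumes the documented shape of the POST /api/devices/v1/authentication/auth_requests body (id_data carried as a JSON string, pubkey as PEM, optional tenant_token) and the documented RSA signature scheme (SHA-256, PKCS#1 v1.5, base64 in the X-MEN-Signature header); the identity map and the generated key are constructed samples. The verification half mirrors what the server does, which makes the newline question concrete: the signature is over the exact bytes sent, so a body with an extra trailing newline fails verification while the unmodified body passes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// AuthRequest is the assumed body of POST /api/devices/v1/authentication/auth_requests.
// Note that id_data is a JSON *string* holding serialised identity data, not a nested object.
type AuthRequest struct {
	IDData      string `json:"id_data"`
	PubKey      string `json:"pubkey"`
	TenantToken string `json:"tenant_token,omitempty"`
}

// BuildAuthRequest serialises the identity map once, embeds the result as id_data,
// and returns the body bytes. Those exact bytes must be both signed and sent.
func BuildAuthRequest(identity map[string]string, pubPEM, tenantToken string) ([]byte, error) {
	idData, err := json.Marshal(identity)
	if err != nil {
		return nil, err
	}
	return json.Marshal(AuthRequest{IDData: string(idData), PubKey: pubPEM, TenantToken: tenantToken})
}

// SignBody produces the X-MEN-Signature header value: base64(RSA-PKCS1v15(SHA-256(body))).
func SignBody(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBody is the server-side check: hash the bytes actually received and verify
// the signature against the pubkey carried inside the body itself.
func VerifyBody(pubPEM string, body []byte, sigB64 string) error {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil {
		return fmt.Errorf("pubkey is not PEM")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("pubkey is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// PublicKeyPEM encodes the device public key in the PKIX/PEM form sent in the body.
func PublicKeyPEM(priv *rsa.PrivateKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed device key
	pubPEM, _ := PublicKeyPEM(priv)
	identity := map[string]string{"mac": "00:11:22:33:44:55"} // constructed identity data
	body, _ := BuildAuthRequest(identity, pubPEM, "")
	sig, _ := SignBody(priv, body)
	fmt.Println("exact body verifies:     ", VerifyBody(pubPEM, body, sig) == nil)
	withNewline := append(append([]byte{}, body...), '\n') // what a newline-appending shell step would send
	fmt.Println("body+newline verifies:   ", VerifyBody(pubPEM, withNewline, sig) == nil)
}
```

The practical answer this demonstrates: whether the server stores id_data unpacked or as a string does not matter for the signature, because the signature covers the whole request body as bytes. Whatever language you use, serialise once, sign those bytes, and send those same bytes, and the trailing-newline issue never arises.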