Both authentication methods in authentication rules

To allow some IoT devices to authorize requests with mutual authentication and some other devices with JWTs, you can configure the JWT and mutual authentication behaviors in your property, each in a separate rule. This lets you match requests based on the authentication method that the device uses and extract authorization details with the relevant configuration.

The Authentication with a client certificate rule is the first rule that you need to configure in your property. It includes two mutual authentication behaviors that you can configure to extract a client ID and authorization groups from client certificates. This rule’s match criteria only apply the mutual authentication configuration to requests that present client certificates in the authorization process. If no client certificate is present in the request, the rule lets the Authentication without a client certificate rule handle it.

The Authentication without a client certificate rule is the other rule that you need to configure in your property. It includes the JWT behavior that you can configure to extract a client ID and authorization groups from JWTs passed in the requests. This rule’s match criteria only apply the JWT configuration to requests that don’t present client certificates to the edge servers in the authorization process.

How to

  1. In the Property Configuration Settings section, click Add Rule.
  2. From the list of available rules, select the Authentication with a client certificate rule.
    A rule with two mutual authentication behaviors appears.
  3. Verify that the match criteria apply to all requests that present a Client certificate and that the Provided box is checked.
  4. Depending on your configuration, set up the mutual authentication behaviors to extract client IDs, authorization groups, or both from client certificates.
    You can also add variable hash, variable regex, and variable substring transformation behaviors to manage variables extracted from a client certificate. See Configure the Mutual Authentication behavior.
  5. In the Property Configuration Settings section, click Add Rule.
  6. From the list of available rules, select the Authentication without a client certificate rule.
    A rule with the JWT behavior appears.
  7. Verify that the match criteria apply to all requests that don’t present a Client certificate and that the Provided box is unchecked.
  8. Depending on your configuration, set up the JWT behavior to extract client IDs, authorization groups, or both from the JWTs passed in requests.

Example

Suppose you have two IoT devices, one authorizing its requests with a client certificate and the other with JWTs. For the first device’s requests, this property uses the mutual authentication configuration, extracts both a client ID and authorization groups, and grants access to the relevant resources based on this authorization data. For the other device’s requests, this property uses the JWT authorization configuration, extracts both a client ID and authorization groups, and grants access to the relevant resources based on this authorization data.

Image: Mutual authentication configuration in an authentication rule

Image: JWT configured in an authentication rule
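The rule order described above, as an added example in Python (not Akamai's own code or property configuration): a dispatcher that sends every request presenting a client certificate to the certificate extractor and only certificate-less requests to the JWT extractor. The certificate field mapping (CN as client ID, OU values as groups), the JWT claim names (`sub`, `groups`) and the HS256 shared secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the demo tokens (an assumption, not from the page).
JWT_SECRET = b"constructed-demo-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:
    """Mint an HS256 token for the demo; real devices get theirs from an issuer."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def from_certificate(cert: dict) -> dict:
    """Rule 1 (Client certificate: Provided): client ID from the subject CN,
    authorization groups from the subject OU values (assumed field mapping)."""
    subject = cert["subject"]
    return {"client_id": subject["CN"], "groups": sorted(subject.get("OU", []))}

def from_jwt(token: str) -> Optional[dict]:
    """Rule 2 (no client certificate): check the signature first, then read the
    client ID and groups from the 'sub' and 'groups' claims (assumed names)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # tampered or foreign token: no authorization data
    claims = json.loads(b64url_decode(payload))
    return {"client_id": claims["sub"], "groups": sorted(claims.get("groups", []))}

def authorize(request: dict) -> Optional[dict]:
    """Evaluate the two rules in the order the page describes: the certificate
    rule handles every request that presents a certificate (a JWT carried by
    such a request is ignored); only certificate-less requests reach the JWT rule."""
    if request.get("client_cert") is not None:
        return from_certificate(request["client_cert"])
    token = request.get("jwt")
    return from_jwt(token) if token else None
```

A request with neither credential, or with a JWT whose signature does not verify, yields no authorization data, so no resource is granted on either path.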