JWT with Edge Connect
Let’s analyze the most common scenario: using a JWT to identify an IoT Edge Connect client and grant it access to the topics the token permits.
First, let’s have a look at the sample namespace configuration in the IoT Edge Connect application. To publish or subscribe to the topics defined in the access control lists of the sample Diagnostics - JP namespace configuration, you need to provide a JWT. When building the token, include the authorization groups whose permissions you want to grant to the client, set an expiration time, and sign the token with your private RSA key. A signed JWT acts as a temporary client credential: it lets the client communicate with the permitted topics until the token’s expiration time. See IoT-supported registered claims.
Now let’s analyze how this sample IoT Edge Connect property configuration tells the Akamai platform to search for and process JWTs in requests. Here, it directs edge servers to check the X-JWT-Location request header for tokens, use the public keys stored in the EdgeConnectKeySet key collection to authenticate the client by verifying the integrity of the JWT signature, and extract authorization and client-specific information from the clientId claim in the token.
Once the edge server extracts the JWT from the request and verifies its signature, and with it the client’s identity, it reads the payload and permits the client to access the topics that the included authorization groups are entitled to in the Diagnostics - JP namespace configuration. In addition, a token that carries a client identifier lets the client access the topics matched by the namespace’s device identity topic filters.
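The flow described above, as an added example that is not Akamai’s code and not part of the original page: a client builds an RS256-signed JWT carrying a clientId claim and its authorization groups, and an edge-side verifier takes the token from the X-JWT-Location header, validates it against a key collection, enforces exp, and only then checks the requested topic against a small namespace ACL. The clientId claim, the X-JWT-Location header and the idea of a key collection come from the page; the groups claim name, the kid header, the (action, topic filter, groups) ACL format, the {clientId} placeholder standing in for a device identity topic filter, and the hand-rolled RSA are all assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Hand-rolled 1024-bit RSA (PKCS#1 v1.5, SHA-256) keeps the example dependency-free; use PyJWT + cryptography and 2048-bit keys for real clients.
def is_probable_prime(n, rounds=24):            # Miller-Rabin, random bases, n odd and > 3
    r = ((n - 1) & (1 - n)).bit_length() - 1    # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):       # returns (private, public); d = e^-1 mod phi(n)
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1   # odd, exact bit length
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "d": pow(e, -1, phi)}, {"n": p * q, "e": e}

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256
def emsa_pkcs1_v15(msg, k):                     # 0x00 0x01 PS 0x00 DigestInfo, k = modulus size in bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, msg):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    k, s = (pub["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= pub["n"]:
        return False
    return hmac.compare_digest(pow(s, pub["e"], pub["n"]).to_bytes(k, "big"), emsa_pkcs1_v15(msg, k))

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(priv, kid, client_id, groups, ttl=300, now=None):
    """Client side. Claim names assumed here: 'clientId' (named on the page) and 'groups' for
    the authorization groups; 'kid' selects the public key inside the edge key collection."""
    now = int(time.time()) if now is None else now
    header, payload = {"alg": "RS256", "kid": kid}, {"clientId": client_id, "groups": groups, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload))
    return signing_input + "." + b64url(rs256_sign(priv, signing_input.encode()))

class TokenError(Exception): pass

def verify_request(headers, key_set, now=None):
    """Edge side: take the JWT from X-JWT-Location, check it against the key set, enforce exp."""
    try:
        h64, p64, s64 = headers.get("X-JWT-Location", "").split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except ValueError as exc:                    # a missing header, bad base64 and bad JSON all land here
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise TokenError("unexpected alg")       # the token never gets to pick a weaker algorithm
    pub = key_set.get(header.get("kid"))
    if pub is None:
        raise TokenError("unknown kid")          # only keys in the collection can authenticate
    if not rs256_verify(pub, f"{h64}.{p64}".encode(), sig):
        raise TokenError("bad signature")        # nothing in the payload is trusted before this
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if not isinstance(claims.get("clientId"), str):
        raise TokenError("missing clientId")
    return claims

def topic_matches(flt, topic):                   # MQTT-style filter: '+' is one level, '#' the rest
    f, t = flt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def is_authorized(claims, acl, action, topic):
    """acl stands in for the namespace ACL as (action, topic filter, allowed groups) tuples; '{clientId}' in a
    filter is an assumed placeholder for a device identity filter, and groups=None grants by client identity alone."""
    for entry_action, flt, groups in acl:
        if entry_action == action and topic_matches(flt.replace("{clientId}", claims["clientId"]), topic):
            if groups is None or set(groups) & set(claims.get("groups", [])):
                return True
    return False
```

The order of checks in verify_request is the point: the algorithm is pinned to RS256 and the key is looked up from the collection before anything in the payload is read, so a client cannot downgrade to a symmetric algorithm or to alg none, and a payload with extra groups is rejected because the signature no longer matches. Only after the signature and exp pass does the clientId claim feed the device identity filter and the groups claim feed the group-based ACL entries.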