Credentials API Specification
The Credentials API is used by Protocol Adapters to retrieve credentials used to authenticate Devices connecting to the adapter. In particular, the API supports to look up shared secrets which are often used by IoT devices by means of username/password based authentication schemes.
Credentials are of a certain type which indicates which authentication mechanism the credentials can be used with. Each set of credentials also contains an authentication identity which is the identity claimed by the device during authentication. This authentication identity is usually different from the device-id the device has been registered under. A device may have multiple sets of credentials, using arbitrary authentication identities.
The Credentials API is defined by means of AMQP 1.0 message exchanges, i.e. a client needs to connect to Hono using an AMQP 1.0 client in order to invoke operations of the API as described in the following sections.
Preconditions for invoking the Credentials API
- Client has established an AMQP connection with the Credentials service.
- Client has established an AMQP link in role sender on the connection using target address
credentials/${tenant_id}. This link is used by the client to send commands to the Credentials service. - Client has established an AMQP link in role receiver on the connection using source address
credentials/${tenant_id}/${reply-to}where reply-to may be any arbitrary string chosen by the client. This link is used by the client to receive responses to the requests it has sent to the Credentials service. This link’s source address is also referred to as the reply-to address for the request messages.
Client connecting to Credentials service
Get Credentials
Protocol adapters use this command to look up credentials of a particular type for a device identity.
Message Flow
Client looking up credentials for a device
Request Message Format
The following table provides an overview of the properties a client needs to set on an get credentials message.
| Name | Mandatory | Location | AMQP Type | Description |
|---|---|---|---|---|
| correlation-id | no | properties | message-id | MAY contain an ID used to correlate a response message to the original request. If set, it is used as the correlation-id property in the response, otherwise the value of the message-id property is used. Either this or the message-id property MUST be set. |
| message-id | no | properties | string | MAY contain an identifier that uniquely identifies the message at the sender side. Either this or the correlation-id property MUST be set. |
| reply-to | yes | properties | string | MUST contain the source address that the client wants to receive response messages from. This address MUST be the same as the source address used for establishing the client’s receive link (see Preconditions). |
| subject | yes | properties | string | MUST contain the value get. |
The body of the request MUST consist of a single Data section containing a UTF-8 encoded string representation of a single JSON object having the following members:
| Name | Mandatory | JSON Type | Description |
|---|---|---|---|
| type | yes | string | The type of credentials to look up. Potential values include (but are not limited to) psk, x509-cert, hashed-password etc. |
| auth-id | yes | string | The authentication identifier to look up credentials for. |
| client-certificate | no | string | The client certificate the device authenticated with. If present, it MUST be the DER encoding of the (validated) X.509 client certificate as a Base64 encoded byte array and its subject DN MUST match the auth-id. |
The client-certificate property MAY be used by the service implementation for auto-provisioning of devices. To do so, the device registry needs to create credentials (and registration data) for the device if they do not already exist.
Additionally, the body MAY contain arbitrary properties that service implementations can use to determine a device’s identity.
The following request payload may be used to look up the hashed password for a device with the authentication identifier sensor1:
{
"type": "hashed-password",
"auth-id": "sensor1"
}
The following request payload may be used to look up or create x509-cert credentials for a device with the authentication identifier CN=device-1,O=ACME Corporation:
{
"type": "x509-cert",
"auth-id": "CN=device-1,O=ACME Corporation",
"client-certificate": "DeviceCert=="
}
Response Message Format
A response to a get credentials request contains the following properties:
| Name | Mandatory | Location | AMQP Type | Description |
|---|---|---|---|---|
| correlation-id | yes | properties | message-id | Contains the message-id (or the correlation-id, if specified) of the request message that this message is the response to. |
| content-type | no | properties | string | MUST be set to application/json if the invocation of the operation was successful and the body of the response message contains payload as described below. |
| status | yes | application-properties | int | Contains the status code indicating the outcome of the operation. Concrete values and their semantics are defined below. |
| cache_control | no | application-properties | string | Contains an RFC 2616 compliant cache directive. The directive contained in the property MUST be obeyed by clients that are caching responses. |
The response message payload MUST contain credential information as defined in Credentials Format if the status is 200 or 201.
The response message’s status property may contain the following codes:
| Code | Description |
|---|---|
| 200 | OK, the payload contains the credentials for the authentication identifier. |
| 201 | Created, the payload contains the newly created credentials for the authentication identifier. |
| 400 | Bad Request, the request message did not contain all mandatory properties or the subject DN of the certificate does not match the authentication identifier. |
| 404 | Not Found, there are no credentials registered matching the criteria. |
For status codes indicating an error (codes in the 400 - 499 range) the message body MAY contain a detailed description of the error that occurred.
In this case, the response message’s content-type property SHOULD be set accordingly.
Delivery States
The Credentials service uses the following AMQP message delivery states when receiving request messages from clients:
| Delivery State | Description |
|---|---|
| ACCEPTED | Indicates that the request message has been received and accepted for processing. |
| REJECTED | Indicates that the request message has been received but cannot be processed. The disposition frame’s error field contains information regarding the reason why. Clients should not try to re-send the request using the same message properties in this case. |
Credentials Format
Credential data is carried in the body of an AMQP message as part of a single Data section. The message’s content-type property must be set to application/json.
The credential data is contained in the Data section as a UTF-8 encoded string representation of a single JSON object. It is an error to include payload that is not of this type.
The table below provides an overview of the standard members defined for the JSON object:
| Name | Mandatory | JSON Type | Default Value | Description |
|---|---|---|---|---|
| device-id | yes | string | The ID of the device to which the credentials belong. | |
| type | yes | string | The credential type name. The value may be arbitrarily chosen by clients but SHOULD reflect the particular type of authentication mechanism the credentials are to be used with. Possible values include (but are not limited to) psk, x509-cert, hashed-password etc. |
|
| auth-id | yes | string | The identity that the device should be authenticated as. | |
| enabled | no | boolean | true | If set to false the credentials are not supposed to be used to authenticate devices any longer. This may e.g. be used to disable a particular mechanism for authenticating the device. NB It is the responsibility of the protocol adapter to make use of this information. |
| secrets | yes | array | A list of secrets scoped to a particular time period. See Secrets Format for details. NB This array must contain at least one element - an empty array is considered an error. |
For each set of credentials the combination of auth-id and type MUST be unique within a tenant.
The device registry may choose to not return information which is not suitable for authentication a device. This includes for example the enabled property. If set to false, then the device registry may choose to treat this request as if no credentials would be found. For secrets for example, this could mean that the device registry does not return secrets which are not valid at the current point in time.
Care needs to be taken that the value for the authentication identifier is compliant with the authentication mechanism(s) it is supposed to be used with. For example, when using standard HTTP Basic authentication, the username part of the Basic Authorization header value (which corresponds to the auth-id) MUST not contain any colon (:) characters, because the colon character is used as the separator between username and password. Similar constraints may exist for other authentication mechanisms, so the authentication identifier needs to be chosen with the anticipated mechanism(s) being used in mind. Otherwise, devices may fail to authenticate with protocol adapters, even if the credentials provided by the device match the credentials registered for the device. In general, using only characters from the [a-zA-Z0-9_-] range for the authentication identifier should be compatible with most mechanisms.
Secrets Format
Each set of credentials may contain arbitrary secrets scoped to a particular validity period during which the secrets may be used for authenticating a device. The validity periods MAY overlap in order to support the process of changing a secret on a device that itself doesn’t support the definition of multiple secrets for gapless authentication across adjacent validity periods.
The table below contains the properties used to define the validity period of a single secret:
| Name | Mandatory | JSON Type | Default Value | Description |
|---|---|---|---|---|
| not-before | no | string | null |
The point in time from which on the secret may be used to authenticate devices. If not null, the value MUST be an ISO 8601 compliant combined date and time representation in extended format. NB It is up to the discretion of the protocol adapter to make use of this information. |
| not-after | no | string | null |
The point in time until which the secret may be used to authenticate devices. If not null, the value MUST be an ISO 8601 compliant combined date and time representation in extended format. NB It is up to the discretion of the protocol adapter to make use of this information. |
Examples
Below is an example for a payload containing a hashed password for device 4711 with auth-id sensor1 using SHA512 as the hashing function with a 4 byte salt (Base64 encoding of 0x32AEF017). Note that the payload does not contain a not-before property, thus it may be used immediately up until X-mas eve 2017.
{
"device-id": "4711",
"type": "hashed-password",
"auth-id": "sensor1",
"enabled": true,
"secrets": [{
"not-after": "2017-12-24T19:00:00+0100",
"pwd-hash": "AQIDBAUGBwg=",
"salt": "Mq7wFw==",
"hash-function": "sha-512"
}]
}
The next example contains two pre-shared keys with overlapping validity periods for device myDevice with PSK identity little-sensor2.
{
"device-id": "myDevice",
"type": "psk",
"auth-id": "little-sensor2",
"enabled": true,
"secrets": [{
"not-after": "2017-07-01T00:00:00+0100",
"key": "cGFzc3dvcmRfb2xk"
},{
"not-before": "2017-06-29T00:00:00+0100",
"key": "cGFzc3dvcmRfbmV3"
}]
}
Credential Verification
Protocol Adapters are responsible for authenticating devices when they connect. The Credentials API provides the Get Credentials operation to support Protocol Adapters in doing so as illustrated below:
The following sequence diagram illustrates the flow of messages involved in a Protocol Adapter authenticating a device. This is shown for the MQTT Protocol Adapter as example how a device authenticates with a username and a hashed-password. The mechanism can be transferred to other protocols in a similar manner.
MQTT Adapter authenticates device using the Credentials service
Protocol adapters MUST comply with the following rules when verifying credentials presented by a device:
-
Credentials that have their enabled property set to
falseMUST NOT be used for authentication. -
Adapters MUST only consider secrets for authentication which
- have their not-before property set to either
nullor the current or a past point in time and - have their not-after property set to either
nullor the current or a future point in time.
- have their not-before property set to either
Standard Credential Types
The following sections define some standard credential types and their properties. Applications are encouraged to make use of these types. However, the types are not enforced anywhere in Hono and clients may of course add application specific properties to the credential types.
Common Properties
All credential types used with Hono MUST contain device-id, type, auth-id, enabled and secrets properties as defined in Credentials Format.
Hashed Password
A credential type for storing a (hashed) password for a device.
Example:
{
"device-id": "4711",
"type": "hashed-password",
"auth-id": "sensor1",
"secrets": [{
"pwd-hash": "AQIDBAUGBwg=",
"salt": "Mq7wFw==",
"hash-function": "sha-512"
}]
}
| Name | Mandatory | JSON Type | Default | Description |
|---|---|---|---|---|
| type | yes | string | The credential type name, always hashed-password. |
|
| auth-id | yes | string | The identity that the device should be authenticated as. | |
| pwd-hash | yes | string | The password hash (see table below for details). | |
| salt | no | string | The Base64 encoding of the salt used in the password hash (see table below for details). | |
| no | string | sha-256 |
The name of the hash function used to create the password hash. The hash functions supported by Hono are described in the table below. |
It is strongly recommended to use salted password hashes only. Furthermore, the salt should be unique per user and password, so no lookup table or rainbow table attacks can be used to crack the salt-hashed password. Whenever a password is updated for a user, the salt should change as well.
The example above does not contain any of the not-before, not-after and enabled properties, thus the credentials can be used at any time according to the rules defined in Credential Verification.
The table below describes the hash functions supported by Hono and how they map to the secret structure.
| Name | Salt Usage | Salt Location | Password Hash Format |
|---|---|---|---|
| sha-256 | optional | salt field | The Base64 encoding of the bytes resulting from applying the sha-256 hash function to the byte array consisting of the salt bytes (if a salt is used) and the UTF-8 encoding of the clear text password. |
| sha-512 | optional | salt field | The Base64 encoding of the bytes resulting from applying the sha-512 hash function to the byte array consisting of the salt bytes (if a salt is used) and the UTF-8 encoding of the clear text password. |
| bcrypt | mandatory | pwd-hash value | The output of applying the Bcrypt hash function to the clear text password. The salt is contained in the password hash. NB Hono (currently) uses Spring Security for matching clear text passwords against Bcrypt hashes. However, this library only supports hashes containing the $2a$ prefix (see https://github.com/fpirsch/twin-bcrypt#about-prefixes) so Hono will fail to verify any passwords for which the corresponding Bcrypt hashes returned by the Credentials service contain e.g. the $2y$ prefix. |
Pre-Shared Key
A credential type for storing a Pre-shared Key as used in (D)TLS handshakes.
Example:
{
"device-id": "4711",
"type": "psk",
"auth-id": "little-sensor2",
"secrets": [{
"key": "AQIDBAUGBwg="
}]
}
| Name | Mandatory | JSON Type | Description |
|---|---|---|---|
| type | yes | string | The credential type name, always psk. |
| auth-id | yes | string | The PSK identity. |
| key | yes | string | The Base64 encoded bytes representing the shared (secret) key. |
The example above does not contain any of the not-before, not-after and enabled properties, thus the credentials can be used at any time according to the rules defined in Credential Verification.
X.509 Certificate
A credential type for storing the RFC 2253 formatted subject DN of a client certificate that is used to authenticate the device as part of a (D)TLS handshake.
Example:
{
"device-id": "4711",
"type": "x509-cert",
"auth-id": "CN=device-1,O=ACME Corporation",
"secrets": [{}]
}
| Name | Mandatory | JSON Type | Description |
|---|---|---|---|
| type | yes | string | The credential type name, always x509-cert. |
| auth-id | yes | string | The subject DN of the client certificate in the format defined by RFC 2253. |
The example above does not contain any of the not-before, not-after and enabled properties. The not-before
and not-after properties should be omitted if the validity period is the same as the period indicated by the client
certificate’s corresponding properties. It is still necessary to provide a (empty) JSON object in the secrets array,
though.
Raw Public Key
A credentials type for storing a public key as used in the JSON Web Token based Authentication to authenticate a device.
Example with public key:
{
"device-id": "4711",
"type": "rpk",
"auth-id": "sensor1",
"secrets": [
{
"key": "MIIBIjANBgkqhki...yn7qGrzgQIDAQAB"
}
]
}
Example with X.509 certificate:
{
"device-id": "4711",
"type": "rpk",
"auth-id": "sensor1",
"secrets": [
{
"cert": "MIIDezCCAmOgAwI...GCfMrYD6dnpbg=="
}
]
}
| Name | Mandatory | JSON Type | Description |
|---|---|---|---|
| type | yes | string | The credential type name, always rpk. |
| auth-id | yes | string | The identity that the device should be authenticated as. |
| key or cert | yes | string | The Base64 encoded binary DER encoding of the public key (key) or X.509 certificate (cert). In case a certificate is provided the public key will be extracted from it and the certificate discarded. |
The example above does not contain any of the not-before, not-after and enabled properties, thus the credentials can be used at any time according to the rules defined in Credential Verification.