Authenticate as a user

The Bosch IoT Things service offers various ways to authenticate as a user.

You can use

  • a Bosch-ID,
  • a user from Bosch IoT Permissions service, or
  • a Google Account.

Bosch-ID

A user registered at the Bosch-ID service can be authenticated via JWT. The JWT can be passed to Bosch IoT Things API with the Authorization header using the prefix Bearer.

Example

The Bosch-ID OAuth flow is implemented in an example project: Bosch IoT Permissions > Developer Guide > Example project for Identity Provider integration.


Bosch IoT Permissions service

In order to get full control of your users, their group membership and role assignments, you will need your own tenant representation within the Bosch IoT Permissions service. Bosch IoT Permissions entities like users, groups and roles can be applied as authorized subjects for the policy of your thing.

  • See Bosch IoT Permissions - Developer Guide > Basic Entities for details on the Bosch IoT Permissions entities.
  • See Basic concepts > Policies for details on the permissions in the context of our Things service.

Prepare your tenant representation

Bosch IoT Permissions is a fully managed cloud service.

  1. Follow the instructions at Register a user to create your own Bosch IoT Permissions instance for your project.
  2. Use the Bosch IoT Permissions - Administrator UI to create further users, groups or roles and link them to each other according to your usage scenario; see Bosch IoT Permissions - Basic Entities.
  3. Bind your application to your Bosch IoT Permissions service instance.

Basic authentication

For Basic authentication, the user name is composed of the tenant name and the user's name, separated by a backslash (\) character.

Example
tenantx-user

Identity Context ID

As soon as a user is authenticated via Basic authentication at the Bosch IoT Permissions service (via Service API 1), the service creates an Identity Context ID.
This Identity Context ID can be passed to the Bosch IoT Things API with the x-im-context-id header.

Find an example of how to generate it at Bosch IoT Permissions > Developer Guide > Create an Identity Context using the Bosch IoT Permissions Service API 1 with Username-Password Authentication.

Example
im-context-id

JSON Web Token (JWT)

As soon as a user is authenticated via Basic authentication at the Bosch IoT Permissions service (via Service API 2), the service creates a JSON Web Token (JWT).

The Bosch IoT Permissions service can issue two types of token, an ID Token and an Authorization Token, both of which can be used at Bosch IoT Things for user authentication.
Although both types are supported, we recommend the Authorization Token: it can additionally carry group and role information, so you can use a group ID or role ID as a subject in the policies of your things.

The JWT can be passed to the Bosch IoT Things API with the Authorization header using the prefix Bearer.

Example

To create the JWT, perform the following steps:

  1. Use the Service API 2 at https://apidocs.bosch-iot-suite.com/?urls.primaryName=Bosch%20IoT%20Permissions
    • Authenticate with the ClientAccessToken, i.e. clientId:clientSecret, which you received at service booking
  2. Request an ID Token at the Login resource /authentication/{user_tenant}
    • Make the fields visible with Try it out
    • In the Authorization field enter your Basic Auth header containing the credentials base64(username:password)
    • In the user_tenant field enter the ID or the name of the user's tenant
    • Click Execute to submit the request
    • Copy the id_token from the response
  3. Request an Authorization Token at the resource /authorization/{user_tid}
    • Enter Bearer and paste the ID Token in Authorization
    • Enter your Tenant ID in user_tid
    • Enter trid,gid (tenant role IDs and group IDs) in scope
    • The result is a Bearer token which contains the tenant roles and groups assigned to that user.
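The credential handling described on this page (a Basic user name of the form tenant\username, a JWT carried as Bearer, an Identity Context ID carried in x-im-context-id, and the advice to prefer an Authorization Token that carries groups and roles) as an added Python example; it is not code from the Bosch IoT Things or Bosch IoT Permissions projects. The names of the group/role claims a policy relies on are an assumption supplied by the caller, and the demo token is constructed and unsigned.

```python
import base64
import json
import time
from typing import Iterable, Optional


def basic_auth_header(tenant: str, username: str, password: str) -> str:
    """Basic header for Bosch IoT Permissions: the user name is '<tenant>\\<username>'
    (note the backslash), joined to the password with ':' and base64-encoded."""
    raw = f"{tenant}\\{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying it. The signature is
    verified by Bosch IoT Things; this is only a client-side pre-flight inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def jwt_problem(token: str, required_claims: Iterable[str] = (),
                now: Optional[float] = None) -> Optional[str]:
    """Return why a JWT should not be sent to Things, or None if it looks usable.
    required_claims names the claims a thing policy relies on (e.g. group/role
    claims); the real claim names are an assumption and come from the token issuer."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return "expired: request a fresh token"
    missing = [c for c in required_claims if c not in claims]
    if missing:
        return f"missing claims {missing}: request an Authorization Token with scope trid,gid"
    return None


def things_auth_headers(jwt: Optional[str] = None, context_id: Optional[str] = None) -> dict:
    """Header for a Bosch IoT Things request: Bearer JWT or Identity Context ID."""
    if jwt is not None:
        return {"Authorization": "Bearer " + jwt}
    if context_id is not None:
        return {"x-im-context-id": context_id}
    raise ValueError("no credential given")


def make_demo_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED demo token for offline use only (dummy signature part)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```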

Google Account

A Google user can be authenticated via JWT.

The JWT can be passed to the Bosch IoT Things API with the Authorization header using the prefix Bearer.

For more information on Google authentication see developers.google.com.
