To authenticate IoT devices to our IdP, we rely on the state-of-art authentication method called private key JWT authentication. This requires the IoT device to create a private key JWT which is a JSON object that consists of three parts, a header, a body, as well as a signature.
A private key JWT is a base64 encoded JSON object that is composed of the three parts concatenated and separated by a dot. An example of how a fully assembled JWT may look is displayed below.
Now, let's have a look at the individual components and which claims they have to contain in order to use the JWT to authenticate an IoT device with our IoT IdP.
The header object contains three claims:
- alg: The cryptographic algorithm used to generate the signature of the JWT.
- typ: The type of JWT the object represents. Has to be set to
- kid: The id of the key used to generate the signature of the JWT. This claim has to correspond to the device ID registered with IoT IdP.
An example of how a JWT header may look is displayed below.
The body has two contain two claims
- sub: The subject of the JWT. This claim has to correspond to the device ID registered with the IoT IdP.
- jti: The JWT ID is a 32-character long hexadecimal random number, which has to be unique. As a result, preventing replay attacks and ensures that an issued JWT can only be used once for each device.
An example of how a JWT body may look is displayed below.
The signature is generated using the private key that corresponds to the registered public key and the defined algorithm in the alg claim of the header, e.g. for the above-displayed header the signature is calculated as follows.
base64UrlEncode(header) + "." +