Search
Connect a Device
Cloud

Authenticate your PKI provider with OpenID Connect

Read More
Trond Snekvik
Trond Snekvik
5
0

In December, we introduced hosted PKI provider integration as a new way of authenticating devices with Golioth. Today, we’re happy to announce another step forward in device security with support for Identity Provider based authentication when connecting to your PKI provider.

The new authentication method takes advantage of OpenID Connect to allow you to grant Golioth access to your PKI provider without the need to create long term credentials. Although we’ll continue to support the existing access key based connection method, we recommend that all new designs utilize identity provider based authentication, as it allows Golioth to authenticate to AWS without storing any key material.

How does the identity provider work?

OpenID Connect is an open authentication standard built on top of OAuth 2.0, that allows web services to authenticate requests without any pre-shared key material. Golioth’s new ID Provider service allows your Golioth projects to authenticate themselves with JSON Web Tokens (JWTs) issued by Golioth’s internal ID Provider, allowing your project to make authenticated requests without storing an access key in Golioth’s backend.

JWTs are signed JSON objects that contain information about the holder of the token, as well as a URL external services can visit to verify the token’s authenticity. When a Golioth project wants to make an authenticated request to an external service, it can now make use of the new Golioth ID Provider service:

  1. Within Golioth’s backend, the project requests a JWT from Golioth’s ID Provider service.
  2. The ID Provider service issues a token containing the project’s ID, and signs the token with Golioth’s own signing key.
  3. The project attaches this token as a header when making a request to the external service it needs to talk to.
  4. The external service reads Golioth’s issuer URL from the token, and gets Golioth’s public key.
  5. The external service verifies the token signature with the public key, which proves that the request came from your project, and can proceed with the request.

For now, the ID Provider service is only enabled for PKI provider requests, but other services, such as pipelines will be able to authenticate with the ID provider service in the future.

Previous article
Golioth is now a part of Canonical
Trond Snekvik
Trond Snekvik
Trond is the lead frontend developer at Golioth. Despite his love for Typescript, he has extensive experience with embedded systems, and wrote a master thesis about building mesh networks on top of Bluetooth. During his 10 years at Nordic Semiconductor, Trond worked on the Bluetooth Mesh SDK and served as a Zephyr code owner, before turning to the dark side to build VS Code extensions for Zephyr. Trond enjoys pancakes, dogs, and cross country skiing.

Post Comments

No comments yet! Start the discussion at forum.golioth.io

More from this author

Golioth API

Getting Started with the Golioth Management API

The Golioth Management API is an easy to use interface to all your devices that are connecting through Golioth. This walkthrough shows you how to use TypeScript to interact with the API in a type-safe, low-friction way.
Trond Snekvik -
Read
Device Management

Introducing Certificate Rotation with Hosted PKI providers

Golioth pulls the IoT industry forward by making it easier than ever to rotate device certificates on embedded devices. A new Hosted PKI provider service is integrated with Amazon Private Certificate Authority (CA) and will include other Hosted PKI providers soon.
Trond Snekvik -
Read
Cloud

New Console Feature: The Certificate Generator

The Certificate Generator is now available on the Golioth Console, which makes provisioning devices in a secure way easier during the prototyping phase of using Golioth
Trond Snekvik -
Read

Related posts

Cloud

New Pipelines Data Destination: Amazon Kinesis

Amazon Kinesis is especially well-suited for high volume data and applications in which there are multiple consumers of the streamed data. Golioth pipelines added a destination that works directly with the Kinesis service.
Dan Mangum -
spot_img

Latest posts

Golioth is now a part of Canonical

Jonathan Beri - 0
We are thrilled to share that Golioth is now a part of Canonical, the company behind Ubuntu and a global leader in open source.

Why build hardware at a software company?

Chris Gammell - 0
Golioth has built a range of custom hardware to test out many of the aspects of our own IoT offering. These challenges mirror what our customers face with their IoT products. We continue to probe these challenges as hardware gets smaller, more power constrained, and takes on new capabilities.

Handling Button Press, Longpress, and Double-Tap with the Zephyr Input Subsystem

Mike Szczys - 0
Embedded engineers know the joys and pains with button inputs: debouncing them, triggering actions, and more advanced input patterns like long holding the button...

Want to stay up to date with the latest news?

Subscribe to our newsletter and get updates every 2 weeks. Follow the latest blogs and industry trends.

Learn how to develop enterprise-grade IoT on the Golioth blog.

Latest Posts

Golioth is now a part of Canonical

Jonathan Beri - 0
We are thrilled to share that Golioth is now a part of Canonical, the company behind Ubuntu and a global leader in open source.

Why build hardware at a software company?

Chris Gammell - 0
Golioth has built a range of custom hardware to test out many of the aspects of our own IoT offering. These challenges mirror what our customers face with their IoT products. We continue to probe these challenges as hardware gets smaller, more power constrained, and takes on new capabilities.

Handling Button Press, Longpress, and Double-Tap with the Zephyr Input Subsystem

Mike Szczys - 0
Embedded engineers know the joys and pains with button inputs: debouncing them, triggering actions, and more advanced input patterns like long holding the button...

Most Popular

How to Configure VS Code for Zephyr Development

Mike Szczys - 0
Jonathan Beri (CEO and founder of Golioth) gave a talk at the 2023 Embedded Open Source Summit about how to optimize VS Code for any Zephyr project.

Debugging Zephyr for Beginners: printk() and the Logging Subsystem

Mike Szczys - 0
Zephyr has a number of tools to aid in debugging during your development process. Today we're focusing on the most available and widely useful...

Program your microcontrollers from WSL2 with USB support

Jonathan Beri - 0
Microsoft has finally added USB support to WSL and I’ve been testing this long-awaited feature as part of my Windows development workflow. Today I will walk you through the basic steps of programming an embedded device over USB using WSL.

Fast Access

© Golioth | All rights reserved