Approaches for provisioning and application level authentication?


#1

Hi

We are starting to deploy a number of devices and looking at how we can simplify/automate the configuration process.

There are two things I need to try and solve to make this process easier.

We need to register gateways and devices.
Individual gateways have some specific configuration files we need to distribute to the gateway

I plan to automate the registration of the gateway and associated peripherals via the REST API, however at this point we can only use user-based auth for interacting with that API. This is somewhat problematic when we start building an application to do this rather than a user. We have discussed this in the past, do you have a roadmap for application-level auth?

Secondly, I wonder if you have any ideas on distribution of associated configuration files etc. to devices.
We could host these files in S3 etc, however this means we either need some other lookup service or could potentially use device tags, to store at least links to the required resources, however this seems a bit under done, as there is no direct means to track and then update these resources if they change.

I would be interested in your thoughts and roadmap on bootstrapping the provisioning of devices and distributing associated resources.

I look forward to any comments.

Cheers

Tim


#2

Device provisioning is a feature that’s coming up a lot. We’ve seen users solve the problem in a few different ways and we want to make sure our solution solves each use-case. This feedback is super helpful for us.

This is implemented internally (e.g. the Losant API workflow node uses app-level auth), however it’s not exposed in the interface yet. It’s pretty high on our priority list to expose token-generation directly in the UX and provide different levels of access.

This is a cool feature idea. We’ll brainstorm on this and see if there’s a way to bring this functionality into the platform. Seems like device configuration files would be a fairly common use-case. For now, S3 would be a good solution.

The most interesting approach to provisioning has been built on top of our Webhook Reply functionality. This essentially allows you to build a custom API entirely within Losant. You can append any path you’d like to the webhook and with conditional nodes perform specific actions. For example, you could request http://your-trigger/provision, which would use the Losant API node to create a new device. You could then request http://your-trigger/config, which could use the HTTP node to make a request to S3 and return the contents of the configuration file. In order to authenticate access to these routes, you could pass your own auth token through the headers and validate it using a conditional node. Triggers use TLS, so all data sent between your device/environment and Losant is fully encrypted.
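
The header-token check described in the reply above, modelled in plain Python as an added example (not part of the original post and not Losant code). The header name, token, device ID and in-memory stores are constructed stand-ins for the conditional node, the Losant API node and the S3 request.

```python
import hashlib
import hmac
import re

TOKEN_HEADER = "x-provision-token"  # assumed header name, not from the thread
# Keep only a digest of the shared token (constructed sample value).
EXPECTED_DIGEST = hashlib.sha256(b"constructed-sample-token").digest()
CONFIG_STORE = {"gw-001": "poll_interval=30\n"}  # stands in for the S3 fetch
REGISTERED = set()                               # stands in for device creation
DEVICE_ID = re.compile(r"[A-Za-z0-9-]{1,64}")


def token_ok(headers):
    """Constant-time token check; a missing or empty header fails closed."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(TOKEN_HEADER, "")
    digest = hashlib.sha256(supplied.encode()).digest()
    return hmac.compare_digest(digest, EXPECTED_DIGEST)


def handle(path, headers, body):
    """Model of the two routes: returns (status, payload)."""
    if not token_ok(headers):
        return 401, "unauthorized"  # same reply for missing and wrong tokens
    device_id = str(body.get("device_id", ""))
    if not DEVICE_ID.fullmatch(device_id):
        return 400, "bad device_id"
    if path == "/provision":
        REGISTERED.add(device_id)
        return 201, device_id
    if path == "/config":
        # Only hand configuration to devices that were provisioned first.
        if device_id in REGISTERED and device_id in CONFIG_STORE:
            return 200, CONFIG_STORE[device_id]
        return 404, "no config"
    return 404, "unknown route"
```

A single shared token authenticates the caller but not the individual device, so any holder can request any device's configuration; per-device tokens would narrow that.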


#3

Just wanted to drop an update on this thread - we released application level api tokens in February (https://www.losant.com/blog/platform-update-20170215). You can read more about them here.