I want to set up a custom authentication mechanism for my REST API. This will be for IoT device authentication with JWT tokens, so I cannot use the existing user-based authentication of JHipster. Is there an example or guide for this? Is there anything specific to JHipster other than the underlying mechanism of Spring Boot?
Architecture: typical JHipster architecture with separate gateway and microservices applications. The microservices application serves REST services that need authentication with JWT tokens. Tokens are generated for web users by the gateway application, and credentials are based on username and password.
I want to extend this setup and open the same REST services to our IoT devices also. These devices are not web users, so they don't have username+password credentials and hence no JWT tokens are generated. We will register these devices on a secure network and embed JWT tokens into the firmware. These JWT tokens will be based on device ID, MAC ID and a secret key.
I did not try any method yet; I'm looking for example code where I can extend the authentication code on the microservices application so that it also authenticates requests coming from devices. Adding a custom authentication provider with Spring Boot seems to be the way to go, but I'm not sure.
I've done similar things with some specific Android devices; our approach was to deploy a gateway for devices only and not try to mix them with human users on the same gateway. So this means one gateway per specific usage.
The JWT tokens issued by the 2 gateways should share the same secret so that services can verify their signature. Then either you keep JHipster tokens as they are and you just assign different roles to humans and devices, and/or you also add the gateway issuer in the token header.
Depending on your security requirements, you could easily build this device gateway by mapping "device id + mac address" to the gateway user id and your secret as the user password.
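To make the answer's token layout concrete, here is an added example (not code from JHipster or from the answer's author) that shows, at the token level, what the two-gateway setup looks like: both gateways sign HS256 JWTs with one shared secret, the device gateway uses "device id + mac address" as the subject and a `ROLE_DEVICE` authority, each token carries an `iss` claim naming its gateway, and the microservice-side check rejects anything with a bad signature, an untrusted issuer, an unexpected `alg`, or a past `exp`. It is written in Python with only the standard library so it runs stand-alone; in a real JHipster microservice the equivalent checks live in the Java `TokenProvider`/`JWTFilter`. The secret, issuer names, device values and the assumption that the authorities live in JHipster's comma-separated `auth` claim are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In a JHipster deployment this would be the JWT secret
# configured identically on both gateways and on the microservices (assumption).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"

# Issuers the microservice trusts: the human-facing gateway and the device gateway
# (constructed names for the example).
TRUSTED_ISSUERS = {"web-gateway", "device-gateway"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def device_subject(device_id: str, mac: str) -> str:
    """Map 'device id + mac address' to one subject string, as the answer suggests."""
    return f"{device_id}:{mac.lower()}"


def issue_token(issuer, subject, roles, secret, ttl=3600, now=None):
    """Create an HS256 JWT. Authorities go in a comma-separated 'auth' claim,
    mirroring the claim name JHipster's TokenProvider uses (assumption)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "auth": ",".join(roles),
               "iat": now, "exp": now + ttl}

    def compact(obj):
        return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, secret, trusted_issuers, now=None):
    """Return the claims if the token is well-formed, HS256-signed with `secret`,
    unexpired and from a trusted issuer; otherwise return None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") not in trusted_issuers:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def has_role(claims, role):
    """Authorization step: does the verified token carry the required authority?"""
    return role in claims.get("auth", "").split(",")


if __name__ == "__main__":
    # Human user token from the web gateway, device token from the device gateway.
    user_tok = issue_token("web-gateway", "alice", ["ROLE_USER"], SHARED_SECRET)
    dev_tok = issue_token("device-gateway", device_subject("dev-42", "AA:BB:CC:DD:EE:FF"),
                          ["ROLE_DEVICE"], SHARED_SECRET)
    for tok in (user_tok, dev_tok):
        claims = verify_token(tok, SHARED_SECRET, TRUSTED_ISSUERS)
        print(claims["iss"], claims["sub"], "device?", has_role(claims, "ROLE_DEVICE"))
```

The service never needs to know which gateway minted a token beyond checking `iss` against its allow-list; the roles then drive authorization exactly as they would for a human user, which is the "different roles to humans and devices" option from the answer.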