Authorization
When an entity (Console user, Integration Key or IoT device) accesses the IDaaS & IAM APIs, the authentication/authorization process is enforced. The entity first authenticates itself with the authorization server. After successful authentication, the authorization granted to it is encoded in a JWT access token, and the entity then presents that token to access the APIs.
Authorization claims in the JWT access token (decoded payload of a sample token; note the "role" array, the "org" object and the 300-second lifetime between "iat" and "exp")
{
"sub": "iotuser",
"aud": "six-iam-xzy",
"nbf": 1728618455,
"role": [
{
"ROLE_iam-iot-product-key": [
"iam_config_read",
"iam_key_create",
"iam_keys_read",
"iam_key_update"
]
},
{
"ROLE_iam-iot-app-edit": [
"iam_app_update",
"iam_app_create",
"iam_app__client__link_remove"
]
},
{
"ROLE_iam-iot-product-edit": [
"iam_iot__product_update",
"iam_iot__product__props_create",
"iam_iot__product__topic_delete",
"iam_iot__product__topic_create",
"iam_iot__product_create",
"iam_iot__product_delete"
]
},
{
"ROLE_iam-iot-device": [
"iam_iot__analysis_deviceMsg",
"iam_iot__device__mqttmsgs_read",
"iam_iot__device__statuses_read",
"iam_iot__device__info_acls",
"iam_iot__device__info_bindings",
"iam_iot__device_bind",
"iam_iot__analysis_activeDevice"
]
},
{
"ROLE_iam-iot-app-read": [
"iam_app__clients_read",
"iam_app_read",
"iam_app__users_read",
"iam_apps_read"
]
},
{
"ROLE_iam-iot-product-read": [
"iam_iot__product_read",
"iam_iot__products_read"
]
},
{
"ROLE_iam-device": [
"iam_device_read",
"iam_devices_read",
"iam_device_registration",
"iam_device__guid_read",
"iam_device_provision"
]
},
{
"ROLE_iam-iot-config-read": [
"iam_iot__config_read"
]
},
{
"ROLE_iam-iot-client-read": [
"iam_clients_read"
]
},
{
"ROLE_iam-iot-client-edit": [
"iam_client__app_create",
"iam_client_create",
"iam_client_update"
]
}
],
"org": {
"level": 0,
"orgId": "0a2a0093-8bf6-1dda-818b-f64e02080000"
},
"openId": "0a2a0091-8bf6-1cf7-818b-f65f90820000",
"scope": [
"openid",
"profile"
],
"iss": "https://iam.shuhenglianchang.com",
"exp": 1728618755,
"iat": 1728618455,
"jti": "38a615ab-d748-4de4-838e-38f031a657cd"
}
Authorization enforcement
For every API that is meant to be accessed only by authenticated entities, an authorization check is enforced. Besides verifying the authenticity of the access token (signature and standard claims such as "iss", "aud", "nbf" and "exp") against the JWK set, the resource server adds a "permission" check, an attribute check, or both on the resource (API) to confirm that the accessing entity has been granted the relevant permissions or has been assigned the required attributes.
TIP
Check the sections below for the authorization checks based on permissions (Authorization enforced on permissions) or on attributes (Authorization enforced on attributes).
There is also a resource hierarchy concept for the APIs/resources. SiX IDaaS & IAM APIs/resources are typically associated with one Organization, and normally only an accessing entity in the same organization or in a superior organization can access them (one use case is an "admin user" in a superior organization managing the resources of its sub-orgs).
TIP
Check the section below (Resource hierarchy concept).
Resource hierarchy concept
SiX IDaaS & IAM platform resources, e.g. an Identity Application (directory), are placed under a specific organization/workspace; only entities (Console user, Integration Key or IoT device) allocated in the same organization or in a superior organization can access such resources.
When you develop your own APIs on top of SiX IDaaS & IAM multi-tenancy, you can apply the same concept. For more information please refer to Develop your own APIs based on IAM.
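The following is an added example, not code from the SiX IDaaS & IAM platform, showing what a resource server built on top of the token above has to do after the signature has been verified against the JWK set: reject tokens whose standard claims do not match, flatten the "role" array into a permission set, and apply the organization hierarchy rule from this section. The claims are a trimmed copy of the sample token on this page; the org parent map, the expected audience and the permission names passed to authorize() are assumptions, since the page does not say how the org tree is stored.

```python
from typing import Dict, List, Optional, Set

# Constructed claims, trimmed from the sample access token shown on this page.
SAMPLE_CLAIMS = {
    "sub": "iotuser",
    "aud": "six-iam-xzy",
    "iss": "https://iam.shuhenglianchang.com",
    "nbf": 1728618455,
    "iat": 1728618455,
    "exp": 1728618755,
    "org": {"level": 0, "orgId": "0a2a0093-8bf6-1dda-818b-f64e02080000"},
    "role": [
        {"ROLE_iam-iot-product-read": ["iam_iot__product_read", "iam_iot__products_read"]},
        {"ROLE_iam-iot-client-edit": ["iam_client__app_create", "iam_client_create", "iam_client_update"]},
    ],
}

EXPECTED_ISS = "https://iam.shuhenglianchang.com"
EXPECTED_AUD = "six-iam-xzy"  # assumption: the resource server's own audience value

# Hypothetical organisation tree (child orgId -> parent orgId). The page describes a
# superior/sub-org relation but not its storage format; this map is an assumption.
ORG_PARENT: Dict[str, Optional[str]] = {
    "org-sub-a": "0a2a0093-8bf6-1dda-818b-f64e02080000",
    "org-sub-a-1": "org-sub-a",
    "org-other": None,
}


def validate_standard_claims(claims: dict, now: int, expected_iss: str,
                             expected_aud: str, leeway: int = 0) -> List[str]:
    """Return the names of failing standard claims; an empty list means accept.
    This runs after signature verification against the JWK set, never instead of it."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # RFC 7519 allows a string or an array
    if expected_aud not in auds:
        problems.append("aud")
    if now + leeway < claims.get("nbf", 0):           # token not yet valid
        problems.append("nbf")
    if now - leeway >= claims.get("exp", 0):          # token expired ("exp" is exclusive)
        problems.append("exp")
    return problems


def flatten_permissions(claims: dict) -> Set[str]:
    """Collapse the role array (list of {ROLE_name: [permission, ...]}) into one set."""
    perms: Set[str] = set()
    for entry in claims.get("role", []):
        for _role_name, permission_list in entry.items():
            perms.update(permission_list)
    return perms


def is_same_or_superior_org(caller_org: str, resource_org: str,
                            parent_of: Dict[str, Optional[str]]) -> bool:
    """True if the caller's org is the resource's org or one of its ancestors."""
    seen: Set[str] = set()
    current: Optional[str] = resource_org
    while current is not None and current not in seen:   # guard against cyclic data
        if current == caller_org:
            return True
        seen.add(current)
        current = parent_of.get(current)
    return False


def authorize(claims: dict, resource_org: str, required_permission: str, now: int,
              parent_of: Dict[str, Optional[str]] = ORG_PARENT) -> bool:
    """Full decision: valid standard claims, the required permission, and org hierarchy."""
    if validate_standard_claims(claims, now, EXPECTED_ISS, EXPECTED_AUD):
        return False
    if required_permission not in flatten_permissions(claims):
        return False
    return is_same_or_superior_org(claims["org"]["orgId"], resource_org, parent_of)
```

The org walk starts from the resource's organization and climbs towards the root, so a caller in a sub-org never matches a resource in its parent; the check is deliberately one-directional. The "exp" comparison treats the expiry instant itself as expired, and any clock leeway should be small and applied on both sides.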
Authorization enforced on permissions
The resource server enforces a permission-based authorization check for some of its APIs. Syntactically the authorization rule looks like the sample below:
The invoker needs to have the authorities
hasPermission(#clientPrimaryId, 'client-app', 'create') or hasPermission(#clientPrimaryId, 'TargetClient', 'ALL')
to call the API. The two branches are combined with "or", so either one is sufficient: a caller granted 'create' on the 'client-app' target identified by #clientPrimaryId, or a caller granted 'ALL' on that target client.
TIP
You can find this authorization information in the API Doc.
Authorization enforced on attributes
The resource server enforces an attribute-based authorization check for some of its APIs. Syntactically the authorization rule looks like the sample below:
The invoker needs to have the authorities
@attributeMethodSecurity.matchAttributeValue(authentication, #productId, 'six_iot_product') and @attributeMethodSecurity.matchAttributeValue(authentication, 'device_reg', 'purpose')
to call the API. Here both conditions are combined with "and": the caller must carry the attribute 'six_iot_product' matching the #productId being accessed, and the attribute 'purpose' with the value 'device_reg'.
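As an added example (not the platform's own code), the two expressions above are Spring Security method-security expressions; the Python below mirrors their semantics so the "or" in the permission rule and the "and" in the attribute rule can be exercised against constructed principals. The Authentication class, the (targetId, targetType) grant layout, the attribute map and the principals INTEGRATION_KEY, CLIENT_ADMIN, DEVICE and READ_ONLY_DEVICE are all assumptions made for illustration; the page shows only the checks, not how grants and attributes are stored.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Authentication:
    """Stand-in for the authenticated principal the resource server sees (assumed layout).
    grants: (targetId, targetType) -> set of granted actions ('ALL' acts as a wildcard).
    attributes: attribute name -> set of values assigned to the entity."""
    sub: str
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    attributes: Dict[str, Set[str]] = field(default_factory=dict)


def has_permission(auth: Authentication, target_id: str, target_type: str, action: str) -> bool:
    """Mirror of hasPermission(#targetId, 'targetType', 'action'): the action must be granted
    on exactly that (id, type) pair, or the grant on that pair must be 'ALL'."""
    granted = auth.grants.get((target_id, target_type), set())
    return action in granted or "ALL" in granted


def match_attribute_value(auth: Authentication, value: str, attribute_name: str) -> bool:
    """Mirror of @attributeMethodSecurity.matchAttributeValue(authentication, value, name)."""
    return value in auth.attributes.get(attribute_name, set())


def can_create_client_app(auth: Authentication, client_primary_id: str) -> bool:
    # hasPermission(#clientPrimaryId, 'client-app', 'create')
    #   or hasPermission(#clientPrimaryId, 'TargetClient', 'ALL')
    return (has_permission(auth, client_primary_id, "client-app", "create")
            or has_permission(auth, client_primary_id, "TargetClient", "ALL"))


def can_register_device_for_product(auth: Authentication, product_id: str) -> bool:
    # matchAttributeValue(authentication, #productId, 'six_iot_product')
    #   and matchAttributeValue(authentication, 'device_reg', 'purpose')
    return (match_attribute_value(auth, product_id, "six_iot_product")
            and match_attribute_value(auth, "device_reg", "purpose"))


# Constructed principals (hypothetical identifiers).
INTEGRATION_KEY = Authentication(
    sub="ik-builder",
    grants={("client-42", "client-app"): {"create"}},       # narrow grant on one client
)
CLIENT_ADMIN = Authentication(
    sub="admin",
    grants={("client-42", "TargetClient"): {"ALL"}},        # wildcard grant on one client
)
DEVICE = Authentication(
    sub="iotuser",
    attributes={"six_iot_product": {"prod-7"}, "purpose": {"device_reg"}},
)
READ_ONLY_DEVICE = Authentication(
    sub="sensor",
    attributes={"six_iot_product": {"prod-7"}, "purpose": {"telemetry"}},
)
```

Both checks key on the identifier taken from the request (#clientPrimaryId, #productId), which is what stops an entity with rights on one client or product from reaching another one simply by changing the path parameter; a grant or attribute value for a different identifier yields False.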
TIP
You can find this authorization information in the API Doc.
Platform API Access
The SiX IDaaS & IAM platform bundles its APIs into the categories below; follow the links for more information and to try invoking the APIs.