If you haven't already, please have a look at the tutorial for an example of a full Border Gateway setup.
Set up OpenID Connect provider
Set up an OpenID Connect authentication provider (e.g. Keycloak as a local deployment or Auth0 as a cloud service). See the subpages on how to set up the OpenID Connect provider of your choice for use with the Border Gateway:
Create a TLS certificate for your deployment
The simplest option is to use Let's Encrypt. You will need the two .pem files containing the certificate itself (including the chain) and the private key. See below on how to provide the necessary information in a config file.
Create config file
Create a file config.toml with the following entries (the example assumes using Keycloak as OpenID Connect provider):
Note that anonymous access is limited to read-only for HTTP to start with. Full anonymous access to MQTT is granted. Find out more about authentication and authorization in the dedicated section.
Start Docker container
Run the Border Gateway with docker-compose. Make sure the .pem files and the config.toml are available, e.g. in mounted volumes:
Start it up in the background with
Redis as an access token cache
The key-value database Redis is needed to cache access tokens for connections using username / password. The BGW auth service will store keys and values in Redis like this:
- Key: SHA256 hash of the string token_endpoint + username + password
- Value: Access token encrypted using AES-256 with the user password as symmetric key
- Key and value automatically expire after the number of seconds defined in
The access tokens will be cached for the duration of their lifespan according to the expiration timestamp sent inside the token.
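The caching scheme described above, as an added example that is not the Border Gateway's own code: the Redis key is the SHA-256 hash of token_endpoint + username + password, the value is the access token encrypted with AES-256 under a key derived from the user password, and the entry expires after the smaller of the configured number of seconds and the token's remaining lifetime. Redis is replaced by an in-memory map (constructed for this example), AES-256-GCM is this example's choice of mode, and deriving the 32-byte AES key by hashing the password is this example's assumption to reach a valid key length; the names TokenCache, CacheKey, Put and Get are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// entry stands in for a Redis key set with an expiry (SET ... EX).
type entry struct {
	value   []byte
	expires time.Time
}

// TokenCache emulates the Redis-backed cache on a plain map (constructed
// for this example). now is injectable so expiry can be tested deterministically.
type TokenCache struct {
	store  map[string]entry
	now    func() time.Time
	maxTTL time.Duration // the configured expiry in seconds, as a Duration
}

func NewTokenCache(maxTTL time.Duration) *TokenCache {
	return &TokenCache{store: map[string]entry{}, now: time.Now, maxTTL: maxTTL}
}

// CacheKey computes the Redis key: SHA-256 over token_endpoint + username + password,
// so the raw credentials never appear in Redis.
func CacheKey(tokenEndpoint, username, password string) string {
	sum := sha256.Sum256([]byte(tokenEndpoint + username + password))
	return hex.EncodeToString(sum[:])
}

// passwordKey derives the 32-byte AES-256 key from the user password
// (hashing to 32 bytes is this example's assumption).
func passwordKey(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

// encryptToken seals the access token with AES-256-GCM; the random nonce is
// prepended to the ciphertext so decryption needs only the password.
func encryptToken(password, token string) ([]byte, error) {
	block, err := aes.NewCipher(passwordKey(password))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), nil), nil
}

// decryptToken reverses encryptToken; a wrong password fails GCM authentication.
func decryptToken(password string, ct []byte) (string, error) {
	block, err := aes.NewCipher(passwordKey(password))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Put caches a token. The TTL is the configured maximum, capped by the token's
// own expiration timestamp so a cached token never outlives itself.
func (c *TokenCache) Put(tokenEndpoint, username, password, token string, tokenExp time.Time) error {
	ttl := c.maxTTL
	if rem := tokenExp.Sub(c.now()); rem < ttl {
		ttl = rem
	}
	if ttl <= 0 {
		return errors.New("token already expired; not caching")
	}
	ct, err := encryptToken(password, token)
	if err != nil {
		return err
	}
	c.store[CacheKey(tokenEndpoint, username, password)] = entry{value: ct, expires: c.now().Add(ttl)}
	return nil
}

// Get returns the cached token, or false on a miss, an expired entry or a
// password that does not decrypt the stored value.
func (c *TokenCache) Get(tokenEndpoint, username, password string) (string, bool) {
	key := CacheKey(tokenEndpoint, username, password)
	e, ok := c.store[key]
	if !ok {
		return "", false
	}
	if !c.now().Before(e.expires) {
		delete(c.store, key) // emulate Redis dropping the expired key
		return "", false
	}
	tok, err := decryptToken(password, e.value)
	if err != nil {
		return "", false
	}
	return tok, true
}

func main() {
	c := NewTokenCache(3600 * time.Second)
	exp := time.Now().Add(5 * time.Minute) // constructed token expiry
	_ = c.Put("https://idp.example/token", "alice", "s3cret", "constructed-access-token", exp)
	tok, ok := c.Get("https://idp.example/token", "alice", "s3cret")
	fmt.Println(ok, tok)
}
```

Because the key is a hash of the credentials and the value is encrypted under the password, someone who can read the Redis database sees neither usernames, passwords nor usable access tokens; the TTL cap means a revoked-by-expiry token is not served from the cache past its own exp claim.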