Set up OpenID Connect provider
Set up an OpenID Connect authentication provider (e.g. Keycloak as a local deployment or Auth0 as a cloud service). See the subpages on how to set up the OpenID Connect provider of your choice for use with the Border Gateway:
Create a TLS certificate for your deployment
The simplest option is to use Let's Encrypt. You will need the two .pem files: one containing the certificate itself (including the chain) and one containing the private key. See below on how to provide the necessary information in the config file.
Create config file
Create a file config.toml with the following entries (the example assumes Keycloak as the OpenID Connect provider):
Note that in this starting configuration anonymous access over HTTP is limited to read-only, while full anonymous access to MQTT is granted. Find out more about authentication and authorization in the dedicated section.
Start Docker container
Run the Border Gateway with docker-compose on Docker in swarm mode (this makes the convenient secrets and configs functionality available). Make sure the .pem files and config.toml are available, e.g.:
Set up Redis as an access token cache
You need to set up the key-value database Redis to cache access tokens for connections that use username/password. The BGW auth service will store keys and values in Redis like this:
- Key: SHA256 hash of the string token_endpoint + username + password
- Value: Access token encrypted using AES-256 with the user password as symmetric key
- Key and value automatically expire after the number of seconds defined in
The access tokens will be cached for the duration of their lifespan according to the expiration timestamp sent inside the token.