Authentication

A hawkBit update server can be accessed in four different ways:

  • Direct Device Integration (DDI) API by targets.
  • Management API by 3rd party applications.
  • Device Management Federation (DMF) API by 3rd party applications through AMQP.
  • Management UI by users.

DDI API Authentication Modes

Security Token

hawkBit supports multiple ways to authenticate a target against the server. The different authentication modes can be individually enabled and disabled within hawkBit, both at system level (with Spring Boot properties) and per individual tenant.

Target Security Token Authentication

Each target created within IoT hawkBit has a 32-character alphanumeric security token. This token can be used to authenticate the target at hawkBit through the HTTP Authorization header with the custom scheme TargetToken.

GET /SPDEMO/controller/v1/0e945f95-9117-4500-9b0a-9c6d72fa6c07 HTTP/1.1
Host: your.hawkBit.server
Authorization: TargetToken bH7XXAprK1ChnLfKSdtlsp7NOlPnZAYY

The target security token is provided in the DMF API as part of the update message so that DMF clients can leverage the feature, or it can be retrieved manually per target through the Management API or in the target details of the Management UI.

Note: this mode needs to be enabled both in your hawkBit installation and in the tenant configuration. That allows both the operator and the individual customer (if run in a multi-tenant setup) to enable this access method. See DdiSecurityProperties for system-wide enablement.

The additional activation for the individual tenant:

Enable Target Token

Gateway Security Token Authentication

Targets are often connected through a gateway that manages them directly, so they are only indirectly connected to the hawkBit update server.

To authenticate such a gateway and allow it to manage all target instances under its tenant, there is a GatewayToken, which is sent in the HTTP Authorization header with the custom scheme GatewayToken. This is of course also handy during development or for testing purposes. However, we generally recommend using this token with care, as it allows its holder to act in the name of any device.

GET /SPDEMO/controller/v1/0e945f95-9117-4500-9b0a-9c6d72fa6c07 HTTP/1.1
Host: your.hawkBit.server
Authorization: GatewayToken 3nkswAZhX81oDtktq0FF9Pn0Tc0UGXPW

Note: this mode needs to be enabled both in your hawkBit installation and in the tenant configuration. That allows both the operator and the individual customer (if run in a multi-tenant setup) to enable this access method. See DdiSecurityProperties for system-wide enablement.

The additional activation for the individual tenant:

Enable Gateway Token

Anonymous access

hawkBit also offers general anonymous access for all targets (see DdiSecurityProperties). We do not consider this sufficient for a production system, but it might come in handy to get a project started.

Anonymous download, on the other hand, might be interesting even in production for scenarios where the artifact itself is already encrypted.

The activation for the individual tenant:

Enable Anonymous Download
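
As an added example (not code from hawkBit or from this page), the Python code below classifies DDI requests by the authentication mode they present and reports, per tenant, which controller ids were addressed with a GatewayToken, making the any-device reach of that token visible in an audit. The function names, sample controller ids and placeholder tokens are constructed for illustration, and the 32-character shape for gateway tokens is an assumption.

```python
import re

# DDI path layout as in the requests above: /{tenant}/controller/v1/{controllerId}
DDI_PATH = re.compile(r"^/([^/]+)/controller/v1/([^/?]+)")
# 32 alphanumeric characters per the page; same shape assumed for gateway tokens.
AUTH = re.compile(r"^(TargetToken|GatewayToken) ([A-Za-z0-9]{32})$")


def classify_ddi_request(raw):
    """Return tenant, controller id and auth scheme (never the token itself)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = {name.strip().lower(): value.strip()
               for name, _, value in (line.partition(":") for line in head[1:])}
    target = DDI_PATH.match(path)
    if not target:
        raise ValueError("not a DDI controller path")
    auth = headers.get("authorization")
    if auth is None:
        scheme = "anonymous"  # only accepted where anonymous access is enabled
    else:
        credentials = AUTH.match(auth)
        scheme = credentials.group(1) if credentials else "invalid"
    return {"tenant": target[1], "controller": target[2], "scheme": scheme}


def gateway_token_reach(requests):
    """Map tenant -> controller ids that were addressed with a GatewayToken."""
    reach = {}
    for raw in requests:
        info = classify_ddi_request(raw)
        if info["scheme"] == "GatewayToken":
            reach.setdefault(info["tenant"], set()).add(info["controller"])
    return reach


def sample_request(controller, auth=None):
    """Constructed request for this example; tokens are placeholders."""
    lines = [f"GET /SPDEMO/controller/v1/{controller} HTTP/1.1",
             "Host: your.hawkBit.server"]
    if auth:
        lines.append(f"Authorization: {auth}")
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLE = [sample_request("device-01", "TargetToken " + "a" * 32),
          sample_request("device-01", "GatewayToken " + "g" * 32),
          sample_request("device-02", "GatewayToken " + "g" * 32),
          sample_request("device-03")]
```

Calling `gateway_token_reach(SAMPLE)` shows one gateway credential addressing two different controllers, whereas a TargetToken request is tied to a single target.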

DMF API

Authentication is provided by the RabbitMQ vhost and user credentials that are used for the integration.

Management API

  • Basic Auth

Management UI

  • Login Dialog
  • OpenID Connect