Device Token Authentication

Can OpenBalena’s API be used for authenticating devices by outside services? Looking through the docs, all mention of authentication is in reference to users, not devices. I realize that devices have a provisioning key which is exchanged for a device API key, but I couldn’t see anything about a device authentication endpoint.

Say I have a third party database that I want devices to be able to upload to, but I want to authenticate/authorize their requests so that only provisioned devices are allowed to upload. Is there a way that I could use OpenBalena to verify the device API Key?

And if that’s not possible, is there a recommended way to automatically generate extra authentication credentials during device provisioning? I’m wondering how other people have handled this?

(Balena being able to serve as an OIDC provider would be ideal, but I kind of doubt that’s implemented atm.)

If you wanted to check a device API key is valid, then you can make an API request with that key as a Bearer token:

curl https://api.openbalena.domain/v6/device -H "Authorization: Bearer {Device API Key}"

If that returns a JSON blob containing the device then it’s valid, and the UUID could be used to compare.

Do you think that might help with your requirement?
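The check described above, written out as a small verifier a backend could call before accepting a device's upload. This is an added example, not code from balena or from anyone in this thread: it sends the device API key as a Bearer token to `/v6/device`, treats anything other than a 200 with a device record as a failed check, and then compares the UUID the device claims against the UUID the API actually returned for that key. The API host is a placeholder, the `{"d": [...]}` response envelope is assumed from balena's OData-style API, and the `fetch` parameter exists only so the function can be exercised offline against constructed responses.

```python
import hmac
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Placeholder host; substitute your own openBalena API address.
API_BASE = "https://api.openbalena.example"

Fetcher = Callable[[str, str], Tuple[int, bytes]]


def fetch_device_with_key(api_base: str, device_api_key: str) -> Tuple[int, bytes]:
    """GET /v6/device using the device API key as a Bearer token.

    Returns (http_status, raw_body). A 401/403 from the API comes back as that
    status with its body; a network failure is reported as status 0.
    """
    req = urllib.request.Request(
        f"{api_base.rstrip('/')}/v6/device",
        headers={"Authorization": f"Bearer {device_api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError:
        return 0, b""


def _uuids_from_body(body: bytes) -> List[str]:
    """Extract device UUIDs from the assumed {"d": [ {...}, ... ]} envelope."""
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    if not isinstance(payload, dict) or not isinstance(payload.get("d"), list):
        return []
    return [d.get("uuid", "") for d in payload["d"] if isinstance(d, dict)]


def verify_device_key(
    device_api_key: str,
    claimed_uuid: str,
    api_base: str = API_BASE,
    fetch: Fetcher = fetch_device_with_key,
) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Accept only when the API honours the key AND the device record it returns
    carries the UUID the caller claims; a valid key for a *different* device is
    rejected, so a device cannot upload on behalf of another one.
    """
    if not device_api_key or not claimed_uuid:
        return False, "missing device API key or uuid"
    status, body = fetch(api_base, device_api_key)
    if status != 200:
        return False, f"API did not accept the key (HTTP {status})"
    uuids = _uuids_from_body(body)
    if not uuids:
        return False, "no device record returned for this key"
    claimed = claimed_uuid.encode("utf-8")
    for uuid in uuids:
        # Constant-time comparison; UUIDs are public but this costs nothing.
        if hmac.compare_digest(uuid.encode("utf-8"), claimed):
            return True, uuid
    return False, "key is valid but does not belong to the claimed device"


# Constructed sample responses standing in for the live API (not real data).
SAMPLE_OK = b'{"d":[{"id":1,"uuid":"0a1b2c3d4e5f","device_name":"sensor-1"}]}'
SAMPLE_EMPTY = b'{"d":[]}'
SAMPLE_DENIED = b'Unauthorized'


def make_fake_api(status: int, body: bytes) -> Fetcher:
    """Build an offline stand-in for fetch_device_with_key."""
    return lambda api_base, key: (status, body)


def demo() -> List[Tuple[bool, str]]:
    """Run the verifier against the constructed responses."""
    return [
        verify_device_key("k", "0a1b2c3d4e5f", fetch=make_fake_api(200, SAMPLE_OK)),
        verify_device_key("k", "ffffffffffff", fetch=make_fake_api(200, SAMPLE_OK)),
        verify_device_key("k", "0a1b2c3d4e5f", fetch=make_fake_api(200, SAMPLE_EMPTY)),
        verify_device_key("k", "0a1b2c3d4e5f", fetch=make_fake_api(401, SAMPLE_DENIED)),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The UUID comparison is the part that matters most: a 200 response only proves the key belongs to *some* provisioned device, so a service that keys its data by device UUID still has to confirm the record returned matches the identity the upload claims.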

Yeah that works in a bit of a manual way, and is fine for a custom-rolled API which we happen to have due to legacy reasons.

I still think that being able to use balena as an oidc identity provider for Keycloak would be great because then you could have nodes talk directly to services like Elasticsearch or s3 who accept oidc without having to build a middle layer to authenticate balena devices.

Hi there,

I’m not sure full OIDC support is on our roadmap, but I’ve opened the following issue to track your request nevertheless: https://github.com/balena-io/open-balena-api/issues/503. Feel free to subscribe for updates!

Yeah I understand that! And thanks for adding the issue.

Just because this seems like a general issue that anyone using an IoT device to push or pull data would have to deal with, I was curious how others have dealt with authenticating their provisioned devices with their own services.

One option would be to roll your own provisioning key / API key exchange, which is what I’m guessing people do, but idk.