
The BoB Authentication API is the BoB identity provider. It issues BoB clients JSON Web Tokens (RFC 7519) that are used for authentication with the BoB APIs.

getAuthenticationToken

getAuthenticationToken returns an authentication token for an entity, given the entity identifier (provided in the request URI) and a TLS client certificate. The TLS client certificate is normally forwarded from a load balancer or HTTP proxy to the API endpoint as a hex-encoded SHA1 fingerprint in the X-SSL-Client-SHA1 header. A PKI is not required for authentication; a self-signed certificate works as well.

The result contains both the JWT in compact serialization and the JWT header and payload as separate JSON objects. In addition to the standard JWT claims, BoB JWTs contain the following claims:

  • bobHok – holder-of-key claim: the hex-encoded SHA1 fingerprint of the entity's TLS client certificate
  • bobAuthZ – authorization group (see BoB Authorization Groups below)


Example request
curl --verbose \
     --cert xyzzy.crt \
     --key xyzzy.key \
     https://authentication.bob.example.com/api/v1/auth/xyzzy


Example response
{
    "header": {
        "alg": "ES256",
        "kid": "auth20170320"
    },
    "jwtCompact": "REDACTED_JWT",
    "payload": {
        "bobAuthZ": "val",
        "bobHok": "0a9a063eb8d540cbf7dfba7697c674d14a174f7d",
        "exp": 1490001801,
        "iat": 1489998201,
        "iss": "1",
        "nbf": 1489998201,
        "sub": "xyzzy"
    }
}

BoB Authorization Groups

The following BoB Authorization groups have been defined:

  • val – Validator
  • ins – Inspector
  • tvm – Ticket Vending Machine
  • pos – Point Of Sale

Other groups may be defined in the future.
