The BoB Authentication API is the BoB identity provider and provides BoB clients with JSON Web Tokens (RFC 7519) used for authentication with Bob APIs.
getAuthenticationToken
getAuthenticationToken is used to get an authentication token given an entity identifier (provided in request URI) and a TLS client certificate. The TLS client certificate is normally transferred from a load balancer or HTTP proxy to the API endpoint as a SHA1 fingerprint (as hex) using the X-SSL-Client-SHA1
header. A PKI is not required for authentication, a self-signed certificate works as well.
The result is provided both as a JWT in compact format as well as a serialized JWT header/payload. In addition to the standard JWT claims, BoB JWTs contains the following additional claims:
- bobHok – holder of key claim, a SHA1 fingerprint (as hex) of the entity's TLS client certificate
- bobAuthZ – authorization group
BoB Authorization Groups
The following BoB Authorization groups has been defined:
- val – Validator
- ins – Inspector
- tvm – Ticket Vending Machine
pos – Point Of Sale
Other groups may be defined in the future.