Overview

The BoB Authentication API is the BoB identity provider and provides BoB clients with JSON Web Tokens (RFC 7519) used for authentication with Bob APIs.

getAuthenticationToken

getAuthenticationToken is used to get an authentication token given an entity identifier (provided in request URI) and a TLS client certificate. A PKI is not required for authentication, a self-signed certificate works as well.

The client to server TLS connection is usually terminated at a HTTP proxy (e.g., a load balancer) and the SHA1 fingerprint (as hex) of the TLS client certificate is transferred to the authentication server via the X-SSL-Client-SHA1 header.

Result is provided both as a JWT in compact format as well as a serialized JWT header/payload to ease parsing. In addition to the standard JWT claims, BoB JWTs contains the following additional claims:

bobHok – holder of key claim, a SHA1 fingerprint (as hex) of the entity's TLS client certificate
bobAuthZ – authorization group

Example request

curl --verbose \
     --cert xyzzy.crt \
     --key xyzzy.key \
     https://authentication.bob.example.com/api/v1/auth/xyzzy

Example response

{
    "header": {
        "alg": "ES256",
        "kid": "auth20170320"
    },
    "jwtCompact": "REDACTED_JWT",
    "payload": {
        "bobAuthZ": "val",
        "bobHok": "0a9a063eb8d540cbf7dfba7697c674d14a174f7d",
        "exp": 1490001801,
        "iat": 1489998201,
        "iss": "1",
        "nbf": 1489998201,
        "sub": "xyzzy"
    }
}

BoB Authorization Groups

The following BoB Authorization groups has been defined:

val – Validator
ins – Inspector
tvm – Ticket Vending Machine
pos – Point Of Sale

Other groups may be defined in the future.