BoB Authentication API
Overview
The BoB Authentication API is the BoB identity provider and provides BoB clients with JSON Web Tokens (RFC 7519) used for authentication with Bob APIs.
getAuthenticationToken
getAuthenticationToken is used to get an authentication token given an entity identifier (provided in request URI) and a TLS client certificate.
The client to server TLS connection is usually terminated at a HTTP proxy (e.g. a load balancer) and the SHA1 fingerprint (as hex) of the TLS client certificate is transferred to the authentication server via a header, e.g., "X-SSL-Client-SHA1".
Result is provided both as a JWT in compact format as well as a serialized JWT header/payload to ease parsing. In addition to the standard JWT claims, BoB JWTs contains the following additional claims:
- bobHok – holder of key claim, a SHA1 fingerprint (as hex) of the entity's TLS client certificate
- bobAuthZ – authorization group
BoB Authorization Groups
The following BoB Authorization groups has been defined:
- val – Validator
- ins – Inspector
- tvm – Ticket Vending Machine
pos – Point Of Sale
Other groups may be defined in the future.