OIDC tokens
Last Updated: Oct 3, 2025 (6 minute read)
OpenID Connect (OIDC), built on top of OAuth 2.0, offers login and profile information in a device token, as well as authorization via OAuth 2.0 access tokens.
This guide describes how to exchange device tokens issued by a third-party identity provider for HERE device tokens. Third-party device tokens are a customer-specific means of identifying a customer and device, but they do not grant access to HERE services. By exchanging the third-party device token for a HERE token, a customer or device can access the HERE platform.
For more information, see OAuth 2.0 tokens.
Note
This feature is typically only employed by high volume device manufacturers.
Trusted domains aren't enforced with tokens.
Org admins can specify up to five (5) issuers for their OIDC identity provider in their organization. However, each app ID can only support one OIDC IDP.
Device accounts
Device accounts are identities established when using the Token Exchange API to exchange your third-party OIDC device tokens for a HERE device token.
These are special identities that only support project-scoped tokens, and so are always scoped to the project of the configured integrating HERE app.
By default, device accounts can't access any project resources unless authorized. This is different from users and apps, which have complete access in a project by default.
Exchange device tokens for HERE tokens
To exchange third-party device tokens for HERE tokens, complete the following steps:
Step 1: Sign in to the platform
A platform organization (realm) must be available. Sign up for a HERE platform account at https://platform.here.com.
Step 2: Register your app and get credentials
Note
Many of the HERE SDKs and tools, such as the CLI, can fetch and use the token on your behalf. In most cases you can skip steps 2 and 3.
To use OAuth 2.0 tokens, you must register your app on the HERE platform.
To register your app:
In your local development environment, create a .here folder in your home directory.
For Mac/Linux users, this is $HOME/.here
For Windows users, this is C:\%HOMEPATH%\.here (if your home directory is on your C drive)
Sign in to the HERE platform.
Open the Access Manager from the launcher.
On the Apps tab, click Register new app and provide the requested information.
Click Register. The platform creates a new app with a unique app ID.
On the Credentials tab, select OAuth 2.0 and then click Create credentials.
In the dialog box that opens, click Download to download your app's credentials.properties file.
This file contains your user ID, app ID (which is named here.client.id), OAuth 2.0 token endpoint URL, access key ID, and access key secret.
Note that once you click Close, you can no longer access your access key ID and access key secret.
Copy the credentials.properties file to the .here folder you created in the first step.
The credentials.properties file contains your platform credentials. The platform CLI tool and libraries read this file to manage access to the platform. You can also use these OAuth 2.0 token credentials to make authenticated calls to HERE REST APIs.
For more information on using the platform CLI, see the Command Line Interface Developer Guide.
Note
Your app and associated authentication credentials are specific to your app and don't inherit your user permissions or group memberships.
Step 3: Assign your app to a project
App managers can specify a default project for the app during its creation, or afterwards. With a default project, requests from the app are automatically scoped to the project, letting you review usage by this app on a project level.
When creating an app from a project in the Projects Manager, the system automatically sets the default project to the project you are working in.
When creating an app from the Access Manager, you can optionally select a project in the DEFAULT ACCESS TO A PROJECT field.
To set the default project for the app after its creation, access the app details page in the Access Manager, select the Edit app menu option, and select a project in the DEFAULT ACCESS TO A PROJECT field.
Note
This functionality requires that you select the Allow access only in this project checkbox.
[Figure: Allow access only in this project]
You can also restrict the app to requesting resources only within the scope of the default project by selecting the Allow access in only default project checkbox during or after app creation. This setting is recommended for apps using API keys, as it limits the app's reach to that single project and so provides greater security.
This option also lets you review usage by this app on a project level.
Step 4: Register your OIDC identity provider
OIDC, based on the OAuth 2.0 framework, offers an interoperable authentication protocol which allows for quicker implementation and development.
To start, register your OIDC identity provider. You can register up to five OIDC identity providers. Each identity provider must have at least one issuer URL, up to a maximum of two.
To register your OIDC identity provider:
Sign in to the HERE platform.
In the top right of the Identity providers tab of the Access Manager section, select Setup identity provider.
Enter the information about the identity provider you wish to use. You may enter up to five identity providers.
For each identity provider, select the provider type and enter its issuer. On the page for that identity provider, you must enter at least one issuer URL by selecting Add issuer. You can list up to two issuers for each identity provider.
[Figure: Identity providers]
Note
You must constrain the app to ONE project.
HERE supports OIDC providers that meet the following requirements:
jwks_uri is defined in the provider's discovery endpoint.
The JWKS contains public keys supporting the "alg" values RS256, RS384, RS512, ES256, ES384, and/or ES512.
Tokens must be in JWT format.
Required standard claims in the OIDC token:
"sub" (subject, used to identify the device).
"iss" (issuer).
"iat" (issued-at timestamp).
"exp" (expiration timestamp).
Required custom claim:
"client_id" (matching the HERE app ID).
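The following is an added example, not HERE's code, showing a pre-flight check that a third-party OIDC token meets the requirements listed above before it is sent for exchange: compact JWT structure, an allowed "alg", the required claims, a registered issuer, a matching client_id, and validity times. It checks structure and claims only; the signature is verified by HERE against the identity provider's jwks_uri. The app ID, issuer URL and claim values are constructed sample data.

```python
import base64
import json
import time

# "alg" values HERE accepts from the provider's JWKS, per the requirements above.
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
# Standard claims plus the required custom claim.
REQUIRED_CLAIMS = ("sub", "iss", "iat", "exp", "client_id")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_oidc_token(token, app_id, issuers, now=None):
    """Return a list of problems; an empty list means the token passes the pre-flight checks.
    issuers is the set of issuer URLs registered for the app's identity provider."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not valid base64url-encoded JSON"]
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"unsupported alg {header.get('alg')!r}")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing claim {name!r}")
    if problems:  # claim-value checks below need every required claim present
        return problems
    now = time.time() if now is None else now
    if claims["iss"] not in issuers:
        problems.append(f"issuer {claims['iss']!r} is not a registered issuer")
    if claims["client_id"] != app_id:
        problems.append("client_id does not match the HERE app ID")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        problems.append("token is expired")
    if not isinstance(claims["iat"], (int, float)) or claims["iat"] > now:
        problems.append("iat is in the future")
    return problems


def make_sample_token(claims, alg="RS256"):
    # Constructed sample for testing only: real header and payload, placeholder signature.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Run the check on a device token before calling the Token Exchange API so that misconfigured providers (wrong client_id, unregistered issuer, unsupported signing algorithm) are caught on the device side instead of surfacing as exchange failures.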
Step 5: Assign the OIDC identity provider to the app ID
Select the app ID you have created, choose the Identity provider option, and attach the identity provider to the app.
Note
Your app and associated authentication credentials are specific to your app. The app doesn't inherit your user permissions or group memberships.
Step 6: Update your OIDC identity provider
The owner of the identity provider must ensure that OIDC tokens have a client_id that matches the app ID of the configured app in the HERE system. This client_id is the user ID found in the Account Settings section.
Step 7: Exchange device tokens for HERE tokens
After a device retrieves a token for the first time, the device is automatically created in the project. The same device identity is used whenever an OIDC token with the same sub claim is later exchanged.
You can manage devices using the Device CLI commands.
You can now exchange device tokens for HERE tokens. Device account tokens are always scoped to the single project to which the configured app is restricted.
Step 8: Use the token
You have now successfully obtained a token for making requests to HERE APIs.
Pass the token in the HTTP Authorization header of your REST requests as a bearer token:
Authorization: Bearer <token>
Sample REST Request
GET /maptile/2.1/maptile/newest/normal.day/13/4400/2686/256/png8
Host: 1.base.maps.ls.hereapi.com
Authorization: Bearer eyJhbGceOyJSAMPLEiIsImN0eSISAMPLEt7VTFIllwIM0cKNCjN2WCCTqlwEEmk-t3gx1BpqUFoeBSAMPLEvhj8nl-RBGcyoljY...
Cache-Control: no-cache
By default, devices can't access any services or resources. Even resources in the device's default project are inaccessible (this differs from user and app members, which by default can access everything in a project).
To give devices access to resources, project resources must be made explicitly available by attaching project-level policies to the project (see Assign your app to a project). Managing the project policies attached to a project is available only through the CLI (command line interface). See Project access.