
Access Token based authentication for CoAP

Access token based authentication is the default device authentication type. A unique access token is generated when the device is created in ThingsBoard, and it can be changed afterwards. The client must specify the access token as part of the CoAP request URL.

Plain CoAP (without TLS)

Let’s review a simple command to upload temperature readings using Access Token YOUR_ACCESS_TOKEN to ThingsBoard Cloud EU. See CoAP API for more details. The command uses plain CoAP without TLS, so the request, including the access token in the URL, crosses the network unencrypted:

coap-client -v 6 -m POST coap://coap.eu.thingsboard.cloud/api/v1/YOUR_ACCESS_TOKEN/telemetry -t json -e '{"temperature":25}'

The above command requires the coap-client tool, which you can install using the following commands:

  • Ubuntu 20.04: sudo apt install libcoap2-bin
  • Ubuntu 18.04: sudo apt install libcoap1-bin

Don’t forget to replace YOUR_ACCESS_TOKEN with the access token of your device.

DTLS support (One-way TLS)

CoAP access token-based authentication over DTLS is a standard authentication mode where the client device verifies the server’s identity using a server certificate.

Note: “One-way TLS” means the client verifies the server, but the server does not verify the client.

When a CoAP client connects to a server, it ensures the server’s authenticity by verifying that the certificate is not expired and is trusted by the client. A certificate is considered trusted if:

  • It is issued by a well-known Certificate Authority (CA), such as Let’s Encrypt.
  • It is present in the client’s trust store.

To establish trust, the CoAP client must always provide the CA certificate used to sign the server’s certificate. Unlike some HTTPS implementations that rely on a system trust store, CoAP clients using DTLS require explicit CA certificate configuration.

Before we explore usage examples, we need to install a CoAP client that supports DTLS.

Install the CoAP client with DTLS support

Install the CoAP client with DTLS support on Linux by following these steps:

  • step 1: clone the libcoap git repo:
git clone https://github.com/obgm/libcoap --recursive --depth 1
  • step 2: navigate into the libcoap directory:
cd libcoap
  • step 3: install the build dependencies, then run the ./autogen.sh script:
sudo apt-get update
sudo apt-get install autoconf libtool libssl-dev
./autogen.sh
  • step 4: run the ./configure script with the following options:
./configure --with-openssl --disable-doxygen --disable-manpages --disable-shared
  • step 5: build the client:
make
  • step 6: install it:
sudo make install

Example:

Since the CoAP client must always provide the CA certificate for verification, use the -R flag followed by the path to a PEM file containing the trusted root CA certificates. The ThingsBoard team has already provisioned a valid certificate for ThingsBoard Cloud EU.

Please download the CA root certificate and save it to your working directory as “ca-root.pem”:

wget https://thingsboard.io/docs/paas/eu/user-guide/resources/coap-over-dtls/ca-root.pem

Now you can use ca-root.pem to set up a secure connection to ThingsBoard Cloud EU, and Access Token YOUR_ACCESS_TOKEN to authenticate the device and upload telemetry:

coap-client-openssl -v 6 -m POST -R ca-root.pem -t "application/json" -e '{"temperature":42}' coaps://coap.eu.thingsboard.cloud/api/v1/YOUR_ACCESS_TOKEN/telemetry

Don’t forget to replace YOUR_ACCESS_TOKEN with the access token of your device.
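
The DTLS upload above depends on a usable ca-root.pem and a real access token, so a wrapper can check both before anything is sent. The following is an added example, not ThingsBoard code: the function names and the TB_TOKEN environment variable are hypothetical, the token character check is a defensive assumption, and it uses only the coap-client-openssl flags shown above.

```sh
#!/bin/sh
# Added example (not ThingsBoard code): pre-flight checks before a DTLS upload.

# check_ca_pem FILE: succeed only if FILE holds a PEM certificate that openssl
# can parse and that has not expired. Only the first certificate is inspected.
check_ca_pem() {
    [ -s "$1" ] || { echo "CA file missing or empty: $1" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "no PEM certificate in: $1" >&2; return 3; }
    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "unparseable or expired certificate: $1" >&2; return 4; }
}

# telemetry_url TOKEN: print the coaps:// URL. Rejects a token that is empty,
# still the placeholder, or contains characters that would alter the URL path
# (assumption: device tokens never need those characters).
telemetry_url() {
    case $1 in
        ''|YOUR_ACCESS_TOKEN)
            echo "access token not set" >&2; return 2 ;;
        */*|*\?*|*\#*|*[[:space:]]*)
            echo "token has URL-unsafe characters" >&2; return 3 ;;
    esac
    printf 'coaps://coap.eu.thingsboard.cloud/api/v1/%s/telemetry\n' "$1"
}

# send_telemetry CA_FILE JSON: upload JSON over DTLS. The token is read from
# the TB_TOKEN environment variable (hypothetical name), not the script text.
send_telemetry() {
    check_ca_pem "$1" || return
    url=$(telemetry_url "${TB_TOKEN:-}") || return
    coap-client-openssl -v 6 -m POST -R "$1" -t "application/json" -e "$2" "$url"
}
```

With TB_TOKEN exported, call it as send_telemetry ca-root.pem '{"temperature":42}'; the scheme is fixed to coaps://, so the token cannot be sent over plain CoAP by mistake.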