
Token Management Service

Idea

Use the Token Management Service to grant your application access to the data of tenants that use it. This is relevant if your application frequently processes data of multiple tenants without user interaction, e.g. pre-calculating KPIs for a dashboard. If an application has access to the Token Management Service, it can request tokens to access the IoT data of other tenants. Access to the Token Management Service must be explicitly granted for each version of an application.

Info

The Token Management Service is currently only available in region Europe 1.

Access

To access the Token Management Service, your application must be explicitly granted access: in the Developer Cockpit during development and in the Operator Cockpit for productive use.

Basics

Whenever IoT data is accessed in MindSphere, a valid token is required to obtain access permission. If an application needs to access IoT data without human interaction, it needs a technical token. The Token Management Service generates these tokens. To issue a token, the application sends a request to the Token Management Service that contains its own credentials and specifies which data it needs to access. If the application has permission to access this data, the Token Management Service returns a valid token that grants the requested access permission.

Architecture

The figure below shows the basic interactions between Token Management Service and the Developer Cockpit, the Operator Cockpit, and an application.

[Figure: Background data access workflow]

While an application is uploaded to the Developer Cockpit for testing, it cannot access data on other tenants. However, the communication between the application and the Token Management Service can be tested. [1]

An application requests a token from the Token Management API if it needs to access IoT data. In its request, it provides its service credentials as well as the location it wants to access. If the application has permission to access this data, the Token Management Service returns a valid token for this action. [2]

The application uses the token in order to access the requested data. [3]

When an application is registered in the Operator Cockpit, it can be assigned read/write or limited access. Read/write access grants full access to all available MindSphere APIs. Limited access allows the application to manage assets and files and to create events, but not to write time series data. If a customer purchases an application, they must confirm that the application may access their data. [4]

Service Credentials

Applications must send their service credentials to the Token Management Service in order to request a token. Service credentials consist of a client ID and a client secret. They are created after an application is uploaded to the Developer Cockpit or Operator Cockpit and must be provided to the application as environment variables.
Access for an application must be issued manually in the Authorization Management in order to create service credentials. For Cloud Foundry applications, the Operator Cockpit automatically provides the service credentials as environment variables of the application.

Info

The Developer Cockpit and Operator Cockpit display service credentials only once, when access for an application is issued. It is not possible to review them later.

Service credentials of applications are version specific and must be updated if a new version of an application is uploaded. This also means that the service credentials issued in the Developer Cockpit are no longer valid once the application has been transferred to the operator tenant.

To revoke the credentials, de-register the application.
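The token request flow from the Basics and Architecture sections, combined with the credential handling described above, as an added example (not MindSphere's own SDK or documentation code): the client reads the service credentials from environment variables, requests a technical token per tenant, and reuses it until shortly before it expires. The endpoint path, the header name, the request body fields, the response shape and the environment variable names are assumptions and must be checked against the Token Management API reference.

```python
import base64
import os
import time
from typing import Callable, Dict, Mapping, Tuple

# Assumed endpoint path and field names: verify against the Token Management API reference.
TOKEN_PATH = "/api/technicaltokenmanager/v3/oauth/token"
Sender = Callable[[str, Dict[str, str], Dict[str, str]], dict]


class TokenClient:
    """Requests technical tokens per tenant and reuses them until shortly before expiry."""

    def __init__(self, app_name: str, app_version: str, host_tenant: str, send: Sender,
                 env: Mapping[str, str] = os.environ, clock: Callable[[], float] = time.time):
        # Service credentials come from environment variables (assumed variable names),
        # so no secret is ever hardcoded or committed with the application.
        client_id, client_secret = env.get("MDSP_CLIENT_ID"), env.get("MDSP_CLIENT_SECRET")
        if not client_id or not client_secret:
            raise RuntimeError("service credentials missing from environment")
        # Client ID and secret, base64 encoded, sent in a header (assumed header name).
        self._basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        # Credentials are version specific, so the application version is part of every request.
        self._app = {"appName": app_name, "appVersion": app_version, "hostTenant": host_tenant}
        self._send, self._clock = send, clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # tenant -> (token, absolute expiry)

    def token_for(self, tenant: str) -> str:
        """Return a token for `tenant`, requesting a fresh one only when the cached one is stale."""
        cached = self._cache.get(tenant)
        if cached and cached[1] - 30 > self._clock():  # 30 s margin against clock skew
            return cached[0]
        headers = {"X-SPACE-AUTH-KEY": self._basic, "Content-Type": "application/json"}
        body = {"grant_type": "client_credentials", "userTenant": tenant, **self._app}
        resp = self._send(TOKEN_PATH, headers, body)  # transport is injected so this runs offline
        token, ttl = resp["access_token"], float(resp["expires_in"])
        self._cache[tenant] = (token, self._clock() + ttl)
        return token

    def auth_header(self, tenant: str) -> Dict[str, str]:
        """Header to attach when calling MindSphere APIs on the tenant's behalf (step [3])."""
        return {"Authorization": "Bearer " + self.token_for(tenant)}


def demo_send(path: str, headers: Dict[str, str], body: Dict[str, str]) -> dict:
    """Constructed stand-in for the HTTP call; a real client would POST `body` to `path`."""
    return {"access_token": "tok-" + body["userTenant"], "token_type": "bearer", "expires_in": 1800}
```

The client never logs the credentials or the token; if a token request fails, de-registering the application (as described above) is the way to revoke the credentials.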

Features

The Token Management Service exposes its API for the following task:

  • Issuing a token in the name of a tenant for a specific application version.

Example Scenario

An operator wants to offer an application on the MindSphere Store that automatically pre-calculates KPIs and schedules data processing for tenants who buy the application. They register their application to use the Token Management Service in order to access the tenants' data without requiring user action.



Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.