
MindSphere SDK for Python - Token Handling

Token handling in the MindSphere SDK for Python fetches access tokens using service credentials, caches them and re-fetches them on expiry. This gives developers an easy mechanism for handling authorization. Developers can configure user authorization tokens or service credentials. Service credentials can be set up programmatically or using environment variables.

Features

Token handling in the MindSphere SDK provides the following features:

  • Handling of user tokens
  • Fetching and handling of technical tokens
    • Fetching using app specific service credentials
    • Fetching using tenant specific service credentials
    • Fetching using tenant specific service credentials with subtenant impersonation
  • Token validation using issuer, issuing time, expiry time, token algorithm and token type before making API calls.
  • Reuse of technical tokens until they expire, to reduce traffic, with automatic refresh when the time left until expiry is less than 5 minutes.

Technical Token Handling Mechanisms

Token Fetching

The MindSphere SDK for Python uses the client ID, client secret and other configured parameters when fetching technical tokens to make MindSphere API calls. Refer to Required Environment Variables for Fetching Technical Tokens for more information on the parameters to be configured.

The MindSphere SDK for Python uses app specific service credentials if available and otherwise looks for tenant specific service credentials.

Token Validation

The MindSphere SDK for Python only executes API calls if the technical token is valid. The check covers the issuer, valid issuer, issued-at time, expiry time, token algorithm and token type.

Token Caching and Re-Fetching

After fetching a valid token, the token is cached in a credentials object. Every technical token is valid for 30 minutes. A new token is automatically fetched 5 minutes before the expiry.
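The validation and re-fetch behaviour described above, as an added sketch that is not the SDK's own code: it checks the listed header and claim fields of a JWT and re-fetches once less than 5 minutes of validity remain. The names validate, TokenCache and make_sample_token, the RS256 algorithm, the "JWT" type value and the sample issuer URL used in testing are assumptions, and the sketch checks claims only; it does not verify the token signature.

```python
import base64, json, time

REFRESH_MARGIN = 5 * 60  # seconds; the page states a re-fetch 5 minutes before expiry

def _b64json(part):
    # JWT segments are unpadded base64url-encoded JSON
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def validate(token, valid_issuer, now=None, alg="RS256", typ="JWT"):
    """Return the claims if every check passes, else raise ValueError.
    alg and typ defaults are assumptions, not values taken from the SDK."""
    now = time.time() if now is None else now
    try:
        head, body, _sig = token.split(".")
        header, claims = _b64json(head), _b64json(body)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segments are not JSON objects")
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    iat, exp = claims.get("iat"), claims.get("exp")
    checks = {
        "algorithm": header.get("alg") == alg,   # rejects e.g. alg "none"
        "type": header.get("typ") == typ,
        "issuer": claims.get("iss") == valid_issuer,
        "issued at": isinstance(iat, (int, float)) and iat <= now,
        "expiry": isinstance(exp, (int, float)) and exp > now,
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError("token rejected: " + ", ".join(failed))
    return claims

class TokenCache:
    """Hypothetical credentials object: reuse a token until it is close to expiry."""
    def __init__(self, fetch, valid_issuer):
        self._fetch, self._issuer = fetch, valid_issuer
        self._token, self._exp = None, 0.0
        self.fetches = 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or self._exp - now < REFRESH_MARGIN:
            token = self._fetch()
            self.fetches += 1
            self._exp = validate(token, self._issuer, now)["exp"]  # raises before caching
            self._token = token
        return self._token

def make_sample_token(iss, iat, lifetime=30 * 60, alg="RS256"):
    # Constructed sample token with a dummy signature segment, for offline use only
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc({"iss": iss, "iat": iat, "exp": iat + lifetime}), "sig"])
```

Passing the fetch function and the clock in as parameters keeps the refresh logic testable without network access or real credentials.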

Required Environment Variables for Fetching Technical Tokens

The MindSphere SDK for Python only uses environment variables for fetching tokens if neither user token nor service credentials are available.

Environment Variables for App Specific Technical Tokens

| Environment Variable | Description |
|---|---|
| MDSP_KEY_STORE_CLIENT_ID | Client ID displayed as service credentials in Developer Cockpit or Operator Cockpit |
| MDSP_KEY_STORE_CLIENT_SECRET | Client secret displayed as service credentials in Developer Cockpit or Operator Cockpit |
| MDSP_OS_VM_APP_NAME | The application name as stored by the version management of the Operator Services |
| MDSP_OS_VM_APP_VERSION | The application version as stored by the version management of the Operator Services |
| MDSP_HOST_TENANT | Host Tenant |
| MDSP_USER_TENANT | User Tenant |

Environment Variables for Tenant Specific Technical Tokens

| Environment Variable | Description |
|---|---|
| MINDSPHERE_CLIENT_ID | Client ID of the service credentials |
| MINDSPHERE_CLIENT_SECRET | Client secret of the service credentials |
| MINDSPHERE_TENANT | Tenant name |

Environment Variables for Tenant Specific Technical Tokens with Subtenant Impersonation

| Environment Variable | Description |
|---|---|
| MINDSPHERE_CLIENT_ID | Client ID of the service credentials |
| MINDSPHERE_CLIENT_SECRET | Client secret of the service credentials |
| MINDSPHERE_TENANT | Tenant name |
| MINDSPHERE_SUB_TENANT | Subtenant name |


Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.