About Machine-to-Machine (M2M) Auth
Machine-to-machine (M2M) authentication allows for the verification of identity between machines (e.g., servers, applications, devices) to ensure secure communication and data exchange.
M2M auth is commonly used in scenarios where automated systems or devices need to interact, such as in IoT ecosystems, cloud services, or API integrations.
Userfront has a flexible approach that allows single- or bi-directional machine-to-machine authentication and authorization between multiple machines in a network using JSON Web Tokens (JWTs) or API keys.
Machine-to-Machine (M2M) Auth Requirements
Userfront offers a variety of configurations for machine-to-machine authentication and authorization.
Attributes:
- Global RBAC
- Machine-as-user
- Multi-tenant RBAC
- Password
- OAuth / social SSO / OIDC
- API key
- Passwordless link
- 6-digit verification code OTP
- TOTP authenticator
- SAML
- Custom authentication
JWT access token or API key
Userfront allows for machine-to-machine authentication via JWT access token or API key (see M2M Auth Handling).
Once authenticated, machines can request a JWT access token or API key from Userfront, which they can present to other machines for authentication. Communication between machines should always take place over a secure channel, such as HTTPS, or within a secured internal network.
Machine-to-machine initial authentication
Machines can authenticate against Userfront using any authentication method, such as password, OAuth, passwordless link, 6-digit verification code, or TOTP authenticator, or using any combination of authentication factors with MFA.
Userfront requires SSL/TLS for live mode connections between a machine and Userfront's servers.
Scoping M2M auth: Global RBAC, machine-as-user, Multi-tenant RBAC
There are 3 ways to scope machine-to-machine auth on Userfront:
- Global RBAC
- Machine-as-user
- Multi-tenant RBAC: each machine holds roles such as admin, iot-remote, or any custom role you choose, scoped per tenant. This approach offers the most flexibility for future changes and allows for nested, fine-grained access management for your fleet of machines while still maintaining ease of use.
Migrating machine-to-machine auth
If needed, Userfront can migrate most machine-to-machine auth systems in a backwards-compatible manner.
The specifics for migration will depend on your system, but most JWT-based approaches and many API key- based approaches can be migrated seamlessly.
Contact us to discuss migrating your machine-to-machine auth.
Machine-to-Machine (M2M) Auth Handling
Userfront allows machine-to-machine authentication and authorization via JSON Web Tokens (JWTs) or API keys.
The best option for your specific use case will depend on several factors, including your security requirements, API architecture, and levels of authorization.
If your API only needs to grant basic read access to non-sensitive information and doesn't require granular permissions and access control, API keys can be easier to implement than JWTs. Keep in mind that an API key is an opaque bearer secret: the receiver must either store it (or a hash of it) or look it up, and the key carries no permissions of its own.
However, if your API serves multiple clients, such as an external-facing API or in a microservices architecture, JWTs are a more secure and scalable alternative to API keys. JWTs are signed, self-contained tokens: a receiver can verify one locally with the issuer's public key and read granular, per-tenant permissions from its payload without additional API calls.
M2M with JWT access tokens
Userfront allows M2M auth using JWTs in the following steps:
1. Token generation
Your application or device makes an authentication request to Userfront using any of the authentication methods you choose.
Userfront receives the request, generates a JWT access token with your desired payload and expiration, and returns the JWT access token to the requesting device.
In addition to standard claims, the JWT access token can also contain custom claims in its payload.
The JWT access token can also be scoped to any parent or nested tenant within your application, ensuring that access is granted at the appropriate level(s) for the requesting device.
2. Token distribution
Userfront returns the JWT access token to the requesting device. The device then uses this token for subsequent authenticated requests to other devices in your system.
3. Token usage
When a device wants to communicate with another device or a server in your system, it includes the JWT access token in an HTTP header (typically Authorization: Bearer <token>). The receiving device verifies the token's signature with Userfront's public key, which proves the token was issued by Userfront and has not been altered; the private signing key never leaves the issuer.
The receiving device then validates the standard claims (e.g., that the token has not expired and is intended for this audience) and finally checks the authorization levels carried in the payload against what the request requires.
API keys
Userfront allows M2M auth using API keys in the following steps:
1. API key retrieval
Your application or device makes an authentication request to Userfront using any of the authentication methods you choose. Userfront receives the request and returns an API key to the requesting device.
The API key can be scoped to any parent or nested tenant within your application, ensuring that access is granted at the appropriate level(s) for the requesting device.
2. API key distribution
Userfront returns the API key to the requesting device. The device then uses this API key for subsequent authenticated requests to other devices in your system.
3. API key usage
When a device wants to communicate with another device or a server in your system, it includes the API key in an HTTP header. The receiving device can either already hold the API key (or a hash of it) and check for a match, or it can send the API key to Userfront for verification.
4. API key verification request (optional)
If the receiving device does not have the API key stored, it can make a request to Userfront’s verify API key endpoint with the API key in the HTTP header.
5. API key verification response (optional)
Userfront returns a response indicating whether the API key is valid, and if so, for which tenant.