Azure / iotedge-lorawan-starterkit

Sample implementation of LoRaWAN components to connect LoRaWAN antenna gateway running IoT Edge directly with Azure IoT.
https://azure.github.io/iotedge-lorawan-starterkit/2.2.1

How authentication works #26

Closed smoms closed 5 years ago

smoms commented 5 years ago

How does the authentication work? A device (leaf) is pushed the AppKey from the IoT Hub device twin. Is IoT Edge afterwards querying IoT Hub to retrieve the AppKey for that device and authenticate the communication with it? My understanding is that IoT Edge running the LoRaWAN Server should in fact be responsible for authentication with devices...

Ellerbach commented 5 years ago

Hi, I guess this part of the documentation (to be merged further) should help you understand the full mechanism: https://github.com/Azure/iotedge-lorawan-starterkit/blob/dev-0.2-LoRent/LoRaEngine/README.md Let me know if you still have questions.

ronniesa commented 5 years ago

The above doc is outdated. The attached sequence diagram is the correct one. We have re-architected the use of twins for the authentication / decryption part in the dev-02 (will be soon published as next preview). Edge NtwSrv queries the IoT Hub registry to get the identity; after that everything is done in the NtwSrv itself: it gets the twins (AppKey, AppEUI, etc.), generates the LoRa keys (NtwSKey, AppSKey), saves them back to the twins and sends the join accept. So yes, the Edge module is responsible for auth, decrypt etc. and uses the twin as DB. Currently we still need an Azure function for multi gateway support and for getting the IoT device "impersonation" identity. We are looking to improve this part too in the future.

[attached image: sequence diagram]
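The key generation step ronniesa describes (the network server turning the twin's AppKey into NwkSKey and AppSKey at join time), as an added Go example that is not code from the starter kit (which is .NET): it follows the LoRaWAN 1.0.x specification's derivation, and the AppKey, AppNonce, NetID and DevNonce values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// LoRaWAN 1.0.x OTAA session key derivation, run by the network server after
// it has read the device's AppKey from its IoT Hub twin:
//   NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
//   AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
// AppNonce and NetID are 3-byte fields, DevNonce is 2 bytes, all little-endian.

// keyBlock lays out the 16-byte plaintext block that is encrypted under AppKey.
func keyBlock(keyType byte, appNonce, netID uint32, devNonce uint16) [16]byte {
	var b [16]byte
	b[0] = keyType
	b[1], b[2], b[3] = byte(appNonce), byte(appNonce>>8), byte(appNonce>>16)
	b[4], b[5], b[6] = byte(netID), byte(netID>>8), byte(netID>>16)
	b[7], b[8] = byte(devNonce), byte(devNonce>>8)
	return b // b[9:] stays zero: that is the pad16
}

// DeriveSessionKeys returns (NwkSKey, AppSKey) for one join, or an error if the
// AppKey read from the twin is not a 16-byte AES-128 key.
func DeriveSessionKeys(appKey []byte, appNonce, netID uint32, devNonce uint16) ([]byte, []byte, error) {
	if len(appKey) != 16 {
		return nil, nil, errors.New("AppKey must be 16 bytes (AES-128)")
	}
	c, err := aes.NewCipher(appKey)
	if err != nil {
		return nil, nil, err
	}
	nwk, app := keyBlock(0x01, appNonce, netID, devNonce), keyBlock(0x02, appNonce, netID, devNonce)
	nwkSKey, appSKey := make([]byte, 16), make([]byte, 16)
	c.Encrypt(nwkSKey, nwk[:]) // one raw AES block each, as the spec defines
	c.Encrypt(appSKey, app[:])
	return nwkSKey, appSKey, nil
}

func main() {
	// Constructed sample values; in the starter kit the AppKey comes from the twin.
	appKey, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	nwkSKey, appSKey, err := DeriveSessionKeys(appKey, 0x0A0B0C, 0x000013, 0xBEEF)
	if err != nil {
		panic(err)
	}
	fmt.Printf("NwkSKey=%x\nAppSKey=%x\n", nwkSKey, appSKey)
}
```

Both derived keys are then written back to the twin, so the twin (not a separate database) is what holds the session state between gateway restarts.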

smoms commented 5 years ago

@ronniesa @Ellerbach many thanks, much better now. Couple of questions: I am a bit confused on step 4: where does the Azure function store the app key (aka device key) instead, if it is not the demo version? Why in the diagram do you say that only the network server is downloaded from the ACR, what about the packet forwarder?

ronniesa commented 5 years ago

Both modules are retrieved from a container registry, which can be ACR or Docker Hub or another container registry. The schema in the not yet published doc is not complete.

You provision the device with DevEUI as deviceId and AppKey in the twins as described in the lora device provisioning chapter: https://github.com/Azure/iotedge-lorawan-starterkit/blob/dev-0.2/README.md

We will have a cli tool for provisioning devices with an autogenerated key in the future. Currently you need to generate the key yourself.

smoms commented 5 years ago

@ronniesa thanks, then I presume you do need to adjust the numbered diagram. And what about the first question?

ronniesa commented 5 years ago

AppKey, NtwSKey, AppSKey are stored as twin properties through the normal IoT Hub device twin support. They are stored by IoT Hub itself. We don't store them somewhere else. So no DBs are involved.

Mandur commented 5 years ago

I will close the issue for now, please feel free to reopen in case you need additional information