piwo1984

Reputation: 71

Secure communication between FIWARE Orion and context-provider/IoT agent

I have to think about an architecture using the FIWARE Orion context broker and several IoT agents/context providers. In the documentation there is a section describing how to secure the communication from an IoT agent/context provider to Orion. But how to secure the other side? What I understand, so far, is that a context provider has to expose a REST endpoint (/op/query) on which it accepts incoming traffic. But how can it make sure that these requests are valid? In case of a subscription you can use httpCustom instead of http in the provider section when you create a subscription. With this it is possible to use a static token which will be used by Orion when making requests to the given URL. This isn't possible for registration. Any suggestions how a context provider/IoT agent can decide if an incoming request is a valid one?

Upvotes: 3

Views: 226

Answers (1)

Perrolobo

Reputation: 663

With NGSIv2 Subscription/Notification and Register/Forwarding you will receive an X-Auth-Token header with the token used in the initial update operation. You should be able to check it within the IDM (Keystone in our stack).

As a workaround you may use the value itself to send some kind of Apikey along with the real value.

Network security may also apply: it is common to use firewalls and restrict IPs/ports, or establish an APN/VPN in distributed architectures (at least with unsecured devices or external networks).

Last, if synchronous communication is not a must for your use case (registers are sync, sub/notif are async), it is not a big deal to use the Subs/Notif mechanism to communicate with a Context Adapter. We do sometimes; registers are tricky and troublesome.

Best.

Upvotes: 2
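An added example, not part of the original answer and not FIWARE code: a gate a context provider could run in front of its /op/query handler, combining the forwarded X-Auth-Token check with the source-address restriction the answer mentions. `ForwardedRequestGate`, `validate_token` and the network range are hypothetical; the IDM lookup is deployment-specific and is passed in as a callable.

```python
import hashlib
import ipaddress
import time

class ForwardedRequestGate:
    """Accept/reject decision for requests arriving at a provider's /op/query."""

    def __init__(self, validate_token, broker_networks, cache_ttl=60, clock=time.monotonic):
        self._validate = validate_token      # hypothetical callable(token) -> bool that asks the IDM
        self._networks = [ipaddress.ip_network(n) for n in broker_networks]
        self._ttl = cache_ttl
        self._clock = clock
        self._accepted = {}                  # sha256(token) -> expiry of the cached acceptance

    def _token_ok(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()  # do not keep raw tokens around
        now = self._clock()
        expiry = self._accepted.get(key)
        if expiry is not None and expiry > now:
            return True
        self._accepted.pop(key, None)
        if self._validate(token):
            self._accepted[key] = now + self._ttl  # cache acceptances only, for a short time
            return True
        return False

    def check(self, peer_ip, headers):
        """Return (http_status, reason) for one incoming request."""
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in net for net in self._networks):
            return 403, "peer is not an allowed broker address"
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        token = lowered.get("x-auth-token", "").strip()
        if not token:
            return 401, "missing X-Auth-Token"
        try:
            accepted = self._token_ok(token)
        except Exception:
            return 503, "IDM unavailable"    # fail closed when the IDM cannot answer
        return (200, "ok") if accepted else (401, "token rejected by IDM")

if __name__ == "__main__":
    # Constructed sample: a stand-in IDM that knows one token, broker on 10.0.0.0/24.
    gate = ForwardedRequestGate(lambda t: t == "constructed-valid-token", ["10.0.0.0/24"])
    print(gate.check("10.0.0.5", {"X-Auth-Token": "constructed-valid-token"}))
    print(gate.check("10.0.0.5", {}))
    print(gate.check("192.0.2.7", {"X-Auth-Token": "constructed-valid-token"}))
```

The short acceptance cache keeps the provider from calling the IDM on every forwarded query; a revoked token can still be accepted until its cache entry expires, so the TTL should stay small.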
