Authorization

User Story & Use Case

As an AAS Components user

I want to authorize data access on AAS & Submodels contained in the AAS Server

so that I can store sensitive data and prevent its unauthorized access.


This feature enables AAS Components users to secure the AAS & Submodels stored on the AAS Server component.

Feature Overview

Authorization is a basic implementation that permits only authorized requests for READ and WRITE operations on both the AAS and the submodels. It uses OAuth2 tokens and scopes; the scopes are defined [for submodels] and [for the AAS]. When authorization is enabled, an operation can be performed as long as the token includes the respective scopes.

An example for the authorization can be found in the scenario with Keycloak.

Feature Configuration

Authorization is disabled by default. Basic authorization is switched on or off in aas.properties with one of the following values:

aas.authorization=Enabled
aas.authorization=Disabled

The JWT connectivity is configured in context.properties, for example:

jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
jwtBearerTokenAuthenticationRequiredAud=basyx-demo
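
The claim checks these settings and the scope rule imply, as an added Python example (not BaSyx code). It assumes the token's signature has already been verified against the JWK set by a JWT library; the scope names are placeholders because this page only links to the real ones, and the function name and sample claims are constructed for illustration.

```python
import time

# Values copied from the context.properties example above.
ISSUER_URI = "http://127.0.0.1:9006/auth/realms/basyx-demo"
REQUIRED_AUD = "basyx-demo"

# Placeholder scope names (assumption): the real names are defined elsewhere.
READ_SCOPE = "example:aas:read"
WRITE_SCOPE = "example:aas:write"


def authorize(claims, required_scope, now=None):
    """Return (allowed, reason) for the claims of a signature-verified JWT."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER_URI:
        return False, "issuer mismatch"
    # RFC 7519: "aud" is either a single string or an array of strings.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or REQUIRED_AUD not in aud:
        return False, "required audience missing"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    # RFC 6749: "scope" is a space-delimited string. Compare whole entries,
    # never substrings, so "...:read" is not satisfied by "...:readonly".
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    if required_scope not in granted:
        return False, "scope missing"
    return True, "ok"


# Constructed sample claims, not captured from a real Keycloak instance.
SAMPLE = {
    "iss": ISSUER_URI,
    "aud": ["account", "basyx-demo"],
    "exp": 2_000_000_000,
    "scope": "openid example:aas:read",
}

if __name__ == "__main__":
    print(authorize(SAMPLE, READ_SCOPE, now=1_700_000_000))
    print(authorize(SAMPLE, WRITE_SCOPE, now=1_700_000_000))
```

The loopback http:// URIs are demo values; when the identity provider runs on another host, use https:// for both URIs so the JWK set cannot be altered in transit.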
