Authentication

Password Storage

The Identity service provides secure password storage for applications and users. Passwords are stored in the Identity service database in hashed form using scrypt.

Password Management

The Identity service enforces password strength and complexity requirements for applications. The following requirements are enforced:

  • Minimum length 8
  • Maximum length 128
  • Must not repeat 3 characters in a row (if the password length is less than 20 characters)
  • Does not contain any of the top 20 passwords
  • Does not contain email username
  • Password strength is 16 or higher. Password strength is calculated as the length of the password times the number of character sets used. When counting the number of character sets, the first and last characters are ignored.
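
As an added example (not the Identity service's own code), here is a Python checker that applies the rules above to a candidate password. The four character classes and the stand-in top-20 list are assumptions, since the page does not define either.

```python
import re

# Constructed stand-in for the "top 20 passwords" list; the page does not
# enumerate it, so a deployment must substitute the real list.
TOP_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

MIN_LENGTH, MAX_LENGTH = 8, 128
MIN_STRENGTH = 16


def character_sets(pw: str) -> int:
    """Count character classes used, ignoring the first and last character.
    The classes (lower, upper, digit, other) are an assumption of this example."""
    core = pw[1:-1]
    classes = [
        any(c.islower() for c in core),
        any(c.isupper() for c in core),
        any(c.isdigit() for c in core),
        any(not c.isalnum() for c in core),
    ]
    return sum(classes)


def strength(pw: str) -> int:
    """Strength = password length times number of character sets used."""
    return len(pw) * character_sets(pw)


def check_password(pw: str, email: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LENGTH:
        problems.append("longer than 128 characters")
    # The triple-repeat rule only applies below 20 characters.
    if len(pw) < 20 and re.search(r"(.)\1\1", pw):
        problems.append("repeats a character 3 times in a row")
    lowered = pw.lower()
    if any(common in lowered for common in TOP_PASSWORDS):
        problems.append("contains a top-20 password")
    # The email username is the local part before the "@".
    username = email.split("@", 1)[0].lower()
    if username and username in lowered:
        problems.append("contains the email username")
    if strength(pw) < MIN_STRENGTH:
        problems.append(f"strength {strength(pw)} is below 16")
    return problems
```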

The Identity service provides password change and password reset features. For password reset, the platform provides a reset token which can be used within a password reset email sent to the user.

Password Verification

The Identity service validates passwords for applications. The Identity service enforces automatic lock out of user accounts after 7 incorrect passwords, with a lockout duration of 30 minutes.

Federated Signon

The Identity service provides an OpenID solution for applications. Applications can give users the option of using their usernames and passwords from other accounts outside of Xively, eliminating the need for users to remember another password for use with the application. This can also facilitate access control in enterprise environments, by allowing access for enterprise users to be managed centrally (in the identity provider), rather than requiring separate management of access in the connected-product system.

To use Xively's OpenID support, the identity provider must be set up for Xively. The Xively callback must be provided (https://<id service domain name>/oauth2/callback). The identity provider will assign a clientID and secret which must be used when the identity provider is registered with IDM (/openidc/providers).

After the identity provider is configured, applications can login a user with the /openidc/login endpoint. When this endpoint is called, IDM will redirect the user's browser to the identity provider for authentication. After the identity provider authenticates the user, the identity provider will redirect the user's browser to the /oauth2/callback endpoint, which will return a JWT for the user.