REST API authorization per application

Hello.
We are using a single loraserver for multiple companies.
Every company has a separate custom server that communicates with loraserver via MQTT.
Every company server is bound to one application of loraserver.
For security we use MQTT ACL to restrict access per application.

For some operations we need the REST API. I understand that the REST API uses a global JWT token for authorization.
Is it possible to configure per-application access for the REST API?

This is not (yet) possible, but something I would like to see is an improvement in the way API tokens are generated and validated. Currently the only way is either to generate your own JWT token or to use the /internal/login endpoint to generate one. Either way, the scope is the user account.

This will require some refactoring, but it would make it easier to provide API tokens (using just the web interface) with a limited scope (e.g. per application).

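To make concrete what "the scope is the user account" means, here is an added example that is not code from this thread or from lora-app-server itself: it mints and validates an HS256 JWT in pure Python using the claim layout I remember from the lora-app-server documentation (iss/aud "lora-app-server", nbf, exp, sub "user", username). Treat the claim names, the secret and the usernames as assumptions and check them against the docs for your version. The point it shows is that nothing in a valid token names an application, so the server can only tie the request to a user, and that a validator must pin the algorithm, check the signature with a constant-time compare, and enforce the time window before trusting the username.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for illustration only; lora-app-server reads its own
# jwt_secret from its configuration file.
ISSUER = "lora-app-server"
AUDIENCE = "lora-app-server"


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username: str, secret: str, now: Optional[int] = None, ttl: int = 86400) -> str:
    """Create an HS256 JWT with a lora-app-server style claim set (assumed layout).

    The only identity carried is the user account (sub/username). There is no
    claim naming an application, which is exactly the limitation the thread is about.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "nbf": now,
        "exp": now + ttl,
        "sub": "user",
        "username": username,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Check algorithm, signature, issuer/audience and time window; return the claims.

    Raises ValueError on any failure, so a caller never sees claims from a
    token that did not pass every check.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer/audience")
    if now < int(claims.get("nbf", 0)) or now >= int(claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims


def is_valid(token: str, secret: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_token for callers that only need a yes/no."""
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False


def names_application(claims: dict) -> bool:
    """True only if the claims carry any application-scoping field (they never do here)."""
    return any(k in claims for k in ("applicationID", "application_id", "applications"))


if __name__ == "__main__":
    secret = "replace-with-the-jwt_secret-from-your-config"  # assumption
    tok = mint_token("company-a", secret, now=1_500_000_000, ttl=3600)
    print(tok)
    print(verify_token(tok, secret, now=1_500_000_100))
```

In the versions I have used the token is sent to the REST API in the Grpc-Metadata-Authorization header; check the docs for your release, since the exact header and whether a "Bearer " prefix is expected has changed over time. Whatever the transport, the validator above is all the server can go on, and a token that passes it is as powerful as the user it names, across every application that user may reach.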
Giving each company their own user seems like a reasonable workaround.

I can give each company its own user, but a user has no connection to an application or to devices.

Because the only way to group devices is by application, it would be great to be able to restrict access to an application by connecting it to a user.

Interesting, your setup in the original post wasn’t clear to me. Is there a reason you didn’t assign each company an organization and use organization-specific users?