iothub-explorer sas-token duration & updating it on devices

  • Question

  • I have multiple Arduino devices sending data to Azure IoT Hub. I've defined (hard coded) the SAS Token for each device in the code that is uploaded to the boards. Two questions:

    1. What is the maximum device SAS token duration?

    2. Does this mean I need to go through all devices once per "expiration time" to update the SAS Token?





    Wednesday, November 29, 2017 12:57 PM

Answers

  • You can check out this sample that shows how to use the AzureIoTHub and AzureIoTProtocol_MQTT libraries (which is a port of our C SDK) that implement the generation and renewal of the SAS Token based on the device ID/key pair provisioned through a Connection String.
    • Marked as answer by Jussi Palo Saturday, December 2, 2017 11:17 AM
    Wednesday, November 29, 2017 6:56 PM

All replies

  • Hi @Jussi

    In theory the SAS token duration can be whatever you decide, so you can certainly put it to expire a few years from now if not more. That said, this is really not a good security practice and definitely not recommended, as a man-in-the-middle attack could be used more easily with a token that doesn't expire.

    If you are using the Azure IoT SDK, you can leverage the auto-generation and renewal of the SAS Token (from device ID/Key pair).

    If you decide you want to generate the SAS Token yourself, then you will indeed need to renew the tokens on every device yourself before the expiration time.

    Wednesday, November 29, 2017 4:41 PM
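
Editor's added example (not part of the thread and not code from the Azure IoT SDK): how a device-scoped SAS token with a short lifetime is derived from the device ID/key pair, and how a renewal check before expiry can look. The hub host name, device ID, key and the 300-second renewal margin are constructed values chosen for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed demo key; a real device key comes from the IoT Hub device registry.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()


def generate_sas_token(hub_host, device_id, device_key_b64, ttl_seconds, now=None):
    """Build a device-scoped IoT Hub SAS token that expires after ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds
    # Scoping the resource URI to one device limits what a leaked token can reach.
    resource = quote(f"{hub_host}/devices/{device_id}", safe="")
    string_to_sign = f"{resource}\n{expiry}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    digest = hmac.new(key, string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={resource}&sig={signature}&se={expiry}"


def token_expiry(token):
    """Return the 'se' (expiry, Unix seconds) field of a SAS token."""
    fields = parse_qs(token.split(" ", 1)[1])
    return int(fields["se"][0])


def needs_renewal(token, now=None, margin_seconds=300):
    """True once the token is within margin_seconds of expiring (or expired)."""
    now = int(time.time()) if now is None else int(now)
    return token_expiry(token) - now <= margin_seconds


if __name__ == "__main__":
    host, dev = "example-hub.azure-devices.net", "device-01"  # constructed names
    token = generate_sas_token(host, dev, DEMO_KEY, ttl_seconds=3600)
    print(token)
    # A device loop would run this check before each connect or publish.
    if needs_renewal(token):
        token = generate_sas_token(host, dev, DEMO_KEY, ttl_seconds=3600)
```

With this pattern only the device key is stored on the board, and each token is valid for the chosen window instead of for years.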
  • Thank you, would you have any pointers where to find more info on the "auto-generation and renewal of the SAS Token (from device ID/Key pair)"? Is that at all possible on Arduino devices at the moment?
    • Edited by Jussi Palo Wednesday, November 29, 2017 4:56 PM
    Wednesday, November 29, 2017 4:49 PM