
Scoped Public Access Configuration for Application Developers

Configure the Industrial Edge application to support the Scoped Public Access feature. Ensure the application exposes the /andon/* route and all sub-routes for integration with IE devices.

Route requirements

Applications that want to use the Scoped Public Access functionality must serve their content (UI, API endpoints) under the /andon/* path: they must listen for requests on /andon/* and all its sub-paths and respond appropriately.

Example: Nginx configuration

When the device has the Scoped Public Access feature enabled, the following block is added to the application's Nginx configuration, making sure that no route under /andon/* requires authentication. Below is an example Nginx configuration that routes all /andon/* requests to the application (e.g., /app) without authentication:

location ~* ^/app/andon.* {
        auth_request /authandon;

        auth_request_set $xsrf_token $upstream_http_xsrf_token;
        auth_request_set $auth_token $upstream_http_authtoken;
        auth_request_set $access_token $upstream_http_access_token;

        add_header Set-Cookie "XSRF-TOKEN=$xsrf_token; Path=/; HttpOnly; Secure" always;
        add_header Set-Cookie "authToken=$auth_token; Path=/; HttpOnly; Secure" always;
        add_header Set-Cookie "access_token=$access_token; Path=/; HttpOnly; Secure" always;

        proxy_set_header X-ANDON-BOARD "true";

        rewrite /app(.*) $1 break;
        rewrite /app / break;
        rewrite (^/app)$ $1/ permanent;
        proxy_pass http://<device-ip>:<port>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Protocol $scheme;
}

In these routes, the application uses a default user with the Viewer role. As part of the user's authentication process, this "user" token is generated and stored as a cookie in the user's browser, under the key authToken. This token is what gives the application its authorization capability: the application reads it and validates the effective user/role via the related device API (see IE Device App Role API).

NOTICE

How /authandon works
/authandon is an internal Nginx location provided by the IE Device and cannot be called directly by external clients. When an unauthenticated request arrives at an /andon/* route, Nginx performs an internal subrequest to /authandon, which forwards it to the IE Device authentication service with an X-ANDON-BOARD: true header. The authentication service will recognise this header and generate a default Viewer token on the fly, returning it as authToken, XSRF-TOKEN, and access_token (if HYDRA service is enabled on the device, see next section) cookies to the browser. The original request is then forwarded to the application with that token already injected. This means /andon/* routes are not unauthenticated; they are automatically authenticated with a default Viewer identity.

Authentication and auth token

When the Scoped Public Access feature is disabled, requests to /andon/* require authentication. The device will forward a token in the Authorization header and, if needed, the application should validate the token and check for a Viewer role.

When the Scoped Public Access feature is enabled, the reverse proxy on the device injects the same Authorization header for /andon/* routes and sub-routes. To confirm the user and role, call the device endpoint using that header:

curl -s \
        -H "Authorization: <authToken>" \
        http://<device-ip>/device/edge/a.service/api/v3/users/self

Verify that the response indicates a user with at least the Viewer role. Enforce all additional authorization requirements defined by the application’s UI/API under /andon/*.

If the HYDRA service is enabled on the IE Device, the default user's token is a JWT; below is an example of such a token as used under /andon/* routes:

{
  "aud": [],
  "client_id": "62225f62-5067-4f25-95e8-c45c647c873b",
  "exp": 1759404119,
  "ext": {
    "roles": [
      "Viewer"
    ]
  },
  "iat": 1759403518,
  "iss": "urn:industrial.edge.device",
  "jti": "c612123a-a666-45eb-bed3-b025eeeedee6",
  "nbf": 1759403518,
  "roles": [
    "Viewer"
  ],
  "scp": [
    "openid"
  ],
  "sub": "default@default.com"
}

Security considerations

  • From the application's point of view, validate the token and verify the user's roles when required.
  • Avoid exposing sensitive data on /andon/* routes; restrict UI/API to read-only operations suitable for Viewer role unless stronger authentication is enforced.
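The token check from the "Authentication and auth token" section and the read-only policy from the security considerations, as an added Python example (not code from the Industrial Edge docs or from any IE application): the guard requires the Authorization token, obtains the user's roles through a pluggable lookup (in production the GET users/self call shown above; here an offline stand-in that only parses a constructed token carrying this page's sample claims, without verifying any signature), requires the Viewer role, and restricts a Viewer-only identity to read-only methods. The function names, the read-only method set and the role names other than Viewer are assumptions.

```python
import base64
import json

READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed Viewer-safe methods

def decode_jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWT. Parsing only: the signature is NOT
    checked here; authenticity comes from the device's users/self call."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_from_claims(claims: dict, now: int) -> set:
    """Roles of a device-issued token (listed both at top level and under
    ext.roles); outside the nbf..exp window no role is granted."""
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return set()
    return set(claims.get("roles", [])) | set(claims.get("ext", {}).get("roles", []))

def authorize_andon_request(method: str, path: str, auth_header, lookup_roles):
    """Guard for /andon/* routes. lookup_roles(auth_header) returns the roles
    the device reports for that token, or None if it rejects the token; in
    production it performs GET /device/edge/a.service/api/v3/users/self."""
    if path != "/andon" and not path.startswith("/andon/"):
        return False, "route is not under /andon/*"
    if not auth_header:
        return False, "missing Authorization header"
    roles = lookup_roles(auth_header)
    if not roles:
        return False, "device rejected the token"
    if "Viewer" not in roles:
        return False, "Viewer role required"
    # The default Viewer identity is read-only; mutating calls need a
    # stronger role (assumed policy, see Security considerations).
    if method.upper() not in READ_ONLY_METHODS and roles == {"Viewer"}:
        return False, "Viewer identity is read-only under /andon/*"
    return True, "ok"

# Constructed, unsigned token carrying this page's sample claims, and an
# offline stand-in for the device lookup so the example runs without a device.
SAMPLE_CLAIMS = {"exp": 1759404119, "nbf": 1759403518, "sub": "default@default.com",
                 "roles": ["Viewer"], "ext": {"roles": ["Viewer"]}}
SAMPLE_TOKEN = ".".join(base64.urlsafe_b64encode(p).decode().rstrip("=") for p in
                        (b'{"typ":"JWT"}', json.dumps(SAMPLE_CLAIMS).encode())) + ".sig"

def offline_lookup(auth_header: str, now: int = 1759403600):  # inside validity window
    return roles_from_claims(decode_jwt_claims(auth_header), now) or None
```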