Using IoT Hub authentication for custom web app

[rgrace-puck]

Hello, I'm not sure if this is the correct place to ask but I was wondering if the SDK team would have any recommendations/insight for our use-case.

We're using the IoT Hub for C2D commands but would like to have our own web app for other functionality related to our devices.
Adding a separate authentication mechanism introduces more complexity and overhead so using the existing IoT Hub tokens would be ideal.

Is there a way to verify SAS tokens or another authentication method that could be used in the current IoT Hub SDK for this scenario?

[timtay-microsoft]

Hi @rgrace-puck, you are in the right place!

It sounds like you want to use the same SAS tokens to authenticate with IoT hub and with your own web app as well. To be clear, though, is your question: "Given a symmetric key (like IoT hub has), how can I check if a provided SAS token was derived by it? (Like IoT hub does during authentication)"?

[timtay-microsoft]

As for advice aside from that, we generally recommend using x509 authentication rather than symmetric key authentication as it is generally more secure.

If you do go for x509 authentication, most Http/Mqtt transport libraries should make it fairly easy on both the client side and the server side to re-use the same certificates that this SDK would use since these certificates are industry standard. By comparison, the SAS tokens generated by this SDK are a "Microsoft-specific" implementation (meaning you'll need to implement the SAS token validation yourself on the custom server you are making)

[rgrace-puck]

That's exactly what I was looking for, thanks! I will look into each of the options mentioned above.