Authentication

  • This document applies to Qb2 devices produced with firmware version v2.0 and later.

  • Qb2 devices produced and shipped with an earlier firmware version have to be updated to firmware version v2.0 or later.

Overview

The data produced by Qb2 might contain sensitive or even private information. This data is protected from unauthorized access by default. Any client has to authenticate to the device in order to gain authorized access, such as viewing the point cloud or changing device configuration.

Login

For the initial access to the Qb2 web interface, credentials in the form of username and password are required.

Every Qb2 has an initial account with a unique password. Refer to the guide on how to perform the initial login to learn how to access the factory-configured account.

If the Qb2 is in factory configuration (only one account with the default name admin exists), it will only prompt for the password.

Figure 1. Login screen with Qb2 in factory configuration

The login screen will also prompt for the username if more than one account exists or the default account name has been changed.

Figure 2. Login screen prompting for username and password

After successful login, the web interface shows the dashboard and an account indicator on the left sidebar. The account indicator provides the logout action and can be used to access the account page.

Figure 3. Account indicator on the left sidebar

All details of the currently authenticated account are displayed on the account page of the Qb2 web interface.

Figure 4. Account page on the Qb2 web interface

Account

An account contains the following attributes:

Username and password

The credentials needed for using the Qb2 web interface are a username and password.

The username can be changed when clicking on the value displayed on the account page. Note that no whitespace characters such as Space or Tab are allowed in the username field.

Figure 5. Changing the account name

The password can be updated by filling out the fields in the Update password section of the account page.

Figure 6. Changing the account password

If the password for an account is lost and the account cannot be recovered (e.g. by doing an account reset), please contact Blickfeld customer service.

Application key

Application keys are the credentials required for accessing the Qb2 API programmatically.

Application keys can be generated on the account page. An application key can have an optional attribute describing its purpose. Each application key grants access for a certain access level. The access level is set to AUTHORIZED by default. Once created, the generated secret can be used for direct API access.

Refer to the authentication example to learn how to use an application key in your application.

Figure 7. Creating application keys

When an application key is deleted, clients can no longer authenticate using the key.

Admin accounts can create application keys with ADMIN access level. To do this, select the corresponding access level during application key generation:

Figure 8. Creating ADMIN application key

The result will be an application key with ADMIN privileges:

Figure 9. Resulting ADMIN application key

Access level

The access level can only be modified in the user management section.

Each account contains an access level (AUTHORIZED or ADMIN). The functionality of Qb2 is divided into three access levels:

PUBLIC

Clients with this access level are allowed to read basic device information (firmware version, serial number) and are able to log in.

AUTHORIZED

Clients with this access level are allowed to modify their own account (e.g. change the account password, create application keys), use all other device functionalities (zone configuration, scan pattern, flow etc.) and can do everything allowed with PUBLIC access level.

ADMIN

Clients with this access level are allowed to modify or create other user accounts (user management) and can do everything allowed with AUTHORIZED access level.

Figure 10. Access levels and available Qb2 functionality

Read only mode

The read only mode can only be modified in the user management section.

In addition to the access level there is a READ_ONLY flag. When this flag is set, only functionality that does not change any configuration can be accessed. This can be used, for example, to only visualize the current data being produced by Qb2 and ensure that no changes are accidentally made to the general measurement setup.

State

The state can only be manually modified in the user management section.

The state attribute reflects the lifecycle of an account. The default value for a usable account is ACTIVE.

Figure 11. State flow diagram for account

The state is set to one of the following values:

ACTIVE

The account is enabled and can be used for authentication.

WAITING_FOR_ACTIVATION

The account has just been created or was reset. A new password has to be set during login for account activation.

BLOCKED

The account has been manually blocked and cannot be used for authentication. A manual state change to ACTIVE by an admin account is required to unblock this account.

The Qb2 web interface prompts the user to set a new password during the initial login in case the account needs to be activated after it has been created or reset.

Figure 12. Account activation procedure for newly created or reset accounts
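
The attributes described in this section (access level, READ_ONLY flag and state) combine into a single authorization decision. The following Python model is an added illustration, not Blickfeld firmware or API code; the operation names, their classification as configuration-changing, and the rule that a non-ACTIVE account is denied until it is activated or unblocked are assumptions of the model.

```python
# Added illustration of the access rules above; not Blickfeld firmware or API code.
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):          # ordered: each level includes the ones below it
    PUBLIC = 0
    AUTHORIZED = 1
    ADMIN = 2

@dataclass(frozen=True)
class Account:
    name: str
    level: Level = Level.AUTHORIZED   # default for new accounts
    read_only: bool = False           # READ_ONLY flag, default false
    state: str = "ACTIVE"             # ACTIVE | WAITING_FOR_ACTIVATION | BLOCKED

# Hypothetical operation names: (required level, changes configuration?)
# The changes-configuration classification is an assumption of this model.
OPERATIONS = {
    "read_device_info": (Level.PUBLIC, False),
    "view_point_cloud": (Level.AUTHORIZED, False),
    "edit_zone_config": (Level.AUTHORIZED, True),
    "create_account":   (Level.ADMIN, True),
}

def decide(account, operation):
    """Return (allowed, reason) for one account (None = unauthenticated)."""
    required, changes_config = OPERATIONS[operation]
    if required is Level.PUBLIC:
        return True, "public"
    if account is None:
        return False, "authentication required"
    if account.state != "ACTIVE":      # assumption: activate or unblock first
        return False, "account state " + account.state
    if account.level < required:
        return False, "insufficient access level"
    if account.read_only and changes_config:
        return False, "READ_ONLY flag set"
    return True, "ok"

def minimal_grant(operations):
    """Least access level, and whether READ_ONLY can stay set, for a client."""
    needed = [OPERATIONS[op] for op in operations]
    level = max((lvl for lvl, _ in needed), default=Level.PUBLIC)
    read_only_ok = not any(changes for _, changes in needed)
    return level, read_only_ok
```

For a client that only visualizes data, `minimal_grant(["read_device_info", "view_point_cloud"])` yields AUTHORIZED with READ_ONLY set, which matches the use case given for the read only mode.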

User Management

User Management is accessible for clients with access level ADMIN. Clients authorized with this access level can create, reset, modify or delete accounts on Qb2.

Currently, not all features are available on the web interface. Refer to the API access guide and the API documentation to learn how to access Qb2 user management programmatically for all features.

Create

To create a new account, basic attributes have to be specified:

Table 1. Attributes for creating a new account
| Attribute | Required | Comment |
| --- | --- | --- |
| Name | | Value has to be unique |
| Access level | | default: AUTHORIZED |
| Read only mode | | default: false |

All other attributes of the account are set by the device. The state of newly created accounts is set to WAITING_FOR_ACTIVATION. When the account was created successfully, the activation password is returned.

Reset

This action sets the account state to WAITING_FOR_ACTIVATION and returns an activation password. During login with this activation password, the web interface prompts the user to update their password to activate the account.

While the account is reset and temporarily unavailable for regular use, all other properties of the account (e.g. access level, application keys) are kept intact.

Modify

All attributes of an account can be modified. This includes the access level, the state, application keys and the number of failed login attempts.

Delete

This action removes the account and all associated application keys and cannot be undone.