Patents by Inventor Kevin Thomas Damour

Kevin Thomas Damour has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230336547
    Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for authorizing publishing of a message and/or a subscription from an Internet of Things (IoT) device. In an example system, a message broker receives a list of attributes from a claims provider. The message broker determines whether publishing of the message is authorized based at least on the list of attributes, and publishes the message if it is determined that the publishing is authorized. The message broker may also receive a subscription specifying a topic filter. The message broker determines whether the subscription is authorized for the IoT device based at least on the list of attributes, and transmits a subscription message to the IoT device if it is determined that the subscription is authorized.
    Type: Application
    Filed: May 31, 2022
    Publication date: October 19, 2023
    Inventors: Kevin Thomas DAMOUR, David Michael SAUNTRY, Peter Gregg MILLER, Jeroen VANTURENNOUT, Murli Dharan SATAGOPAN, William Alexander STEVENSON, Michael Richard YAGLEY
  • Publication number: 20230336509
    Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for handing retained messages among brokers of Internet of Things (IoT) messages. In an example system, a retained message coordinator of a first message broker receives an indication of a subscription specifying a topic filter from an IoT device. The retained message coordinator identifies, from a data structure shared by a second message broker, a retained message set for a topic within a scope of the topic filter. The retained message coordinator retrieves the retained message set from a shared data store, and provides the retained message set to the IoT device.
    Type: Application
    Filed: May 31, 2022
    Publication date: October 19, 2023
    Inventors: Peter Gregg MILLER, David Michael SAUNTRY, Kevin Thomas DAMOUR, Bhawandeep Singh PANESAR, Dmitri Alexandrovich KLEMENTIEV
  • Publication number: 20230336510
    Abstract: Methods, systems, apparatuses, and computer-readable storage mediums are described for bridging brokers of messages from Internet of Things (IoT) devices. In an example system, a first message broker receives a message and an associated topic from an IoT device. A bridging coordinator accesses a topic-to-broker map that indicates, for a second broker, a list of topic filters for which the second message broker has at least one subscriber. The bridging coordinator determines whether the list of topics includes the associated topic. In response to a determination that the list of topic filters in the topic-to-broker map includes the associated topic, the bridging coordinator forwards the message to the second message broker. In response to a determination that the list of topic filters does not include the associated topic, the bridging coordinator prevents forwarding of the message to the second message broker.
    Type: Application
    Filed: May 31, 2022
    Publication date: October 19, 2023
    Inventors: Peter Gregg MILLER, David Michael SAUNTRY, Kevin Thomas DAMOUR, Bhawandeep Singh PANESAR, Dmitri Alexandrovich KLEMENTIEV
  • Patent number: 11381575
    Abstract: Systems and methods for controlling an edge computing device. The method includes receiving a user input requesting access to a resource of the edge computing device, determining whether the user has privileges to access the resource by: formulating a claims request which requests claims based on the determined identity of the user, sending the claims request to a local claims provider agent executed by a processor of the edge computing device, determining, based on claim request handling factors, whether the local claims provider agent can generate a token including the requested claims, and if so, generating the token with the requested claims; if not, a request may be sent to a cloud service-side claims provider to receive the token. The method includes authorizing access to the resource based on a predetermined policy that specifies the presence of a predefined resource parameter in the requested claims is sufficient.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: July 5, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kevin Thomas Damour, David Michael Sauntry, Peter Gregg Miller, Sindhura Tokala, Tara Sanathanan Prakriya, Bhawandeep Singh Panesar, Lawrence Brozak Sullivan, Jr.
  • Publication number: 20200351274
    Abstract: Systems and methods for controlling an edge computing device. The method includes receiving a user input requesting access to a resource of the edge computing device, determining whether the user has privileges to access the resource by: formulating a claims request which requests claims based on the determined identity of the user, sending the claims request to a local claims provider agent executed by a processor of the edge computing device, determining, based on claim request handling factors, whether the local claims provider agent can generate a token including the requested claims, and if so, generating the token with the requested claims; if not, a request may be sent to a cloud service-side claims provider to receive the token. The method includes authorizing access to the resource based on a predetermined policy that specifies the presence of a predefined resource parameter in the requested claims is sufficient.
    Type: Application
    Filed: July 12, 2019
    Publication date: November 5, 2020
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Kevin Thomas DAMOUR, David Michael SAUNTRY, Peter Gregg MILLER, Sindhura TOKALA, Tara Sanathanan PRAKRIYA, Bhawandeep Singh PANESAR, Lawrence Brozak SULLIVAN, JR.
  • Patent number: 8555069
    Abstract: Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: October 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Liqiang Zhu, Paul J. Leach, Kevin Thomas Damour, David McPherson, Tanmoy Dutta
  • Patent number: 8225131
    Abstract: Today, data networks are ever increasing in size and complexity. For example, a datacenter may comprise hundreds of thousands of service endpoints configured to perform work. To reduce network-wide degradation, a load balancer may send work requests to healthy service endpoints, as opposed to unhealthy and/or inoperative service endpoints. Accordingly, among other things, one or more systems and/or techniques for monitoring service endpoints, which may be scalable for large scale networks, are provided. In particular, a consistent hash function may be performed to generate a monitoring scheme comprising assignments of service endpoints to monitoring groups. In this way, multiple monitoring components may monitor a subset of endpoints to ascertain health status. Additionally, the monitoring components may communicate between one another so that a monitoring component may know health statuses of service endpoints both assigned and not assigned to the monitoring component.
    Type: Grant
    Filed: June 17, 2010
    Date of Patent: July 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Saurabh Mahajan, Vladimir Shubin, Kevin Thomas Damour, Thekkthalackal Varugis Kurien, Lihua Yuan
  • Publication number: 20110314326
    Abstract: Today, data networks are ever increasing in size and complexity. For example, a datacenter may comprise hundreds of thousands of service endpoints configured to perform work. To reduce network-wide degradation, a load balancer may send work requests to healthy service endpoints, as opposed to unhealthy and/or inoperative service endpoints. Accordingly, among other things, one or more systems and/or techniques for monitoring service endpoints, which may be scalable for large scale networks, are provided. In particular, a consistent hash function may be performed to generate a monitoring scheme comprising assignments of service endpoints to monitoring groups. In this way, multiple monitoring components may monitor a subset of endpoints to ascertain health status. Additionally, the monitoring components may communicate between one another so that a monitoring component may know health statuses of service endpoints both assigned and not assigned to the monitoring component.
    Type: Application
    Filed: June 17, 2010
    Publication date: December 22, 2011
    Applicant: Microsoft Corporation
    Inventors: Saurabh Mahajan, Vladimir Shubin, Kevin Thomas Damour, Thekkthalackal Varugis Kurien, Lihua Yuan
  • Publication number: 20100228982
    Abstract: Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.
    Type: Application
    Filed: March 6, 2009
    Publication date: September 9, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Liqiang Zhu, Paul J. Leach, Kevin Thomas Damour, David McPherson, Tanmoy Dutta