Install the Required Software

Download and install the following software before you evaluate ForgeRock IoT and test the examples:

  • Go, version 1.13 or later.

  • Git (to download the source code and run the examples).

Get the Examples

To download the examples, clone the iot-edge Git repository:

git clone

This command creates a directory named iot-edge. Change to that directory:

cd /path/to/iot-edge

The examples assume that this is your current working directory.

Install and Configure AM

  1. Read the ForgeRock® Access Management (AM) Evaluation Guide to set up an AM instance, with a default configuration.

    The examples in this guide assume the following:

    • AM is installed with the fully qualified domain name, in a Tomcat container, listening on port 8080.

      To configure AM, navigate to

    • AM is configured with the Default Configuration, with user amAdmin and password changeit.

  2. Log in to AM as user amAdmin with password changeit.

  3. Add an IoT service.

    The IoT service configures the identity store, adding the required Thing attributes to AM users (for all LDAPv3ForOpenDS and LDAPv3ForForgeRockIAM stores in the realm). For more information about this service, see IoT Service in the AM Reference:

    1. In the Top Level Realm, select Services.

    2. Click Add a Service, select IoT Service, and click Create.

    3. Enable Create OAuth 2.0 Client.

      The IoT service creates an OAuth 2.0 Client with the given name and default configuration required to serve as the client for this service. The client is created without any scope(s), and is used by default for all Things that request access tokens.

      If a Thing (or group of Things) needs a client with different configuration to the default, you can create a custom client here, and add its name to the Thing’s thingOAuth2ClientName profile attribute.

    4. Enable Create OAuth 2.0 JWT Issuer.

      The service creates a Trusted JWT Issuer with the given name and default configuration required for the IoT Service to act as the Issuer when handling requests for access tokens.

      If you configure the client manually, the JWT issuer must have the following settings:

      • JWT Issuer: forgerock-iot-service

      • Consented Scopes Claim: scope

      • Resource Owner Identity Claim: sub

      The signing/verification key used by this issuer is configured in the secrets store under It must use the HS256 algorithm.

    5. Click Save Changes.

  4. Add an OAuth2 Provider service:

    1. Select Services.

    2. Click Add a Service, select OAuth2 Provider, and click Create.

    If your service will use the introspection feature of the SDK, change the following settings:

    • On the Core tab, enable Use Client-Based Access & Refresh Tokens.

    • On the Advanced tab, select an asymmetric key for the OAuth2 Token Signing Algorithm.

  5. Configure the IoT OAuth 2.0 client:

    1. Select Applications > OAuth 2.0 > Clients.

    2. Click on forgerock-iot-oauth2-client.

    3. In the Scope(s) field, type publish.

    4. Click Save Changes.

    If you create your own OAuth2 client here, make sure that the client contains the JWT Bearer grant type and has a strong generated password.

  6. Create two authentication trees:

      • Select Authentication > Trees > Create Tree.

      • Type auth-tree in the Name field, and click Create.

      • Add an Authenticate Thing node and click Save.

      • Select Authentication > Trees > Create Tree.

      • Type reg-tree in the Name field, and click Create.

      • Add an Authenticate Thing node and a Register Thing node.

      • On the Register Thing node, enable Create Identity, then click Save.

  7. Add a secret ID mapping.

    1. Select Configure > Secret Stores and click on the default-keystore.

    2. On the Mappings tab, click + Add Mapping.

    3. In the Secret ID list, select, and in the Alias field, type es256test then click Add.

      This mapping indicates which key the Register Thing node should use when verifying the registration certificate. The CA certificate in this example (es256test) is one of the test certificates included by default in AM.

    4. Click Create to add the mapping.

    For more information about mapping secret IDs, see Mapping and Rotating Secrets in the AM Security Guide.
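
The trusted JWT issuer settings from step 3 (issuer forgerock-iot-service, the scope and sub claims, an HS256 key), written out as the checks a verifier applies to a token. This is an added example, not ForgeRock or iot-edge code: the function names, the demo key, the thing-1 subject and the space-separated scope string are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

const issuer = "forgerock-iot-service" // "JWT Issuer" setting from the page
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func sign(key []byte, msg string) string { // HS256: msg + "." + base64url(HMAC-SHA256(msg))
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(m.Sum(nil))
}

func mint(key []byte, alg string, claims map[string]string) string { // hypothetical demo helper
	c, _ := json.Marshal(claims)
	return sign(key, b64.EncodeToString([]byte(`{"alg":"`+alg+`"}`))+"."+b64.EncodeToString(c))
}

// verify enforces the issuer settings: HS256 only, fixed iss, sub and scope claims.
func verify(key []byte, token string) (sub string, scopes []string, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string }
	var cl struct{ Iss, Sub, Scope string }
	hb, _ := b64.DecodeString(p[0])
	cb, _ := b64.DecodeString(p[1])
	switch { // cases run in order, so claims are only parsed after the signature check
	case json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256":
		return "", nil, fmt.Errorf("alg must be HS256") // rejects "none" and other algs
	case !hmac.Equal([]byte(token), []byte(sign(key, p[0]+"."+p[1]))):
		return "", nil, fmt.Errorf("bad signature")
	case json.Unmarshal(cb, &cl) != nil || cl.Iss != issuer || cl.Sub == "":
		return "", nil, fmt.Errorf("untrusted iss or missing sub")
	}
	return cl.Sub, strings.Fields(cl.Scope), nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed, not a real AM secret
	fmt.Println(verify(key, mint(key, "HS256", map[string]string{"iss": issuer, "sub": "thing-1", "scope": "publish"})))
}
```
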
