The following scenario was discovered while switching a device between two tenants:
1. Mender server tenant token is configured in mender.conf
2. Mender client is started
3. Device gets authorized on the server and gets a valid device token (cached in DB on device)
4. Mender client is stopped
5. Mender server tenant token is changed in mender.conf
6. Mender client is started
7. Mender client detects a valid device token in the DB and uses it, so the change made to the tenant token in mender.conf is not respected
Mender client will only renew the device token if it expires (7 days) or if the device is decommissioned on the server (gets a reject from the server).
- Device stores tenant token and server URL together with JWT token in database.
- When using the JWT, client must check that both the currently configured tenant token and the server URL match the values stored with the JWT.
- If either value is different, client must discard the JWT and request a new one.
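
The check described in the three points above, as an added Go example (not code from the Mender client). `Config`, `CachedAuth`, `AuthToken` and `fakeServer` are hypothetical names, and an in-memory struct stands in for the on-device DB.

```go
package main

import "fmt"

// Config holds the two mender.conf values the cached JWT depends on.
type Config struct {
	TenantToken string
	ServerURL   string
}

// CachedAuth is the record kept in the device DB: the JWT together with
// the configuration it was issued under (hypothetical layout).
type CachedAuth struct {
	JWT    string
	Issued Config
}

// AuthToken returns a JWT valid for cfg. A cached JWT is reused only when
// both the tenant token and the server URL still match what was stored with
// it; otherwise it is discarded and request is called to obtain a new one.
func AuthToken(db *CachedAuth, cfg Config, request func(Config) (string, error)) (jwt string, renewed bool, err error) {
	if db.JWT != "" && db.Issued == cfg {
		return db.JWT, false, nil
	}
	*db = CachedAuth{} // drop the stale token before contacting the server
	jwt, err = request(cfg)
	if err != nil {
		return "", false, err
	}
	*db = CachedAuth{JWT: jwt, Issued: cfg}
	return jwt, true, nil
}

// fakeServer stands in for the authorization request (constructed sample).
func fakeServer(cfg Config) (string, error) {
	return "jwt-for-" + cfg.TenantToken + "@" + cfg.ServerURL, nil
}

func main() {
	db := &CachedAuth{}
	a := Config{TenantToken: "tenant-A", ServerURL: "https://mender.example"}
	b := Config{TenantToken: "tenant-B", ServerURL: "https://mender.example"}
	// Start, restart with same config, restart after tenant switch.
	for _, cfg := range []Config{a, a, b} {
		tok, renewed, _ := AuthToken(db, cfg, fakeServer)
		fmt.Println(tok, "renewed:", renewed)
	}
}
```

Clearing the record before the request means a failed renewal cannot leave the old tenant's JWT in place for the next start.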