Auth

This module implements the authentication handling for the EVerest. It is responsible for providing authorization to the connected evse managers. In addition to that, it handles the reservation management.

Handwritten Documentation

This module handles incoming authorization and reservation requests.

The task of the module is to receive tokens from token providers, validate them and assign them to EvseManagers. It is responsible for providing authorization to EvseManagers and for stopping transactions at the EvseManagers if a token or parent id token is presented to stop a transaction. In addition, the module is responsible for managing all reservations and matching them with incoming tokens.

The module contains the logic to select a connector for incoming tokens (e.g. by waiting for a car plug in, user interface, random selection, etc.). The algorithm is configurable via the selection_algorithm config key, which accepts four values; three of them (FindFirst, PlugEvents and PlugEventsLIFO) are implemented. The available algorithms are described in Selection Algorithm.

The following flow diagram gives a simplified overview of how an incoming token is handled by the module.

        flowchart TD
    A[Token received] --> B[Validate the token]
    B --> C{Token valid?}
    C -- no --> RJ[["Rejected"]]
    C -- yes --> D{"Should the token stop<br/>an ongoing transaction?"}
    D -- yes --> E[Stop the transaction]
    E --> RS[["Transaction stopped"]]
    D -- no --> F["Select an available connector<br/>using the configured algorithm"]
    F -- "none available or timeout" --> RJ
    F -- selected --> G[Authorize the connector]
    G --> RA[["Authorized"]]
    

Note

The diagram above is simplified to show the essential flow. It omits some details, such as whether the token was already validated by the provider, reservation matching, the distinction between master-pass-group and parent-id-token stops, and authorization being withdrawn while waiting for a plug in.

Note

The processing of each authorization request and the respective validation runs in an individual thread. This allows the parallel processing of authorization requests.

Integration in EVerest

This module provides implementations for the reservation and the auth interfaces.

It requires connections to module(s) implementing the token_provider, token_validator and evse_manager interfaces.

The following diagram shows how it integrates with other EVerest modules. A token provider supplies a token, a token validator checks it, and the Auth module then authorizes the selected connector at the corresponding EVSE manager.

Integration

The module connections of the evse_manager requirement must be connected in the correct order in the EVerest config file, i.e. the module representing the EVSE with evse id 1 must listed first, EVSE with evse id 2 second and so on.

Selection Algorithm

The selection algorithm contains the logic to select one connector for an incoming token. The algorithm can be specified within the module config using the key selection_algorithm. When only a single EVSE/connector is referenced by the request, that connector is selected immediately regardless of the configured algorithm (single-EVSE fast path). The selection algorithm only becomes relevant when the Auth module manages authorization requests for multiple connectors.

Four values are accepted for selection_algorithm:

  • FindFirst (default)

  • PlugEvents

  • PlugEventsLIFO

  • UserInput (not yet implemented)

FindFirst

FindFirst is the default selection algorithm. It is non-blocking. If a referenced EVSE already has a pending plug-in (the earliest one, if several referenced EVSEs are plugged in) and that EVSE has no active transaction, it is selected. Otherwise the first referenced EVSE that is available, in the order the connectors are referenced, is selected. If no referenced EVSE qualifies, the request is not satisfied; the algorithm returns without waiting or blocking.

PlugEvents

The following flow chart describes how a connector is selected using the PlugEvents algorithm.

        flowchart TD
    A[Token referencing one or more connectors] --> B{Only one referenced connector?}
    B -- yes --> C["Select it immediately<br/>single-EVSE fast path"]
    B -- no --> D{"A referenced connector already has an EV plugged in?"}
    D -- yes --> E["Select the connector waiting longest<br/>among referenced connectors (first-in, first-out)"]
    D -- no --> F["Wait up to connection_timeout for<br/>an EV to be plugged in"]
    F -- "plug-in occurred" --> G{Authorization withdrawn during the wait?}
    G -- no --> E
    G -- yes --> I[["Interrupted"]]
    F -- "timeout elapsed" --> H[["Reject (TimeOut)"]]
    

If a referenced EVSE already has an EV plugged in, it is selected. Otherwise PlugEvents blocks for up to connection_timeout seconds waiting for an EV to be plugged in, and then selects a referenced EVSE where that happened. If the wait times out, the request is rejected. If authorization is withdrawn during the wait, the wait is interrupted.

When more than one referenced EVSE has plugged in, selection is first-in, first-out (FIFO): the EVSE whose plug-in has been pending longest is chosen, not the one that plugged in most recently. For example, if connector 1 plugs in, then connector 2 plugs in, and an authorization request referencing both connectors arrives afterwards, connector 1 is selected because its plug-in occurred first. A plug-in stops being a candidate once it is consumed by an authorization, times out, or its session ends. If you want the opposite (most recent) behavior, use PlugEventsLIFO instead.

Note

If a user authorizes first while no EV is plugged in, the module waits for an EV to be plugged in before it selects the connector. A plug-in timeout may occur, which will require the user to start authorization again to begin a charging session.

PlugEventsLIFO

PlugEventsLIFO behaves exactly like PlugEvents — it waits for an EV to be plugged in and is subject to the same connection_timeout, timeout and withdrawal behavior — but when more than one referenced EVSE has plugged in it makes the opposite choice: it selects the EVSE that plugged in most recently (last-in, first-out) instead of the earliest. Reusing the earlier example, if connector 1 plugs in, then connector 2 plugs in, and an authorization request referencing both connectors arrives afterwards, PlugEventsLIFO selects connector 2 (the most recent plug-in), whereas PlugEvents would select connector 1.

UserInput

The UserInput algorithm is not yet implemented. Configuring it will cause the module to report an error when it needs to select a connector, so it should not be used.

Connector State Machine

The Auth module tracks the lifecycle of each connector with a small state machine. It models how a connector transitions between being available, occupied by a transaction, unavailable (disabled) and faulted, so that the module knows which connectors can be authorized at any time. The diagram below shows the six states and the events that drive the transitions.

Connector state machine

Plug&Charge Authorization

Please see the Plug&Charge configuration guide for further information about the Plug&Charge integration in EVerest.

Auto-Generated Reference

Module Configuration

selection_algorithm: string <optional>
default: “FindFirst”
The selection algorithm contains the logic to select one connector for an incoming token. In case the charging station has only one connector, the selection of a connector is pretty straight-forward because there is only one that is available. The selection algorithm becomes relevant in case the Auth module manages authorization requests for multiple connectors. The following values can be set: PlugEvents: Selection of connector is based on EV plug in events; the connector whose EV plugged in first is selected PlugEventsLIFO: Like PlugEvents, but the connector whose EV plugged in most recently is selected FindFirst: Simply selects the first available connector that has no active transaction UserInput: Placeholder, not yet implemented
connection_timeout: integer <required>
Defines how many seconds an authorization remains valid before it is discarded, and how many seconds a user has to provide authorization after a car is plugged in. It is also the maximum time the PlugEvents and PlugEventsLIFO algorithms wait for a plug in.
master_pass_group_id: string <optional>
default: “”
Tokens whose group id equals this value belong to the master pass group. Such tokens can stop any ongoing transaction, but cannot start transactions. This can, for example, be used by law enforcement personnel to stop any ongoing transaction when an EV has to be towed away. If left empty, the master pass group is not used.
prioritize_authorization_over_stopping_transaction: boolean <optional>
default: True
Boolean value to describe the handling of parent id tokens.
If true, a new token will preferably be used to authorize a new connector if a connector is available. Its parent id token will only be used to finish a transaction if no connector is available for authorization anymore.
If false, a new token will be used to finish a transaction if its parent id token matches the parent id token of a present transaction. Authorization of available connectors will only be provided if no transaction can be stopped using the given parent id token.
ignore_connector_faults: boolean <optional>
default: False
Boolean value to describe the handling of faults on connectors.
If true, faults reported on connectors are ignored, i.e. they can still be authorized. This should be disabled in most use cases, but e.g. in free charging applications it may be useful to allow a charging session in the following case: A connector e.g. has an overtemperature fault that at some point will clear once it is cooled down. A car is plugged in before the error is cleared. The user would expect that the charging starts once it is cooled down. When this option is set to false, it will not be authorized on plug in as the connector is in fault state and it will never recover until the car is replugged. If it is set to true, the authorization happens on the faulty connector and charging will start once the fault is cleared.
If false, faulty connectors are treated as not available and will not be authorized. This is a good setting for e.g. public chargers.
plug_in_timeout_enabled: boolean <optional>
default: False
This parameter is only used if the charging station has multiple EVSEs managed by this Auth module.
Controls the authorization-timeout behavior after a plug-in event. When enabled, an internal timer is started immediately after an EV is detected as plugged in. During the time defined by connection_timeout, the user must present a valid authorization token.
If no valid token is received within the specified connection_timeout, the authorization attempt is considered as timed out and a re-plug by the user is required to start a new authorization process.
This setting is particularly useful for charging stations with multiple EVSEs and a shared, non-EVSE-specific authorization interface (e.g., a single RFID reader). It prevents authorization tokens from being incorrectly associated with an EVSE where an EV is plugged in but has not been authorized, by ensuring that expired or ambiguous plug-ins are not considered for EVSE assignments for future authorization attempts.

Provides

main: auth
This implements the auth interface for EVerest
reservation: reservation
This implements the reservation interface for EVerest.

Requirements

token_provider: auth_token_provider 1..128
token_validator: auth_token_validator 1..128
evse_manager: evse_manager 1..128
kvs: kvs 0..1

Metadata

Authors

Piet Gömpel

License