Skip to content
/ mosquitto-jwt-auth Public

Mosquitto Auth Plugin which enables authentication via JWTs and authorisation via ACLs stored in JWT claims

License

MIT license
40 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

wiomoc/mosquitto-jwt-auth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
Readme.md
Readme.md
 
 
example_mosquitto.conf
example_mosquitto.conf
 
 

Repository files navigation

mosquitto-jwt-auth

Build Coverage Status

Simple Plugin for Mosquitto which enables authentication and authorisation via JWT as MQTT password.

Requires at least Mosquitto v1.6.3. Tested on Mac OS and Linux.

Building

Prebuild version for Linux is available here

  1. If not done yet, install Rust
  2. Clone git clone [email protected]:wiomoc/mosquitto-jwt-auth.git
  3. Build cargo build --release, on success plugin should be located at target/release/libmosquitto_jwt_auth.so

Configuration

One could choose between the basic JWT validation and the more advanced JWKS validation.

Basic JWT validation

To enable this, the configuration property auth_opt_jwt_alg has to be set to the desired JWT / JWS algorithm. The key to validate the JWT could be supplied over various ways:

  • in a file: auth_opt_jwt_sec_file has to be set to the filename containing the key
  • over an environment variable: auth_opt_jwt_sec_env has to be set to name of the environment variable
  • directly in the config: auth_opt_jwt_sec_base64 has to be set to the base64 encoded key If a asymmetric algorithm is used (eg. RS256 or ES256) the key has to be given in DER format.

JWKS validation

To enable this, the configuration property auth_opt_jwt_jwks_file has to be set to the filename containing the JWK set. Note that both the JWK and the JWT have to have the keyid (kid) set.

Key rotation

If you want to implement key rotation you can update this file using a external program regularly and reload the plugin by sending a SIGHUP to the mosquitto process.

Example intergrated in crontab using curl:

*/10 * * * * curl -o mosquitto_jwks.json https://my-idp.com/jwks.json && killall -SIGHUP mosquitto

Properties

auth_plugin should point to the path of libmosquitto_jwt_auth.so

Property Valid values Usage
auth_opt_jwt_alg HS256, HS384, HS512, ES256, ES384, RS256, RS384, RS512, PS256, PS384, PS512 Sets the algorithm of the JWT signature
auth_opt_jwt_sec_file <path to file> Path to the file which contains the secret used for verification of the signature.
auth_opt_jwt_sec_env <enviroment variable name> Name of the environment variable which contains the base64 encoded key used for verification of the signature.
auth_opt_jwt_sec_base64 <base64-encoded-secret> Base64 encoded key used for verification of the signature.
auth_opt_jwt_jwks_file <path to file> Path to the file which contains a JWK set.
auth_opt_jwt_validate_exp (default) true, false true if the exp claim / the expiry date of the JWT should be validated
auth_opt_jwt_validate_sub_match_username (default) true, false true if the MQTT username has to be the same as specified in the sub claim

Custom Claims

The plugin authorizes subscriptions and publications based on the acl stated in JWT claims.

  • publ (Optional) Contains the Topics(filters) the client is allowed to publish in

  • subs (Optional) Contains the Topics(filters) the client is allowed to subscribe to

    {
  "sub": "mqttUser",
  "iat": 1516239022,
  "exp": 1616239022,
  "subs": ["/+/topic", "/abc/#"],
  "publ": ["/abc"]
}

About

Mosquitto Auth Plugin which enables authentication via JWTs and authorisation via ACLs stored in JWT claims

Topics

mqtt security jwt mosquitto

Resources

Readme

License

MIT license
Activity

Stars

40 stars

Watchers

5 watching

Forks

12 forks
Report repository

Releases 4

Release 0.4.0 Latest
Dec 14, 2021
+ 3 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages