Hi All,

The MQTT specification only supports basic (username/password) authentication. However, in IoT use cases embedding the credential in the device is not a feasible approach. Further, the specification states [1]:
"The CONNECT Packet contains Username and Password fields. Implementations can choose how to make use of the content of these fields. They may provide their own authentication mechanism, use an external authentication system such as LDAP [RFC4511] or OAuth [RFC6749] tokens, or leverage operating system authentication mechanisms."

There are existing studies on how to support token-based authentication by extending the current authentication model, such as the model explained in the paper [2] and the HiveMQ example in [3]. Therefore we thought about supporting this capability in the Message Broker by creating an extension to the current authentication model, following the same principle as the above-mentioned articles. Below is how we achieved it in the WSO2 Message Broker.

The current authentication model in the Message Broker can load only one authenticator; by default this is CarbonBasedMQTTAuthenticator, which supports basic authentication. We have created another authenticator that supports both basic authentication and token-based authentication. 'Current' and 'Proposed' below show how the existing configuration in broker.xml is extended. In the proposed model the logic is:

  if (password is not empty and a basic authenticator is configured): execute the basic authenticator
  if (password is empty): OAuth-based authentication (the username contains the token)

*Current*

<authenticator>
    org.wso2.carbon.andes.authentication.andes.CarbonBasedMQTTAuthenticator
</authenticator>

*Proposed*

<authenticator>
    org.wso2.carbon.andes.extensions.authentication.mqtt.MqttAuthenticator
</authenticator>
<authenticatorConfig>
    <!-- Token authentication endpoint -->
    <property name="hostURL">https://localhost:9443/services/OAuth2TokenValidationService</property>
    <!-- Credentials used to call the above admin service -->
    <property name="username">admin</property>
    <property name="password">admin</property>
    <!-- Authenticate the user only if the scopes below are associated with the token.
         Leave this empty to skip the scope check. Multiple scopes are space-delimited. -->
    <property name="scopes">device_scope</property>
    <!-- If a username and password both exist, execute the basic authenticator.
         If this is empty it is skipped and only token-based authentication is used. -->
    <property name="basicAuthenticator">
        org.wso2.carbon.andes.authentication.andes.CarbonBasedMQTTAuthenticator
    </property>
    <!-- Optional. By default OAuth2TokenValidationService is used to validate the token.
         To validate against any other endpoint, implement the TokenAuthenticator interface.
    <Parameter name="tokenAuthenticator">org.wso2.carbon.andes.extensions.authentication.mqtt.oauth.impl.DefaultOAuth2TokenAuthenticator</Parameter>
    -->
</authenticatorConfig>

The source code for this extension is available in [4]. The current default token authenticator uses OAuth2TokenValidationService as the validation endpoint; it can be replaced with any other implementation of the interface.
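To make the dispatch rule above concrete, here is an added example that is not part of the extension in [4] or of the WSO2 code base. It models a dual-mode authenticator in Python: a non-empty password with a basic authenticator configured goes to basic authentication, otherwise the username is treated as a token and handed to a token validator, followed by the scope check. The token validator and the basic authenticator are constructed in-memory stand-ins for OAuth2TokenValidationService and CarbonBasedMQTTAuthenticator so it runs offline; the class and function names are my own, and two points the post leaves open are taken as assumptions: with no basic authenticator configured the token path is always used, and when scopes are configured every listed scope must be associated with the token.

```python
"""Dual-mode MQTT authenticator (added example, not the extension's own code).

Rule being modelled:
  password present and basic authenticator configured -> basic authentication
  otherwise                                           -> token authentication,
                                                         username carries the token
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class TokenInfo:
    """Minimal view of a token validation response (constructed shape)."""
    valid: bool
    scopes: FrozenSet[str] = frozenset()
    subject: Optional[str] = None


# Constructed stand-in for OAuth2TokenValidationService: token -> validation result.
_TOKEN_STORE = {
    "tok-device-1": TokenInfo(True, frozenset({"device_scope", "telemetry"}), "device-1"),
    "tok-wrong-scope": TokenInfo(True, frozenset({"admin_scope"}), "ops-user"),
    "tok-expired": TokenInfo(False),
}


def fake_token_validator(token: str) -> TokenInfo:
    """Unknown tokens are reported invalid, like a real introspection endpoint would."""
    return _TOKEN_STORE.get(token, TokenInfo(False))


def fake_basic_authenticator(username: str, password: str) -> bool:
    """Stand-in for CarbonBasedMQTTAuthenticator with one constructed credential."""
    return (username, password) == ("admin", "admin")


class MqttAuthenticator:
    """Hypothetical authenticator mirroring the 'Proposed' configuration above."""

    def __init__(
        self,
        token_validator: Callable[[str], TokenInfo],
        basic_authenticator: Optional[Callable[[str, str], bool]] = None,
        scopes: str = "",
    ) -> None:
        self.token_validator = token_validator
        # Empty 'basicAuthenticator' property -> token-only mode.
        self.basic_authenticator = basic_authenticator
        # 'scopes' property: space-delimited; empty means the scope check is skipped.
        self.required_scopes = frozenset(scopes.split())

    def authenticate(self, username: str, password: str) -> bool:
        """Return True when the CONNECT credentials are accepted."""
        if password and self.basic_authenticator is not None:
            return self.basic_authenticator(username, password)
        # Assumption: with no basic authenticator, the token path is taken regardless
        # of the password field, as the config comment describes ("use only the token").
        return self._authenticate_token(username)

    def _authenticate_token(self, token: str) -> bool:
        if not token:
            return False
        info = self.token_validator(token)
        if not info.valid:
            return False
        # Assumption: every configured scope must be associated with the token.
        return self.required_scopes <= info.scopes


def run_demo() -> dict:
    """Exercise both modes; returns outcomes keyed by scenario for inspection."""
    dual = MqttAuthenticator(fake_token_validator, fake_basic_authenticator, "device_scope")
    token_only = MqttAuthenticator(fake_token_validator, None, "device_scope telemetry")
    return {
        "basic_ok": dual.authenticate("admin", "admin"),
        "basic_bad_password": dual.authenticate("admin", "wrong"),
        "token_ok": dual.authenticate("tok-device-1", ""),
        "token_missing_scope": dual.authenticate("tok-wrong-scope", ""),
        "token_expired": dual.authenticate("tok-expired", ""),
        "token_unknown": dual.authenticate("no-such-token", ""),
        "token_only_ignores_password": token_only.authenticate("tok-device-1", "anything"),
    }


if __name__ == "__main__":
    for scenario, accepted in run_demo().items():
        print(f"{scenario:30s} -> {'accepted' if accepted else 'rejected'}")
```

Because the token travels in the CONNECT username field, the broker listener this authenticator sits behind needs TLS; otherwise the bearer token is readable on the wire exactly like a basic-auth password would be.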
[1] http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/mqtt-v3.1.1.html
[2] http://eprints.port.ac.uk/15538/1/oauth_mqtt3.pdf
[3] http://www.hivemq.com/blog/mqtt-security-fundamentals-oauth-2-0-mqtt
[4] https://github.com/ayyoob/extensions/tree/master/messagebroker-extensions

*Ayyoob Hamza*
*Software Engineer*
WSO2 Inc.; http://wso2.com
email: ayy...@wso2.com
cell: +94 77 1681010
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture