Guidance on what authorization means for MQTT in NMOS Systems #6

Open
garethsb opened this issue Oct 16, 2020 · 4 comments
@garethsb
Contributor

IS-05 defines Sender/Receiver transport parameters for MQTT, including broker_authorization, but the definition of that parameter is fairly minimal:

Indication of whether authorization is used for communication with the broker. If the parameter is set to auto the Sender or Receiver should establish for itself whether authorization should be used, based on a discovery mechanism or its own internal configuration.

On the other hand, the MQTT spec, Authentication of Clients by the Server, is also very noncommittal, mentioning multiple possible authorization mechanisms (OAuth 2.0 tokens, client TLS certificates, etc.) as well as the basic username/password option in the CONNECT Packet.

Broker implementations' support for these different techniques is variable.

Some guidance in BCP-003-02 would be good... or failing that, at least a statement that it's out of scope, must be configured out-of-band, perhaps with the link to the spec above?
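
The username/password option of the CONNECT Packet mentioned in the comment above, shown on the wire as an added example (not part of the issue thread or of any NMOS code): a Python parser for MQTT 3.1.1 CONNECT packets that reports whether a client actually presented credentials to the broker. The sample packets, client ID and credentials are constructed for illustration.

```python
import struct

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' (at most 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field prefixed by a 2-byte big-endian length."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def connect_credentials(packet):
    """Report which credential fields an MQTT 3.1.1 CONNECT packet carries."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    name, pos = _field(body, 0)
    if name != b"MQTT" or body[pos] != 4:
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags = body[pos + 1]
    client_id, pos = _field(body, pos + 4)  # skip level, flags, keep-alive
    if flags & 0x04:  # Will Flag: skip will topic and will message
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    username = password = None
    if flags & 0x80:  # User Name Flag
        username, pos = _field(body, pos)
    if flags & 0x40:  # Password Flag
        password, pos = _field(body, pos)
    return {"client_id": client_id.decode(),
            "username": username.decode() if username is not None else None,
            "password_present": password is not None}

def _s(b):
    return struct.pack(">H", len(b)) + b

# Constructed sample packets (client ID and credentials are made up).
_hdr = _s(b"MQTT") + bytes([4])
_anon = _hdr + bytes([0x02, 0, 60]) + _s(b"nmos-sender-1")
_auth = _hdr + bytes([0xC2, 0, 60]) + _s(b"nmos-sender-1") + _s(b"alice") + _s(b"s3cret")
ANONYMOUS = bytes([0x10, len(_anon)]) + _anon
WITH_PASSWORD = bytes([0x10, len(_auth)]) + _auth
```

MQTT itself does not encrypt these fields, so the username and password are only protected in transit when the connection to the broker runs over TLS.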

@peterbrightwell
Contributor

We're not sure what the guidance should be at this time. Revisit for v1.1.

@garethsb
Contributor Author

garethsb commented Oct 22, 2020

@peterbrightwell Really close this issue? Not better to move to a v1.1 milestone? Or are the things that are out of scope for v1.0 tracked somewhere else visible?

@peterbrightwell peterbrightwell added this to the v1.1 milestone Oct 22, 2020
@peterbrightwell
Contributor

Agreed yes and now marked v1.1

@peterbrightwell
Contributor

Discussed on call. We don't know at the moment about feasibility -- this could be looked at post v1.0 publication. It's potentially quite a big piece of work? We know we can secure IS-07 through WebSockets so it's not such a blocker to adoption if not in v1.0.
