[Feature Request] JWT Token Validation #2084
Comments
A quick GitHub search shows the following JWT plugins for VerneMQ:
We have also done very customized JWT/token plugins for customers. (closed source; but can contribute the experience gained) I'm not against adding an official JWT plugin. Since it was said that "Enterprise ready brokers" should have the feature, to be honest, though, I'd expect some funding/financial support from enterprise users too ;) (this is a very benevolent and general remark, not directed at @mths1, and spoken with no entitlement; I really welcome feature proposals) 👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
Describe your issue or feature request
JWT (Java Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It is often used for authentication and authorization purposes as the encoded JWT can be securely passed between client and server, or between different servers.
In an MQTT context, JWT can be used to provide authentication and authorization for clients connecting to an MQTT broker. The client can present a JWT token to the broker as part of the connect message, which the broker can then validate to ensure the client has the necessary permissions to access the broker's resources.
To validate a JWT token, the recipient (e.g. the MQTT broker) needs to verify its signature using the secret key that was used to sign the token. This ensures that the token was not tampered with during transit and that it was indeed issued by a trusted source. The recipient also checks the claims contained in the token to ensure they are still valid and that the token has not expired. If the signature and claims are valid, the recipient can then use the information contained in the token to enforce access control rules and allow or deny access to specific topics based on the client's authorization level.
Describe the solution you'd like
MVP:
Describe alternatives you've considered
Write something with webhooks and/or via the integrated scripting language. In my opinion, JWT is an enterprise feature every enterprise-ready MQTT broker should have, so I'd like to see this "built in".
There is already a JWT extension to VerneMQ which looks promising and could be the starting point for an integrated solution:
https://blog.gojek.io/customising-vernemq-the-message-broker-for-our-information-superhighway/
(btw: they have some other nice things as well which might be worthwhile to consider for VerneMQ, instead of keeping it in a fork)
Environment
Add any other context, code samples or screenshots about the issue report here.
No response
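The validation flow the request describes, as an added Python illustration that is not VerneMQ code or any existing plugin's: an HS256 check with a shared secret and an expiry check, then a topic check against the claims. The claim names `publish` and `subscribe` and the MQTT-filter format of their values are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):  # demo issuer, stands in for the trusted source
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate(token, key, now=None):
    """Return the claims if the signature and a numeric exp hold, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        # Pin the algorithm; a token must not choose its own (rejects "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        mac = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims

def topic_matches(pattern, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(p) == len(t)

def authorize(token, key, action, topic, now=None):
    """action is 'publish' or 'subscribe' (hypothetical claim names)."""
    claims = validate(token, key, now)
    allowed = claims.get(action) if claims else None
    return isinstance(allowed, list) and any(
        topic_matches(f, topic) for f in allowed if isinstance(f, str))
```

In an MQTT deployment the token would arrive in the CONNECT message and `authorize` would run on each publish or subscribe; with asymmetric algorithms the broker would hold only the issuer's public key instead of the shared secret.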