We have equipment that we want to enable temporary, remote access to. We tried switching from access credential authentication on the Starter Plan to JWTs with a JWKS URL pointing to Auth0, and hosting a Streamlit web app on Hugging Face Spaces for the interface.
We ran into a few issues:
JWTs through Auth0 are limited to 30 days, and doing automatic token refreshes seemed complicated. In particular, the equipment needs to stay connected to the broker at all times.
We couldn’t get the callback URL working properly, pointing back to Hugging Face Spaces (i.e., I don’t think we ever got to the point of generating a JWT that would be accepted by HiveMQ)
The overall goal was simple: allow a user to click a “login/verification” button (to prevent bot/spam attacks), and be provided with temporary access to a particular topic on the broker to access the hardware.
After going down this rabbit hole, and as a workaround, we are planning to instead use the HiveMQ API to create random credentials and remove the old one when a new one is generated (assuming it’s past the expiration time).
Thank you for sharing the details about your setup and the challenges you’ve faced.
It seems the main issue is with the token refresh process from the provider. Could you provide more insight into why your equipment is having difficulty retrieving the new token in time? The Auth0 instructions generally appear straightforward:
Regarding the “callback URL,” it doesn’t seem to relate directly to the HiveMQ Cloud Starter settings. If you could clarify its role or how it fits into your configuration, it might help us address any related issues more effectively.
If JWT authentication proves challenging, using simple authentication (username and password) might be a viable alternative for your setup.
Please let us know if there’s anything else you need or if you have further questions. We’re here to help!
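The credential-rotation workaround from the first post, combined with the username and password authentication suggested in the reply, sketched as an added example (not code from either poster or from HiveMQ). `InMemoryBroker` is a hypothetical stand-in for the broker's credential-management API, whose real endpoints are not shown on this page; the topic name, the TTL and the choice to refuse a new credential while the current one is still valid are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    username: str
    password: str
    topic: str
    expires_at: float


class InMemoryBroker:
    """Hypothetical stand-in for the broker's credential-management API."""

    def __init__(self):
        self.users = {}  # username -> (password, single permitted topic)

    def create_user(self, username, password, topic):
        self.users[username] = (password, topic)

    def delete_user(self, username):
        self.users.pop(username, None)


class CredentialRotator:
    def __init__(self, broker, topic, ttl_seconds, clock=time.time):
        self.broker, self.topic, self.ttl, self.clock = broker, topic, ttl_seconds, clock
        self.current = None  # the only temporary credential that may exist

    def request_access(self):
        """Call after the user passes the login/verification step."""
        now = self.clock()
        if self.current and now < self.current.expires_at:
            return None  # assumption: one user at a time, so no second credential
        if self.current:
            # Revoke the expired credential before issuing its replacement.
            self.broker.delete_user(self.current.username)
        lease = Lease("tmp-" + secrets.token_hex(8), secrets.token_urlsafe(32),
                      self.topic, now + self.ttl)
        # Scope the new user to the one hardware topic, nothing broader.
        self.broker.create_user(lease.username, lease.password, lease.topic)
        self.current = lease
        return lease
```

The equipment itself keeps its own long-lived credential and is not part of this rotation. Whether removing a credential also drops a session that is already connected with it depends on the broker and is worth checking.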