HiveMQ Security Course / Tutorials?

HiveMQ has a ton of useful tutorials / mini courses that I’ve appreciated.
One that I haven’t found, is if there is a course available detailing handling of security in HiveMQ?

I’d like to learn how to apply JWT based authentication, and to understand which HiveMQ pricing levels include this.

A security series is mentioned here, but there is no link to the series?
HiveMQ - MQTT Security Fundamentals

In the “What’s New” section of HiveMQ Cloud, it mentions, “Getting started is straightforward—simply designate a JWKS (JSON Web Key Set) Endpoint for your JWT server.” Clicking on the “try out JWT” button doesn’t seem to give anywhere to input the mentioned JWT server endpoint, only usernames and passwords? There is space to enter credentials, but nothing for JWT endpoints. Do I need to upgrade to starter or higher?

Hello @davemays ,

Thank you for the outreach - we are happy to hear that the content has been useful!

Security for HiveMQ can be handled in a variety of different ways, depending on the needs of the environment, and if using a self-hosted HiveMQ deployment, the licensing that is in use. With that in mind, there are a few different options, and each comes with its own benefits.

To start with, the Security Fundamentals Series can be found here - it looks like the link is embedded within the page you had mentioned, but a bit hidden within the text - this is a direct link to the course trailhead.

For some supplementary material, two of our most common authorization/authentication extensions are the File-based RBAC extension, offering file-realm role-based access control, and the Enterprise Security Extension, which offers very robust and customizable security options for a huge range of unique environments. In this case, the file-based RBAC extension is provided for usage freely with an Apache-2.0 license, whereas the Enterprise Security Extension requires a purchased license.

If there are specific security requirements that you are looking for some clarification on, or are looking to scope out a HiveMQ deployment, we would be happy to chat to discuss your environment further - feel free to reach out via our contact form here!

Aaron from the HiveMQ Team

Thanks so much!

For the JWT-based authentication, which trial versions would support this for testing, if any?
It looks like the “HiveMQ Cloud Starter plan” supports this. Do any of the self-hosted plans?
And which level of plan is the trial Docker container running?

Hello @davemays ,

Happy to assist!

For JWT-based authentication, specifically, this would be included with the Professional and Enterprise Cloud-based solutions. As for self-hosted, this would be included with the Enterprise Security Extension, and this is available for Starter, Professional, and Enterprise tiers. For a full list of features and comparisons, our pricing page here gives a great breakdown.

As for the trial Docker container, it may depend on the specific version that was obtained, as self-hosted options include Community, Starter, Professional, and Enterprise edition versions. Typically, our trial version is a limited Enterprise version - the exact limitations and versioning of the broker will be visible within the broker logs at start up.

Aaron from the HiveMQ Team

Hi @AaronTLFranz

Thank you for the information provided about the JWT Authentication flow. While reading the documentation, it is actually not clear in terms of which configuration exactly needs to be made beforehand.

To give you some context, I do have a Federation Server (Ory Hydra) and a Client configured already (Access token generated). Now, it is clear that the extension needs to be a jwt-realm and also a specification of the JWKS and introspection endpoints. The issue for me this time is that for some reason the system prompts the following:

2023-11-14 15:22:53,753 INFO  - Started HiveMQ Enterprise Security Extension successfully in 202ms.
2023-11-14 15:22:53,753 INFO  - Extension "HiveMQ Enterprise Security Extension" version 4.22.0 started successfully.
2023-11-14 15:22:53,755 WARN  - No security extension present, MQTT clients can not connect to this broker.

I hope I am not being too lazy on this, but to be honest I could not find any clear example of how this can be configured correctly without using any SQL database but only a federation server.

Also, every time I include a pipeline option, it always asks for SQL, an authentication preprocessor, and more, as you probably know. This happens when using only jwt-authentication-manager.

Is it possible for you to provide some help so that I can succeed with this for testing purposes before purchasing an Enterprise license?

I would also like to include @pglombardo here, since some issues were found in the C# library.

Thanks in advance.

Could you elaborate on what the issues found in the C# library are?
We are looking into using the C# library but could use a different one if these are serious existing issues.



The issues found in the C# library were fixed already and added in a new release. Is it possible to continue the discussion on this post?


Thanks for all the information. Re: C#, if there are any issues, please open a new thread and feel free to @ mention me. I’d be more than happy to help out.

Thanks! The config now works.