JWT Authentication flow - Client credentials grant

Hi all,

While reading the documentation, it is actually not clear how the jwt-realm should be configured in terms of minimum requirements to get the security extension available for Client Credentials grant and without using a SQL Server data storage.

To give you some context, I do have a Federation Server (Ory Hydra) and a Client configured already (Access token generated). Now, it is clear that the extension needs to be a jwt-realm and also a specification of the jwks and introspection endpoints. The issue for this scenario is that the system prompts the following:

2023-11-14 15:22:53,753 INFO  - Started HiveMQ Enterprise Security Extension successfully in 202ms.
2023-11-14 15:22:53,753 INFO  - Extension "HiveMQ Enterprise Security Extension" version 4.22.0 started successfully.
2023-11-14 15:22:53,755 WARN  - No security extension present, MQTT clients can not connect to this broker.

I hope I am not being too lazy on this, but to be honest I could not find any clear example of how this can be configured correctly without using any SQL database but only a federation server.

Also, every time I include a pipeline option, it always asks for SQL, authentication preprocessor and more, as you probably know. This happens when using only jwt-authentication-manager.

Is it possible you guys can help to get a clear configuration in order to succeed on this for testing purposes before purchasing an Enterprise license?

Thanks in advance.

Hi @daniel.dg.gutierrez ,

For testing purposes, you can get rid of the SQL realm and authorize all authenticated clients:

<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd"
        version="1">
    <realms>
        <!-- an OAuth provider -->
        <jwt-realm>
            <name>jwt-provider</name>
            <enabled>true</enabled>
            <configuration>
                <jwks-endpoint>https://jwt-host/keys</jwks-endpoint>
                <introspection-endpoint>https://jwt-host/introspection</introspection-endpoint>
                <simple-auth>
                    <username>hivemq</username>
                    <password>password</password>
                </simple-auth>
            </configuration>
        </jwt-realm>
    </realms>
    <pipelines>
        <!-- secure access to the mqtt broker -->
        <listener-pipeline listener="ALL">
            <!-- authenticate with provided jwts -->
            <jwt-authentication-manager>
                <realm>jwt-provider</realm>
                <jwt-validation>
                    <exp-grace disconnect-after-expiry="true">300</exp-grace>
                </jwt-validation>
            </jwt-authentication-manager>
            <allow-all-authorization-manager />
        </listener-pipeline>
    </pipelines>
</enterprise-security-extension>

I hope it helps.
Kind regards,
Dasha from HiveMQ Team