JWT Authorization

Hi,

While integrating HiveMQ with the Enterprise Security Extension, I could effectively authenticate a client using Ory Hydra locally.

Now, the next step is to validate claims based on different clients (clientId) for a specific resource (one as a publisher and another one as a subscriber).

Could you guys please provide documentation on how to configure scopes for different clients without using an SQL database? It is not clear, even in the examples, how to manage JWT authorization client credentials, and I was wondering if there is a way of doing this.

In the example that follows, a JWT was given to a client with scope = subscribe, but in the configuration file it was defined as “subscribe publish”. It doesn’t match, but I am not sure how to configure this per client or to accept 3 types of scope:

  • subscribe
  • publish
  • subscribe publish

2023-11-22 10:04:55,124 DEBUG - An invalid JWT with jti 78415e1f-65c4-412b-a73a-0c03f52cf742 was sent. The "scp":"[subscribe]" does not match "[subscribe, publish]" ("[subscribe, publish]" before substitution).
2023-11-22 10:04:55,124 DEBUG - Client failed authentication: ID 0518693c-45f3-481b-83cd-a9ad6eb74551, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-11-22 10:05:00,119 DEBUG - Client '0518693c-45f3-481b-83cd-a9ad6eb74551' with ip 127.0.0.1 could not be authenticated

    <pipelines>
        <listener-pipeline listener="ALL">
            <jwt-authentication-manager>
                <realm>jwt-provider</realm>
                <jwt-validation>
                    <reserved-claims>
                        <sub>${mqtt-clientid}</sub>
                        <scope alt="scp">subscribe publish</scope>
                    </reserved-claims>
                </jwt-validation>
            </jwt-authentication-manager>
            <allow-all-authorization-manager/>
        </listener-pipeline>
    </pipelines>

Can you maybe help on these matters, @Daria_H?

Thanks.
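The mismatch in the log above comes from an exact comparison of the token's scope set against the configured one. As an added example (not HiveMQ ESE code, and not the product's actual matching logic), the following Python models that exact-set check beside a per-operation policy that accepts the three combinations listed in the post (subscribe, publish, subscribe publish). It assumes the JWT signature, exp, iss and aud have already been verified upstream and only inspects the decoded claims; the claim name fallback mirrors the alt="scp" attribute in the configuration.

```python
# Added example, not HiveMQ ESE code: models the scope check behind the
# post's log line ("scp":"[subscribe]" does not match "[subscribe, publish]")
# and a per-operation policy that accepts the three scope combinations listed.
# Assumes signature, exp, iss and aud were verified before this point;
# only the decoded claims are examined here.
from typing import Any, Mapping

MQTT_OPERATIONS = ("subscribe", "publish")


def extract_scopes(claims: Mapping[str, Any], claim: str = "scope", alt: str = "scp") -> frozenset:
    """Read scopes from `claim`, falling back to `alt` (mirrors alt="scp" in the post's config).

    Accepts the space-delimited string form ("subscribe publish") and the list form
    (["subscribe", "publish"]); any other shape is rejected rather than guessed at.
    """
    raw = claims.get(claim)
    if raw is None:
        raw = claims.get(alt)
    if raw is None:
        return frozenset()
    if isinstance(raw, str):
        return frozenset(raw.split())
    if isinstance(raw, list) and all(isinstance(s, str) for s in raw):
        return frozenset(raw)
    raise ValueError("scope claim must be a space-delimited string or a list of strings")


def matches_required_scope(claims: Mapping[str, Any], required: str) -> bool:
    """Exact set comparison: the token must carry precisely the configured scopes.

    This is why a token with scp=["subscribe"] fails a "subscribe publish" requirement.
    """
    return extract_scopes(claims) == frozenset(required.split())


def permitted_operations(claims: Mapping[str, Any]) -> frozenset:
    """Per-operation policy: an MQTT operation is allowed only if its scope is present.

    A subscribe-only token gets {"subscribe"}, a publish-only token gets {"publish"},
    "subscribe publish" gets both, and a token carrying neither gets nothing.
    """
    scopes = extract_scopes(claims)
    return frozenset(op for op in MQTT_OPERATIONS if op in scopes)


def authorize(claims: Mapping[str, Any], operation: str) -> bool:
    """Deny by default: unknown operations and tokens lacking the matching scope fail."""
    return operation in permitted_operations(claims)
```

Constructed claim dictionaries such as {"scp": ["subscribe"]} or {"scope": "subscribe publish"} exercise the two claim shapes; real tokens would reach these functions only after signature validation.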