Hi,
While integrating HiveMQ + Enterprise security extension, I could effectively Authenticate a client using ory hydra locally.
Now, the next steps is to validate claims based on different clients (clientId) for a specific resource (one as a publisher and another one as subscriber).
Could you please guys provide a documentation how to configure scopes by different clients without using sql database? It is not clear even in the examples how to manage jwt authorization client credentials and I was wondering if there is a way for doing this.
From the example as follow, a jwt token was given to a client with scope = subscribe but in the configuration file was defined as “subscribe publish”. It doesn’t match, but I am not sure how to configure this per client or for accepting 3 types of scope:
- subscribe
- publish
- subscribe publish
2023-11-22 10:04:55,124 DEBUG - An invalid JWT with jti 78415e1f-65c4-412b-a73a-0c03f52cf742 was sent. The "scp":"[subscribe]" does not match "[subscribe, publish]" ("[subscribe, publish]" before substitution).
2023-11-22 10:04:55,124 DEBUG - Client failed authentication: ID 0518693c-45f3-481b-83cd-a9ad6eb74551, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-11-22 10:05:00,119 DEBUG - Client '0518693c-45f3-481b-83cd-a9ad6eb74551' with ip 127.0.0.1 could not be authenticated
<pipelines>
<listener-pipeline listener="ALL">
<jwt-authentication-manager>
<realm>jwt-provider</realm>
<jwt-validation>
<reserved-claims>
<sub>${mqtt-clientid}</sub>
<scope alt="scp">subscribe publish</scope>
</reserved-claims>
</jwt-validation>
</jwt-authentication-manager>
<allow-all-authorization-manager/>
</listener-pipeline>
</pipelines>
Can you may be help on this @Daria_H matters?
Thanks.