Scope validations in jwt token - client credentials grant

Hi,

While integrating HiveMQ with the Enterprise Security Extension, I could effectively authenticate a client locally using Ory Hydra.

Now, the next step is to validate claims based on different clients (clientId) for a specific resource (one as a publisher and another one as a subscriber).

Could you guys please provide documentation on how to configure scopes for different clients without using a SQL database? It is not clear, even in the examples, how to manage JWT authorization with client credentials, and I was wondering if there is a way of doing this.

From the example that follows, a JWT token was given to a client with scope = subscribe, but in the configuration file it was defined as “subscribe publish”. It doesn’t match, but I am not sure how to configure this per client, or how to accept 3 types of scope:

subscribe
publish
subscribe publish

2023-11-22 10:04:55,124 DEBUG - An invalid JWT with jti 78415e1f-65c4-412b-a73a-0c03f52cf742 was sent. The "scp":"[subscribe]" does not match "[subscribe, publish]" ("[subscribe, publish]" before substitution).
2023-11-22 10:04:55,124 DEBUG - Client failed authentication: ID 0518693c-45f3-481b-83cd-a9ad6eb74551, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-11-22 10:05:00,119 DEBUG - Client '0518693c-45f3-481b-83cd-a9ad6eb74551' with ip 127.0.0.1 could not be authenticated

<pipelines>
    <listener-pipeline listener="ALL">
        <jwt-authentication-manager>
            <realm>jwt-provider</realm>
            <jwt-validation>
                <reserved-claims>
                    <sub>${mqtt-clientid}</sub>
                    <scope alt="scp">subscribe publish</scope>
                </reserved-claims>
            </jwt-validation>
        </jwt-authentication-manager>
        <allow-all-authorization-manager/>
    </listener-pipeline>
</pipelines>

Can anyone maybe provide some useful insights on this, please? @Daria_H @AaronTLFranz @pglombardo

Thanks.

Hello @daniel.dg.gutierrez

Thank you for your enquiry.

Regarding your question about the Enterprise Security Extension: presently, it is configured to match all scopes and does not possess the capability to match any specific scope from the provided list. However, we would like to suggest an alternative solution for your specific needs. You could configure the introspection endpoint to validate this, if Hydra supports it, or you can explore the use of either the file-realm or the sql-realm, which offer the flexibility to achieve authorization with the desired scope matching.
To achieve this, kindly follow the steps below:

  1. Remove the <scope> tag from <reserved-claims>.
  2. Utilize the <file-authorization-manager> to handle the authorization process.

These adjustments should align more closely with your desired scope-matching functionality. If you encounter any further challenges or have additional questions, please feel free to reach out. We are here to assist you.

Regards,
Sheetal from HiveMQ Team
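As an added illustration (not part of the original posts or of HiveMQ's own documentation), this is how the listener pipeline from the question looks after applying the two steps above: the `<scope>` entry is removed from `<reserved-claims>`, and the `<allow-all-authorization-manager/>` is replaced by a `<file-authorization-manager>`. The realm name `file-realm`, and the assumption that its file maps each client (publisher, subscriber) to its topic permissions, are placeholders, not values from the thread.

```xml
<!-- Added example, not from the original thread. Listener pipeline after the two steps:
     1. no <scope> in <reserved-claims>, so the JWT check no longer requires every
        listed scope ("subscribe" AND "publish") to be present in the token's "scp";
     2. authorization is decided per client by a file realm instead of allow-all. -->
<pipelines>
    <listener-pipeline listener="ALL">
        <jwt-authentication-manager>
            <realm>jwt-provider</realm>
            <jwt-validation>
                <reserved-claims>
                    <!-- the token's "sub" must still equal the MQTT client id -->
                    <sub>${mqtt-clientid}</sub>
                    <!-- <scope alt="scp">subscribe publish</scope> removed (step 1) -->
                </reserved-claims>
            </jwt-validation>
        </jwt-authentication-manager>
        <!-- step 2: replaces <allow-all-authorization-manager/>.
             "file-realm" is an assumed realm name; it must be defined separately as a
             file realm whose entries grant the publisher PUBLISH and the subscriber
             SUBSCRIBE permissions on the shared topic. -->
        <file-authorization-manager>
            <realm>file-realm</realm>
        </file-authorization-manager>
    </listener-pipeline>
</pipelines>
```

With this layout the JWT still proves who the client is, while what the client may do on the topic is decided by the realm rather than by a scope list that the token must match in full.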