SubscribeAuthorizer on FailAuthorization with mqtt5 allows client to subscribe

Hi All,

We are working on SubscribeAuthorizer and using FailAuthorization logic to prevent clients from subscribing to unauthorized topic.

However, for mqtt5 clients we see the subscription is successful for unauthorized topic even after using subscriptionAuthorizerOutput.FailAuthorization() although it is interesting to know that broker does not send the messages to hivemq 5 client on unauthorized subscribe topic.

Is this an expected behaviour?

Regards,
Neha

Hi @neha.khan ,

Thank you for reaching out. If you are a paying customer, please welcome to use https://support.hivemq.com.

In general, “that broker does not send the messages to hivemq 5 client on unauthorized subscribe topic” is according to MQTT specification, both v.5 and v.3.x

Regarding the " for mqtt5 clients we see the subscription is successful for unauthorized topic " – it is unclear what exactly you are observing.

  • For example, when you check the client in the Client View in the Control Center, do you see the “unauthorized topic” among the “Subscriptions” of the client?
  • Next, does the client receive the SUBACK message with the appropriate error code, like 128 or 135 (“Not authorized”)? Please be more specific about what you observe.

You would also like to check which other custom extensions you are using and if those add any subscriptions for the client.

To get an insight into what is happening on the broker side you might use the Trace Recording (Enterprise feature) or install the MQTT Message Log Extension (open source).

I hope it helps.
Kind regards,
Dasha from HiveMQ Team