Using JWT authentication on Hive cloud cluster

Hi,

I recently started using the cloud cluster and I am trying to use the JWT authentication using React Websocket. I used my NestJS backend to create an endpoint to generate the JWKs. I can’t seem to understand how to configure it right. I am unable to connect to the cluster. I would appreciate a guide to achieve this.

Thanks in advance.

Hello @sai.dasari

Welcome to the HiveMQ Community! Could you please confirm if your JWKS Endpoint (NestJS backend) is publicly available and reachable over the Internet? Additionally, have you had an opportunity to review this article Step Up Your MQTT Security with JWT Authentication on HiveMQ Cloud Starter?

Kind regards,
Diego from HiveMQ Team

Hi @Diego , thank you for replying to my question. The URL that provides the JWK endpoint is

https://video-stream-server-d5tydko3na-uc.a.run.app/hivemq-jwk

and I am not able to connect using the token.

I am trying to connect from the client using the code below:

import ssl
import paho.mqtt.client as mqtt

broker_url, broker_port = "TYPE_YOUR_CLUSTER_URL", 8883
jwt_token = "TYPE_YOUR_TOKEN"

def on_connect(client, userdata, flags, rc):
    print("connect result code:", rc)  # 5 = NOT_AUTHORIZED
def on_message(client, userdata, msg):
    print(msg.topic, msg.payload)
client = mqtt.Client()
# Enable TLS for the connection
client.tls_set(tls_version=ssl.PROTOCOL_TLS)
# The JWT is sent as the MQTT password (as with -pw in the CLI command)
client.username_pw_set(username="jwt", password=jwt_token)
client.on_connect = on_connect
client.on_message = on_message
# Connect to the broker and wait for the CONNACK
client.connect(broker_url, broker_port)
client.loop_forever()

Correct me if I am doing something wrong. Thanks

Hello @sai.dasari

You’re welcome, the key factor here is ensuring the correct password along with the proper Access Token. I recommend testing your custom NestJS JWKS Endpoint setup with an MQTT client tool first, such as the HiveMQ MQTT CLI. You can use the sample command provided below.

mqtt pub -h TYPE_YOUR_CLUSTER_URL -p 8883 -s -pw "TYPE_YOUR_TOKEN" -t 'my/test/topic' -m 'Testing JWT Auth' -v

Kind regards,
Diego from HiveMQ Team

Hi @Diego ,

Is the provided end point generating a valid response in the required format for the cluster?

I tried the sample command provided and it gives me not authorized.
Response: Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.

This is my cluster setup, where I pass strings for the claims aud and sub and an integer for exp.

@sai.dasari

For troubleshooting purposes, could you please provide a valid JWT token? Additionally, could you confirm the URL of your HiveMQ Cloud Cluster?

Kind regards,
Diego from HiveMQ Team

@Diego
URL for cloud cluster: optoscale-o61103.a03.euc1.aws.hivemq.cloud

JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJpb3RfZGV2aWNlIiwiYXVkIjoib3B0b3NjYWxlIiwiZXhwIjoxNzI1NTQ2MzYwfQ.UHBW0Y2z5gNQUdlt3j-lK_Inpmr48c7aPtoCJ4gfNF59xCpOBvc1Hrbqx06_AYcg74QBfSLBFsWobAzhny29xydX1Cz1ZSx-mx0absvlfnnNLkRbD5YCXK595M4SXrgiAt5Gp2RzTCU1-asCErAZ9Mx6HHYLI_ScHzU9Q2QSKRyv9acU4FzaiviAgzrhe3XGhywZ9G_Pq5Q4fciOCMmkCJ2Rihz8GTQyQ2JkGGSyfYZwLj2Pd6nhM8VJMN7TRcr9l-bgcq3gmm-h3D8c52e2zfmtVuejevoAFuujBXUIhNuEi1bc0pxqWVVJHUQ9FkZ4otY8IjW4gxSvyhi-IU_phg

Not sure if I am generating valid tokens. Is this safe to post here?

@sai.dasari

The token has a limited access lifetime, and you can expire all tokens by restarting your NestJS JWKS Endpoint application. It appears that the token that your application is generating is not valid. You can view an example of a valid token using this JWT Debugger tool link.

Kind regards,
Diego from HiveMQ Team

Thank you @Diego . If you can provide a best practice guide for HiveMQ-JWT integration using any technology, I would highly appreciate it. Any resource that you think is relevant would be appreciated, thank you.

Hello @sai.dasari

I can provide you with documents that offer further insights into HiveMQ and JWT. Additionally, you can create a free developer account on Auth0 to run tests using their platform. I frequently use it in my labs; it is very useful.

Kind regards,
Diego from HiveMQ Team

Thank you @Diego . I appreciate the guidance. I will reach out in case I face any further issues.

@Diego Do I need to use the Enterprise Security Extension to implement JWT-based authentication for Cloud Starter, or can I follow the path that I was following before?

Hi @Diego , I am generating a valid token but I am still getting NOT_AUTHORIZED.

URL for endpoint: https://video-stream-server-d5tydko3na-lz.a.run.app/hivemq-jwk

Token

I have removed all the claims in the JWT config of the broker.

I tried the command

mqtt pub -h optoscale-o61103.a03.euc1.aws.hivemq.cloud -p 8883 -s -pw "TOKEN" -t 'my/test/topic' -m 'Testing JWT Auth' -v

Is there a way to check the logs of the broker?

@sai.dasari

Closing this thread since the issue scope has now been fully addressed through a support ticket.

Kind regards,
Diego from HiveMQ Team