Mosquitto plugin to validate JWT and manage the ACL for each topic
tointernet/mosquitto-identity-plugin
Mosquitto Identity Plugin


In an IoT platform, one of the most important things is to ensure that each device can access only the resources it is allowed to access. This matters because on an IoT platform we do not know where our devices are or who has them, so the basic security principle of reducing access to our platform as much as we can (least privilege) is extremely important for IoT. With this in mind, this plugin lets us override the basic connection authentication and create an ACL for the Mosquitto broker using an identity server to enforce it. Each user has a group of permissions called Roles, and these permissions grant or deny access to each topic; with that we can manage publishing and subscription for each topic.

Note: the plugin was built using Auth0, but we think it will work with other identity providers as well, for example Keycloak.

Mosquitto Plugin

The Mosquitto broker gives us an external API for building a custom plugin. This API is exposed in mosquitto_plugin.h.

Broker Startup

When the broker starts running, it checks whether a plugin is configured and, if so, looks up the methods implemented by that plugin.

During startup the broker calls three methods: mosquitto_auth_plugin_version, mosquitto_auth_plugin_init and mosquitto_auth_security_init.

Mosquitto Basic Auth Workflow

The basic authentication API is used simply by implementing the method mosquitto_auth_unpwd_check.

If mosquitto_auth_unpwd_check is implemented, the broker calls it for every connection that arrives.

If the method returns MOSQ_ERR_SUCCESS (0) the broker allows the client to connect. If it returns anything > 0 the broker denies the connection.

Mosquitto ACL Workflow

For the Access Control Layer, unlike basic auth, we need to implement several methods, and the broker calls each of them following the diagram below:
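As an added illustration (not code from this repository), here is the deny-by-default decision that the ACL hook described above (mosquitto_auth_acl_check in the broker's auth plugin API) would make from the Roles carried in a validated token, written in Rust like the plugin itself. The return codes and access flags mirror mosquitto.h / mosquitto_plugin.h; the Permission shape and the sample device permissions are assumptions.

```rust
// Added example, not code from this repository: the deny-by-default decision a
// mosquitto_auth_acl_check hook makes from the roles carried in a validated JWT.
// Constants mirror mosquitto.h / mosquitto_plugin.h; the Permission shape is assumed.
pub const MOSQ_ERR_SUCCESS: i32 = 0;
pub const MOSQ_ERR_ACL_DENIED: i32 = 12;
pub const MOSQ_ACL_READ: i32 = 1; // broker delivers a message to the client
pub const MOSQ_ACL_WRITE: i32 = 2; // client publishes to the topic
pub const MOSQ_ACL_SUBSCRIBE: i32 = 4; // client subscribes to the filter

/// One permission taken from a role in the token (hypothetical shape).
pub struct Permission {
    pub pattern: &'static str, // MQTT topic filter; may contain + and # wildcards
    pub allow: i32,            // bitmask of MOSQ_ACL_* flags this role grants
}

/// MQTT topic-filter matching: `+` matches one level, `#` matches the remainder.
/// Wildcards never match a `$`-prefixed first level, so a role holding `#` does
/// not silently gain access to `$SYS/...` topics.
pub fn topic_matches(filter: &str, topic: &str) -> bool {
    if topic.starts_with('$') && (filter.starts_with('+') || filter.starts_with('#')) {
        return false;
    }
    let mut f = filter.split('/');
    let mut t = topic.split('/');
    loop {
        match (f.next(), t.next()) {
            (Some("#"), _) => return true,      // matches zero or more levels
            (Some("+"), Some(_)) => {}          // exactly one level
            (Some(a), Some(b)) if a == b => {}  // literal level
            (None, None) => return true,        // both exhausted together
            _ => return false,
        }
    }
}

/// Allow only if some permission grants every requested access bit on a matching
/// filter; anything else is MOSQ_ERR_ACL_DENIED, which the broker reports as refused.
pub fn acl_check(perms: &[Permission], topic: &str, access: i32) -> i32 {
    let granted = perms
        .iter()
        .any(|p| (p.allow & access) == access && topic_matches(p.pattern, topic));
    if granted { MOSQ_ERR_SUCCESS } else { MOSQ_ERR_ACL_DENIED }
}

fn main() {
    // Constructed sample: a device may publish its own telemetry and subscribe
    // to its own command subtree, nothing else.
    let perms = [
        Permission { pattern: "devices/dev-42/telemetry", allow: MOSQ_ACL_WRITE },
        Permission { pattern: "devices/dev-42/cmd/#", allow: MOSQ_ACL_READ | MOSQ_ACL_SUBSCRIBE },
    ];
    println!("{}", acl_check(&perms, "devices/dev-42/telemetry", MOSQ_ACL_WRITE)); // 0
    println!("{}", acl_check(&perms, "devices/dev-99/telemetry", MOSQ_ACL_WRITE)); // 12
}
```

The exported extern "C" hook would only unpack the broker's client and message structs and forward the topic and access flags to acl_check.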

Requirements:

  • Docker CE
  • Rust LTS

    asdf plugin-add rust https://github.com/code-lever/asdf-rust.git \
    && asdf install rust latest \
    && asdf global rust latest

  • LLVM, Clang

    sudo apt install llvm-dev libclang-dev clang

  • Mosquitto, Mosquitto SDK

    sudo apt install mosquitto-dev libmosquitto-dev

Run the example

  • Once all of the requirements are met, use the Makefile docker target to run the example:

    make docker
