How to handle JWT revocation using MQTT

Following the instructions in this Auth0 article, I successfully authenticated MQTT clients using "JWT" as the username and the JWT token as the password.

In my use case, however, JWT tokens are short-lived. Clients must receive a new token before the current token expires and then present it to the MQTT server. Otherwise, the connection will be terminated by the server.

My question is: how do I implement the token update? Is it a message published by the client? On what topic? Does the client disconnect so that it can re-authenticate with the new token? Or is there another way?

+13
oauth mqtt jwt auth0 json-web-token
3 answers

Updating JWT tokens matters because tokens have expiration dates. If a device is connected via MQTT and its token expires, the MQTT broker should automatically disconnect the device. You can prevent the device from being disconnected by automatically updating its token.

The following example shows how to check whether a token has expired and, if so, how to reconnect with a new token without the device being disconnected.

```java
// Refresh the JWT once it is older than the configured lifetime, then
// reconnect with the new token as the MQTT password. `iat` (issued-at),
// `options`, `connectOptions`, `client`, `createJwtRsa`, `createJwtEs` and
// `attachCallback` come from the surrounding program.
long secsSinceRefresh = ((new DateTime()).getMillis() - iat.getMillis()) / 1000;
if (secsSinceRefresh > (options.tokenExpMins * 60)) {
  System.out.format("\tRefreshing token after: %d seconds\n", secsSinceRefresh);
  iat = new DateTime();
  if (options.algorithm.equals("RS256")) {
    connectOptions.setPassword(
        createJwtRsa(options.projectId, options.privateKeyFile).toCharArray());
  } else if (options.algorithm.equals("ES256")) {
    connectOptions.setPassword(
        createJwtEs(options.projectId, options.privateKeyFile).toCharArray());
  } else {
    throw new IllegalArgumentException(
        "Invalid algorithm " + options.algorithm + ". Should be one of 'RS256' or 'ES256'.");
  }
  // A new password only takes effect on a fresh CONNECT, so drop the session and
  // reconnect. The options object holding the new password must be passed in:
  // Paho's no-argument connect() uses default options and would ignore it.
  client.disconnect();
  client.connect(connectOptions);
  attachCallback(client, options.deviceId);
}
```
+1

The easiest way is to implement an asynchronous service that periodically checks the connected clients and reads each one's timestamp. If the timestamp is out of date, force-disconnect the client so that it reconnects.

Depending on the message broker you are using, you can add this function to the broker itself.

For example, in HiveMQ, you can easily attach an asynchronous callback that schedules this kind of background job and runs it periodically.

The HiveMQ extension system is well-documented, and you can find some examples here: https://www.hivemq.com/docs/4/extensions/services.html#managed-extension-executor

+4

I think you are interested in the behavior of refresh_token ( https://auth0.com/docs/tokens/refresh-token/current ). I'm not sure whether the Auth0Mosca library supports it.

-1
