Using JWT as dynamic credentials with MQTT in Node Red with Mosca


Simon H

Oct 15, 2017, 4:21:02 AM
to Node-RED
Hi All, 

Julian asked for a brief write-up of my use of JSON Web Tokens with MQTT; although dynamic credentials are not yet supported by the MQTT nodes in Node-RED, a practical description of their use is here:
along with a link to the required MQTT node modifications, and example Mosca code.

As a very brief summary, at Yella Umbrella we use JWT tokens to authorise access to Mosca as an MQTT server running over WSS. This allows us to centrally issue authentication securely, without the MQTT server needing to know anything about actual users or passwords. The last thing I wanted to have to do was enable access to a user/pwd database from every microservice I wrote...

Any comments welcome, although if you are highlighting a serious security flaw, I'd prefer a private email!

best regards,

Simon

Julian Knight

Oct 15, 2017, 5:10:32 PM
to Node-RED
Hi Simon, thanks for that, good stuff.

Slight correction though - Node-RED's implementation of MQTT does do TLS and its implementation of websockets automatically switches to wss: if you are using https: for Node-RED. Not quite clear whether you meant that the connection to MQTT should happen over wss:?

I like your implementation, looks pretty secure to me.

Simon H

Oct 15, 2017, 5:23:39 PM
to Node-RED
Hi Julian,
could you expand on the WSS: thing? I'd assumed that TLS for MQTT was just wrapped around the TCP connection - and only went to a stated port on a stated server.
Just to be clear, I'm serving MQTT over WSS, let's say at WSS://myserver.com/somefolder/someotherfolder - I could not see a way to put that into the MQTT config node, although the underlying MQTT client does support it if you give it a complete url.  In my server, this url is separated off and forwarded to Mosca by HAProxy (HTTPS terminated, and forwarded as http/ws; pretty transparent), and other urls (including the root of the server) are farmed out to Apache or NR as required.
s

Julian Knight

Oct 15, 2017, 5:28:55 PM
to Node-RED
Hi, I've always been a bit vague on the protocols actually being used for MQTT I'm afraid. 

I know that, if you connect direct from the browser, you will be using ws/wss but I don't know if that's how Node-RED does it. Nick would be the expert. As he IS THE expert!

I do know that Node-RED's websocket connections switch to wss: if you switch the web interface to https: but the MQTT nodes set TLS use in a separate flag in the broker configuration node. So it certainly supports TLS connections.