MQTT and dynamic credentials


Simon H

Jan 6, 2017, 3:58:02 AM
to Node-RED
Hi all,

Does anyone have experience of using MQTT with dynamic credentials in Node-RED?

The use case is around thoughts of using a JWT as credentials, but the JWT will need to be refreshed, possibly once every 10 minutes...
The theory goes that a single connection will not need new credentials, but if there is a disconnect, then the JWT would be out of date at reconnect; and it would need to be set at startup to a valid non-expired JWT.

s

Julian Knight

Jan 6, 2017, 7:08:35 AM
to Node-RED
Are you sure you need to do that with the MQTT broker itself? Normally you'd do that in a REST API.

Simon H

Jun 6, 2017, 9:19:19 AM
to Node-RED
I've been looking into this, and have created a function in the mqtt broker node 'changecredentials(user, pass)'.

Then in the publish node, if msg.username or msg.password is set, it calls this function and returns.

The function calls end on the connection if a connection is present, sets username and password on the options for the node, and then calls connect.

I can't see any way to make the credentials get saved to the credentials file (and I'm not even sure this is desirable...), so flows would always start up with their configured credentials.

Any appetite for this as an update to the mqtt node set?

Simon

Alexandro Torregrossa

Jun 9, 2017, 4:40:57 AM
to Node-RED
Hi,

Can you post the JSON?

Thanks

Simon H

Aug 4, 2017, 11:25:02 AM
to Node-RED
Hi Alexandro,

Sorry for replying so late...

I can point you at the update (just rebased onto latest 17):

I use this by sending a message { username:'user', password:'pass' } to an mqtt publish node before I start using MQTT in the flow. The message does nothing else but change the credentials...
(in my case, I have a user 'jwt', and send a password which is a JWT defining the user access to mosca, then decode the JWT in mosca to enable login and publish/subscribe rights; it gives me huge flexibility in granular authorisation).

A pull request is of course available; but I think the team would consider that if we did this for MQTT, it should be a general thing for all credential-based comms, and they are not ready for that yet...
(but do let me know - I will issue it in a flash! And it's now pretty well tested).

best regards,

Simon
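
The broker-side check this thread describes (user 'jwt', password carrying a JWT that grants publish rights), as an added example that is not Simon's code and not mosca's API. HS256, the shared secret, the `pub` claim holding topic filters and all function names are assumptions; the sample token is constructed.

```javascript
// Added example: validate a JWT sent as the MQTT password, then authorise a publish.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed sample key (assumption)
const b64url = (data) => Buffer.from(data).toString('base64url');

// Mints an HS256 token; stands in for the token service, used to build sample input.
function signJwt(claims, secret = SECRET) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Returns the verified claims, or null if the login must be refused.
function authenticate(username, password, nowSec = Math.floor(Date.now() / 1000)) {
  if (username !== 'jwt' || typeof password !== 'string') return null;
  const parts = password.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch (e) { return null; }
  // Pin the algorithm on the broker; the token header must not choose it.
  if (!header || !claims || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  // A token without exp, or past it, is refused: this is the stale-JWT-at-reconnect case.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// MQTT topic filter match: '+' matches one level, '#' matches the remainder.
function topicMatches(filter, topic) {
  const f = filter.split('/'), t = topic.split('/');
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return i === f.length - 1;
    if (i >= t.length || (f[i] !== '+' && f[i] !== t[i])) return false;
  }
  return f.length === t.length;
}

function authorizePublish(claims, topic) {
  const filters = claims && claims.pub; // `pub` claim name is an assumption
  return Array.isArray(filters) && filters.some((x) => typeof x === 'string' && topicMatches(x, topic));
}
```

Because the broker only sees the password at CONNECT, a token that was valid at startup is refused on a reconnect after `exp`, which is why the client has to swap in a fresh JWT before reconnecting.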