Go mosquitto auth plugin


#21

Great,

Thanks to this piece of code I connected my paho.mqtt client and everything works as usual. However, as I’m still a beginner, I didn’t understand why I must connect it with the loraserver username and the MQTT password attached to this username instead of this.getToken() and “any” as in your example.

Here my javascript function to connect the client:

function MQTTconnect() {
    console.log("connecting to "+ host +" "+ port);
    mqtt = new Paho.MQTT.Client(host,port,"clientjs");
    //document.write("connecting to "+ host);
    
    var that = this;
    
    var sslOption = true;
    if(host == "192.168.0.27") {
      sslOption = false;
    }
    
    var options = {
        timeout: 3,
        //userName: this.getToken(),
        userName: "loraserver",
        //password: "any",
        password: "loraserver_MQTT_password_plain_text",
        useSSL: sslOption,
        keepAliveInterval: 3600,
        onSuccess: onConnect,
        onFailure: onFailure
    };

    mqtt.onMessageArrived = onMessageArrived;
    mqtt.connect(options); //connect
}

This behavior is a little bit boring because if you are connected on localhost you can read my MQTT loraserver password from the web console of your browser :frowning:


#22

For me it works correctly when using the token. Could you start mosquitto manually (sudo mosquitto -c /etc/mosquitto/mosquitto.conf) and try to connect using the token to see what’s the output from the plugin?


#23

Here is a screenshot of my web console when the client is trying to connect:

this.getToken() is not function…

I’m locally using the paho-mqtt.js provided by Eclipse and this function is not available. Maybe I have to load a script with this function?


#24

Ah, that’s it. The function getToken() is from the lora-app-server’s UI, not a general JS function. My example is an old version of how I modified the default UI to be able to check live data by subscribing to the data topics from mosquitto.

So if you want to test using a JWT token from a generic JS script, you need to provide a valid JWT token for the lora-app-server’s user you intend to authenticate with.

For example, you could open your-host:8080/api (assuming you are using the 8080 default) and use the login method to obtain a JWT token given a lora-app-server’s username and password. Then, in your test script, replace userName with that token and password with any string and try to connect. If everything is right, the Postgres backend should authenticate the user correctly and also authorize the correct topics.


#25

Hello @iegomez,

I’m struggling to recover a valid JWT token or something else. I think I followed the right instructions, but despite this, when I write the JWT token in the API here:

I have “fetching resource list: undefined; Please wait.” as reply:

I created the token from https://jwt.io/, hereinafter you can find a snapshot:

The “Verify signature” field corresponds to my jwt_secret from lora-app-server.toml.

I don’t understand what is wrong?

Previously (a few weeks ago) I managed to make the API work, but I can’t remember what JWT token I used; I only remember having followed the same way…


#26

It seems like your lora-app-server or some dependency isn’t working right. Try to make sure that they work and you can load the API frontend before going any further, there could be something wrong that’ll come to bite you later.

That said, the token you are creating at jwt.io has an expiration date of last year, so it won’t work. Try changing exp to something like this 1999653358 (that’s May 14 2033, but anything in the future is enough).


#27

Thank you for your reply,

I started only the service used for loraserver (without influxdb & grafana):

Then I modified “nbf” and “exp” as you advise:

and there is the same behavior, it doesn’t work:

“fetching resource list: undefined; Please wait.”

As a next investigation I would try a version of loraserver without the TLS certificate enabled.


#28

I think that’s not a problem with the token but with the API frontend itself. As I said, you should make sure that it is rendered correctly, in which case you could just use the login method from it and wouldn’t need jwt.io to generate a token.

Anyway, if the token is correct, it should work when testing the script to connect to mosquitto.


#29

Hello @iegomez, thank you for the reply,

You’re probably right, however I’m really frustrated because I already managed to make the API work…

When I’m connecting without JWT token to api I can read ==> “fetching resource list:https://192.168.0.27:8080/swagger/api.swagger.json;Please wait.” and there the list appears.

Then when I type the JWT token in the field I’m retrieving ==> “fetching resource list: undefined; Please wait.”

@brocaar plz, do you have an idea?

You mean like this:

function MQTTconnect() {
    console.log("connecting to "+ host +" "+ port);
    mqtt = new Paho.MQTT.Client(host,port,"clientjs");
    //document.write("connecting to "+ host);
    
    var that = this;
    
    var sslOption = true;
    if(host == "192.168.0.27") {
      sslOption = false;
    }
    
    var options = {
        timeout: 3,
        //userName: this.getToken(),
        userName:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJsb3JhLWFwcC1zZXJ2ZXIiLCJhdWQiOiJsb3JhLWFwcC1zZXJ2ZXIiLCJuYmYiOjE5OTk2NTMzNTgsImV4cCI6MTk5OTY1MzM1OCwic3ViIjoidXNlciIsInVzZXJuYW1lIjoiYWRtaW4ifQ.Fb9wu9oPp0zUxsWRnklveSIIfIErdcPldBqYBRVJxqc",
        password: "any",
        useSSL: sslOption,
        keepAliveInterval: 3600,
        onSuccess: onConnect,
        onFailure: onFailure, 
    };
		 
    mqtt.onMessageArrived = onMessageArrived;
    mqtt.connect(options); //connect
    
}

I’m trying to understand with the debugger what’s happening. It’s tricky for me as I’m not a JavaScript developer and I don’t have any experience with object-oriented programming :wink: it’s my luck :wink:

but I keep going…

Anyway, thank you for your help and your replies!


#30

Yes, that’s correct and should work if everything is right at mosquitto’s side.

I haven’t seen that happen, so I don’t know what’s going on, but if I get any idea I’ll let you know.


#31

Hi @iegomez

[quote=“iegomez, post:30, topic:448”]
Yes, that’s correct and should work if everything is right at mosquitto’s side.
[/quote]

It doesn’t work. I certainly have a problem with the JWT generation or something else; I have to investigate…


#32

Hi, guys, I wanted to warn you about a change I made to the plugin. If you are using the JWT backend, I made a minor but breaking change yesterday: the backend used to expect the username to be the Username field of what was a custom Claims struct. Now it expects the Subject field from the StandardClaims (see github.com/dgrijalva/jwt-go) to contain the username. I’ll probably leave that as default and offer a conf option to change it so it’s compatible with loraserver, which uses Username, but it won’t be until Monday or some day next week.


#33

Hello,

ok I am waiting for your instructions.


#34

Hi, @julien. I’ve just tested and then pushed the changes. All you need for the plugin to work as usual is to add this option to your conf:

auth_opt_jwt_userfield Username

That will tell the plugin to look for the Username field in the JWT claims instead of the default Subject one.

As I mentioned, the logs that shouldn’t have been there were removed. You only need to rebuild the plugin with make, replace the old .so with the new one (if you are building it on another location, it will be replaced if you build in the same location where mosquitto expects it to be), and then restart mosquitto. Let me know if you have any issue.

Cheers!
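
An added example, not part of any post in this thread and not the plugin's code: a decode-only check, run under Node.js, of the two things the replies above point at, the nbf/exp window and which claim `auth_opt_jwt_userfield` selects. The claim-name mapping (`sub`, `username`), the function names and the fixed "current time" are assumptions for illustration; the token segments are those posted in #29, with the signature replaced by a placeholder.

```javascript
// Decode-only helper for diagnosis. It does NOT verify the signature; the
// broker-side plugin does that with the shared jwt_secret.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Assumed JSON claim names: "sub" for Subject, "username" for Username
// (the names that appear in the token posted in #29).
const USER_FIELDS = { Subject: "sub", Username: "username" };

// Returns the user name a backend would read for the given
// auth_opt_jwt_userfield value, plus any time-claim problems at nowSeconds.
function diagnose(token, userField, nowSeconds) {
  const key = USER_FIELDS[userField];
  if (!key) throw new Error("unknown user field: " + userField);
  const c = decodeClaims(token);
  const hasNbf = typeof c.nbf === "number";
  const hasExp = typeof c.exp === "number";
  const problems = [];
  if (hasExp && nowSeconds >= c.exp) problems.push("expired");
  if (hasNbf && nowSeconds < c.nbf) problems.push("not valid yet");
  if (hasNbf && hasExp && c.nbf >= c.exp) problems.push("empty validity window");
  if (typeof c[key] !== "string" || c[key] === "") problems.push("missing " + key);
  return { user: c[key], problems: problems };
}

// Header and payload segments of the token posted in #29; the signature is
// replaced by a placeholder because nothing here checks it.
const POSTED = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJpc3MiOiJsb3JhLWFwcC1zZXJ2ZXIiLCJhdWQiOiJsb3JhLWFwcC1zZXJ2ZXIiLCJuYmYi" +
  "OjE5OTk2NTMzNTgsImV4cCI6MTk5OTY1MzM1OCwic3ViIjoidXNlciIsInVzZXJuYW1lIjoi" +
  "YWRtaW4ifQ.signature-placeholder";

// Constructed token with a usable window (nbf in the past, exp in 2033).
function sampleToken(claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64");
  return "e30." + body.replace(/=+$/, "") + ".signature-placeholder";
}
const FIXED = sampleToken({ nbf: 1500000000, exp: 1999653358, sub: "user", username: "admin" });

const NOW = 1526000000; // constructed "current time", May 2018
console.log(diagnose(POSTED, "Username", NOW));
console.log(diagnose(FIXED, "Username", NOW));
```

For the posted token this reports `not valid yet` and `empty validity window`, because its nbf and exp carry the same value; with the default Subject field the user read from it is `user`, not `admin`.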


#35

@iegomez would you like to contribute to https://www.loraserver.io/guides/mqtt-authentication/ by documenting the steps needed to use your plugin for authentication / authorization? I think that would be a great addition :slight_smile: (you’ll find this page in https://github.com/brocaar/docs.loraserver.io/tree/master/content/guides).


#36

Hi, @brocaar. Yeah, no problem, let me give it a look these days and I’ll submit a PR when it’s ready.


#37

Hi,

thank you for your help, I will do it this week and I will come back to you if I have any issue.



#38

@brocaar, I just submitted the PR. I kept it pretty simple and followed the same structure you used to describe mosquitto-auth-plug installation. Just let me know if you need any more detail or modification.

Cheers!


#39

Thanks! Merged and updated :slight_smile: https://www.loraserver.io/guides/mqtt-authentication/


#40

Hi! I just added support for mosquitto 1.5.x and included some little details at the docs with a new PR. I’m sorry I didn’t do it earlier in the original PR, I had to struggle a bit with cgo to get the plugin to compile with the newer version.