Wouldn't it be better to have a specific username for OAuth? e.g. Bearer. If the username matches this then the password is the token?
Paul

On 20 January 2016 at 14:20, Ayyoob Hamza <[email protected]> wrote:

> Hi All,
>
> The MQTT specification only supports basic authentication. However in IoT use
> cases embedding the credential in the device is not a feasible approach.
> Further, in the specification it has been mentioned[1]:
>
> "The CONNECT Packet contains Username and Password fields.
> Implementations can choose how to make use of the content of these fields.
> They may provide their own authentication mechanism, use an external
> authentication system such as LDAP [RFC4511]
> <http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#RFC4511>
> or OAuth [RFC6749]
> <http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#RFC6749>
> tokens, or leverage operating system authentication mechanisms."
>
> There are existing studies on how to support token based authentication by
> extending the current authentication model, such as the model explained in
> the paper[2] and the hivemq example in [3].
>
> Therefore we thought about supporting this capability through the Message
> Broker by creating an extension to the current authentication model.
>
> This is the current model that follows the same principle as the above
> mentioned articles. Below is the implementation of how we achieved it in
> the WSO2 message broker.
>
> In the current authentication model the message broker can load only one
> authenticator, which by default is the CarbonBasedMQTTAuthenticator, which
> supports basic authentication. We have created another authenticator
> to support both basic authentication and token based authentication.
> Below 'Current' and 'Proposed' indicate how the current configuration is
> extended in broker.xml.
>
> In the proposed model the logic would be
> if(password is not empty and a basic authenticator is configured) :
>     execute the basic authenticator.
> if(password is empty) : OAuth based authentication (username contains the
> token)
>
> *Current*
> <authenticator>
>     org.wso2.carbon.andes.authentication.andes.CarbonBasedMQTTAuthenticator
> </authenticator>
>
> *Proposed*
> <authenticator>
>     org.wso2.carbon.andes.extensions.authentication.mqtt.MqttAuthenticator
> </authenticator>
> <authenticatorConfig>
>     <!-- Token authentication Endpoint -->
>     <property name="hostURL">https://localhost:9443/services/OAuth2TokenValidationService</property>
>
>     <!-- Credential to be used for the above admin service -->
>     <property name="username">admin</property>
>     <property name="password">admin</property>
>
>     <!-- authenticate the user only if the below scopes are related to the token.
>          This value can be empty if we want to skip. Multiple scopes can be
>          mentioned by having a space delimiter. -->
>     <property name="scopes">device_scope</property>
>
>     <!-- if username and password exist then execute the basic Authenticator.
>          If below is empty then it will be skipped and use only the token
>          based authentication -->
>     <property name="basicAuthenticator">
>         org.wso2.carbon.andes.authentication.andes.CarbonBasedMQTTAuthenticator
>     </property>
>
>     <!-- below is optional; by default it uses OAuth2TokenValidationService to
>          validate the token. If any other endpoint needs to be used for
>          validation then the TokenAuthenticator interface has to be implemented.
>     <Parameter name="tokenAuthenticator">org.wso2.carbon.andes.extensions.authentication.mqtt.oauth.impl.DefaultOAuth2TokenAuthenticator</Parameter>
>     -->
> </authenticatorConfig>
>
> The source code for this extension is available in [4]. The current default
> token authenticator uses OAuth2TokenValidationService as the authentication
> endpoint. However this can be extended with any other.
>
> [1] http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/mqtt-v3.1.1.html
> [2] http://eprints.port.ac.uk/15538/1/oauth_mqtt3.pdf
> [3] http://www.hivemq.com/blog/mqtt-security-fundamentals-oauth-2-0-mqtt
> [4] https://github.com/ayyoob/extensions/tree/master/messagebroker-extensions
>
> *Ayyoob Hamza*
> *Software Engineer*
> WSO2 Inc.; http://wso2.com
> email: [email protected] cell: +94 77 1681010
>

--
Paul Fremantle
Co-Founder, WSO2
blog: http://pzf.fremantle.org
twitter.com/pzfreo
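The two dispatch rules discussed in this thread, Ayyoob's proposed model (empty password means the username carries the token) and Paul's "Bearer" username variant (the password carries the token), as an added Python example that is not code from the thread or from the WSO2 broker. The token table, the user table, the `TokenInfo` class and all function names are constructed stand-ins for OAuth2TokenValidationService and CarbonBasedMQTTAuthenticator; treating a non-empty password with no basic authenticator configured as token-only is an assumption drawn from the basicAuthenticator comment.

```python
from dataclasses import dataclass, field

@dataclass
class TokenInfo:
    """Constructed stand-in for the token-validation service response."""
    valid: bool
    scopes: set = field(default_factory=set)

# Constructed token table standing in for OAuth2TokenValidationService.
VALID_TOKENS = {
    "tok-device-1": TokenInfo(True, {"device_scope", "read"}),
    "tok-wrong-scope": TokenInfo(True, {"other_scope"}),
    "tok-revoked": TokenInfo(False, {"device_scope"}),
}
# Constructed user table standing in for CarbonBasedMQTTAuthenticator.
BASIC_USERS = {"admin": "admin"}

def basic_authenticate(username: str, password: str) -> bool:
    return BASIC_USERS.get(username) == password

def token_authenticate(token: str, scopes: str) -> bool:
    """Accept the token only if the service reports it valid and it carries
    every configured scope; an empty <scopes> property skips the scope check."""
    info = VALID_TOKENS.get(token)
    if info is None or not info.valid:
        return False
    return set(scopes.split()) <= info.scopes

def authenticate(username: str, password: str, scopes: str = "device_scope",
                 basic_configured: bool = True) -> bool:
    """Proposed model: non-empty password with a basic authenticator
    configured -> basic auth; empty password -> the username is the token.
    A non-empty password with no basic authenticator is read here (an
    assumption) as token-only, per the basicAuthenticator comment."""
    if password and basic_configured:
        return basic_authenticate(username, password)
    return token_authenticate(username, scopes)

def authenticate_bearer(username: str, password: str,
                        scopes: str = "device_scope") -> bool:
    """Paul's variant: the reserved username "Bearer" selects token auth
    and the password field carries the token."""
    if username == "Bearer":
        return token_authenticate(password, scopes)
    return basic_authenticate(username, password)
```

Passing `scopes=""` reproduces the "skip the scope check" behaviour the config comment describes, so a token with unrelated scopes is then accepted.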
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
