Currently, we maintain our own implementation of authentication and authorization which is unsafe and comes with other problems (e.g., remotes that are logged in have to perform a request every time they receive a data update, causing a lot of traffic). A solution to this would be to use Authentication and Authorization over MQTT. However, MQTT-based authentication is not part of the standard, but always based on the broker you are using. To set up authentication and authorization over MQTT, you have to implement or use a plugin for the broker.
Currently, we use mosquitto. Thus, we could use the mosquitto-go-auth plugin. This plugin allows configuring a different endpoint (e.g., an HTTP server) which performs the authentication and authorization checks. This means that the plugin calls the endpoint to know if a user and password pair is correct (authentication) and if a user has permissions to subscribe or publish on a topic (authorization). Since we implement the endpoint, I think this could be a future-proof way to go forward, which could potentially be used with other brokers as well.
However, there is one big hurdle with this approach and this has to do with controllers that have to send different data depending on the logged-in user. Today, these are only the UnitRegistry and the MessageRegistry (units either send their entire data object or nothing). For these, we could either continue with our current approach (they send data available for others and everything else is request-based) or we could implement a different approach where a user's remote logs in at the controller which opens up a new topic for this user. Then, only this user can subscribe to this topic and receive the corresponding updates.
This issue should be used to track and discuss the implementation of MQTT-based authentication and authorization.
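As an added example (not the project's code), here is a minimal Python endpoint of the kind the plugin would call, combining the password check with a per-user topic policy like the one proposed above. It assumes mosquitto-go-auth's HTTP backend contract (JSON POST with username/password for user checks and username/topic/acc for ACL checks, access codes 1 read, 2 write, 3 readwrite, 4 subscribe, and a 2xx status meaning allowed); the user store and the users/<name>/... topic layout are constructed for the example.

```python
"""Added example: auth/ACL endpoint for mosquitto-go-auth's HTTP backend.
Assumed mosquitto.conf options (names assumed from the plugin's docs):
  auth_opt_backends http
  auth_opt_http_getuser_uri /user
  auth_opt_http_aclcheck_uri /acl
  auth_opt_http_superuser_uri /superuser
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

READ, WRITE, READWRITE, SUBSCRIBE = 1, 2, 3, 4  # acc codes assumed from plugin docs

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, PBKDF2 hash); never store plaintext.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("alice-secret", _SALT))}

def check_user(username: str, password: str) -> bool:
    """Authentication: constant-time compare; hash even for unknown users (timing)."""
    salt, digest = USERS.get(username, (_SALT, b"\x00" * 32))
    return hmac.compare_digest(_hash(password, salt), digest) and username in USERS

def check_acl(username: str, topic: str, acc: int) -> bool:
    """Authorization: public/* is read-only for all; users/<name>/... only for its owner
    (a '+' or '#' wildcard never equals the username, so it is denied); publishing is
    allowed only on the owner's users/<name>/cmd topic."""
    parts = topic.split("/")
    if parts[0] == "public":
        return acc in (READ, SUBSCRIBE)
    if len(parts) < 3 or parts[0] != "users" or parts[1] != username:
        return False
    if acc in (READ, SUBSCRIBE):
        return True
    return topic == f"users/{username}/cmd"  # WRITE / READWRITE

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        p = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/user":
            ok = check_user(p.get("username", ""), p.get("password", ""))
        elif self.path == "/acl":
            ok = check_acl(p.get("username", ""), p.get("topic", ""), int(p.get("acc", 0)))
        else:
            ok = False  # /superuser and unknown paths: nobody is a superuser here
        self.send_response(200 if ok else 403)  # response_mode status: 2xx means allowed
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```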