Configuration

Authentication/Authorization of MQTT Users

In operator mode, all users need to provide a JWT in order to connect. In the standard authentication procedure of this mode, NATS clients are required to sign a nonce sent by the server using their private key (see JWTs and Privacy). MQTT clients cannot do that, therefore, the JWT is used for authentication, removing the need of the seed. It means that you need to pass the JWT token as the MQTT password and use any username (except empty, since MQTT protocol requires a username to be set if a password is set). The JWT has to have the Bearer boolean set to true, which can be done with nsc:

  1. nsc edit user --name U --account A --bearer

A new field when configuring users allows you to restrict which type of connections are allowed for a specific user.

If an MQTT client were to connect and use the username foo and password foopwd, it would be accepted. Now suppose that you would want an MQTT client to only be accepted if it connected using the username bar and password barpwd, then you would use the option allowed_connection_types to restrict which type of connections can bind to this user.

  1. authorization {
  2.   users [
  3.     {user: foo password: foopwd, permission: {...}}
  5. }

The option allowed_connection_types (also can be named connection_types or clients) as you can see is a list, and you can allow several types of clients. Suppose you want the user bar to accept both standard NATS clients and MQTT clients, you would configure the user like this:

The possible values are currently:

  • STANDARD
  • WEBSOCKET
  • LEAFNODE
  • MQTT

When an MQTT client creates a QoS 1 subscription, this translates to the creation of a JetStream durable subscription. To receive messages for this durable, the NATS Server creates a subscription with a subject such as $MQTT.sub. and sets it as the JetStream durable’s delivery subject.

Here is an example of a basic configuration that sets some permissions to a user named “mqtt”. As you can see, the subscribe permission is added to allow this client to create QoS 1 subscriptions.

  1.     listen: 127.0.0.1:4222
  2.     jetstream: enabled
  3.     authorization {
  4.             publish = ["baz"]
  5.             subscribe = ["foo", "bar", "$MQTT.sub.>"]
  6.         }
  7.         users = [
  8.             {user: mqtt, password: pass, permissions: $mqtt_perms, allowed_connection_types: ["MQTT"]}
  9.         ]
  10.     }
  11.     mqtt {