Advice on Keycloak endpoint for JWT token validation using client credential flow

Getting advice
#1

Hi All

I am trying to implement a MQTT based prototype wherein, I am using a raspberry device as client and Keycloak as the authentication server.

In order to publish/subscribe a message, the client request for access token (via a function in python script directly from Keycloak) and this token is then passed to another function so as to connect to the broker. Note that the access token is passed as as a “username” parameter and password parameter is left blank as suggested here.

In addition to this, I have also configured go-auth plugin to enable Oauth2 and openid in broker.

go-auth_conf
go-auth_conf1637×843 123 KB

Consequently, when I run the python script, the log file simple returns the following message:

2022-07-13T13:46:58: New connection from 95.154.23.16:34227 on port 1883.
2022-07-13T13:46:58: Client Publisher disconnected, not authorised.

I would like to know if i am referencing to the wrong endpoint for token validation as the “userinfo” endpoint simply does nothing to authenticate the client!

I am happy to provide more info if needed. Eager to hear some pointers/suggestions from the community.

#2

Not familiar with mosquito or go-auth at all, but judging from the docs here (GitHub - iegomez/mosquitto-go-auth: Auth plugin for mosquitto.) I believe go-auth is more suitable for a JWT with a backend API for validation.

It doesn’t seem to be an oatuh2 client.

I suppose you could try this other plugin which seem more aware of oath2 protocol: GitHub - N5GEH/n5geh.tutorials.mosquitto_with_oauth2-

If you need to stick with go-auth (JWT only), maybe you can write a simple backend service to adapt the JWT check against Keycloak.

#3

Thanks for the suggestion for simple backend service. I was also wondering if i was using the right token validation endpoint. i am currently using the one which ends with …/userinfo. However, i see that it is not validating the token as i am not able to access the broker.

i have also tried the …/introspect endpoint but that claims that my authentication failed despite using the token derived from ////token endpoint!

FYI, I am using keycloak v.15