[Feature Request] JWT Token Validation #2084

Open
1 task done
mths1 opened this issue Feb 8, 2023 · 1 comment

Comments

@mths1
Contributor

mths1 commented Feb 8, 2023

Describe your issue or feature request

JWT (Java Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It is often used for authentication and authorization purposes as the encoded JWT can be securely passed between client and server, or between different servers.

In an MQTT context, JWT can be used to provide authentication and authorization for clients connecting to an MQTT broker. The client can present a JWT token to the broker as part of the connect message, which the broker can then validate to ensure the client has the necessary permissions to access the broker's resources.

To validate a JWT token, the recipient (e.g. the MQTT broker) needs to verify its signature using the secret key that was used to sign the token. This ensures that the token was not tampered with during transit and that it was indeed issued by a trusted source. The recipient also checks the claims contained in the token to ensure they are still valid and that the token has not expired. If the signature and claims are valid, the recipient can then use the information contained in the token to enforce access control rules and allow or deny access to specific topics based on the client's authorization level.

Describe the solution you'd like

MVP:

  • JWT token is provided as password (without a username, or a pre-selected username)
  • JWT token is validated based on local secrets and/or public keys
  • Must work with common token issuers (e.g. Azure AD)

Describe alternatives you've considered

(btw: they have some other nice things as well which might be worthwhile to consider for VerneMQ, instead of keeping it in a fork)

Environment

  • VerneMQ Version:
  • OS:
  • Erlang/OTP version (if building from source):
  • Cluster size/standalone:

Add any other context, code samples or screenshots about the issue report here.

No response

Code of Conduct

  • I agree to follow the VerneMQ's Code of Conduct
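Added example (not code from the issue or from VerneMQ): a stdlib-only sketch of the MVP described above, where the JWT arrives as the MQTT CONNECT password, is verified with a locally configured HS256 secret, has its exp/nbf claims checked, and a constructed `mqtt_pub` claim is mapped to topic permissions. The claim name, the secret, the sample token and the hook function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issuer side, only here to build constructed sample tokens for the demo."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def validate_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Broker side: pin the algorithm, verify the HS256 signature with the local secret,
    then check exp/nbf. Returns the claims, or None to reject the connection."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # never trust the header's choice
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError):  # bad structure, base64, JSON or non-object header
        return None
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None  # a token without exp is treated as invalid
    if now < claims.get("nbf", 0):
        return None
    return claims


def authenticate_connect(username: str, password: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """MVP from the issue: the JWT travels in the CONNECT password; the username is ignored."""
    return validate_jwt(password, secret, now)


def topic_allowed(claims: dict, topic: str, claim: str = "mqtt_pub") -> bool:
    """Map the assumed 'mqtt_pub' claim (topic filters, '#' only as a trailing level) to an ACL decision."""
    for pattern in claims.get(claim, []):
        if pattern.endswith("/#") and (topic == pattern[:-2] or topic.startswith(pattern[:-1])):
            return True
        if topic == pattern:
            return True
    return False
```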
@ioolkos
Contributor

ioolkos commented Feb 9, 2023

A quick GitHub search shows the following JWT plugins for VerneMQ:

We have also done very customized JWT/token plugins for customers. (closed source; but can contribute the experience gained)

I'm not against adding an official JWT plugin. Since it was said that "Enterprise ready brokers" should have the feature, to be honest, though, I'd expect some funding/financial support from enterprise users too ;) (this is a very benevolent and general remark, not directed at @mths1, and spoken with no entitlement; I really welcome feature proposals)


👉 Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq
👉 Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.
