You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This creates a server listening for MQTT messages on port 9999. __mosca__ allows you to override the 3 functions used to authenticate and authorize operations.
58
62
59
-
In this sample, we are using a very simple module `Auth0Mosca` to perform these functions. Auth0 is wired up to __mosca__in the `Setup` function.
63
+
In this sample, we are using a very simple module `Auth0Mosca` to perform these functions. Auth0 is wired up to __mosca__immediately,
60
64
61
65
###The Auth0Mosca module
62
66
63
-
This little module provides the 3 functions used by __mosca__:
67
+
This little module provides the 3 functions used by __mosca__, `authenticate`, `authorizePublish` and `authorizeSubscribe`:
Here we are using the [OAuth2 Resource Owner Password Credential Grant](https://docs.auth0.com/protocols#9) to authenticate the broker and all connections to it. Each time a `publisher` or a `subscriber` send a CONNECT message to the broker the `authenticate` function is called. In it we call the Auth0 endpoint and forward the device `username`/`password`. Auth0 validates this against it's account store (that is the first `request.post` in the code). If successful, it parses the Json Web Token for the device profile and adds it to the `client` object that represents either the `subscriber` or the `publisher`. Thats's done in the `jwt.verify` call.
135
+
Here we are using the [OAuth2 Resource Owner Password Credential Grant](https://docs.auth0.com/protocols#9) to authenticate the broker and all connections to it. Each time a `publisher` or a `subscriber` send a __CONNECT__message to the broker the `authenticate` function is called. In it we call the Auth0 endpoint and forward the device's`username`/`password`. Auth0 validates this against it's account store (that is the first `request.post` in the code). If successful, it validates and parses the Json Web Token to obtain the device profile and adds it to the `client` object that represents either the `subscriber` or the `publisher`. Thats's done in the `jwt.verify` call.
132
136
133
137
By convention, all devices connected to the broker have an account in Auth0:
134
138
135
139
136
140
137
-
Notice that the Device profile has also a property `topics`. This is an array with all topics this particular device is allowed to. In the screenshot above, `thermostat-1a` will be allowed publishing to topics `temperature` and `config`.
141
+
Notice that the Device Profile also has a property `topics`. This is an array with all topics this particular device is allowed to. In the screenshot above, `thermostat-1a` will be allowed publishing (or subscribing) to topics `temperature` and `config`.
138
142
139
-
The `authorizePublish` and `authorizeSubscribe` functions simply check that a particular topic is present in this list.
143
+
The `authorizePublish` and `authorizeSubscribe` functions simply check that a particular requested topic is present in this list.
140
144
141
145
###The Publisher
142
146
143
-
For this sample, the publisher is a simple nodejs program that uses the `mqtt` module. And adds the right credentials:
147
+
For this sample, the publisher is a simple nodejs program that uses the `mqtt` module, and adds the right credentials:
144
148
145
149
```
146
150
var mqtt = require('mqtt')
@@ -171,7 +175,7 @@ function sendTemperature(client){
171
175
}
172
176
```
173
177
174
-
Of course `username` & `password` here will have to match whatever it is stored in Auth0.
178
+
Of course `username` & `password` here will have to match whatever is stored in Auth0.
This shows how easy it is to use Auth0 in various sceanrios. Auth0's user store is being used to manage devices. Of course much more sophisticated authorization rules could be written based on other conditions: time, location, deviceId, etc. All these would be very simple to implement, either through additional profile attributes or through [Auth0 Rules](rules). This also shows how the flexible Auth0 Profile can be extended to support arbitrary artifacts (e.g. `topics` in the example).
213
+
This shows how easy it is to use Auth0 in various scenarios. Auth0's user store is being used to manage devices. Of course much more sophisticated authorization rules could be written based on other conditions: time, location, device_id, etc. All these would be very simple to implement, either through additional profile attributes or through [Auth0 Rules](rules). This also shows how the flexible Auth0 Profile can be extended to support arbitrary artifacts (e.g. `topics` in the example).
209
214
210
-
> Caveats: it is never a good idea to send credentials (`username`/`password`) over unsecured networks. There are other implementations that provide transport level security that would prevent message contents to be revelead. __mosca__ supports TLS as an example. Likely a production deployment would prefer this, unless all traffic happens in a closed network.
215
+
> Caveats: it is never a good idea to send credentials (`username`/`password`) over unsecured networks. There are other implementations that provide transport level security that would prevent message contents to be revelead. __mosca__ supports TLS as an example. Likely a production deployment would favor this, unless all traffic happens in a closed network.
0 commit comments