This client supports the mqtt-tls profile for ACE (Authentication and Authorization for Constrained Environments) described here.
The client needs to be registered with an ACE AS server and requires an MQTT broker that supports ACE authentication. There are existing implementations:
- A modified version of the HiveMQ CE because currently the official broker doesn't expose the extended authentication features to extensions. There is an implementation here
- A fully v5 compliant MQTT client that supports ACE, which can be found here
- An ACE authorization server running OAuth2, which can be found here
This library mainly provides the three different implementations of Mqtt5EnhancedAuthMechanism, the basic interface for providing extended authentication support for a HiveMQ MQTT client:
- EnhancedNoAuthDataMechanism: Includes no data in the in the payload of the CONNECTv5 packet, in order to discover the ACE AS server IP address from the broker and disconnect.
- EnhancedAuthDataMechanism: Includes both the token and the POP key in the payload of the CONNECTv5 packet, in order to authenticate with the broker without a challenge response.
- EnhancedAuthDataMechanismWithAuth: Includes only the token in the payload of the CONNECTv5 packet, in order to authenticate with the broker using a challenge AUTH.
Each of the above has a use case implemented in the examples directory.
- DiscoverAS: Uses EnhancedNoAuthDataMechanism to discover the AS Server IP address and then authenticates using EnhancedAuthDataMechanism to the broker.
- ExtendedAuthentication: Uses EnhancedAuthDataMechanism or EnhancedAuthDataMechanismWithAuth according to the value of ExtendendAuthWithChallenge in the config.properties file.
You need to configure the client and then just run the examples
- Register a client with the ACE AS server. Take a note of the client id and secret
- Record the client id and secret in the config.properties file under examples/src/main/resources, along with the details for the AS and RS server.
- Give appropriate policies to the client to subscribe or publish into a specific topic, using the ACE AS server API
- Create a client certificate and register it with the broker's trust store
- Run any of the use cases provided