LWT not sent when a client loses connection or JWT token expires #215

Closed
Smiche opened this issue Nov 23, 2021 · 9 comments


Smiche commented Nov 23, 2021

Using an mqttjs 4.2.8 client with a will:

  will: {
    topic: 'offline',
    payload: 'username',
    qos: 2,
    retain: true
  }

Mosquitto broker version: 2.0.12
mosquitto-go-auth plugin version: latest from master branch

Relevant configuration:

per_listener_settings true
allow_anonymous false

listener 9001
protocol websockets

# AUTH PLUGIN
auth_plugin /usr/lib/go-auth.so
auth_opt_backends jwt
auth_opt_jwt_mode remote
auth_opt_jwt_host keycloak
auth_opt_jwt_with_tls false
auth_opt_jwt_port 8080
auth_opt_jwt_getuser_uri /auth/realms/minsn/protocol/openid-connect/userinfo
auth_opt_jwt_aclcheck_uri /auth/realms/minsn/protocol/openid-connect/userinfo

# Listener for debugging
listener 1883
protocol mqtt

password_file /mosquitto/config/auth.pass

When a user disconnects ungracefully, e.g. app terminated, the LWT is not sent on the authed listener.

When a token expires the connection remains open and the client doesn't receive any errors (unless a new sub or pub is attempted). In this case LWT is not sent either.

Possibly this issue is related to #106 and resolving it might fix this too.

Owner

iegomez commented Nov 23, 2021

Thanks for bringing this up, @Smiche.
I see there's interest in supporting this now and will try to come back to it when I get some time.

Author

Smiche commented Nov 24, 2021

Actually this might be an issue with mosquitto itself.
I will upgrade to 2.0.13 and try again.

Owner

iegomez commented Nov 24, 2021

For the first issue, that makes sense, but I haven't implemented client disconnection on JWT token expiration, so that's on me. 😄

Author

Smiche commented Nov 24, 2021

Upgrading to 2.0.14 has resolved the LWT issue.

For the no-disconnect issue, if using an ACL endpoint that stops permission once the token expires, the client can constantly send a PING, and if an error is sent back (as Not Authorized) the client can disconnect itself. If using a file ACL with jwt user auth, then the client will be able to send all the time and never disconnect, which is actually fine for our use case.

However it might be more convenient to support a timeout (configurable on/off + field name?) from the token with the standard exp field.

I looked at the library a bit and I suppose the disconnect can be done by getting the exp field from the token (even in remote mode?) and starting a new goroutine that will sleep until the token expires and then disconnects the user; if before that happens the same username (from jwt field) logs in, then the routine is restarted with the updated time. Maybe something I can also try.

Or the other implementation method suggested in the other issue.

I think this issue should be ok to close as it does not relate to the plugin.
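
The timer-per-username idea from the comment above, as an added Go example (not code from the mosquitto-go-auth plugin or from either commenter). `ExpiryWatch`, `ExpOf`, `Track` and the `Kick` hook are hypothetical names, how the plugin would actually make Mosquitto drop a session is assumed, and `sync.Map.Swap` needs Go 1.20 or later.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ExpiryWatch holds one pending disconnect timer per username (hypothetical type).
type ExpiryWatch struct {
	timers sync.Map              // username -> *time.Timer
	Kick   func(username string) // assumed hook that drops the broker session
}

// ExpOf reads exp from the payload WITHOUT verifying the signature: use it
// only on a token the auth backend has already accepted.
func ExpOf(token string) (time.Time, error) {
	var claims struct{ Exp *float64 `json:"exp"` }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	if err != nil || claims.Exp == nil { // no deadline: refuse to schedule
		return time.Time{}, errors.New("no usable exp claim")
	}
	return time.Unix(int64(*claims.Exp), 0), nil
}

// Track arms the timer; a re-login swaps in the new deadline, past exp kicks at once.
func (w *ExpiryWatch) Track(username, token string) error {
	exp, err := ExpOf(token)
	if err != nil {
		return err
	}
	t := time.AfterFunc(time.Until(exp), func() { w.Kick(username) })
	if old, ok := w.timers.Swap(username, t); ok {
		old.(*time.Timer).Stop() // cancel the previous token's deadline
	}
	return nil
}

func main() { fmt.Println(ExpOf("eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjF9.sig")) } // constructed token, exp=1
```

A token without a usable `exp` is rejected rather than left connected indefinitely, and a timer that has already fired stays in the map until the same username logs in again.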

Owner

iegomez commented Nov 24, 2021

@Smiche I'm glad upgrading solved the LWT issue!

I'm gonna leave the issue open for a few days as a reminder to myself, I think I might get some time later this week.

Owner

iegomez commented Mar 11, 2022

@Smiche I never got the time to go back to disconnecting users on expired tokens, but I may do so some time in the next few weeks. Do you think this is still relevant (I'd need to go over Mosquitto changes and options to do so again, I really haven't checked this in a long time) or is there a reasonable workaround for it from your experience?

Author

Smiche commented Mar 11, 2022

The way I went around it was to use acl from a file which gives full access to all topics and still use jwt for user auth. Now when a token expires nothing happens. This works for our use case at the moment, but disconnecting clients after a token expires would be definitely better.

Owner

iegomez commented Mar 11, 2022

Gotcha, I'll keep it open then. Thanks!

Owner

iegomez commented Jun 10, 2022

I'm gonna close this issue in favor of #106.
