Enhancement : use client IP address for authentication

[malakaisbest]

I have an idea about using the Client IP address with the user password for MQTT authentication.

currently I'm using ,MySQL backend for the authentication. to use the MQTT WebSocket feature I create a dynamic username password (with Topic) from the PHP side and send it to the frontend.
when I enter that username and password to the DB I'm adding an extra parameter for expiry time. then another cron job runs periodically and removes expired credentials from the DB.
but frontend users can view (inspect element or HTML source code) and use the credentials before they expiry.

I think if we can add the IP address to the database when creating credentials, the MQTT broker backend can check client credentials with the IP of the client.

and I know, that front-end users can use the same IP as the original web socket computer. but I think using this we can add extra security for the MQTT.

Thank you all.

[mvandenabeele]

This would be great. I'd like to use this to allow anonymous access from internal IPs but require login for connections coming from the internet.

[iegomez]

Sorry, I missed this request entirely. I remember having this exact same use case long ago and it was the reason for creating the plugin. That's how the JWT backend was born, using short lived tokens that the client would use to authenticate through Mosquitto websockets, backed by (in my case, any of the existing DB backends is supported) a Postgres DB.

Have you given that alternative a try?

[iegomez]

Also, following #240, I might consider adding anonymous users support with some user given username/password for replacements, but it wouldn't be quick: I'd really need to go over everything to ensure there are no security concerns.

[malakaisbest]

I'm not an expert in this kind of development.
but I think some people can use the JWT token with their external application before it expires.
I go through the source code and cannot find a mechanism to get the client's IP address information on the MQTT authentication process.

if the MQTT broker can pass the source IP address to the backend we can improve the authentication mechanism.

[iegomez]

To get the client's address you'd need to somehow pass it along the client's id.
I also found out that the plugin could get it from Mosquitto: eclipse-mosquitto/mosquitto#1252
But implementing that and passing it along through the backends is no easy task, it's a major enhancement.

That's why I was suggesting an alternative route where you don't care about client's addresses but instead have the backend of your application hand a JWT token on login, and then leverage the JWT backend of the plugin to auth the user on your broker. That way you're not directly passing credentials from the FE when establishing the MQTT websocket connection.

[mvandenabeele]

I'm not using websockets for this projects, and I can't change the clients. Some can have login credentials and others can't. Those that can't should only work in our own network, event when the broker is also facing the internet. Because I can't change the broker address, I thought the IP-address would be the easiest way to do this, but I don't know much about the mosquitto implementation. It would be great if this were possible, but I understand this is not a feature many people would need. I'm willing to help where I can.

[malakaisbest]

found this article for IP auth
mosquitto_auth_by_ip

[iegomez]

I thought you were using websockets from this:

currently I'm using ,MySQL backend for the authentication. to use the MQTT WebSocket feature I create a dynamic username password (with Topic) from the PHP side and send it to the frontend.

Anyway, I could enable both anonymous users and passing along the client's address with the help of mosquitto_client_address, but as said it's not a trivial task and would take me some time.

[iegomez]

I'm closing this issue based on lack of response for a long time. Feel free to reopen it if it's still a concern.

[nlsrchtr]

Hi @iegomez,

thanks for putting so much effort in this fantastic plugin. I was happy finding it and it works very nice.

I'm running MQTT in the usual IoT space and would like to be able to limit the authentication by IP addresses (like ranges or on a per client base) and on the other side get to know the local IP addresses from the clients to track those for debugging reasons. We are running in the local network, but are not aware of the IP addresses of the MQTT clients in the network. They might come and go and change also from time to time.

Since your project looked like the Swiss Army Knife for MQTT, I found this feature request and was wondering if you would reconsider implementing this. I would be very happy to run some real-life tests with a dedicated branch etc.

From my perspective it would be very nice to have it as additional information like the client_id in the request details for the authentication provider. Since I'm not a Go developer, I could suggest to extend the documentation accordingly.

What are your thoughts?

[iegomez]

Sorry, @nlsrchtr, but probably not ion the near future. End of year is quite messy and I have a lot going on, I don't have the time to implement anything big at the moment.

[nlsrchtr]

@iegomez, fully understood! I wasn't expecting anything soon - especially not in this year. If was hoping more for the re-opening of this feature request and maybe I find some time and could prepare a PR in the meantime to ease the way for you a bit.