
How to differentiate devices/users on mosquitto? #1645

Open
NervenCid opened this issue Apr 1, 2020 · 3 comments

Comments

@NervenCid

Hello:

I'm developing a web app with the MQTT protocol using mosquitto; from my limited understanding, the pub/sub logic is of the form

mosquitto_pub -h <host> -p <port> -t <topic> -m "message"

and

mosquitto_sub -h <host> -p <port> -t <topic>

I read that it is possible to set a username and password, but if I understand correctly that is for the entire broker server. I need to differentiate each device/user (in the app, a user can create/delete multiple unique devices with their own different measurements, but the topics could be the same between users or devices), and make it difficult for a third party to access data via the console (knowing only the topic, assuming the topic name could be the same between users/devices). I wonder if it is possible to use tokens, OAuth, or something similar on mosquitto.

Thank you, and sorry for my English.

@karlp
Contributor

karlp commented Apr 1, 2020

This is not really a mosquitto issue, but an MQTT design issue, and would be a more appropriate question on the generic MQTT mailing list. That said, one of the common approaches is to require a "user id" of some form at the beginning of the topic, and use ACLs to restrict access based on that. Another approach is to "mount" each user to their own subtree. This is effectively the same, it just appears different to the users.

@ptjm

ptjm commented Apr 29, 2020

There are really two questions here, one of which is a mosquitto question.
Natively, mosquitto supports authentication in two forms: through a simple username/password passed through the connect message and validated against a flat file, and through x509 certificates with the user name embedded in the common name. It also supports a plugin mechanism, and there are third-party plugins available, including at least one for oauth. I have no idea how well any of these third-party plugins work. Mosquitto also supports ACLs natively, and has a plugin mechanism for access control.

About topics, it's not clear to me what you're trying to achieve, but I suggest you design your topics based on the message recipients. If you need to send a message to a device, build a device id into the topic. If you need to send messages to some application, have all the devices publish to the application's topic and build the device id into the payload. Access control works against topics, so you need to have distinct topics for distinct users, although as Karl says there are ways to hide that at the broker level. My opinion is you're better off keeping the broker configuration simple and building the user name into the topic.

@NervenCid
Author

Thank you for your answer, and sorry for my English:

My idea is to differentiate each user and device from the others so that they are unique and cannot be reached easily from outside.

However, I see that only a single user and a single password are possible in the configuration, so I tried this approach when designing the topic:

user:id/device:id/topic_1/topic_2/.../topic_n

where user:id and device:id can be taken from the database or backend.

But I don't know if this approach is good.

Thank you
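To make the per-user prefix idea concrete, here is an added example (not code from this thread or from the mosquitto project) of the authorization check a broker ACL or auth plugin has to perform for the `user:id/device:id/...` scheme proposed above. In mosquitto's own acl_file the user case is one line, `pattern readwrite %u/#` (with `%c` for a client id instead), and the `OWNED_PREFIX` table below is a constructed stand-in for what the backend database would provide; the subtle part shown is that subscription filters containing `+` or `#` must be refused unless every topic they could match lies under the caller's own prefix.

```python
# Per-principal topic authorization for the scheme <user>/<device>/<subtopic...>.
# Constructed sample of what the backend would hand the broker: MQTT username ->
# the topic levels that principal owns. A web user owns its whole subtree, a
# device (connecting with its own credentials) owns only its own subtree.
OWNED_PREFIX = {
    "user:17": ["user:17"],
    "user:17/device:3": ["user:17", "device:3"],
}


def _valid_topic(levels, subscribing):
    """Apply MQTT wildcard rules: '+' and '#' must occupy a whole level, '#'
    must be last, and neither may appear in a publish topic at all."""
    for i, lvl in enumerate(levels):
        if lvl == "#":
            if not subscribing or i != len(levels) - 1:
                return False
        elif lvl == "+":
            if not subscribing:
                return False
        elif "#" in lvl or "+" in lvl:
            return False
    return True


def authorized(username, topic, subscribing):
    """True if `username` may publish to (subscribing=False) or subscribe with
    (subscribing=True) the given topic or topic filter."""
    prefix = OWNED_PREFIX.get(username)
    if prefix is None:
        return False  # unknown principal: deny by default
    levels = topic.split("/")
    if not _valid_topic(levels, subscribing):
        return False
    # Every owned level must appear literally in the filter. A '+' or '#' in
    # one of those positions would match other users' or devices' topics,
    # which is exactly what a third party guessing a shared topic name tries.
    return levels[: len(prefix)] == prefix
```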
