Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MQTTv5 doesn't support oauth2 token re-authentication #12719

Closed
AntonSmolkov opened this issue Nov 14, 2024 · 3 comments
Closed

MQTTv5 doesn't support oauth2 token re-authentication #12719

AntonSmolkov opened this issue Nov 14, 2024 · 3 comments

Comments

@AntonSmolkov
Copy link

Describe the bug

The MQTT Plugin documentation states:

RabbitMQ supports most MQTT 5.0 features, including the following:
TLS, OAuth 2.0

However, it seems an important part of the standard is missing—Re-authentication.

Currently, if I send an AUTH packet with a new token on existing connection, I receive an extended_authentication_unsupported error. (source)

I believe this is an essential part of the standard that should be implemented, as it is for AMQP-0-9-1 connections.

For reference, here is the description of the same feature implemented in Azure Event Grid: Authentication using Microsoft Entra JWT.

Reproduction steps

  1. Initialize the MQTT5 connection using the CONNECT method, passing the JWT token in the password field.
  2. Send an AUTH packet with reason code 25 (re-authenticate) and the renewed JWT token.

An error occurs: extended_authentication_unsupported.

Expected behavior

JWT-token of the connection is updated

Additional context

No response
ansd added a commit to rabbitmq/rabbitmq-website that referenced this issue Nov 14, 2024
@ansd
Document MQTT re-authentication limitation
e72e712 
See rabbitmq/rabbitmq-server#12719
@ansd ansd mentioned this issue Nov 14, 2024
Merged
ansd added a commit to rabbitmq/rabbitmq-website that referenced this issue Nov 14, 2024
@ansd
Document MQTT re-authentication limitation
0da41f3 
See rabbitmq/rabbitmq-server#12719
@ansd
Copy link
Member

ansd commented Nov 14, 2024

This is not a bug.
As described in #7263 (comment) the MQTT 5.0 AUTH packet is currently unsupported.

I just updated our documentation to clearly list this limitation:
https://www.rabbitmq.com/docs/mqtt#re-authentication

While RabbitMQ supports OAuth 2.0 token renewal for AMQP 1.0, AMQP 0.9.1, and the RabbitMQ stream protocol, RabbitMQ does currently not support OAuth 2.0 token renewal for MQTT.
If a token expires, RabbitMQ will disconnect the MQTT client with reason code 160: Maximum connect time.

I implemented token renewal for AMQP 1.0 very recently in #12599. This feature will be available in RabbitMQ 4.1.

I implemented MQTT clients being disconnected upon token expiration recently in #11867. This feature got backported to RabbitMQ 4.0.x and RabbitMQ 3.13.x.

@ansd ansd closed this as completed Nov 14, 2024
@ansd ansd removed the bug label Nov 14, 2024
@AntonSmolkov
Copy link
Author

@ansd
Thanks for the clarification!
Any plans to implement this in the future?

@michaelklishin
Copy link
Member

@AntonSmolkov this is open source software you very likely pay nothing for, so you are welcome to contribute the features you need. Asking others "if they have plans" to implement something you need is not how open source software works.

@rabbitmq rabbitmq locked and limited conversation to collaborators Nov 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@michaelklishin @AntonSmolkov @ansd