This documentation is for WSO2 IoT Server 3.1.0. View the documentation for the latest release.
Configuring WSO2 IoT Server with a Third Party MQTT Broker - IoT Server 3.1.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

WSO2 IoT Server is prepackaged with a default broker profile to handle message brokering. This section presents how you can use a third party MQTT broker instead of the default WSO2 IoT Server broker profile. This is useful when running the WSO2 IoT Server device management profile in a production environment that already uses a third party MQTT broker.


The broker profile enables devices to communicate with the WSO2 IoT Server device management profile in a secure fashion. MQTT implementation by default uses basic auth to authenticate a client and it requires hard coding Device Owner credentials to the device. This is not a safe device authentication mechanism. Therefore, WSO2 IoT Server recommends OAuth for device authentication and authorization. 

To implement authorization, WSO2 IoT Server maintains a topic structure, where each device is associated with a unique topic pattern as shown below. You can trace a device using this approach.


When a client tries to publish/subscribe to a topic, the device management core profile verifies whether the client is authorized to access the device as shown in the Device Communication Sequence diagram. 

  • Connect to a broker: When a client (e.g., device, analytics profile) attempts to connect to the Device Management profile via the Broker profile, the Key Manager authenticates the client via the TokenValidationService service.
  • Subscribe/Publish to a topic:  Once authenticated, the client attempts to subscribe/publish to a topic by communicating to the Device Management profile. The Device Management profile authorizes the device user via the DeviceAccessAuthorizationService service. Once authorized, the device is granted publishing/subscribing to the topic. 


Follow the steps below to configure WSO2 IoT Server with a third-party MQTT broker.

  1. Copy the following code snippet to the TokenValidationService SOAP service of the respective MQTT broker.


    This enables a client stub to access the TokenValidationService. To check out the existing code implementation, see

  2. Call the DeviceAccessAuthorizationService API, to authorize the client.


    curl -X POST https://localhost:8243/api/device-mgt/v1.0/admin/authorization -H 'authorization: Bearer 7e5cad0f-cf78-3981-b50e-db9d674fb741' -H 'content-type: application/json' -d '{"tenantDomain":"carbon.super","username": "ayyoob","deviceIdentifiers":[{"id":123, "type":"firealarm"}]}'

    To check out the existing code implementation, see

  • No labels