This documentation is for WSO2 IoT Server 3.1.0.
Configuring WSO2 IoT Server with a Third Party MQTT Broker - IoT Server 3.1.0 - WSO2 Documentation

WSO2 IoT Server is prepackaged with a default broker profile that handles message brokering. This section describes how to use a third-party MQTT broker instead of the default WSO2 IoT Server broker profile. This is useful when the WSO2 IoT Server device management profile runs in a production environment that already operates a third-party MQTT broker.

Implementation

The broker profile enables devices to communicate securely with the WSO2 IoT Server device management profile. By default, the MQTT implementation authenticates a client with basic authentication, which requires the Device Owner's credentials to be hard-coded on the device. This is not a safe device authentication mechanism. Therefore, WSO2 IoT Server recommends OAuth for device authentication and authorization.

To implement authorization, WSO2 IoT Server maintains a topic structure in which each device is associated with a unique topic pattern, shown below. Because the tenant, device type, and device ID are part of the topic, every message can be traced back to the device it belongs to.

<TENANT_DOMAIN>/<DEVICE_TYPE_NAME>/<DEVICE_ID>/...

When a client tries to publish or subscribe to a topic, the device management core profile verifies whether the client is authorized to access that device, as shown in the Device Communication Sequence diagram.

  • Connect to a broker: When a client (e.g. a device or the analytics profile) attempts to connect to the Device Management profile via the Broker profile, the Key Manager authenticates the client through the TokenValidationService.
  • Subscribe/Publish to a topic: Once authenticated, the client attempts to subscribe or publish to a topic by communicating with the Device Management profile. The Device Management profile authorizes the device user through the DeviceAccessAuthorizationService. Once authorized, the client is allowed to publish or subscribe to that topic.


Configurations

Follow the steps below to configure WSO2 IoT Server with a third-party MQTT broker.

  1. Add the following Maven dependency to the authentication module of your MQTT broker so that it can call the TokenValidationService SOAP service.

    <dependency>
       <groupId>org.wso2.carbon.identity</groupId>
       <artifactId>org.wso2.carbon.identity.oauth.stub</artifactId>
       <version>${carbon.identity.oauth.stub.version}</version>
    </dependency>

    This will enable a client stub to access the TokenValidationService. To check out the existing code implementation, see OAuth2BasedMQTTAuthenticator.java.

  2. Call the DeviceAccessAuthorizationService API to authorize the client for the device named in the topic.

    Example:

    curl -X POST https://localhost:8243/api/device-mgt/v1.0/admin/authorization \
      -H 'authorization: Bearer 7e5cad0f-cf78-3981-b50e-db9d674fb741' \
      -H 'content-type: application/json' \
      -d '{"tenantDomain":"carbon.super","username": "ayyoob","deviceIdentifiers":[{"id":123, "type":"firealarm"}]}'

    To check out the existing code implementation, see DeviceAccessBasedMQTTAuthorizer.java.
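    The following added example (not WSO2 code) ties the topic structure from the Implementation section to the authorization call in step 2: it derives the device identifier from a <TENANT_DOMAIN>/<DEVICE_TYPE_NAME>/<DEVICE_ID>/... topic and builds the JSON body shown in the curl example. The tenant-prefix comparison and the rejection of MQTT wildcards in the identifying segments are this example's own deny-by-default policy, and the device id is passed as the topic string rather than the numeric literal used in the curl example.

```python
"""Added illustration, not part of WSO2 IoT Server: map an MQTT topic to a
DeviceAccessAuthorizationService request body of the shape used on this page."""
import json
from typing import Optional

# Topic layout documented on this page: <TENANT_DOMAIN>/<DEVICE_TYPE_NAME>/<DEVICE_ID>/...
MIN_SEGMENTS = 3


def parse_device_topic(topic: str) -> Optional[dict]:
    """Return {"tenantDomain", "type", "id"} taken from the first three topic
    segments, or None when the topic does not name exactly one device: too few
    segments, an empty segment, or an MQTT wildcard ('+' or '#') in one of the
    three identifying positions (policy chosen for this example)."""
    segments = topic.split("/")
    if len(segments) < MIN_SEGMENTS:
        return None
    tenant, dev_type, dev_id = segments[:MIN_SEGMENTS]
    for seg in (tenant, dev_type, dev_id):
        if not seg or "+" in seg or "#" in seg:
            return None
    return {"tenantDomain": tenant, "type": dev_type, "id": dev_id}


def build_authorization_request(topic: str, token_tenant: str, username: str) -> Optional[str]:
    """Build the JSON body for POST /api/device-mgt/v1.0/admin/authorization.

    token_tenant and username are assumed to come from the validated OAuth token,
    never from the client message. Returns None (deny) when the topic cannot be
    mapped to a single device or its tenant prefix differs from the token's tenant;
    that tenant check is this example's assumption, not stated by the page."""
    parsed = parse_device_topic(topic)
    if parsed is None or parsed["tenantDomain"] != token_tenant:
        return None
    body = {
        "tenantDomain": token_tenant,
        "username": username,
        "deviceIdentifiers": [{"id": parsed["id"], "type": parsed["type"]}],
    }
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample topics: one concrete device, one wildcard subscription.
    print(build_authorization_request("carbon.super/firealarm/123/events", "carbon.super", "ayyoob"))
    print(build_authorization_request("carbon.super/firealarm/+/events", "carbon.super", "ayyoob"))
```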
