WSO2 IoT Server is prepackaged with a default broker profile that handles message brokering. This section describes how to use a third-party MQTT broker instead of the default WSO2 IoT Server broker profile. This is useful when you run the WSO2 IoT Server device management profile in a production environment that already has a third-party MQTT broker.
The broker profile lets devices communicate with the WSO2 IoT Server device management profile securely. By default, the MQTT implementation authenticates clients with basic auth, which requires hard-coding the Device Owner's credentials on the device. Because a credential stored on the device can be extracted and reused, this is not a safe device authentication mechanism. WSO2 IoT Server therefore recommends OAuth for device authentication and authorization.
To implement authorization, WSO2 IoT Server maintains a topic structure in which each device is associated with a unique topic pattern, as shown below. Because the pattern identifies the device, you can trace a device by its topics.
When a client tries to publish or subscribe to a topic, the device management core profile verifies that the client is authorized to access that device, as shown in the Device Communication Sequence diagram.
- Connect to a broker: When a client (for example, a device or the analytics profile) attempts to connect to the Device Management profile through the Broker profile, the Key Manager authenticates the client via the TokenValidationService.
- Subscribe/Publish to a topic: Once authenticated, the client attempts to subscribe or publish to a topic by communicating with the Device Management profile. The Device Management profile authorizes the device user via the DeviceAccessAuthorizationService. Only once authorized is the client permitted to publish or subscribe to that topic.
Follow the steps below to configure WSO2 IoT Server with a third-party MQTT broker.
Copy the following code snippet into the authentication hook of your MQTT broker so that it can call the TokenValidationService SOAP service.
This gives the broker a client stub for the TokenValidationService. For the existing implementation, see OAuth2BasedMQTTAuthenticator.java.
Call the DeviceAccessAuthorizationService API to authorize the client for the requested topic.
For the existing implementation, see DeviceAccessBasedMQTTAuthorizer.java.
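The two-step sequence described above (connect, then publish/subscribe) and the two configuration steps just listed, shown as an added Python sketch of a broker authentication/authorization hook. This is not WSO2 code and not either of the referenced Java classes: the token store, the device-owner registry, the scope names and the `tenant/deviceType/deviceId/...` topic pattern are constructed assumptions that stand in for the real TokenValidationService and DeviceAccessAuthorizationService calls.

```python
"""Added sketch of an MQTT broker hook that (1) validates a bearer token on
CONNECT and (2) authorizes each PUBLISH/SUBSCRIBE against the device topic.
The stand-in services and the topic pattern below are constructed assumptions,
not WSO2 IoT Server's actual topic structure or service contracts."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    """Result of token validation (assumed shape of a TokenValidationService reply)."""
    valid: bool
    username: str = ""
    scopes: tuple = ()


# Constructed token store standing in for the Key Manager's TokenValidationService.
_TOKENS = {
    "token-for-alice": TokenInfo(True, "alice", ("device_publish", "device_subscribe")),
    "expired-token": TokenInfo(False),
}


def validate_token(access_token: str) -> TokenInfo:
    """Stand-in for the TokenValidationService client stub: unknown tokens are invalid."""
    return _TOKENS.get(access_token, TokenInfo(False))


# Constructed device-owner registry standing in for DeviceAccessAuthorizationService.
_DEVICE_OWNER = {
    ("android", "dev-001"): "alice",
    ("raspberrypi", "dev-002"): "bob",
}


def is_user_authorized(username: str, device_type: str, device_id: str) -> bool:
    """Stand-in for DeviceAccessAuthorizationService: only the owner may access a device."""
    return _DEVICE_OWNER.get((device_type, device_id)) == username


# Hypothetical per-device topic pattern: <tenant>/<deviceType>/<deviceId>[/<suffix>].
# Each level excludes '/', '+' and '#', so MQTT wildcards never match a device.
_TOPIC_RE = re.compile(r"^(?P<tenant>[^/+#]+)/(?P<type>[^/+#]+)/(?P<id>[^/+#]+)(/.*)?$")


class BrokerAuthHook:
    """Minimal model of the broker-side authenticator plus authorizer."""

    def __init__(self) -> None:
        # client_id -> TokenInfo for clients that passed CONNECT authentication.
        self._sessions: dict = {}

    def on_connect(self, client_id: str, access_token: str) -> bool:
        """CONNECT: authenticate the client via token validation (step 1)."""
        info = validate_token(access_token)
        if not info.valid:
            return False
        self._sessions[client_id] = info
        return True

    def on_topic_access(self, client_id: str, topic: str, action: str) -> bool:
        """PUBLISH/SUBSCRIBE: authorize the authenticated user for one device topic (step 2).

        action is "publish" or "subscribe"; anything else is denied.
        """
        info = self._sessions.get(client_id)
        if info is None:
            return False  # never authenticated on this connection
        if f"device_{action}" not in info.scopes:
            return False  # token was not issued for this kind of access
        match = _TOPIC_RE.match(topic)
        if match is None:
            return False  # malformed topic or wildcard: cannot be tied to one device
        return is_user_authorized(info.username, match["type"], match["id"])


def run_sequence() -> dict:
    """Drive the hook through the connect -> publish/subscribe sequence for inspection."""
    hook = BrokerAuthHook()
    return {
        "alice_connect": hook.on_connect("c1", "token-for-alice"),
        "expired_connect": hook.on_connect("c2", "expired-token"),
        "alice_own_device": hook.on_topic_access(
            "c1", "carbon.super/android/dev-001/operation", "publish"),
        "alice_other_device": hook.on_topic_access(
            "c1", "carbon.super/raspberrypi/dev-002/operation", "subscribe"),
        "alice_wildcard": hook.on_topic_access(
            "c1", "carbon.super/android/+/operation", "subscribe"),
    }


if __name__ == "__main__":
    for name, allowed in run_sequence().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two design points carry over to a real broker plugin: the authorizer consults the session established at CONNECT rather than trusting anything in the PUBLISH/SUBSCRIBE packet, and the topic pattern deliberately rejects MQTT wildcards, since a subscription such as `tenant/android/+/...` could not be mapped to a single device for the authorization check.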