[Bug] Extended authentication callbacks not called
Hi there,
For context, I want to extend the TLS authentication to perform an additional check on the MQTT clients. The certificates for each MQTT client have a CN with the format "{device_type}-{device_uuid}.local" and I want to make sure that the device_uuid matches the client id that is sent to the MQTT broker (or alternatively, generate a client id for that MQTT client based on the device_uuid on the CN).
However, after some testing, the only callbacks that are invoked are the MOSQ_EVT_ACL_CHECK and MOSQ_EVT_MESSAGE, the other callbacks are never called. Am I missing some step to enable the extended authentication or is it a bug?
MOSQ_EVT_EXTENDED_AUTH is called when a MQTT v5 client tries to authenticate using the MQTT v5 extended authentication process only. It is not a general "do more authentication checks" callback.
You should do your checks in MOSQ_EVT_BASIC_AUTH. You'll be able to access the client certificate by using mosquitto_client_certificate() - see the details in https://mosquitto.org/api/files/mosquitto_broker-h.html#mosquitto_client_certificate.
What version of Mosquitto are you using?
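The CN check described in the question, as an added example that is not part of the thread or of Mosquitto's code. The helper name `cn_matches_client_id` is hypothetical, and the sketch assumes the UUID is in canonical 8-4-4-4-12 form and that the CN and client id have already been obtained as C strings:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UUID_LEN 36
#define CN_SUFFIX ".local"

/* Returns 1 if s[0..35] has the canonical 8-4-4-4-12 hex UUID shape. */
static int is_uuid(const char *s)
{
    for (size_t i = 0; i < UUID_LEN; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical helper: returns 1 only when cn is
 * "{device_type}-{device_uuid}.local" and device_uuid equals client_id
 * byte for byte. The UUID is taken from the end of the CN because both
 * device_type and the UUID may contain '-'. In a plugin, cn would come
 * from the certificate returned by mosquitto_client_certificate() and
 * client_id from mosquitto_client_id(); a 0 here would map to MOSQ_ERR_AUTH. */
int cn_matches_client_id(const char *cn, const char *client_id)
{
    if (cn == NULL || client_id == NULL) return 0;
    size_t cn_len = strlen(cn), suffix_len = strlen(CN_SUFFIX);
    /* At least one device_type char, '-', the UUID and the suffix. */
    if (cn_len < 2 + UUID_LEN + suffix_len) return 0;
    if (strcmp(cn + cn_len - suffix_len, CN_SUFFIX) != 0) return 0;
    const char *uuid = cn + cn_len - suffix_len - UUID_LEN;
    if (uuid[-1] != '-' || !is_uuid(uuid)) return 0;
    if (strlen(client_id) != UUID_LEN) return 0;
    return memcmp(uuid, client_id, UUID_LEN) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *cn = "door-lock-123e4567-e89b-12d3-a456-426614174000.local";
    printf("%d\n", cn_matches_client_id(cn, "123e4567-e89b-12d3-a456-426614174000"));
    printf("%d\n", cn_matches_client_id(cn, "00000000-0000-0000-0000-000000000000"));
    return 0;
}
```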
Hi @ralight, thanks for the reply.
In the meantime I've already solved my problem, it had to do with a misconfiguration in my mosquitto.conf. I'm not sure if this is the intended behavior, as it isn't mentioned in the documentation, but if use_identity_as_username is set to true, then the MOSQ_EVT_BASIC_AUTH is not raised when a client attempts to connect to the broker. Tested on Mosquitto v2.0.10.
This behavior seems to be intentional, but I would suggest leaving a comment about this on the plugin API page to facilitate troubleshooting.
https://github.com/eclipse/mosquitto/blob/d5ecd9f5aa98d42e7549eea09a71a23eef241f31/src/handle_connect.c#L882
Looks like I have a similar issue, but for me, MOSQ_EVT_MESSAGE is not triggered. I have registered MOSQ_EVT_BASIC_AUTH, MOSQ_EVT_TICK and MOSQ_EVT_DISCONNECT. All were called as expected, except MOSQ_EVT_MESSAGE. No callback is called when I mosquitto_pub any event. Did I miss any flag in mosquitto.conf too? I'm on mosquitto v2.0.15. I'm trying to kick out some client with mosquitto_kick_client_by_clientid() when a special event is received. @jncfa Did I understand this MOSQ_EVT_MESSAGE right?