
Authenticating with an External HTTP Service

Last updated: 2026-04-01 16:30:54

Overview

TDMQ for MQTT supports client authentication and simple authorization by integrating with third-party HTTP services. When a client initiates a connection (sending a CONNECT packet), the MQTT server constructs an HTTP request carrying the client's credentials (such as username and password) and sends it to the designated HTTP authentication service. The MQTT server then determines whether authentication succeeded based on the HTTP response. If authentication succeeds, the client is allowed to connect to the server; if authentication fails, the connection is refused.

Authentication Principle

When an MQTT client connects, the MQTT server acts as the HTTP client: it must construct and send a request to the HTTP service in the required API format, and the HTTP service must return results in the required format. The HTTP response status code is used to determine whether the authentication request succeeds. The HTTP authentication service must meet the following conditions:
The HTTP response Content-Type must be application/json.
The authentication result is indicated by result in the body. Valid values: allow, deny, or ignore.
Whether the client is a superuser is indicated by is_superuser in the body. Valid values: true or false.
The response must return HTTP Status Code 200 or 204.
Other response codes, such as 4xx and 5xx, are treated as HTTP authentication request failures. In this case, the authentication result uses the default value ignore, and execution continues along the authentication chain. If the current HTTP authenticator is the last one in the chain, authentication fails, and the client connection is refused.
Response Example:
HTTP/1.1 200 OK
Headers: Content-Type: application/json
...
Body:
{
    "result": "allow", // "allow" | "deny" | "ignore"
    "client_attrs": {
        "role": "admin",
        "sn": "10c61f1a1f47"
    },
    "expire_at": 1654254601, // Optional. Indicates the expiration time of the current authentication policy
    "acl": // Optional. Used for the existing HTTP authentication service to support simple authorization. The authorization policy is cached on the MQTT server and updated when triggered again
    [
        {
            "effect": "allow",
            "action": ["publish","subscribe","connect"],
            "topic": "topic/AA/#",
            "qos": [1]
        },
        {
            "effect": "deny",
            "action": ["publish","connect"],
            "topic": "topic/BB"
        }
    ]
}
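
The response contract above, as an added example that is not part of the original page and is not Tencent's code: a minimal Python authentication service. It assumes Request Method POST, a console Body template of {"username": "${Username}", "password": "${Password}"}, and expire_at in Unix seconds; the user store, credentials and listening port are constructed.

```python
import hashlib, hmac, json, time
from http.server import BaseHTTPRequestHandler, HTTPServer

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (assumption): salted hash plus per-user ACL.
USERS = {"sensor-01": {
    "salt": b"constructed-salt",
    "hash": _kdf("constructed-password", b"constructed-salt"),
    "acl": [{"effect": "allow", "action": ["publish"], "topic": "topic/AA/#", "qos": [1]}],
}}

def decide(raw_body: bytes, now=None) -> str:
    """Return the JSON response body for one authentication request."""
    def reply(result, **extra):
        return json.dumps({"result": result, "is_superuser": False, **extra})
    try:
        req = json.loads(raw_body)  # JSON keys follow the assumed Body template
        username, password = req["username"], req["password"]
        if not (isinstance(username, str) and isinstance(password, str)):
            raise TypeError("credentials must be strings")
    except (ValueError, KeyError, TypeError):
        return reply("deny")  # malformed request: fail closed
    user = USERS.get(username)
    if user is None:
        return reply("ignore")  # unknown here: leave it to the next authenticator
    if not hmac.compare_digest(_kdf(password, user["salt"]), user["hash"]):
        return reply("deny")
    now = int(time.time() if now is None else now)
    # expire_at is assumed to be Unix seconds, as the page's sample value suggests.
    return reply("allow", expire_at=now + 3600, acl=user["acl"])

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            body = decide(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except Exception:
            # A 4xx/5xx would be treated as "ignore" and passed down the chain,
            # so internal errors are answered with an explicit 200 "deny".
            body = json.dumps({"result": "deny", "is_superuser": False})
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Returning ignore for unknown users only makes sense when another authenticator follows in the chain; as the last authenticator it has the same effect as deny.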

Operation Steps

1. Log in to the MQTT Console.
2. In the left sidebar, choose Resource Management > Cluster Management. Select a region, click the target cluster ID, and enter the Cluster Basic Information page.
3. On the Cluster Basic Information page, select the Authentication Management tab, choose External HTTP Authentication as the secondary tab, and click Create Authentication.
    Request Method: Select the HTTP request method. Options: POST, GET.
    Service Address: Enter the HTTP(S) service URL.
    Headers: HTTP request header configuration. You can add multiple headers. When entering the value, you can use constants and template variables. The format is "${variable name}". Typing "${" triggers suggestions.
    Body: Request template. When entering the value, you can use constants and template variables. The format is "${variable name}". Typing "${" triggers suggestions.
    Maximum Request Concurrency: Sets the maximum number of concurrent requests. Value range: 1-10.
    Connection Timeout: Sets the connection timeout duration. Value range: 1-30 seconds.
    Request Timeout: Sets the request timeout duration. Value range: 1-30 seconds.
    Description: Optional. Enter as needed. The description cannot exceed 128 characters.

4. Click Confirm to complete the creation. After creation, click the icon in the upper right to test the authentication configuration.

Template Variables

Client Variable Field

| Variable | Description |
|---|---|
| InstanceID | MQTT instance ID |
| ClientId | MQTT Client ID |
| Username | MQTT client connection username |
| Password | MQTT client connection password |
| Clientip | MQTT client IP address |
| Certificate.Pem | PEM content of the client certificate |
| Certificate.ChainSn | Serial number of the certificate chain |

Certificate Subject Field

| Variable | Description |
|---|---|
| Certificate.Subject.Organization | Subject - Organization name |
| Certificate.Subject.OrganizationalUnit | Subject - Organizational unit |
| Certificate.Subject.State | Subject - State/Province |
| Certificate.Subject.CommonName | Subject - Common name |
| Certificate.Subject.SerialNumber | Subject - Serial number |
| Certificate.Subject.Title | Subject - Title |
| Certificate.Subject.Surname | Subject - Surname |
| Certificate.Subject.GivenName | Subject - Given name |
| Certificate.Subject.Initials | Subject - Initials |
| Certificate.Subject.Pseudonym | Subject - Pseudonym |
| Certificate.Subject.GenerationQualifier | Subject - Generation qualifier |
| Certificate.Subject.DistinguishedNameQualifier | Subject - Distinguished name qualifier |
| Certificate.Subject.Country | Subject - Country/Region code |

Certificate Issuer Field

| Variable | Description |
|---|---|
| Certificate.Issuer.Organization | Issuer - Organization name |
| Certificate.Issuer.OrganizationalUnit | Issuer - Organizational unit |
| Certificate.Issuer.State | Issuer - State/Province |
| Certificate.Issuer.CommonName | Issuer - Common name |
| Certificate.Issuer.SerialNumber | Issuer - Serial number |
| Certificate.Issuer.Title | Issuer - Title |
| Certificate.Issuer.Surname | Issuer - Surname |
| Certificate.Issuer.GivenName | Issuer - Given name |
| Certificate.Issuer.Initials | Issuer - Initials |
| Certificate.Issuer.Pseudonym | Issuer - Pseudonym |
| Certificate.Issuer.GenerationQualifier | Issuer - Generation qualifier |
| Certificate.Issuer.DistinguishedNameQualifier | Issuer - Distinguished name qualifier |
| Certificate.Issuer.Country | Issuer - Country/Region code |

Alternate Name Field

| Variable | Description |
|---|---|
| Certificate.Subject.AlternativeName.RFC822Name | Subject alternative name - Email address |
| Certificate.Subject.AlternativeName.DNSName | Subject alternative name - DNS domain name |
| Certificate.Subject.AlternativeName.DirectoryName | Subject alternative name - Directory name |
| Certificate.Subject.AlternativeName.UniformResourceIdentifier | Subject alternative name - Uniform resource identifier |
| Certificate.Subject.AlternativeName.IPAddress | Subject alternative name - IP address |
| Certificate.Issuer.AlternativeName.RFC822Name | Issuer alternative name - Email address |
| Certificate.Issuer.AlternativeName.DNSName | Issuer alternative name - DNS domain name |
| Certificate.Issuer.AlternativeName.DirectoryName | Issuer alternative name - Directory name |
| Certificate.Issuer.AlternativeName.UniformResourceIdentifier | Issuer alternative name - Uniform resource identifier |
| Certificate.Issuer.AlternativeName.IPAddress | Issuer alternative name - IP address |

