Go mosquitto auth plugin

@brocaar, I noticed that the docs didn’t mention some recently added topics:

gateway/+/ack
gateway/+/config
application/+/device/+/status
application/+/device/+/location

I just committed this change to a previous PR that removed a faulty line from the plugin conf.

Also, I just wanted to give everyone a heads up about mosquitto 1.5.X, which introduces a new acc:


 *  MOSQ_ACL_SUBSCRIBE when a client is asking to subscribe to a topic string.
 *                     This differs from MOSQ_ACL_READ in that it allows you to
 *                     deny access to topic strings rather than by pattern. For
 *                     example, you may use MOSQ_ACL_SUBSCRIBE to deny
 *                     subscriptions to '#', but allow all topics in
 *                     MOSQ_ACL_READ. This allows clients to subscribe to any
 *                     topic they want, but not discover what topics are in use
 *                     on the server.

I just added support for this at the plugin, as subscriptions from loraserver went in with the new acc and failed to connect. Also, I’m not sure if the usual plugin has support for it yet as per this issue, as it’s old but without response. So I’d advise sticking to mosquitto 1.4.X when using that plugin.
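To make the MOSQ_ACL_SUBSCRIBE distinction concrete, here is an added example (not code from the go-auth plugin itself) of a backend-style ACL check written around the loraserver topics listed above. On a subscribe request the topic is a filter and is only allowed when an allowed pattern fully covers it, so a bare `#` is refused even though reads of the individual topics still pass; the names `matchTopic`, `covers` and `checkAcl` are assumptions made for this example.

```go
package main

import "strings"

// Access codes mosquitto passes to the plugin (from mosquitto_plugin.h).
const (
	MosqAclRead      int32 = 1
	MosqAclSubscribe int32 = 4
)

// matchTopic reports whether a concrete topic matches an MQTT filter pattern.
func matchTopic(pattern, topic string) bool {
	p, t := strings.Split(pattern, "/"), strings.Split(topic, "/")
	for i := range p {
		if p[i] == "#" {
			return true
		}
		if i >= len(t) || (p[i] != "+" && p[i] != t[i]) {
			return false
		}
	}
	return len(p) == len(t)
}

// covers reports whether every topic matched by filter also matches allowed,
// i.e. a subscription to filter can never deliver a topic outside allowed.
func covers(allowed, filter string) bool {
	a, f := strings.Split(allowed, "/"), strings.Split(filter, "/")
	for i := range f {
		if i < len(a) && a[i] == "#" {
			return true
		}
		if i >= len(a) || f[i] == "#" || (f[i] == "+" && a[i] != "+") || (f[i] != "+" && a[i] != "+" && a[i] != f[i]) {
			return false
		}
	}
	return len(a) == len(f) || (len(a) == len(f)+1 && a[len(f)] == "#") // "x/#" also matches "x"
}

// checkAcl has the shape of a backend ACL check: on MOSQ_ACL_SUBSCRIBE the topic is a
// filter that must be fully covered by an allowed pattern; otherwise it is a concrete topic.
func checkAcl(allowed []string, topic string, acc int32) bool {
	for _, pattern := range allowed {
		if (acc == MosqAclSubscribe && covers(pattern, topic)) ||
			(acc != MosqAclSubscribe && matchTopic(pattern, topic)) {
			return true
		}
	}
	return false
}
```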

Hello @iegomez,
thank you for that awesome project. We use the docker version and it works like a charm.
Now we would like to connect the jwt plugin with our idm system keycloak.

Keycloak can answer on https://{jwt_host}:{jwt_port}/auth/realms/{realm}/protocol/openid-connect/userinfo with all information we need. It is important that the request has an authentication header with a valid jwt.

Is this possible with the jwt plugin? In which way does the plugin send the token to the jwt host? Is there a way to read the acls from the answer of the jwt host?

Ok, I’m one step further. I can check a user with a token. I set /auth/realms/{realm}/protocol/openid-connect/userinfo as getuser_uri. The trick was that I can’t send the pure token. I have to add a "bearer " in front of the token, because you put that directly in the authentication header.

Next step is the interpretation of the acl requests. No plan if keycloak can handle that.

Hi! We are on national holiday in Chile right now so I can’t help much till next week, but if you think there’s a problem with the jwt backend, please file an issue at the repo so I can check it as soon as I get back.

Hello @iegomez,

Thanks for the great project. I’m trying to add my custom plugin to this project and integrate the go-auth.so into a docker image. I generated the plugin file and created the auth.conf and located them at:
/mosquitto/config/conf.d
The directory Conf.d contains the following:
go-auth.so
plugin.so
auth.conf
However, I’m not sure how to use it. Do you have any sample code that I can check for a custom plugin? The plugin is used by a bridge App that is controlling all the communication to a LDAP server. Any help would be greatly appreciated.

Thanks,
Forooz