MQTT authentication for Gateways

Hello!

We are a student group who used @iegomez’s Mosquitto-go-auth plugin in order to allow MQTT authentication for gateways. Our work is too specific to be merged into the ChirpStack project, but it could be a good implementation example for this plugin. You can find everything in this closed pull-request (we can’t directly post all the links here, due to the beginner limitation on the number of links per post).
We have also opened an issue concerning gateway MQTT authentication, to look for ideas on generalizing the basic concept.

Feel free to give us some feedback!


Thanks again for your work @Diss31, and sorry for not merging your pull-request. The reason for this is that I would like to avoid merging in features that are really specific.

I did have some thinking about this, and one way I could see this working in a more generic way is by generating a client certificate instead of a MQTT token. This is how it would look:

  • In the chirpstack-network-server.toml you configure a CA certificate & key file which is used for signing (optional). I believe this config belongs here and not in the AS configuration because there could be different network servers with different MQTT brokers and thus different CA certificates.
  • The gateway client certificate contains the gateway EUI as common-name.
  • In the web-interface, there is an option to download the gateway client certificate. I think this should be independent of creating a gateway. E.g. when the CA certificate changes, you want to download a new certificate. Or when you are upgrading to the new version, you want to be able to get the certificate without upgrading again.

I believe this could also work together with the GCP and Azure integrations, as it is possible to configure a CA certificate in Cloud IoT Core and Azure IoT Hub to validate the client certificates. It should also be possible to use this client certificate when using the BasicStation.

In the case of Mosquitto, it is possible to use the client certificate CN as username, so this could work nicely with @iegomez’s plugin too.

I could even see an option for a simplified plugin which could work independently of a database. When it knows the gateway ID (from the certificate CN), it can use a template to authorize on which topics the client can publish and subscribe.

What do you think about this?

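To make the proposal above concrete, here is an added example (my own code, not ChirpStack's or the mosquitto-go-auth plugin's) of the three pieces it describes: a signing CA, a gateway client certificate with the gateway EUI as CN, and the database-less, template-based topic authorization. Assumptions: the CA is generated in memory instead of being read from `chirpstack-network-server.toml`, the topic layout (`gateway/<id>/event/+`, `gateway/<id>/state/+`, `gateway/<id>/command/#`) and the `{{gateway_id}}` placeholder syntax are constructed for this example, and the `gatewayIDFromCert` step stands in for what the broker does when it verifies the client certificate and takes the CN as username.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue generates a fresh P-256 key and a certificate for tmpl; nil parent/signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds the signing CA in memory (assumption: the proposal would load it from the NS config file).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ns-mqtt-ca"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, nil, nil)
}

// issueGatewayCert signs a client-auth certificate whose CN is the gateway EUI, as proposed above.
func issueGatewayCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, gatewayEUI string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random serial, no collisions
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: gatewayEUI},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, caKey)
}

// gatewayIDFromCert is the broker side: verify the chain to the configured CA, then use the CN as username.
func gatewayIDFromCert(ca, client *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return client.Subject.CommonName, nil
}

// aclTemplates is the template ACL of the database-less plugin idea (assumed topic layout); key true = publish.
var aclTemplates = map[bool][]string{
	true:  {"gateway/{{gateway_id}}/event/+", "gateway/{{gateway_id}}/state/+"},
	false: {"gateway/{{gateway_id}}/command/#"},
}

// topicMatch applies MQTT wildcard rules of filter ("+" one level, "#" the rest) to topic, literally.
func topicMatch(filter, topic string) bool {
	f := strings.Split(filter, "/")
	t := strings.Split(topic, "/")
	for i, part := range f {
		if part == "#" {
			return true
		}
		if i >= len(t) || (part != "+" && part != t[i]) {
			return false
		}
	}
	return len(f) == len(t)
}

// authorize answers the ACL check for the gateway identified by its certificate CN.
func authorize(gatewayID, topic string, write bool) bool {
	for _, tm := range aclTemplates[write] {
		if topicMatch(strings.ReplaceAll(tm, "{{gateway_id}}", gatewayID), topic) {
			return true
		}
	}
	return false
}
```

Because `topicMatch` expands the template's wildcards and compares the gateway's requested topic literally, a gateway that subscribes to `gateway/+/command/#` or `gateway/#` is denied rather than granted every gateway's downlinks; only `gateway/<its own EUI>/command/#` matches. With Mosquitto itself, the CN-as-username step corresponds to `use_identity_as_username true` on a TLS listener with `require_certificate true`.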

You are welcome, we get your point about our pull request.

Your idea seems really complete, with more respect for the ChirpStack architecture and several synergies with other components! I think it could be a great evolution of our contribution.

But, as I said, we’re just a student group, working on ChirpStack during a class project. So, now with our coming internships, we will not have time to push this feature further by ourselves :confused: but I will share this post with our project supervisor, so he will probably find another group of students to carry on this work!

Hope this new feature idea can be merged in the near future :wink: