Application level

User identity

The MQTT specification itself only defines user name/password authentication at the application layer, performed when the connection is established. Other mechanisms are not specified by MQTT and have to be implemented at the application level. Some message brokers also allow the CommonName attribute of the client certificate to be used as the user identity, which in turn allows access rights to be defined per topic, for example.

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (based on RFC 7519) that defines a compact, self-contained format for securely transmitting information between communicating parties in the form of a JSON object. Because a JWT carries a digital signature, the authenticity and integrity of the transmitted information can be verified by the receiver. The signature can be based on a shared secret (via an HMAC algorithm) or on a public/private key pair (via RSA).

The most common application example for JWT is the authorization of a device or user for a service. Once a user has logged into the service, all further requests to the service include the JWT. Based on the JWT, the service can then decide which additional services or resources the user may access. This means, for example, that single sign-on solutions can be implemented in cloud services.

The PLC library Tc3_JsonXml provides the method FB_JwtEncode for creating and signing a JSON Web Token. The token can then be sent, for example, in the payload of the message or in a User Property, so that the receiving application can validate the message.