Commit 0643bcd

Add disconnect on expiration
1 parent 23b131b commit 0643bcd

1 file changed

+20
-1
lines changed


articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md

Lines changed: 20 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.subservice: azure-mqtt-broker
77
ms.topic: how-to
88
ms.custom:
99
- ignite-2023
10-
ms.date: 07/16/2024
10+
ms.date: 07/26/2024
1111

1212
#CustomerIntent: As an operator, I want to configure authentication so that I have secure MQTT broker communications.
1313
---
@@ -377,6 +377,25 @@ spec:
377377
header_key: header_value
378378
```
379379

380+
## Client disconnect after credentials expire
381+
382+
MQTT broker disconnects clients when their credentials expire. Disconnect after credential expiration applies to all clients that connect to the MQTT broker frontends including:
383+
384+
- Clients authenticated with SATs disconnect when their SAT expires
385+
- Clients authenticated with X.509 disconnect when their client certificate expires
386+
- Clients authenticated with custom authentication disconnect based on the expiry time returned from the custom authentication server.
387+
388+
On disconnect, the client's network connection is closed. The client won't receive an MQTT DISCONNECT packet, but the broker logs a message that it disconnected the client.
389+
390+
MQTT v5 clients authenticated with SATs and custom authentication can reauthenticate with a new credential before their initial credential expires. X.509 clients cannot reauthenticate and must re-establish the connection since authentication is done at the TLS layer.
391+
392+
Clients can reauthenticate by sending an MQTT v5 AUTH packet.
393+
394+
SAT clients send an AUTH client with the fields `method: $sat`, `data: <token>`.
395+
Custom authentication clients set the method and data field as required by the custom authentication server.
396+
397+
Successful reauthentication updates the client's credential expiry with the expiry time of its new credential, and the broker responds with a *Success AUTH* packet. Failed authentication due to transient issues cause the broker to respond with a *ContinueAuthentication AUTH* packet. For example, the custom authentication server being unavailable. The client can try again later. Other authentication failures cause the broker to send a DISCONNECT packet and close the client's network connection.
398+
380399
## Related content
381400

382401
- About [BrokerListener resource](howto-configure-brokerlistener.md)
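Review bot: `SAT clients send an AUTH client with the fields` should read `send an AUTH packet`, and that paragraph should also say the client sends it with reason code 0x19 (Re-authenticate) and the same Authentication Method it used in CONNECT, which MQTT v5 requires; without that, readers may try to switch from X.509 or anonymous to `$sat` mid-session and get disconnected. In the last paragraph, `Failed authentication due to transient issues cause the broker` needs `causes`, and the fragment `For example, the custom authentication server being unavailable.` should be folded into that sentence (for example `Failed authentication due to transient issues, such as the custom authentication server being unavailable, causes the broker to respond with a *ContinueAuthentication AUTH* packet`). Two behaviours the section leaves unstated and that operators will ask about: clients that are not MQTT v5 have no AUTH packet, so for them the only option is to reconnect, as in the X.509 case; and because an expiry disconnect closes the socket without a DISCONNECT packet, clients should treat an unexpected connection close as a cue to reconnect with a fresh credential rather than retrying with the expired one.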
