|
| 1 | +--- |
| 2 | +title: Microsoft Custom JWT authentication |
| 3 | +description: Describes custom JWT authentication and authorization to publish or subscribe to MQTT messages |
| 4 | +ms.topic: conceptual |
| 5 | +ms.custom: build-2024 |
| 6 | +ms.date: 01/27/2025 |
| 7 | +author: george-guirguis, seth-shanmugam |
| 8 | +ms.author: geguirgu, seshanmugam |
| 9 | +ms.subservice: mqtt |
| 10 | +--- |
| 11 | + |
| 12 | +# Microsoft Custom JWT authentication and authorization to publish or subscribe to MQTT messages |
| 13 | + |
| 14 | +You can authenticate MQTT clients with Custom JWT to connect to the Event Grid namespace. You can embed and validate custom claims in the JWT token to authorize publish or subscribe permissions to your Event Grid topic spaces. |
| 15 | + |
| 16 | +> [!IMPORTANT] |
| 17 | +> - This feature is supported only when using the MQTT v5 protocol version |
| 18 | +
|
| 19 | +## Prerequisites |
| 20 | +- You need an Event Grid namespace with MQTT enabled. Learn about [creating Event Grid namespace](/azure/event-grid/create-view-manage-namespaces#create-a-namespace) |
| 21 | + |
| 22 | +<a name='authentication-using-azure-ad-jwt'></a> |
| 23 | + |
| 24 | +## Authentication using Custom JWT |
| 25 | +You can use the MQTT v5 CONNECT packet to provide the Custom JWT token to authenticate your client and the MQTT v5 AUTH packet to refresh the token. |
| 26 | + |
| 27 | +> [!IMPORTANT] |
| 28 | +> - If you don't set the CONNECT packet's authentication method to CUSTOM-JWT, you'll receive an “invalid issuer” error—even if all other configurations are correct. |
| 29 | +
|
| 30 | +In the CONNECT packet, you can provide the required values in the following fields: |
| 31 | + |
| 32 | +|Field | Value | |
| 33 | +|---------|---------| |
| 34 | +|Authentication Method | CUSTOM-JWT | |
| 35 | +|Authentication Data | JWT token | |
| 36 | + |
| 37 | +In the AUTH packet, you can provide the required values in the following fields: |
| 38 | + |
| 39 | +|Field | Value | |
| 40 | +|---------|---------| |
| 41 | +| Authentication Method | CUSTOM-JWT | |
| 42 | +| Authentication Data | JWT token | |
| 43 | +| Authentication Reason Code | 25 | |
| 44 | + |
| 45 | +Authenticate Reason Code with value 25 signifies reauthentication. |
| 46 | + |
| 47 | +> [!NOTE] |
| 48 | +> - Audience: “aud” claim must be set to "https://eventgrid.azure.net/". |
| 49 | +
|
| 50 | +## Access permissions |
| 51 | +A client using Custom JWT authentication can use client attributes and permissions to limit access to specific topics. |
| 52 | + |
| 53 | +## Next steps |
| 54 | +- See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md) |
| 55 | +- How to [Authenticate with namespaces using JSON Web Tokens](authenticate-with-namespaces-using-json-web-tokens.md) |
0 commit comments