articles/event-grid/mqtt-client-authentication.md
+15 -5 Lines changed: 15 additions & 5 deletions
@@ -19,9 +19,10 @@ We support authentication of clients using X.509 certificates. X.509 certificat
19
19
## Supported authentication modes
20
20
21
21
- Certificates issued by a Certificate Authority (CA)
22
-
- Self-signed client certificate - thumbprint based authentication
22
+
- Self-signed client certificate - thumbprint
23
+
- Microsoft Entra ID token
23
24
24
-
**Certificate Authority (CA) signed certificates:**
25
+
### Certificate Authority (CA) signed certificates:
25
26
26
27
In this method, a root or intermediate X.509 certificate is registered with the service. Essentially, the root or intermediary certificate that is used to sign the client certificate, must be registered with the service first.
27
28
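Review bot: the new heading on the `+ ### Certificate Authority (CA) signed certificates:` line keeps the trailing colon from the old bold label, while the matching heading added later in this change (`### Self-signed client certificate - thumbprint`) has none; drop the colon so the three `###` mode headings are consistent and render cleanly in the table of contents. The renamed bullet `- Self-signed client certificate - thumbprint` also drops "based authentication", which is fine as long as the heading text is kept identical to the bullet text, which it now is.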
@@ -35,9 +36,9 @@ While registering clients, you need to identify the certificate field used to ho
35
36
36
37
:::image type="content" source="./media/mqtt-client-authentication/mqtt-client-certificate-chain-authentication-options.png" alt-text="Screenshot showing the client metadata with the five certificate chain based validation schemes.":::
37
38
38
-
**Self-signed client certificate - thumbprint based authentication:**
39
+
### Self-signed client certificate - thumbprint
39
40
40
-
Clients are onboarded to the service using the certificate thumbprint alongside the identity record. In this method of authentication, the client registry stores the exact thumbprint of the certificate that the client is going to use to authenticate. When client tries to connect to the service, service validates the client by comparing the thumbprint presented in the client certificate with the thumbprint stored in client metadata.
41
+
In this method of authentication, the client registry stores the exact thumbprint of the certificate that the client is going to use to authenticate. When client tries to connect to the service, service validates the client by comparing the thumbprint presented in the client certificate with the thumbprint stored in client metadata.
41
42
42
43
:::image type="content" source="./media/mqtt-client-authentication/mqtt-client-metadata-thumbprint.png" alt-text="Screenshot showing the client metadata with thumbprint authentication scheme.":::
43
44
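Review bot: the rewritten paragraph on the `+ In this method of authentication, ...` line carries over the missing articles from the removed line ("When client tries to connect to the service, service validates the client"); since the sentence is being touched anyway, change it to "When the client tries to connect, the service validates the client by comparing ...". The removed opening sentence ("Clients are onboarded to the service using the certificate thumbprint alongside the identity record") was the only place that said the thumbprint is tied to the client identity record at onboarding; consider keeping that phrasing, or noting it in the retained sentence, so the reader knows where the thumbprint is configured.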
@@ -59,7 +60,8 @@ while authenticating the client connection,
59
60
60
61
In both modes of client authentication, we expect the client authentication name to be provided either in the username field of the connect packet or in one of the client certificate fields.
61
62
62
-
### Supported client certificate fields for alternative source of client authentication name
63
+
**Supported client certificate fields for alternative source of client authentication name**
64
+
63
65
You can use one of the following fields to provide client authentication name in the client certificate.
64
66
65
67
| Authentication name source option | Certificate field | Description |
@@ -70,6 +72,13 @@ You can use one of the following fields to provide client authentication name in
70
72
| Certificate Ip | tls_client_auth_san_ip | The IPv4 or IPv6 address present in the iPAddress SAN entry in the certificate. |
71
73
| Certificate Email | tls_client_auth_san_email | The rfc822Name SAN entry in the certificate. |
72
74
75
+
76
+
77
+
### Microsoft Entra ID token
78
+
79
+
You can authenticate MQTT clients with Microsoft Entra JWT to connect to Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Microsoft Entra identity, to publish or subscribe access to specific topic spaces.
80
+
81
+
73
82
## High level flow of how mutual transport layer security (mTLS) connection is established
74
83
75
84
To establish a secure connection with MQTT broker, you can use either MQTTS over port 8883 or MQTT over web sockets on port 443. It's important to note that only secure connections are supported. The following steps are to establish secure connection prior to the client authentication.
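Review bot: the unchanged context line "In both modes of client authentication, we expect the client authentication name to be provided either in the username field ..." is now inaccurate, because this change introduces a third mode (Microsoft Entra ID token) in the list at the top of the page; reword it to "In both certificate-based modes of client authentication" or otherwise scope it so it does not appear to cover the token flow. The added `### Microsoft Entra ID token` section should also state how the JWT is presented on the connection (or point to the detailed article that this change links from Next steps), since the surrounding text only describes where the authentication name goes for certificate clients; and the sentence "to enable MQTT clients, with Microsoft Entra identity, to publish or subscribe access to specific topic spaces" reads awkwardly, suggest "to grant MQTT clients with a Microsoft Entra identity publish or subscribe access to specific topic spaces". Finally, demoting `### Supported client certificate fields for alternative source of client authentication name` to a bold line removes it from the page's heading structure; if the intent is to keep it as a subsection of the certificate modes, a `####` heading would preserve navigation without competing with the new `###` mode headings.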
@@ -88,3 +97,4 @@ To establish a secure connection with MQTT broker, you can use either MQTTS over
88
97
89
98
## Next steps
90
99
- Learn how to [authenticate clients using certificate chain](mqtt-certificate-chain-client-authentication.md)
100
+
- Learn how to [authenticate client using Microsoft Entra ID token](mqtt-client-azure-ad-token-and-rbac.md)
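Review bot: the added bullet `+ - Learn how to [authenticate client using Microsoft Entra ID token](mqtt-client-azure-ad-token-and-rbac.md)` should read "authenticate clients" to match the plural wording of the existing bullet directly above it ("authenticate clients using certificate chain"); the hunk header `@@ -88,3 +97,4 @@` also shows the file ending on this new line, so confirm it carries a trailing newline to avoid a "no newline at end of file" diff marker on the next edit.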