Pass Code Suggestion , and Dropping NATS clients #7904
macphersonjamie
started this conversation in
General
Replies: 0 comments
Hi
We’re planning on using Auth Callout with nKeys as part of a system to authenticate hardware devices.
These devices would create their own nKey pair at first boot, and use that connect to the NATS bus.
Such devices would be Quarantined (allowed access to a very limited set of NATS topics).
A Quarantined device could then be Approved (by a privileged user), allowing it access to a wider range of topics.
We have two problems implementing this at present.
1/
We need a way to embed a "PassCode" (a random nonce displayed on the screen of the hardware device) for use during the Approval process.
The PassCode would allow the Operator to confirm the identity of the device requesting Approval.
This is very similar to how Bluetooth pairing is implemented for devices with displays.
NB: It is important that this PassCode is combined with nKey of the device requesting Approval - they cannot be sent in separate messages.
2/
If an Approved device is found to have been compromised we would like to be able to revoke its access to the system, returning it to a Quarantined state.
We can delete the device's nKey from the server which will prevent future connections, but there seems to be no way to ask the NATS server to drop an existing client connection.
It has been discussed before that forcing a NATS client to drop a connection will have no effect, as the client will just reconnect; however, in this scenario it is important, as when the Approved client reconnects it will become Quarantined (i.e. its nKey is not on the approved list).
So, my questions:
Has anyone performed NATS authentication in a similar way and have any comments?
Can anyone suggest how we send the Nonce from the client device to the Auth Callout?
We considered overloading the "Client name" field for this (e.g. "name=xyz, passcode=1234"), but this feels rather clunky.
Is there really no way to force clients to reconnect - other than requesting a server "reload" which will force all clients using Auth Callout to reconnect and disrupt the entire network?
thanks
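The Quarantined/Approved/revoked flow described in the post, as an added example that is not part of the original discussion or of NATS: a stdlib-only Python model of the decision an Auth Callout service would make per connection. It assumes the "name=xyz, passcode=1234" client-name convention from the post, placeholder subject names, and a placeholder nKey public key; the real NATS callout request/response format is not modelled.

```python
import hmac

# Hypothetical subject sets for the two device states described in the post.
QUARANTINED_SUBJECTS = {"device.enroll.>", "_INBOX.>"}
APPROVED_SUBJECTS = {"device.telemetry.>", "device.cmd.>", "_INBOX.>"}


def parse_client_name(name):
    """Parse the overloaded 'name=xyz, passcode=1234' client-name form from the post."""
    fields = {}
    for part in name.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


class DeviceRegistry:
    """Models the auth-callout decision: which subjects a given device nKey may use."""

    def __init__(self):
        self.pending = {}      # nKey public key -> passcode shown on the device display
        self.approved = set()  # nKey public keys an operator has approved
        self.sessions = {}     # nKey public key -> live client ids

    def connect(self, pubkey, client_id, client_name=""):
        """Per CONNECT: returns (state, allowed subjects) for this nKey."""
        passcode = parse_client_name(client_name).get("passcode")
        if pubkey not in self.approved and passcode:
            self.pending[pubkey] = passcode  # stored only under the device's own nKey
        self.sessions.setdefault(pubkey, set()).add(client_id)
        if pubkey in self.approved:
            return "approved", set(APPROVED_SUBJECTS)
        return "quarantined", set(QUARANTINED_SUBJECTS)

    def approve(self, pubkey, passcode):
        """Operator-side approval: nKey and passcode are checked together, never separately."""
        expected = self.pending.get(pubkey)
        if expected is None or not hmac.compare_digest(expected, passcode):
            return False
        del self.pending[pubkey]
        self.approved.add(pubkey)
        return True

    def revoke(self, pubkey):
        """Return the device to quarantine and report live client ids that must be dropped,
        since an already-connected session keeps its permissions until it reconnects."""
        self.approved.discard(pubkey)
        return self.sessions.pop(pubkey, set())
```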