Description
Observed behavior
Good case: Login with a plain bearer JWT (no scoped signing key involved) works.
Bad case:
Create a scoped signing key. Create a user from the scoped signing key. Create a bearer JWT for the user. Login to MQTT passing the bearer JWT as password.
- Login fails with error message stating that no user permissions or limits are allowed for scoped signing signed users (which is technically correct).
Suspected reason:
I think the MQTT sub-system is setting additional user permission dynamically. If this is done on a user JWT signed by a scoped signing key, the subsequent permission validation will fail.
Expected behavior
Login for MQTT should also work with users signed by a scoped signing key.
Server and client version
2.11.7
2.12.2
2.12.4
2.14-dev
mosquitto MQTT client
Host environment
Linux
Steps to reproduce
Enable MQTT on nats server
Create group (scoped signing key)
Create a user (based on above group)
Create a bearer JWT
Connect with:
mosquitto_pub -h 127.0.0.1 -t foo -m Hello -u acme -P
- (mosquitto) Connection error: Connection Refused: not authorised.
- Server log (-D) User JWT is not valid: scoped users require no permissions or limits set
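To make the suspected failure path concrete, the following is an added Python example (not part of this issue or of the NATS code base): it decodes a NATS user JWT payload without verifying the signature and applies an approximation of the "no permissions or limits" check behind the logged error. The claim layout, the placeholder key ids, and the `with_dynamic_permission` helper that models the hypothesis above are assumptions made for the example.

```python
import base64
import copy
import json

# Constructed claims for a user signed by a scoped signing key: no pub/sub rules
# and default (-1) limits. Issuer/account ids are placeholders, not real nkeys.
SCOPED_USER = {
    "type": "user", "version": 2, "bearer_token": True,
    "issuer_account": "ACCOUNT_PLACEHOLDER",
    "subs": -1, "data": -1, "payload": -1,
}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_token(nats_claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature (constructed)."""
    header = {"typ": "JWT", "alg": "ed25519-nkey"}
    payload = {"jti": "CONSTRUCTED", "iat": 0, "iss": "SIGNING_KEY_PLACEHOLDER",
               "sub": "USER_KEY_PLACEHOLDER", "name": "acme", "nats": nats_claims}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.SIG_PLACEHOLDER"

def user_claims(token: str) -> dict:
    """Decode the 'nats' object of a user JWT. No signature verification here."""
    header, payload, _sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("typ") != "JWT":
        raise ValueError("not a JWT")
    body = json.loads(_b64url_decode(payload))
    if body.get("nats", {}).get("type") != "user":
        raise ValueError("not a NATS user JWT")
    return body["nats"]

def has_permissions_or_limits(nats: dict) -> bool:
    """Approximates the check behind 'scoped users require no permissions or limits set'."""
    for key in ("pub", "sub"):
        rules = nats.get(key) or {}
        if rules.get("allow") or rules.get("deny"):
            return True
    return any(nats.get(key, -1) != -1 for key in ("subs", "data", "payload"))

def with_dynamic_permission(nats: dict, subject: str) -> dict:
    """Model of the hypothesis in the issue: a layer adds a pub rule after the fact."""
    out = copy.deepcopy(nats)
    out.setdefault("pub", {}).setdefault("allow", []).append(subject)
    return out
```

The clean scoped claims pass the check, while the same claims with one dynamically added pub rule fail it, which is the sequence the "Suspected reason" section describes.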