Lately i was playing with Keycloak (KC), evaluating it for an IoT project
and i have a question regarding the authorization services.
One of my use case is : devices that connect to an MQTT Broker using X.509
Note : when i talk about device, you must understand KC user (device =
For several reasons/constraints that i won't explain here, i can't have my
devices connect first to Keycloak to obtain a token (using their X.509
certificates as KC supports it) and then connect to the MQTT Broker passing
this token. They connect directly to the MQTT Broker, each device
presenting its X.509 certificate to the Broker. After connection, the
Broker doesn't know client private key.
My need is to have my MQTT Broker (ideally through KC) authorize/reject
MQTT client to publish/subscribe to specific topic.
MQTT Topic being some kind of uri/path, i already have an idea of how to
configure KC (client, resource, policy, permission ...) to authorize/reject
However, as i understand it, the starting point for all the « authorization
services » (Authorization API, Entitlement API ... ) is a « user Access
In my case, i don't have a user access token ... so i'm kind of stuck to
use any of the K.C API (unless i missed something).
Hence, My question is how can i make my MQTT Broker (.ie : resource server)
interact with KC to enforce/evaluate policy ? Is it possible without the
user access token ?
Hope i made myself clear and thanks in advance for any help ...