Proposal:
1. Add a new Reason Code 26 0x1A Request re-authentication
2. Add the following at the end of section 4.12.1 Re-authentication
If the Client supplied an Authentication Method in the CONNECT packet the Server is allowed to request that the Client initiate re-authentication any time after it sends the CONNACK packet. It does this by sending an AUTH packet with a Reason Code of 0x1A (Request Re-authentication). The Server MUST set the Authentication Method to the same value as the Authentication Method originally used to authenticate the Network Connection. The Client MAY respond to this request by initiating a re-authentication, but it is not required to do so.
Non-normative comment:
The request for re-authentication from the server is used when the server knows that a re-authentication is required, but the client might not.
MQTT v5.0 introduces a new AUTH mechanism. This allows MQTT to bind with various authentication mechanisms such as SASL within the CONNECT / CONNACK exchange.
In its current form, the Client is permitted to flow an Auth Packet for re-authentication at any point. There are a few potential issues with this approach:
1. Implementations might exploit the AUTH flow for application data and control.
2. Only the Client can initiate the re-authentication. In many cases the Server is likely to coordinate Clients to refresh keys.
3. It is likely that existing deployments simply use DISCONNECT to coordinate re-authentication and this might lead to little uptake on re-auth.
There are benefits to the current approach, for example in reducing bandwidth.
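A client-side check for the server-initiated request in the Proposal, as an added example that is not part of the issue or of the specification text: it parses an AUTH packet and acts on Request Re-authentication only when the Authentication Method matches the one sent in CONNECT. The 0x1A value is the one proposed on this page; `parse_auth`, `on_server_auth`, the return labels and the SCRAM-SHA-1 sample packet are constructed for illustration, and refusing a mismatched method on the Client is an assumption, since the proposal places the MUST only on the Server.

```python
import struct

AUTH_TYPE = 0xF0         # MQTT v5.0 AUTH fixed-header byte (type 15, flags 0)
PROP_AUTH_METHOD = 0x15  # Authentication Method property identifier
REQUEST_REAUTH = 0x1A    # reason code as proposed on this page

def _read_vbi(buf, pos):  # Variable Byte Integer: 7 bits per byte, max 4 bytes
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 21:
            raise ValueError("bad Variable Byte Integer")
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def parse_auth(packet):
    """Return (reason_code, authentication_method); any other property is refused."""
    if not packet or packet[0] != AUTH_TYPE:
        raise ValueError("not an AUTH packet")
    remaining, pos = _read_vbi(packet, 1)
    if remaining < 2 or remaining != len(packet) - pos:
        raise ValueError("bad remaining length")
    reason = packet[pos]
    plen, pos = _read_vbi(packet, pos + 1)
    if pos + plen != len(packet):
        raise ValueError("bad property length")
    method = None
    while pos < len(packet):
        if packet[pos] != PROP_AUTH_METHOD or method is not None:
            raise ValueError("unexpected or repeated property")
        end = pos + 3 + struct.unpack_from("!H", packet, pos + 1)[0]
        method, pos = packet[pos + 3:end].decode("utf-8"), end
    if pos != len(packet):
        raise ValueError("property overruns packet")
    return reason, method

def on_server_auth(packet, connect_method):
    """Client decision for an AUTH received after CONNACK (method must match CONNECT)."""
    try:
        reason, method = parse_auth(packet)
    except (ValueError, struct.error):
        return "malformed"
    if reason != REQUEST_REAUTH:
        return "other"
    ok = method is not None and method == connect_method
    return "reauthenticate" if ok else "reject"

SAMPLE = bytes.fromhex("f0101a0e15000b") + b"SCRAM-SHA-1"  # constructed packet
```

A `"reauthenticate"` result only means the request is well-formed and consistent with the connection; under the proposal the Client MAY still ignore it.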
As a history, enhanced authentication was proposed as MQTT-255 and extensively discussed at the Bellevue F2F and the September Hursley F2F. At that time the TC decided to approve the connect time enhanced authentication and to create another issue for reauthorization. There were actually 2 such issues created, MQTT-315 and MQTT-317. We closed MQTT-315 and designed reauthorization as MQTT-317. One of the issues we raised was whether anybody actually wanted reauthorization enough to add it, and the consensus of the TC was to proceed with it. The technical issues and limitations were discussed in a subgroup and accepted by the TC. We can of course re-open any of the decisions previously made by the TC, but doing this risks ever getting to closure of the spec.
While the enhanced authentication avoids using the name SASL, it is clearly designed to be SASL conforming and to allow SASL mechanisms to be used as Auth Methods. In SASL, authentication is all initiated by the client. Some protocols which implement SASL do allow the server to request the client to initiate authentication or reauthentication.
In response to the concerns raised:
1. To exploit the AUTH flow for some other purpose requires both a client and server which agree on such usage. In a client application using a client library this would presumably mean that the client library is involved. If we just want to flow data between client application and server, or client library and server, much better means already exist (using PUBLISH to system topics for instance) which have none of the limitations of using AUTH.
2. The SASL mechanisms with time-limited tokens generally make known to the client the time limit of the token. Initiating reauthentication from the server seems to be the thing which is not used as it is not required to implement SASL.
3. Either a client or server is free to not implement reauthentication if it believes there is no requirement. Indeed, they are free to not implement any part of enhanced authentication.