Implementing JWT authentication with a HiveMQ Cloud broker (Starter Plan) for remote equipment access

I’m diving a bit deeper into an implementation of temporary credentials for remote access to equipment, carrying on from this comment:

I will try the JWT tokens issued by Auth0 and passed to a HiveMQ “Starter Plan” broker. Still figuring out the details, such as the web app for requesting a token (perhaps a Streamlit Web App in Hugging Face Spaces [2] or a Flask App in PythonAnywhere), since it seems like I can’t host that natively in Auth0.

See also a somewhat lengthy ChatGPT transcript.

Aside: Switching the broker to JWT disables the typical username/password authentication I’ve been used to with HiveMQ.

Some observations:

  1. Hugging Face Spaces with Gradio has a very easy “login with Hugging Face” button (also possible but more involved to do with e.g., streamlit), which would address the concern of having some kind of firewall or barrier for people to request access, but may be redundant since I still need a JWKS endpoint to give to HiveMQ for JWT generation.
  2. GitHub - conradbez/streamlit-auth0 is another option that might speed up that “first pass” authentication.
  3. Redis was mentioned as a potential solution for queue management [transcript]
  4. When trying to use Auth0 within a streamlit app, I’m confused about what to put for REDIRECT_URL [transcript]

There are simpler, less robust options:

Would be worth going through this tutorial.

The following isn’t maintained, but the example is pretty simple and could likely be copied/modified. Apparently the latest branch might be OK.

Easy gradio login button:

Overall I think it will be important to get each of the MWEs working, then get slightly more complex.

  1. Local Flask + Auth0
  2. Local Streamlit + Auth0
  3. Deployed Streamlit + Auth0
  4. Hugging Face Spaces + Auth0
  5. Login with Hugging Face button (gradio)
  6. Login with Hugging Face button (streamlit)
  7. HiveMQ Starter + Auth0 (HiveMQ JWT tutorial, just plain issuing keys)
  8. Flask + HiveMQ Starter + Auth0
  9. HiveMQ Starter + Hugging Face + Streamlit + Auth0 (HiveMQ JWT tutorial)

Thanks to @kenzo for exploring this in depth; it seems like more effort than it’s worth at the given point, and comes with certain limitations.

In particular, JWTs through Auth0 have a max expiration of 30 days.

There may be a workaround to the expiration, but it seems somewhat involved and might not work well with HiveMQ:

JWTs seem to be geared more towards “sessions” rather than long-term access.

Even getting Auth0 and HiveMQ connected with each other wasn’t very fruitful. Tutorials in this regard are limited or outdated.

@kenzo’s suggested alternative is to use the HiveMQ API (which still requires the paid Starter Plan) to generate random passwords and remove the old ones when the new password is generated. We’ve switched the broker back from “JWT authentication” to “Access credentials” (i.e., username/password combinations).

Later, we can work on adding some kind of “bot attack prevention” (i.e., a login interface or captcha verification). Some potential resources:

In particular, the easiest (and least secure, yet still meaningful) approach is to put a single, shared/global password for all users behind some kind of wall.
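As an added illustration of the rotation scheme @kenzo suggested above (generate a random password, provision it, then remove the old one), here is a small Python routine that is not from this thread or from HiveMQ. It assumes a broker credential API exposing only "create" and "delete"; `InMemoryBrokerStore` is a constructed stand-in for that API, and the 4-hour TTL is an assumed access window for a temporary credential.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass


@dataclass
class Credential:
    username: str
    password: str
    issued_at: float
    ttl: int

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl


class InMemoryBrokerStore:
    """Constructed stand-in for the broker's credential API (create/delete only)."""

    def __init__(self) -> None:
        self.active: dict[str, str] = {}  # username -> password the broker accepts

    def create(self, username: str, password: str) -> None:
        self.active[username] = password

    def delete(self, username: str) -> None:
        self.active.pop(username, None)


class CredentialRotator:
    def __init__(self, store: InMemoryBrokerStore, ttl: int = 4 * 3600) -> None:
        self.store = store        # where credentials are provisioned (assumed API)
        self.ttl = ttl            # assumed lifetime of a temporary credential
        self.current: dict[str, Credential] = {}  # requester -> live credential

    def rotate(self, requester: str, now: float | None = None) -> Credential:
        """Provision a fresh random credential for requester, then retire the old one."""
        now = time.time() if now is None else now
        username = f"{requester}-{secrets.token_hex(4)}"  # unique name per issuance
        password = secrets.token_urlsafe(24)               # 192 bits of entropy
        self.store.create(username, password)              # new credential live first...
        old = self.current.get(requester)
        if old is not None:
            self.store.delete(old.username)                # ...then remove the old one
        self.current[requester] = Credential(username, password, now, self.ttl)
        return self.current[requester]

    def revoke_expired(self, now: float | None = None) -> list[str]:
        """Delete every credential past its TTL; returns the usernames removed."""
        now = time.time() if now is None else now
        removed = []
        for requester, cred in list(self.current.items()):
            if cred.expired(now):
                self.store.delete(cred.username)
                del self.current[requester]
                removed.append(cred.username)
        return removed
```

Creating the new credential before deleting the old one keeps the requester from losing access during the swap; `revoke_expired` is what a scheduled job would call to enforce the temporary window.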