Access Token based authentication for MQTT

Plain MQTT (without SSL)
MQTTS (MQTT over SSL)

Access Token based authentication is the default device authentication type. The unique access token is generated once the device is created in IoT Hub. It can be changed afterwards. The client must specify the access token as a username in MQTT connect message.

Plain MQTT (without SSL)

Let’s review a simple command to upload temperature readings using Access Token YOUR_ACCESS_TOKEN to IoT Hub. See MQTT API for more details. The command is using plain MQTT without TLS:

mosquitto_pub -d -q 1 -h "iothub.magenta.at" -p "1883" \ 
-t "v1/devices/me/telemetry" -u "YOUR_ACCESS_TOKEN" -m {"temperature":25}

The above command requires mosquitto clients library that you can install using the following command: apt-get install mosquitto-clients. Don’t forget to replace iothub.magenta.at with the host of your IoT Hub instance and YOUR_ACCESS_TOKEN with the access token of your device.

MQTTS (MQTT over SSL)

One-way SSL authentication is a standard authentication mode, where your client device verifies the identity of a server using server certificate.

Follow the MQTT over SSL guide to provision server certificate if you are hosting your own IoT Hub instance.

Once provisioned, you should prepare a CA root certificate in pem format. This certificate will be used by mqtt client to validate the server certificate. Save the CA root certificate to your working directory as “ca-root.pem”. An example of CA root certificate for iothub.magenta.at is located here.

Now you may use the ca-root.pem to setup secure connection to your IoT Hub instance (iothub.magenta.at) and Access Token (YOUR_ACCESS_TOKEN) to authenticate the device to upload telemetry:

mosquitto_pub --cafile ca-root.pem -d -q 1 -h "iothub.magenta.at" -p "8883" \
-t "v1/devices/me/telemetry" -u "YOUR_ACCESS_TOKEN" -m {"temperature":25}