Migrate Your Business from GCP IoT Core 03|Use JSON Web Token (JWT) to Verify Device Credentials
In the previous articles, we introduced how to connect our GCP IoT Core devices to EMQX Cloud and secure the connections via TLS/SSL ports.
GCP IoT Core requires each device to present a JSON Web Token (JWT, RFC 7519). JWTs are used for short-lived authentication between devices and the MQTT bridges. When creating an MQTT client, the JWT must be passed in the password field of the CONNECT message. When connecting over HTTP, a JWT must be included in the header of each HTTP request.
EMQX Cloud supports JWT as an external authentication method. Devices can connect to EMQX Cloud with a password generated from the same key pair they originally used on the GCP IoT Core platform, which makes the migration as smooth as possible.
In this tutorial, you will learn how to connect GCP IoT Core devices to EMQX Cloud via JWT.
JWTs of GCP IoT Core
GCP IoT Core uses public key (or asymmetric) authentication.
- The device uses a private key to sign a JSON Web Token (JWT). The token is passed to GCP IoT Core as proof of the device's identity.
- The service uses the device public key (uploaded before the JWT is sent) to verify the device's identity.
JWT header
JWTs are composed of three sections: a header, a payload (containing a claim set), and a signature. The header and payload are JSON objects, which are serialized to UTF-8 bytes, then encoded using base64url encoding.
The JWT's header, payload, and signature are concatenated with periods. As a result, a JWT typically takes the following form:
{Base64url encoded header}.{Base64url encoded payload}.{Base64url encoded signature}
JWT claims
The JWT payload contains a set of claims, and it is signed using asymmetric keys. The JWT claim set contains information about the JWT, such as the target of the token, the issuer, the time the token was issued, and/or the lifetime of the token. Like the JWT header, the JWT claim set is a JSON object and is used in the calculation of the signature.
A JSON representation of the required reserved fields in a Cloud IoT Core JWT claim set is shown below:
{
"aud": "your-project",
"iat": 1509654401,
"exp": 1612893233
}
JWT signature
To compute the signature, sign the base64url-encoded header and the base64url-encoded claim set (joined by a period) with the private key (such as an rsa_private.pem file) using the algorithm declared in the header. The signature is then base64url-encoded and appended as the third segment, giving the complete JWT. The following example shows a JWT before base64url encoding:
{"alg": "RS256", "typ": "JWT"}.{"aud": "your-project", "iat": 1509654401, "exp": 1612893233}.[signature bytes]
To create a public/private key pair, use the following commands:
openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
- rsa_private.pem: The private key that must be securely stored on the device and used to sign the authentication JWT.
- rsa_public.pem: The public key that must be stored on the server (such as EMQX or Cloud IoT Core) and is used to verify the signature of the authentication JWT.
After the final encoding, the JWT looks like the following:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJlbXEteC1jbG91ZCIsImlhdCI6MTY2NjI0MTU1MSwiZXhwIjoxNjc0MTk3NDQxfQ.SqQsTDZ5kTxRxSnlGs3nHXFRG_Kdjh8GxlsAWyvY4emFB9HbHUH0FHRYbgEbDvFqEPSQWjGKHRz8oXtn2MJFkwQRVfZnhY2fqQuSnFqNc6iGuSqXb-A-v2bc97vuk_x4j-Hguak0sDXzrzj00bwEfOrn4VkkTCPUlgv9EDUZLAbz9PBt0M1WuMrOWKUXgR8Vg8zilZ0H6T8bT6SfxXqzd94C0APjVP4W8Y5-Vs39SCl1VbtqdKIseg6tQYkLbeJX81gOKC-cFI5MvMchqBrxpUqWahPEmcXYcLo-A6veVmMQ01TK-5uyuABXrsEMUGlE7LjwRbhTTtXfNT8WLMqJOw
In GCP IoT Core, each device connection requires at least one public key. You can get the public key file on the following page.
GCP IoT Core does not require a specific token generation method; a good collection of helper client libraries can be found on JWT.io. With one of these, you can generate the password (the encoded JWT) used for authentication when connecting the device.
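The following Go program is an added example, not code from the article, GCP or EMQX. It signs a token carrying the reserved claim set above with the device's RSA private key (RS256), and performs the check the broker does with the matching public key: signature, audience and expiry. The function names and the in-memory key generation are assumptions; a real device would load rsa_private.pem instead.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the reserved claim set GCP IoT Core requires: audience, issued-at, expiry.
type Claims struct {
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding // every JWT segment is unpadded base64url
// NewDeviceKey generates a 2048-bit RSA key (a real device loads rsa_private.pem instead).
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// SignJWT (device side): base64url(header).base64url(claims), signed with the private
// key as RS256 (RSASSA-PKCS1-v1_5 over SHA-256), with the base64url signature appended.
func SignJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyJWT (broker side): check the signature with the uploaded public key, always as
// RS256 whatever the header's alg claims, then reject a wrong aud or an exp already passed.
func VerifyJWT(pub *rsa.PublicKey, token, wantAud string, now int64) (c Claims, err error) {
	h, rest, _ := strings.Cut(token, ".")
	p, s, ok := strings.Cut(rest, ".")
	sig, errSig := b64.DecodeString(s)
	payload, errPay := b64.DecodeString(p)
	if !ok || errSig != nil || errPay != nil {
		return c, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(h + "." + p))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not match public key")
	}
	if json.Unmarshal(payload, &c) != nil || c.Aud != wantAud || now >= c.Exp {
		return c, errors.New("claims unreadable, wrong audience or token expired")
	}
	return c, nil
}
```

Because the verifier fixes the algorithm to RS256 and ignores the header's alg, a token whose header claims a different algorithm is still checked as RSA and fails rather than being downgraded.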
EMQX Cloud JWT Authentication
We will implement JWT authentication in the following steps.
In the left menu, go to Authentication & ACL - External Auth & ACL and select JWT Auth.
Choose password for the From field, and upload the public key (Pubkey) generated before. Leave the remaining fields at their defaults.
A popup tip appears if the configuration is saved successfully.
Connection Test
Here we use MQTTX, an MQTT client, to demonstrate a device connection to the broker. You can also use other methods to run the same test.
- Replace broker.emqx.io with your deployment's connection address, and fill in the Client ID (optional) of your device.
- Password: the encoded JWT token
Leave the remaining fields at their defaults. Click Connect; MQTTX switches to message mode once the connection succeeds.
Send a message to a topic (you don't need to register the topic in EMQX Cloud).
On the Monitor page, the GCP IoT device is shown connected to EMQX Cloud.
Summary
To sum up, EMQX Cloud JWT authentication can verify device credentials where your devices keep using the same public key, so that you can migrate the devices easily without resetting their passwords.
Other articles in this series
- Migrate Your Business from GCP IoT Core 01 | Create Deployment and Connect Devices
- Migrate Your Business from GCP IoT Core 02 | Enable TLS/SSL over MQTT to Secure Your Connection
- Migrate Your Business from GCP IoT Core 04|VPC Network Peering and Transfer Data to GCP
- Migrate Your Business from GCP IoT Core 05|Bridge Data to GCP Pub/Sub