JWT Error 401, 40x #335

Open
bleur opened this issue Sep 12, 2024 · 5 comments

bleur commented Sep 12, 2024

Hi,
I am trying to configure the Mosquitto broker to work with Keycloak, but problems and errors occur when trying to log in from Mosquitto to Keycloak. 401 and 405 errors are returned, so that after some time the account is blocked.
Could you help me?
This is my local config for Mosquitto JWT.

log_type  all
listener 1883

auth_plugin /mosquitto/go-auth.so
auth_opt_log_level trace

auth_opt_backends jwt
auth_opt_jwt_mode remote


auth_opt_jwt_host keycloak.server
auth_opt_jwt_port 443
auth_opt_jwt_getuser_uri  /auth/realms/mosquitto/protocol/openid-connect/userinfo
#auth_opt_jwt_superuser_uri /auth/realms/mosquitto/protocol/openid-connect/userinfo
#auth_opt_jwt_superuser_uri
auth_opt_jwt_aclcheck_uri /auth/realms/mosquitto/protocol/openid-connect/userinfo
auth_opt_jwt_with_tls true
#auth_opt_jwt_verify_peer
auth_opt_jwt_response_mode status
auth_opt_jwt_params_mode json
#auth_opt_jwt_user_agent        mosquitto
auth_opt_jwt_with_tls true
#auth_opt_jwt_http_method GET
#auth_opt_jwt_host_whitelist keycloak.server
Owner

iegomez commented Sep 12, 2024

I've never used Keycloak, so I'd suggest checking logs to see what's going on.

Author

bleur commented Sep 13, 2024

> I've never used Keycloak, so I'd suggest checking logs to see what's going on.

Keycloak logs or mosquitto?

Mosquitto logs

mosquitto-go-auth | 1725978815: mosquitto version 2.0.15 starting
mosquitto-go-auth | 1725978815: Config loaded from /etc/mosquitto/mosquitto.conf.
mosquitto-go-auth | 1725978815: Loading plugin: /mosquitto/go-auth.so
mosquitto-go-auth | 1725978815:  ├── Username/password checking enabled.
mosquitto-go-auth | 1725978815:  ├── TLS-PSK checking enabled.
mosquitto-go-auth | 1725978815:  └── Extended authentication not enabled.
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="log_level unkwown, using default info level"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=warning msg="unknown or empty hasher, defaulting to PBKDF2"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="Backend registered: JWT"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="registered acl checker: jwt"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="registered user checker: jwt"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="registered superuser checker: jwt"
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="No cache set."
mosquitto-go-auth | 1725978815: Opening ipv4 listen socket on port 1883.
mosquitto-go-auth | 1725978815: Opening ipv6 listen socket on port 1883.
mosquitto-go-auth | 1725978815: mosquitto version 2.0.15 running
mosquitto-go-auth | 1725978817: New connection from 10.37.12.13:51441 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:33:37Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725978817: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
mosquitto-go-auth | 1725978817: Client mqtt-explorer-6df666e6 disconnected, not authorised.
mosquitto-go-auth | 1725978836: New connection from 10.37.12.13:51471 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:33:56Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725978836: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
mosquitto-go-auth | 1725978836: Client mqtt-explorer-6df666e6 disconnected, not authorised.
mosquitto-go-auth | 1725979043: New connection from 10.37.12.13:51537 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:37:23Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725979043: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
mosquitto-go-auth | 1725979043: Client mqtt-explorer-6df666e6 disconnected, not authorised.
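
A triage sketch for the log excerpt above, added here as an example (not code from mosquitto-go-auth or from either participant). It pairs each backend `error code` line with the refused CONNACK that follows it, so the rejections that precede the account block are counted per client, and it surfaces the plugin's `log_level` fallback message. The `summarize` function and the embedded sample (constructed from lines posted above) are assumptions of this example, as is the simplification that only one client connects at a time.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE = '''\
mosquitto-go-auth | time="2024-09-10T14:33:35Z" level=info msg="log_level unkwown, using default info level"
mosquitto-go-auth | 1725978817: New connection from 10.37.12.13:51441 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:33:37Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725978817: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
mosquitto-go-auth | 1725978836: New connection from 10.37.12.13:51471 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:33:56Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725978836: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
mosquitto-go-auth | 1725979043: New connection from 10.37.12.13:51537 on port 1883.
mosquitto-go-auth | time="2024-09-10T14:37:23Z" level=info msg="error code: 401"
mosquitto-go-auth | 1725979043: Sending CONNACK to mqtt-explorer-6df666e6 (0, 5)
'''

NEW_CONN = re.compile(r"(\d+): New connection from ([\d.]+):\d+ on port")
HTTP_ERR = re.compile(r'msg="error code: (\d{3})"')
CONNACK = re.compile(r"(\d+): Sending CONNACK to (\S+) \(\d+, (\d+)\)")
FALLBACK = re.compile(r'msg="(log_level [^"]*using default[^"]*)"')

def summarize(text):
    """Correlate backend HTTP errors with refused CONNECTs, per client id."""
    clients = defaultdict(lambda: {"rejected": 0, "http": [], "ips": set(), "times": []})
    notes, ip, status = [], None, None
    for line in text.splitlines():
        if m := FALLBACK.search(line):
            notes.append(m.group(1))      # configured log level was not applied
        elif m := NEW_CONN.search(line):
            ip, status = m.group(2), None
        elif m := HTTP_ERR.search(line):
            status = int(m.group(1))      # HTTP status returned by the JWT backend
        elif m := CONNACK.search(line):
            if int(m.group(3)) != 0:      # non-zero CONNACK return code = refused
                c = clients[m.group(2)]
                c["rejected"] += 1
                c["times"].append(int(m.group(1)))
                if ip: c["ips"].add(ip)
                if status: c["http"].append(status)
            ip, status = None, None
    return dict(clients), notes

if __name__ == "__main__":
    clients, notes = summarize(SAMPLE)
    for cid, c in clients.items():
        span = c["times"][-1] - c["times"][0]
        print(f"{cid}: {c['rejected']} refused in {span}s, HTTP {c['http']}, from {sorted(c['ips'])}")
    print("config notes:", notes)
```
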

Owner

iegomez commented Sep 13, 2024

I mean anything you can get your hands on. Turn on debug logging, maybe stand up a local instance of Keycloak and check traffic, etc.
I'm sorry but you'll have to debug this, I can't help you.

iegomez closed this as completed Sep 13, 2024
iegomez reopened this Sep 13, 2024

Owner

iegomez commented Sep 13, 2024

Sorry, I closed by mistake. As I said, you'll need to gather all info you can and only then I could try to help if you still haven't caught the issue.

Author

bleur commented Sep 13, 2024

OK, I will try to debug it and collect logs.
