Both authentication methods in a property
You can configure both JWT and mutual authentication as authentication methods in a property. You can either configure both behaviors in the default rule, so that one device can use either method, or both in the same request, to reach different resources, or you can add separate authentication rules to your property configuration, so that some devices use mutual authentication and other devices use JWTs.
Both authentication methods in a default rule
To allow an IoT device to use either authentication method in a request to get access to topics, you can configure both JWT and mutual authentication behaviors in the default rule of your property.
You need to make sure that the two authentication methods don't overlap in the authorization data they extract from JWTs and client certificates. To do so, configure one authentication behavior to extract client IDs and the other to extract authorization groups. That way, an IoT device that presents both credentials gets access to resources controlled by authorization groups and to resources controlled by client IDs in one request.
You can't configure a property to extract the same authorization data with both authentication methods in the default rule.
For example, this default rule configuration lets a device access different resources depending on how it authenticates its requests. In some requests, the device uses JWTs to get access to regular topics based on the authorization groups extracted from these tokens. In other requests, it uses client certificates to get access to identity topics based on the client IDs extracted from these certificates. In yet other requests, it presents both credentials and gets access to resources based on the authorization groups extracted from the JWT and the client ID extracted from the client certificate.
Default rule with JWT and mutual authentication behaviors
Both authentication methods in authentication rules
To allow some IoT devices to authorize requests with mutual authentication and some other devices with JWTs, you can configure the JWT and mutual authentication behaviors in your property, each in a separate rule. This lets you match requests based on the authentication method that the device uses and extract authorization details with the relevant configuration.
The Authentication with a client certificate rule is the first rule that you need to configure in your property. It includes two mutual authentication behaviors that you can configure to extract a client ID and authorization groups from client certificates. This rule's match criteria only apply the mutual authentication configuration to requests that present client certificates in the authorization process. If no client certificate is present in the request, the rule lets the Authentication without a client certificate rule handle it.
The Authentication without a client certificate rule is the other rule that you need to configure in your property. It includes the JWT behavior that you can configure to extract a client ID and authorization groups from JWTs passed in the requests. This rule's match criteria only apply the JWT configuration to requests that don't present client certificates to the edge servers in the authorization process.
- In the Property Configuration Settings section, click Add Rule.
- From the list of available rules, select Authentication with a client certificate.
  A rule with two mutual authentication behaviors appears.
- Verify that the match criteria apply to all requests that present a Client certificate and that the Provided box is checked.
- Depending on your configuration, set up the mutual authentication behaviors to extract client IDs, authorization groups, or both from client certificates.
  You can also add variable hash, variable regex, and variable substring transformation behaviors to manage variables extracted from a client certificate. See Configure the Mutual Authentication behavior.
- In the Property Configuration Settings section, click Add Rule.
- From the list of available rules, select Authentication without a client certificate.
  A rule with the JWT behavior appears.
- Verify that the match criteria apply to all requests that don't present a Client certificate and that the Provided box is unchecked.
- Depending on your configuration, set up the JWT behavior to extract client IDs, authorization groups, or both from the JWTs passed in requests.
Example
Suppose you have two IoT devices, one authorizing its requests with a client certificate and the other with JWTs. For the first device's requests, the property matches the Authentication with a client certificate rule, uses the mutual authentication configuration to extract both a client ID and authorization groups, and grants access to the relevant resources based on this authorization data. For the other device's requests, the property matches the Authentication without a client certificate rule, uses the JWT configuration to extract both a client ID and authorization groups, and grants access to the relevant resources based on this authorization data. Because the rules are matched on whether a client certificate is present, a request that presents a certificate is never evaluated by the JWT rule.
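As an added example, not Akamai's code or configuration (the real behaviors run on the edge servers), the following Python models the two layouts described on this page: the default-rule layout, where each behavior extracts a different kind of authorization data and a single request may carry a certificate, a JWT, or both, and the two-rule layout, where the presence of a client certificate selects which rule handles the request. The HS256 shared secret, the dict standing in for an already-validated certificate subject (CN as client ID, OU as authorization groups), the JWT claim names, and the topic ACL are all assumptions made for this example.

```python
"""Constructed model of combining JWT and mutual authentication in one property.
Added example, not Akamai code: the edge servers evaluate the real behaviors,
and the client certificate here is a dict standing in for a validated subject."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Set, Tuple

HS256_SECRET = b"constructed-shared-secret"  # assumption: HS256-signed JWTs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Mint a signed test token (what the device would present)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Pin the algorithm and check the HMAC before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(HS256_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad JWT signature")
    return json.loads(_b64url_decode(payload))


@dataclass
class Request:
    topic: str
    client_cert: Optional[dict] = None  # constructed: {"CN": "...", "OU": [...]}
    jwt: Optional[str] = None


AuthData = Tuple[Optional[str], Set[str]]  # (client ID, authorization groups)


def default_rule(req: Request) -> AuthData:
    """Both behaviors in the default rule, each extracting different data:
    mutual authentication -> client ID, JWT -> authorization groups.
    The request may carry either credential, or both for one combined result."""
    client_id = req.client_cert.get("CN") if req.client_cert else None
    groups = set(verify_jwt(req.jwt).get("groups", [])) if req.jwt else set()
    return client_id, groups


def authentication_rules(req: Request) -> AuthData:
    """Two rules matched on client-certificate presence; whichever matches
    extracts both the client ID and the groups from its own credential."""
    if req.client_cert is not None:
        # "Authentication with a client certificate" (Provided is checked).
        # The JWT rule never sees this request, so any JWT it carries is ignored.
        return req.client_cert["CN"], set(req.client_cert.get("OU", []))
    if req.jwt is not None:
        # "Authentication without a client certificate" (Provided is unchecked).
        claims = verify_jwt(req.jwt)
        return claims["sub"], set(claims.get("groups", []))
    raise PermissionError("request carries neither credential")


# Constructed ACL: regular topics are gated by an authorization group,
# identity topics (devices/<client ID>/...) by the client ID itself.
TOPIC_GROUPS = {"sensors/temperature": "sensors"}


def can_access(req: Request, auth: AuthData) -> bool:
    client_id, groups = auth
    parts = req.topic.split("/")
    if parts[0] == "devices":
        return client_id is not None and len(parts) > 1 and parts[1] == client_id
    return TOPIC_GROUPS.get(req.topic) in groups


if __name__ == "__main__":
    cert = {"CN": "dev-42", "OU": ["sensors"]}
    token = make_jwt({"sub": "dev-42", "groups": ["sensors"]})
    mixed = Request("sensors/temperature", client_cert=cert, jwt=token)
    print("default rule:", default_rule(mixed), can_access(mixed, default_rule(mixed)))
    print("auth rules:  ", authentication_rules(mixed))
```

The two layouts differ in what a mixed request yields: under the default rule the certificate only ever contributes the client ID and the JWT only the groups, so a certificate-only request cannot reach a group-gated topic; under the separate rules the certificate rule extracts both and the accompanying JWT is not evaluated at all, which is why a device carrying both should expect its certificate, not its token, to decide its access.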
Mutual authentication configuration in an authentication rule
JWT configured in an authentication rule
Updated about 2 years ago