Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.
425 questions
How to setup custom JWT authentication with Azure Event Grid namespace
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 18%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jarik Poplavski
0
Reputation points
Hello,
I am trying to configure custom JWT based authentication for MQTT clients as described in this guide Authenticate with namespaces using JSON Web Tokens.
As a prototype I use the client code example provided in https://github.com/Azure-Samples/MqttApplicationSamples, under jwt_authentication scenario. However, instead of Microsoft Entra ID JWT, I want use it with custom OAuth JWT.
Following the guide, I have registered the custom token issuer with my EG namespace and linked to is public certificate in a key vault. However, I have no success connecting my MQTT client using the issued tokens.
The behavior and logs seems to be different, depending on the MQTT v5 CONNECT packet value. The example above uses OAUTH2-JWT, and if I keep it, I see errors like this in the log space:
ValidateToken error: ValidateJwt client error. CorrelationId: d5d659a6-3832-4e43-ab8c-090b609ff88b. Message: IDX10214: Audience validation failed. Audiences: '$MY_MQTT_HOSTNAME$'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'https://eventgrid.azure.net, .. Reason: SecurityTokenInvalidAudienceException
Even if I follow the description from the documentation, eg. "Value must contain standard Event Grid namespace hostname". If I update the audience to https://eventgrid.azure.net, the authentication is still failing, but now with the following error:
ValidateToken error: ValidateJwt client error. CorrelationId: c1dd38eb-1b68-4308-8f04-510f554db7ac. Message: IDX40003: Neither
tidnortenantIdclaim is present in the token obtained from Microsoft identity platform. . Reason: SecurityTokenInvalidIssuerException
If I change MQTT v5 CONNECT packet value to CUSTOM_JWT, as described in Authentication using Custom JWT, the following error is logged in the EG log space:
OperationName: connect ResultSignature: ServiceError ResultDescription: Internal error has occurred AuthenticationType: AccessToken ClientIdentitySource: JWT ClientIdentity: ..as provided in my app.. SessionName: ..as provided in my app.. Protocol: MQTT5 Type: EGNFailedMqttConnections
and the MQTT client app registers a different MQTT error code: ReturnCode=ConnectionRefusedUnacceptableProtocolVersion, ReasonCode=ImplementationSpecificError.
Is there a way of getting more information about the errors to understand what the exact problem causing the authentication failures?
Thank you!
Best regards,
Jarik
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 40%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Khadeer Ali 3,510 Reputation points Microsoft Vendor2025-02-10T15:46:22.48+00:00 We are currently checking internally on this thread. We will review it once we receive the details from them.
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee2025-02-12T09:47:13.09+00:00 @Jarik Poplavski Thanks for your patience on this.
Based on the above shared information I understand that you are using custom JWT auth. So please use the following values for Authentication method:
And for Audience (aud) use the MQTT Namespace hostname, it will be like this “ xxxx.ts.eventgrid.azure.net”.
It appears that there is some confusion for valid audience values when using custom JWT auth I have shared the documentation feedback to the team internally to update the documentation with correct values to prevent the further confusion.
Hope this helps, let me know if you have any further questions.
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee
2025-02-13T10:58:04.8966667+00:00 @Jarik Poplavski Following up to see if you have a chance to check my previous response and helped. Do let me know if you have any further questions on this.
-
Jarik Poplavski 0 Reputation points
2025-02-14T10:30:53.49+00:00 I have tried again and still no success connecting to the MQTT with JWT.
Just to recap on my test setup:
- I have made an EG namespace, enabled MQTT broker with custom JWT auth.
- I have uploaded the certificate of my JWT issuer (used to sign JWT with) and connected it to EG
- The JWT token issued by my tool looks like this:
- I have added a client registration to the MQTT broker
- My MQTT client is using MQTTnet version 5.0.1.1416 and the connection configuration is done like this:
where token is my JWT byte-encoded with UTF8, MqttHostname is provided by the event grid namespace, and MqttAuthName is client identifying name, eg. DEVICE-CLIENT-123 (same as "sub" claim in the JWT). - While connecting, I can capture following logs from MQTTnet library:
- Just to confirm, if I use the very same client, but with configured X509 authentication, then everything is working as expected.
- I don't see any records in table EGNFailedMqttConnections
I don't know how to proceed from here or what I should validate in my setup.
Thank you for you assistance!
Best regards,
Jarik
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee
2025-02-14T11:01:27.4833333+00:00 @Jarik Poplavski Thanks for sharing more details. based on the shared information earlier in question we have looked at the backend logs and we see that
*"Managed identity SystemAssigned is configured for custom JWT auth, but this identity is not assigned to namespace *"
Could you please check and add system assigned identity to the namespace and give the permission to read certificate for Custom JWT validation in their Key VaultHope this helps, if you are still facing the issue could you please the requested details over the private message to check and assist you further on this.
How to access private message: https://learn.microsoft.com/en-us/answers/support/private-messages
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee
2025-02-17T10:51:39.2533333+00:00 @Jarik Poplavski Following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
-
Jarik Poplavski 0 Reputation points
2025-02-18T08:37:49.01+00:00 Hello!
I answered you private message with the requested information about the setup last Friday. It is still not working, do I need to provide more details?
Br. Jarik
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee
2025-02-18T08:56:43.7966667+00:00 @Jarik Poplavski Thanks for sharing the requested details let me check and update you accordingly.
-
Jarik Poplavski 0 Reputation points
2025-02-18T11:45:56.37+00:00 I have just managed to get the connection working with custom JWT. It started to work when I switched to an older version of MQTTnet, 4.3.2.930. Do you know if there is a known compatibility with MQTTnet 5.0.1?
Thank you!
-
VenkateshDodda-MSFT 23,791 Reputation points Microsoft Employee
2025-02-18T12:05:01.14+00:00 @Jarik Poplavski you can refer to this documentation about the list of limitation in MQTT V5 https://learn.microsoft.com/en-us/azure/event-grid/mqtt-support#mqttv5-current-limitations
Sign in to comment
Sign in to answer