
Create a realm

Create a new realm for your IoT network within Keycloak with default settings. 

Create a client for Border Gateway

  1. Create a new client (e.g. call it "bgw_client")
  2. Go to tab "Settings" and set "Implicit Flow Enabled" to ON
  3. Go to tab "Mappers" and create the following two attribute mappers:
    • User attribute mapper. Token Claim Name must be bgw_rules
    • Group attribute mapper. Token Claim Name must be group_bgw_rules

Add rules to users and groups

Rules are defined as attributes that are then included in the access token. The rule format allows the wildcards # and + in the same way they are commonly used for MQTT topics. Here are some examples:

  • Rule HTTP/GET/<local_domain>/8080/building1/#
    • Allowed: GET https://<external_domain>/building1/floor1/temperature
    • Allowed: GET https://<external_domain>/building1/floor2
    • Denied: GET https://<external_domain>/building2/floor1
  • Rule MQTT/SUB/<local_domain>/1883/building1/+/temperature
    • Allowed: SUB mqtts://<external_domain>:8883/building1/floor1/temperature
    • Denied: SUB mqtts://<external_domain>:8883/building2/floor2/temperature
    • Denied: SUB mqtts://<external_domain>:8883/building1/floor3/humidity

Add a user attribute with the same key that is set as the User Attribute in the user attribute mapper (i.e. bgw_rules). Multiple rules should be separated with spaces.

Add rules as group attributes with the same key that is set in the group attribute mapper (i.e. group_bgw_rules). Multiple rules should be separated with spaces.

Create an anonymous user

Create a new user with username "anonymous" and set the password to "anonymous". Add an attribute to the user anonymous with key "bgw_rules" and value "HTTP/# MQTT/#". This grants any client that connects to the Border Gateway without authenticating full access to your HTTP and MQTT services. See the Configuration documentation on how to limit that access.
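To make the rule semantics above concrete (the # and + wildcards, space-separated rules in the bgw_rules and group_bgw_rules claims, and the blanket "HTTP/# MQTT/#" anonymous rule), here is an added Python matcher that evaluates the examples from this page. It is illustrative code written for this page, not the Border Gateway's own implementation. It assumes MQTT topic-filter semantics (+ matches exactly one level, # matches the remaining zero or more levels and must be last), that the gateway has already mapped the external host and port onto the internal target before matching, and that the effective rule set is the union of the user's and the group's claims; the domain and port values are constructed samples.

```python
"""Illustrative matcher for Border Gateway-style rules carried in a Keycloak
access token.  Added example, not the gateway's own code.  Assumptions:
rules are whitespace-separated, and # / + behave as in MQTT topic filters."""

from typing import Iterable, List

# Constructed sample value; the real local domain comes from the gateway config.
LOCAL_DOMAIN = "iot.internal.example"


def parse_rules(claim_value: str) -> List[str]:
    """Split a bgw_rules / group_bgw_rules claim value into individual rules."""
    return claim_value.split()


def rule_matches(rule: str, request: str) -> bool:
    """MQTT-style match of one rule against one canonical request string.

    Both are '/'-separated.  '+' matches exactly one level; '#' matches the
    remaining levels (zero or more) and is only valid as the last level.
    """
    rule_parts = rule.split("/")
    req_parts = request.split("/")
    for i, rp in enumerate(rule_parts):
        if rp == "#":
            # '#' must be the final level; a rule with anything after it is malformed.
            return i == len(rule_parts) - 1
        if i >= len(req_parts):
            return False  # rule is more specific than the request
        if rp != "+" and rp != req_parts[i]:
            return False
    # No '#' consumed the tail, so the request must have exactly as many levels.
    return len(req_parts) == len(rule_parts)


def request_string(protocol: str, method: str, port: int, path: str) -> str:
    """Build the canonical form a request is matched against.

    Assumes the gateway has already translated the external host/port the
    client used (e.g. mqtts on 8883) into the internal domain and port.
    """
    return f"{protocol}/{method}/{LOCAL_DOMAIN}/{port}/{path.strip('/')}"


def is_allowed(rules: Iterable[str], request: str) -> bool:
    """Default deny: the request passes only if at least one rule matches."""
    return any(rule_matches(r, request) for r in rules)


def effective_rules(user_claim: str, group_claim: str) -> List[str]:
    """Union of the user's bgw_rules and the group's group_bgw_rules claims."""
    return parse_rules(user_claim) + parse_rules(group_claim)


if __name__ == "__main__":
    # Constructed claims: the user carries the HTTP rule, the group the MQTT rule.
    rules = effective_rules(
        f"HTTP/GET/{LOCAL_DOMAIN}/8080/building1/#",
        f"MQTT/SUB/{LOCAL_DOMAIN}/1883/building1/+/temperature",
    )
    for proto, meth, port, path in [
        ("HTTP", "GET", 8080, "building1/floor1/temperature"),
        ("HTTP", "GET", 8080, "building2/floor1"),
        ("MQTT", "SUB", 1883, "building1/floor1/temperature"),
        ("MQTT", "SUB", 1883, "building1/floor3/humidity"),
    ]:
        verdict = "Allowed" if is_allowed(rules, request_string(proto, meth, port, path)) else "Denied"
        print(f"{verdict}: {meth} {path}")
```

The matcher is deliberately default-deny, which is why the anonymous user needs an explicit "HTTP/# MQTT/#" to see anything at all; replacing that value with narrower rules (for example only a read-only HTTP path) is the mechanism the Configuration documentation refers to for limiting anonymous access.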
