Overview
Authentication ensures that only trusted users, services, and devices can connect to MAPS Messaging.
It provides a flexible framework where different protocols and interfaces can use different authentication methods, depending on your security needs.
Key Principles
- Pluggable providers — choose the right backend (built-in, LDAP, Cognito, etc.) for your deployment.
- Per-interface control — each listener (MQTT, AMQP, NATS, REST, etc.) can reference a different authentication policy.
- Protocol-aware — works consistently across MQTT, AMQP, NATS, STOMP, CoAP, and REST.
- Separation of concerns — authentication is configured once, then referenced by name, avoiding duplication.
Supported Authentication Methods
MAPS supports a wide range of authentication providers:
- Built-in authentication (local users & roles)
- Apache .htpasswd / .htgroup files
- Unix / system accounts
- LDAP / Active Directory
- Auth0 (OIDC)
- AWS Cognito (OIDC / JWT)
- Certificate-based (mTLS) — client certificate validation
Per-Interface Flexibility
Authentication can be specified per interface.
For example, you might run:
- NATS open to anonymous clients for internal testing
- MQTT over TLS with username/password for IoT devices
- REST API with OIDC integration (Auth0 or Cognito)
- AMQP with LDAP for enterprise integration
This makes it possible to mix and match authentication methods within the same server instance.
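A mixed deployment like the one above is worth auditing mechanically. The following added example (not MAPS Messaging code or configuration) checks a constructed listener inventory for three problems: a listener referencing an undefined policy name, anonymous access bound beyond loopback, and an authenticated listener without TLS. The inventory layout, field names and method labels are assumptions made for the example.

```python
import ipaddress

# Constructed sample inventory. Field names and method labels are assumptions
# made for this example; they are NOT the MAPS Messaging configuration schema.
POLICIES = {
    "anon": {"method": "anonymous"},
    "devices": {"method": "htpasswd"},
    "corp": {"method": "ldap"},
    "sso": {"method": "oidc"},
}
LISTENERS = [
    {"name": "nats-test", "protocol": "nats", "bind": "127.0.0.1", "tls": False, "auth": "anon"},
    {"name": "nats-lab", "protocol": "nats", "bind": "0.0.0.0", "tls": False, "auth": "anon"},
    {"name": "mqtt-iot", "protocol": "mqtt", "bind": "0.0.0.0", "tls": True, "auth": "devices"},
    {"name": "amqp-ent", "protocol": "amqp", "bind": "10.0.0.5", "tls": False, "auth": "corp"},
    {"name": "rest-api", "protocol": "rest", "bind": "0.0.0.0", "tls": True, "auth": "sso-prod"},
]


def audit(listeners, policies):
    """Return sorted (listener, finding) pairs for risky auth bindings."""
    findings = []
    for lst in listeners:
        policy = policies.get(lst["auth"])
        if policy is None:
            # Policies are referenced by name, so a typo leaves a dangling reference.
            findings.append((lst["name"], "references undefined policy"))
            continue
        if policy["method"] == "anonymous":
            # Anonymous access is only tolerated on loopback-bound test listeners.
            if not ipaddress.ip_address(lst["bind"]).is_loopback:
                findings.append((lst["name"], "anonymous access on non-loopback bind"))
        elif not lst["tls"]:
            # Passwords, bearer tokens and LDAP binds are all exposed in cleartext.
            findings.append((lst["name"], "authenticated listener without TLS"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(LISTENERS, POLICIES):
        print(f"{name}: {finding}")
```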
Choosing the Right Method
| Scenario | Recommended method |
|---|---|
| Local test setups, simple labs | Built-in auth |
| Reuse existing Apache setups | .htpasswd / .htgroup |
| Tight OS-level control | Unix system accounts |
| Enterprise identity management | LDAP / Active Directory |
| SaaS / cloud identity | Auth0 |
| AWS-native environments | AWS Cognito |
| High-security device identity | Certificate-based (mTLS) |