Hello community! I have an interesting use case for JWT that I would like some feedback on.
My intent is to be able to verify a websocket request from a ‘headless’ client using the websocket api in node.
The library I am using for the websocket client/server is ws.js.
What I am doing is creating a custom header in the websocket client called ‘authenticate’.
The header value is a JWT. The JWT has a payload of a UUID string generated during device provisioning that is paired in the database with the device serial number hex value.
I use the serial number to sign the JWT.
Upon receiving the connection request over TLS, the websocket server decodes the payload and looks up the UUID in the database and returns device information including the serial number, if found.
Assuming the UUID is in the database, the server then attempts to verify the JWT using the serial number as the ‘secret’.
Assuming the verify function does not throw an error or otherwise fail to verify the token, the client is authenticated and the connection is allowed.
The only mechanism that I can think of for breaking this would be a brute force attack on the signature.