MQTT 5.0 Enhanced Authentication - SCRAM

This authenticator implements Salted Challenge Response Authentication Mechanism (SCRAM) authentication and uses the built-in database of EMQX to store client credentials (users).

SCRAM is a more complicated mechanism than password verification. It requires exchanging additional MQTT packages during connection. SCRAM authentication does not depend on external data sources, and it is simple and lightweight to use.

TIP

SCRAM authenticator only supports MQTT 5.0 connection.

Configure with Dashboard

On the EMQX Dashboard, click Access Control -> Authentication on the left navigation menu.
Click Create at the top right corner, then click to select SCRAM as Mechanism, and Built-in Database as Backend. This will lead you to the Configuration tab.
Configure the following settings for the authentication backend:
- Password Hash: Select the password hash algorithm: sha256 or sha512.
- Iteration Count: This parameter defines the number of iterations used in the SCRAM authentication process to hash the password. A higher iteration count increases security by making the hashing process more computationally expensive, thereby slowing down brute force attacks. The default value is 4096. Adjusting this value can impact performance and security, so it should be configured based on your system's needs.
- Precondition: A Variform expression used to control whether this Built-in Database authenticator should be applied to a client connection. The expression is evaluated against attributes from the client (such as username, clientid, listener, etc.). The authenticator will only be invoked if the expression evaluates to the string "true". Otherwise, it will be skipped. For more information about the precondition, see Authentication Preconditions.
Click Create to finish the settings.

Configure with Configuration Items

Sample configuration:

hcl

{
    mechanism = scram
    backend = built_in_database
    algorithm = sha512
    iteration_count = 4096
}

where,

algorithm: password hash algorithm, options: sha256 and sha512
iteration_count (optional): Iteration-count parameter for SCRAM; Default: 4096

Authentication Flow

scram_workflow

Installation Guide

Publish/Subscribe

Client SDK

REST API

Configure Load Balancer

Performance and Tuning

Network and TLS

Authentication

Password-Based Authentication

Authorization

Smart Data Hub

Schema Registry

LLM-Based MQTT Data Processing

Configuration Files

EMQX Dashboard

Monitoring

Access Control

Integration

Management

Single Sign-On (SSO)

Namespace

Logs and Observability

Integrate with OpenTelemetry

Plugin and Extension

Plugins

MQTT over QUIC

Cluster Linking

File Transfer over MQTT

Multi-Protocol Gateway

JT/T 808 Gateway

MQTT Guide

Design and Implementation

Incompatible Changes between EMQX 4.4 and EMQX 5.1

MQTT 5.0 Enhanced Authentication - SCRAM

Configure with Dashboard

Configure with Configuration Items

Authentication Flow

Password-Based Authentication

Schema Registry

Monitoring

Access Control

Integration

Management

Integrate with OpenTelemetry

Plugins

JT/T 808 Gateway

MQTT 5.0 Enhanced Authentication - SCRAM ​

Configure with Dashboard ​

Configure with Configuration Items ​

Authentication Flow ​

MQTT 5.0 Enhanced Authentication - SCRAM

Configure with Dashboard

Configure with Configuration Items

Authentication Flow