Although the original protocol does not support it, we have added authentication over TCP for InfluxDB line protocol. This works by using an elliptic curve P-256 JSON Web Token (JWT) to sign a server challenge. This page shows how to authenticate clients with QuestDB when using InfluxDB line protocol for the TCP endpoint.
The jose package is a C-language
be used for convenience to generate cryptographic keys. It's also recommended to
install jq for parsing the JSON
output from the keys generated by
In order to use this feature, you need to create an authentication file using the following template:
Only elliptic curve (P-256) are supported (key type
authentication file can be generated using the
jose utility with the following
Once you created the file, you will need to reference it in the server configuration:
For the server configuration above, the corresponding JSON Web Key must be stored on the client side. When sending a fully-composed JWK, it will have the following keys:
For this kind of key, the
d property is used to generate the the secret key.
y parameters are used to generate the public key (values that we
retrieve in the server authentication file).
The server will now expect the client to send its key id (terminated with
connect(). The server will respond with a challenge (printable
characters terminated with
\n). The client needs to sign the challenge and
respond to the server with the
base64 encoded signature (terminated with
\n). If all is good the client can then continue, if not the server will
disconnect and log the failure.