InfluxDB Line Protocol Authentication works by using an elliptic curve P-256 JSON Web Token (JWT) to sign a server challenge. This page shows how to authenticate clients with QuestDB when using InfluxDB line protocol for the TCP endpoint.
If you are using the QuestDB Enterprise edition, setting up authentication for InfluxDB Line Protocol as described on this page is not necessary. QuestDB Enterprise comes with built-in, advanced security features that handle authentication and authorization, providing a streamlined and secure experience out-of-the-box.
QuestDB should be running and accessible. Not running? Checkout the quick start.
The jose package is a C-language
be used for convenience to generate cryptographic keys. It's also recommended to
install jq for parsing the JSON
output from the keys generated by
In order to use this feature, you need to create an authentication file using the following template:
Only elliptic curve (P-256) are supported (key type
authentication file can be generated using the
jose utility with the following
Once you created the file, you will need to reference it in the server configuration:
For the server configuration above, the corresponding JSON Web Key must be stored on the client side. When sending a fully-composed JWK, it will have the following keys:
For this kind of key, the
d property is used to generate the the secret key.
y parameters are used to generate the public key (values that we
retrieve in the server authentication file).
The server will now expect the client to send its key id (terminated with
connect(). The server will respond with a challenge (printable
characters terminated with
\n). The client needs to sign the challenge and
respond to the server with the
base64 encoded signature (terminated with
\n). If all is good the client can then continue, if not the server will
disconnect and log the failure.