我的书签
添加书签
移除书签JWT ACL
JWT ACL uses ACL rules from JWTs provided by a client during authentication. To keep JWTs reasonably small, clients using JWT ACL are not supposed to have many ACL rules.
Plugin:
emqx_auth_jwt
TIP
The emqx_auth_jwt authorization features are tightly coupled with authentication features.
ACL information stored in claims
To enable authorization via JWT one should specify claim name for searching ACL rules.
# etc/plugins/emqx_auth_jwt.conf## Server addressauth.jwt.acl_claim_name = acl
If the provided claim is not found in the JWT, no ACL check will be applied for this client, unless there are other ACL plugins or modules enabled.
Data structure
The data structure of ACL rules is the following:
{# ... payload claims ..."acl": {"sub": ["some/topic/for/sub/1","some/topic/for/sub/2"],"pub": ["some/topics/for/pub/1","some/topics/for/pub/2"],"all": ["some/topics/for/pubsub/1","some/topics/for/pubsub/2"]}}
pub, sub and all lists serve as whitelists for the corresponding operations.
You can use the following placeholders in topic whitelists:
- %u: Username
- %c: Client ID
For example:
{# ... payload claims ..."acl": {"pub": ["some/stats/%c"]}}
EMQX Broker will automatically interpolate topic names before checking ACL.
ACL expiration
JWT ACL engine will prohibit all operations after the deadline specified in exp JWT claim, so a client with an expired JWT has to reconnect with a fresh JWT.
To make ACL rules valid forever, a client may not provide exp claim at all.
WARING
- Using long-living JWTs is not considered secure.
- When ACL cache is enabled, the ACL rule’s expiration is either when the cache or JWT expires, whichever is the later.
