diff --git a/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf
index 2584c4e3c..684421e71 100644
--- a/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf
+++ b/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf
@@ -21,14 +21,14 @@ emqx_authn_jwt {
 }
 }
- certificate {
+ public_key {
 desc {
 en: """The public key used to verify the JWT."""
 zh: """用于验证 JWT 的公钥。"""
 }
 label {
- en: """Certificate"""
- zh: """证书"""
+ en: """Public Key"""
+ zh: """公钥"""
 }
 }
@@ -123,7 +123,7 @@ emqx_authn_jwt {
 server_name_indication {
 desc {
 en: """Server Name Indication (SNI)."""
- zh: """服务器名称指示(SNI),未指定时将使用 endpoint 作为 SNI。"""
+ zh: """服务器名称指示(SNI)。"""
 }
 label {
 en: """Server Name Indication"""
@@ -133,8 +133,20 @@ emqx_authn_jwt {
 verify_claims {
 desc {
- en: """The list of claims to verify."""
- zh: """The list of claims to verify."""
+ en: """
+A list of custom claims to validate, which is a list of name/value pairs.
+Values can use the following placeholders:
+- ${username}: Will be replaced at runtime with Username used by the client when connecting
+- ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting
+Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in verify_claims.
+"""
+ zh: """
+需要验证的自定义声明列表,它是一个名称/值对列表。
+值可以使用以下占位符:
+- ${username}: 将在运行时被替换为客户端连接时使用的用户名
+- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符
+认证时将验证 JWT(取自 Password 字段)中 claims 的值是否与 verify_claims 中要求的相匹配。
+"""
 }
 label {
 en: """Verify Claims"""
@@ -142,17 +154,6 @@ emqx_authn_jwt {
 }
 }
- pool_size {
- desc {
- en: """JWKS connection count."""
- zh: """JWKS 连接数量。"""
- }
- label {
- en: """Pool Size"""
- zh: """连接池大小"""
- }
- }
 ssl {
 desc {
 en: """SSL options."""
diff --git a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf
index b96544f29..0bb4b6984 100644
--- a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf
+++ b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf
@@ -35,15 +35,15 @@ emqx_authn_mongodb {
 desc {
 en: """
 Statement that is executed during the authentication process.
-Commands can support following wildcards:\n
-- `${username}`: substituted with client's username\n
-- `${clientid}`: substituted with the clientid
+Commands can support following wildcards:
+- ${username}: Will be replaced at runtime with Username used by the client when connecting
+- ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting
 """
 zh: """
 认证过程中所使用的查询命令。
 查询命令支持如下占位符:
-- `${username}`: 将在运行时被替换为客户端连接时使用的用户名
-- `${clientid}`: 将在运行时被替换为客户端连接时使用的客户端标识符
+- ${username}: 将在运行时被替换为客户端连接时使用的用户名
+- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符
 """
 }
 label: {
diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
index 58c51facb..f5a4c16a6 100644
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@@ -66,13 +66,12 @@ fields('public-key') ->
 {use_jwks, sc(hoconsc:enum([false]), #{required => true, desc => ?DESC(use_jwks)})},
 {algorithm, sc(hoconsc:enum(['public-key']), #{required => true, desc => ?DESC(algorithm)})},
- {certificate, fun certificate/1}
+ {public_key, fun public_key/1}
 ] ++ common_fields();
 fields('jwks') ->
 [
 {use_jwks, sc(hoconsc:enum([true]), #{required => true, desc => ?DESC(use_jwks)})},
 {endpoint, fun endpoint/1},
- {pool_size, fun pool_size/1},
 {refresh_interval, fun refresh_interval/1},
 {ssl, #{ type => hoconsc:union([
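Review bot: The `'public-key'` and `'jwks'` field lists rename `certificate` to `public_key` and drop `pool_size` without keeping the old keys in any form, so an existing authenticator config that still carries `certificate` or `pool_size` will no longer match this schema after an upgrade (rejected as an unknown field, if the schema is strict about unknown keys). Worth either accepting the old names as deprecated aliases — hocon field metadata has a `deprecated` attribute for this, if the version in use supports it — or adding a config converter and a changelog entry that describes the migration. The same rename is reflected in the first hunk of emqx_authn_jwt_i18n.conf and in the SUITE hunk. `fields/1` continues outside this hunk on both sides.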
@@ -125,10 +124,10 @@ secret_base64_encoded(desc) -> ?DESC(?FUNCTION_NAME);
 secret_base64_encoded(default) -> false;
 secret_base64_encoded(_) -> undefined.
-certificate(type) -> string();
-certificate(desc) -> ?DESC(?FUNCTION_NAME);
-certificate(required) -> ture;
-certificate(_) -> undefined.
+public_key(type) -> string();
+public_key(desc) -> ?DESC(?FUNCTION_NAME);
+public_key(required) -> ture;
+public_key(_) -> undefined.
 endpoint(type) -> string();
 endpoint(desc) -> ?DESC(?FUNCTION_NAME);
@@ -179,12 +178,6 @@ verify_claims(required) ->
 verify_claims(_) -> undefined.
-pool_size(type) -> integer();
-pool_size(desc) -> ?DESC(?FUNCTION_NAME);
-pool_size(default) -> 8;
-pool_size(validator) -> [fun(I) -> I > 0 end];
-pool_size(_) -> undefined.
 %%------------------------------------------------------------------------------
 %% APIs
 %%------------------------------------------------------------------------------
@@ -294,10 +287,10 @@ create2(#{
 create2(#{
 use_jwks := false,
 algorithm := 'public-key',
- certificate := Certificate,
+ public_key := PublicKey,
 verify_claims := VerifyClaims
 }) ->
- JWK = create_jwk_from_pem_or_file(Certificate),
+ JWK = create_jwk_from_public_key(PublicKey),
 {ok, #{
 jwk => JWK,
 verify_claims => VerifyClaims
@@ -320,15 +313,14 @@ create2(
 verify_claims => VerifyClaims
 }}.
-create_jwk_from_pem_or_file(CertfileOrFilePath) when
- is_binary(CertfileOrFilePath);
- is_list(CertfileOrFilePath)
+create_jwk_from_public_key(PublicKey) when
+ is_binary(PublicKey); is_list(PublicKey)
 ->
- case filelib:is_file(CertfileOrFilePath) of
+ case filelib:is_file(PublicKey) of
 true ->
- jose_jwk:from_pem_file(CertfileOrFilePath);
+ jose_jwk:from_pem_file(PublicKey);
 false ->
- jose_jwk:from_pem(iolist_to_binary(CertfileOrFilePath))
+ jose_jwk:from_pem(iolist_to_binary(PublicKey))
 end.
 connector_opts(#{ssl := #{enable := Enable} = SSL} = Config) ->
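Review bot: `public_key(required) -> ture;` carries the existing `ture` typo into the renamed field spec, so the atom the schema sees is not `true` and the field is not actually declared required as intended; the one-line fix is `public_key(required) -> true;`. Because the `create2/1` clause later in this file pattern-matches `public_key := PublicKey` unconditionally, a config that omits the key would presumably fail at create time with a match error instead of a clear validation error from the schema. The SUITE hunk only exercises the case where the key is present, so a test for the missing-key case would lock the fix in.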
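Review bot: `filelib:is_file(PublicKey)` in `create_jwk_from_public_key/1` returns true for directories as well as regular files, so a configured path that names a directory is routed to `jose_jwk:from_pem_file/1` instead of being reported as an invalid key; `filelib:is_regular(PublicKey)` is the precise check here. The rename from `create_jwk_from_pem_or_file` also hides that the value is tried as a file path first and only otherwise treated as inline PEM text, which is worth stating on the function, e.g. `%% PublicKey is either a path to a PEM file or the PEM text itself; an existing path wins.` The `public_key` description in emqx_authn_jwt_i18n.conf only says "The public key used to verify the JWT." and could say the same.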
diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
index f7534b880..670ffe6fb 100644
--- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
@@ -174,7 +174,7 @@ t_jwt_authenticator_public_key(_) ->
 mechanism => jwt,
 use_jwks => false,
 algorithm => 'public-key',
- certificate => PublicKey,
+ public_key => PublicKey,
 verify_claims => []
 },
 {ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config),