emqx_authn_jwt_schema {
acl_claim_name.desc:
"""The JWT claim that carries the ACL (Access Control List) rules for the token owner,
for example the `acl` claim. A decoded JWT carrying this claim looks like:
`{"username": "user1", "acl": ...}`.
Supported ACL rule formats:
- Object format:
The keys are the action types `pub` (publish), `sub` (subscribe) or `all` (both publish and subscribe),
and each value is a list of topic filters.
Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`.
This grants the token owner permission to publish to `topic1` and to both publish and subscribe
to topics under their own username.
Note: in this format, if no topic filter matches, the action is denied and the authorization process terminates.
- Array format (resembles the file-based ACL rules):
Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`.
Rules for the `pub` or `publish` action can additionally carry `qos` and `retain` fields,
and rules for the `sub` or `subscribe` action can additionally carry a `qos` field.
Note: in this format, if no rule matches, the action is not immediately denied.
The decision is passed on to the other configured authorization sources,
and ultimately falls back to the default permission in the `authorization.no_match` config.
Topic filters in the ACL claim are matched with the MQTT topic wildcard rules for publishing and subscribing.
A special syntax for the subscribe action, `eq`, demands an exact match instead:
for instance, `eq t/#` allows or denies subscribing to exactly `t/#`, but not to `t/1`."""
acl_claim_name.label:
"""ACL claim name"""
algorithm.desc:
"""JWT signing algorithm. Supports HMAC (configured as `hmac-based`)
and RSA or ECDSA (configured as `public-key`)."""
algorithm.label:
"""JWT Signing Algorithm"""
cacertfile.desc:
"""Path to a file containing PEM-encoded CA certificates."""
cacertfile.label:
"""CA Certificate File"""
certfile.desc:
"""Path to a file containing the client certificate."""
certfile.label:
"""Certificate File"""
enable.desc:
"""Enable/disable SSL."""
enable.label:
"""Enable/disable SSL"""
endpoint.desc:
"""JWKS endpoint: a read-only endpoint that returns the server's public key set in the JWKS format."""
endpoint.label:
"""JWKS Endpoint"""
from.desc:
"""The field of the MQTT CONNECT packet the JWT is taken from."""
from.label:
"""From Field"""
jwt_hmac.desc:
"""Configuration when the JWT for authentication is issued using the HMAC algorithm."""
jwt_jwks.desc:
"""Configuration when the keys used to verify the JWT are fetched from a JWKS endpoint."""
keyfile.desc:
"""Path to a file containing the user's private PEM-encoded key."""
keyfile.label:
"""Key File"""
jwt_public_key.desc:
"""Configuration when the JWT for authentication is issued using RSA or ECDSA algorithm."""
public_key.desc:
"""The public key used to verify the JWT."""
public_key.label:
"""Public Key"""
refresh_interval.desc:
"""JWKS refresh interval."""
refresh_interval.label:
"""JWKS Refresh Interval"""
secret.desc:
"""The key to verify the JWT using HMAC algorithm."""
secret.label:
"""Secret"""
secret_base64_encoded.desc:
"""Whether the secret is Base64 encoded."""
secret_base64_encoded.label:
"""Whether Secret is Base64 Encoded"""
server_name_indication.desc:
"""Server Name Indication (SNI)."""
server_name_indication.label:
"""Server Name Indication"""
ssl.desc:
"""SSL options."""
ssl.label:
"""SSL Options"""
use_jwks.desc:
"""Whether to use JWKS."""
use_jwks.label:
"""Whether to Use JWKS"""
verify.desc:
"""Enable or disable SSL peer verification."""
verify.label:
"""Verify"""
verify_claims.desc:
"""A list of custom claims to validate, given as name/value pairs.
Values can use the following placeholders:
- `${username}`: replaced at runtime with the username used by the client when connecting
- `${clientid}`: replaced at runtime with the client ID used by the client when connecting
Authentication verifies that the value of each listed claim in the JWT (taken from the field
configured in `from`, by default the password) matches the value required in `verify_claims`."""
verify_claims.label:
"""Verify Claims"""
}
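Worked example, added here and not EMQX's own code (which is Erlang): a stand-alone Python model of how the settings in this schema fit together. It mints and verifies HS256 tokens (the `hmac-based` algorithm setting), applies `verify_claims` with the `${username}` and `${clientid}` placeholders, and then evaluates the ACL claim in both the object and the array format, including `eq` exact matching and the `qos`/`retain` restrictions. `CONFIG`, `CLIENT`, `authorize()`, the demo secret and the sample tokens are constructed for this example; the three-valued result (`allow`, `deny`, `no_match`) makes the different no-match behaviour of the two formats visible.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample configuration mirroring the schema fields above. This is a
# stand-alone model of the documented behaviour, not EMQX's own (Erlang) code;
# CONFIG, CLIENT, authorize() and the demo secret are hypothetical.
SECRET = b"constructed-demo-secret-do-not-use"
CONFIG = {
    "acl_claim_name": "acl",
    "verify_claims": {"username": "${username}", "aud": "mqtt-broker"},
}
CLIENT = {"username": "user1", "clientid": "dev-001"}  # constructed connecting client

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    """Mint an HS256 JWT (the `hmac-based` algorithm setting) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and alg is pinned to HS256, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # never trust the token's own alg: blocks "none"/key-confusion tricks
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None

def expand(template: str, client: dict) -> str:
    """Substitute the ${username} / ${clientid} placeholders with the connecting client's values."""
    return template.replace("${username}", client["username"]).replace("${clientid}", client["clientid"])

def claims_ok(claims: dict, client: dict) -> bool:
    """verify_claims: every listed claim must be present and equal after placeholder expansion."""
    return all(claims.get(k) == expand(v, client) for k, v in CONFIG["verify_claims"].items())

def topic_matches(rule_filter: str, topic: str) -> bool:
    """MQTT wildcard match ('+' one level, '#' the rest); an 'eq ' prefix demands an exact string match."""
    if rule_filter.startswith("eq "):
        return rule_filter[3:] == topic
    parts, levels = rule_filter.split("/"), topic.split("/")
    for i, part in enumerate(parts):
        if part == "#":
            return True
        if i >= len(levels) or (part != "+" and part != levels[i]):
            return False
    return len(parts) == len(levels)

def acl_decision(acl, action: str, topic: str, client: dict, qos: int, retain: bool) -> str:
    """Return 'allow', 'deny' or 'no_match'; action is 'publish' or 'subscribe'."""
    if isinstance(acl, dict):
        # Object format: a per-action whitelist; anything not listed is a terminal deny.
        filters = acl.get("all", []) + acl.get("pub" if action == "publish" else "sub", [])
        return "allow" if any(topic_matches(expand(f, client), topic) for f in filters) else "deny"
    # Array format: the first matching rule decides; no match falls through to the next
    # authorization source and finally to authorization.no_match.
    for rule in acl:
        if rule["action"] not in ("all", action, action[:3]):  # pub/publish, sub/subscribe
            continue
        if "qos" in rule:  # optional qos restriction, a single value or a list
            allowed_qos = rule["qos"] if isinstance(rule["qos"], list) else [rule["qos"]]
            if qos not in allowed_qos:
                continue
        if action == "publish" and "retain" in rule and rule["retain"] not in ("all", retain):
            continue  # optional retain restriction: true, false or "all"
        if topic_matches(expand(rule["topic"], client), topic):
            return rule["permission"]
    return "no_match"

def authorize(token: str, client: dict, action: str, topic: str, qos: int = 0, retain: bool = False) -> str:
    """Authentication (signature + verify_claims), then the ACL claim decision."""
    claims = verify_hs256(token)
    if claims is None or not claims_ok(claims, client):
        return "auth_failed"
    return acl_decision(claims.get(CONFIG["acl_claim_name"], []), action, topic, client, qos, retain)

# Constructed tokens, one per ACL format.
OBJECT_TOKEN = sign_hs256({"username": "user1", "aud": "mqtt-broker",
                           "acl": {"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}})
ARRAY_TOKEN = sign_hs256({"username": "user1", "aud": "mqtt-broker", "acl": [
    {"permission": "allow", "action": "all", "topic": "${username}/#"},
    {"permission": "allow", "action": "subscribe", "topic": "eq t/#"},
    {"permission": "deny", "action": "publish", "topic": "t/#", "retain": True}]})
```

Calling `authorize(OBJECT_TOKEN, CLIENT, "subscribe", "topic1")` returns `deny` because the object format denies anything outside its lists, while the same subscription against `ARRAY_TOKEN` yields `no_match`, leaving the decision to the next authorization source. Note that `verify_hs256` pins the algorithm instead of reading it from the header; a verifier that honours whatever `alg` the token claims is the classic JWT mistake.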