emqx/changes/ce/feat-12872.en.md

Customizable client attributes in `clientinfo`.

Introduced a new field `client_attrs` in the `clientinfo` object.
This enhancement enables the initialization of `client_attrs` with specific
attributes derived from the `clientinfo` fields, immediately up on accepting
an MQTT connection.

### Initialization of `client_attrs`

- The `client_attrs` fields can be initially populated from one of the
  following `clientinfo` fields:
  - `cn`: The common name from the TLS client's certificate.
  - `dn`: The distinguished name from the TLS client's certificate, that is, the certificate "Subject".
  - `clientid`: The MQTT client ID provided by the client.
  - `username`: The username provided by the client.
  - `user_property`: Extract a property value from 'User-Property' of the MQTT CONNECT packet.

### Extension through Authentication Responses

- Additional attributes may be merged into `client_attrs` from authentication responses. Supported
  authentication backends include:
  - **HTTP**: Attributes can be included in the JSON object of the HTTP response body through a
    `client_attrs` field.
  - **JWT**: Attributes can be included via a `client_attrs` claim within the JWT.

### Usage in Authentication and Authorization

- If `client_attrs` is initialized before authentication, it can be used in external authentication
  requests. For instance, `${client_attrs.property1}` can be used within request templates
  directed at an HTTP server for the purpose of authenticity validation.

- The `client_attrs` can be utilized in authorization configurations or request templates, enhancing
  flexibility and control. Examples include:
  - In `acl.conf`, use `{allow, all, all, ["${client_attrs.namespace}/#"]}` to apply permissions
    based on the `namespace` attribute.
  - In other authorization backends, `${client_attrs.namespace}` can be used within request templates
    to dynamically include client attributes.