154 lines
4.4 KiB
Plaintext
154 lines
4.4 KiB
Plaintext
emqx_authn_jwt_schema {
|
|
|
|
acl_claim_name.desc:
|
|
"""The JWT claim designated for accessing ACL (Access Control List) rules can be specified,
|
|
such as using the `acl` claim. A typical decoded JWT with this claim might appear as:
|
|
`{"username": "user1", "acl": ...}`.
|
|
|
|
Supported ACL Rule Formats:
|
|
|
|
- Object Format:
|
|
Utilizes action types pub (publish), sub (subscribe), or all (both publish and subscribe).
|
|
The value is a list of topic filters.
|
|
Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`.
|
|
This example signifies that the token owner can publish to topic1 and perform both publish and subscribe
|
|
actions on topics starting with their username.
|
|
Note: In this format, if no topic matches, the action is denied, and the authorization process terminates.
|
|
|
|
- Array Format (resembles File-Based ACL Rules):
|
|
Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`.
|
|
Additionally, the `pub` or `publish` action rules can be extended with `qos` and `retain` field,
|
|
and `sub` or `subscribe` action rules can be extended with a `qos` field.
|
|
Note: Here, if no rule matches, the action is not immediately denied.
|
|
The process continues to other configured authorization sources,
|
|
and ultimately falls back to the default permission in config `authorization.no_match`.
|
|
|
|
The ACL claim utilizes MQTT topic wildcard matching rules for publishing or subscribing.
|
|
A special syntax for the 'subscribe' action allows the use of `eq` for an exact match.
|
|
For instance, `eq t/#` permits or denies subscription to `t/#`, but not to `t/1`."""
|
|
|
|
acl_claim_name.label:
|
|
"""ACL claim name"""
|
|
|
|
algorithm.desc:
|
|
"""JWT signing algorithm, Supports HMAC (configured as <code>hmac-based</code>) and RSA, ECDSA (configured as <code>public-key</code>)."""
|
|
|
|
algorithm.label:
|
|
"""JWT Signing Algorithm"""
|
|
|
|
cacertfile.desc:
|
|
"""Path to a file containing PEM-encoded CA certificates."""
|
|
|
|
cacertfile.label:
|
|
"""CA Certificate File"""
|
|
|
|
certfile.desc:
|
|
"""Path to a file containing the user certificate."""
|
|
|
|
certfile.label:
|
|
"""Certificate File"""
|
|
|
|
enable.desc:
|
|
"""Enable/disable SSL."""
|
|
|
|
enable.label:
|
|
"""Enable/disable SSL"""
|
|
|
|
endpoint.desc:
|
|
"""JWKS endpoint, it's a read-only endpoint that returns the server's public key set in the JWKS format."""
|
|
|
|
endpoint.label:
|
|
"""JWKS Endpoint"""
|
|
|
|
from.desc:
|
|
"""Field to take JWT from."""
|
|
|
|
from.label:
|
|
"""From Field"""
|
|
|
|
jwt_hmac.desc:
|
|
"""Configuration when the JWT for authentication is issued using the HMAC algorithm."""
|
|
|
|
jwt_jwks.desc:
|
|
"""Configuration when JWTs used for authentication need to be fetched from the JWKS endpoint."""
|
|
|
|
keyfile.desc:
|
|
"""Path to a file containing the user's private PEM-encoded key."""
|
|
|
|
keyfile.label:
|
|
"""Key File"""
|
|
|
|
jwt_public_key.desc:
|
|
"""Configuration when the JWT for authentication is issued using RSA or ECDSA algorithm."""
|
|
|
|
public_key.desc:
|
|
"""The public key used to verify the JWT."""
|
|
|
|
public_key.label:
|
|
"""Public Key"""
|
|
|
|
refresh_interval.desc:
|
|
"""JWKS refresh interval."""
|
|
|
|
refresh_interval.label:
|
|
"""JWKS Refresh Interval"""
|
|
|
|
secret.desc:
|
|
"""The key to verify the JWT using HMAC algorithm."""
|
|
|
|
secret.label:
|
|
"""Secret"""
|
|
|
|
secret_base64_encoded.desc:
|
|
"""Whether secret is base64 encoded."""
|
|
|
|
secret_base64_encoded.label:
|
|
"""Whether Secret is Base64 Encoded"""
|
|
|
|
server_name_indication.desc:
|
|
"""Server Name Indication (SNI)."""
|
|
|
|
server_name_indication.label:
|
|
"""Server Name Indication"""
|
|
|
|
ssl.desc:
|
|
"""SSL options."""
|
|
|
|
ssl.label:
|
|
"""SSL Options"""
|
|
|
|
use_jwks.desc:
|
|
"""Whether to use JWKS."""
|
|
|
|
use_jwks.label:
|
|
"""Whether to Use JWKS"""
|
|
|
|
verify.desc:
|
|
"""Enable or disable SSL peer verification."""
|
|
|
|
verify.label:
|
|
"""Verify"""
|
|
|
|
verify_claims.desc:
|
|
"""A list of custom claims to validate, which is a list of name/value pairs.
|
|
Values can use the following placeholders:
|
|
- <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
|
|
- <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
|
|
Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in <code>verify_claims</code>."""
|
|
|
|
verify_claims.label:
|
|
"""Verify Claims"""
|
|
|
|
disconnect_after_expire.desc:
|
|
"""Disconnect the client after the token expires."""
|
|
|
|
disconnect_after_expire.label:
|
|
"""Disconnect After Expire"""
|
|
|
|
jwks_headers.label:
|
|
"""HTTP Headers"""
|
|
jwks_headers.desc:
|
|
"""List of HTTP headers to send with the JWKS request."""
|
|
|
|
}
|