emqx / emqx-auth-jwt

EMQX JWT Authentication Plugin
https://www.emqx.com
Apache License 2.0

ACL implementation #36

Open Francesko90 opened 6 years ago

Francesko90 commented 6 years ago

I see that all authentication plugins have ACL (mysql, postgres, etc.)

In this plugin it's possible for all clients to subscribe to all topics if the client knows the topic structure. My idea was to have inside the JWT the names of the topics where the client can subscribe or publish:

{
  "id": 5,
  "iat": 1522935842,
  "exp": 1522939442,
  "topics": ["x", "y", "z"]
}

Is it a bad idea? Is there anything else that allows you to do this already?
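The idea above (topic grants carried as JWT claims and enforced as an ACL on publish and subscribe), worked through as an added example that is not part of this issue or of the plugin's code. It assumes HS256 tokens, separate `subscribe` and `publish` claim lists in place of the single `topics` list, and MQTT `+`/`#` wildcards in the granted filters.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """HS256 JWT built here only for the demo; in practice the OIDC server issues it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC verifies and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token pick "none"
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter match: '+' covers one level, '#' covers the rest of the topic."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f_levels):
        if part == "#":
            return True
        if i >= len(t_levels) or (part != "+" and part != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def acl_check(claims: dict, action: str, topic: str) -> bool:
    """Allow 'publish' or 'subscribe' only if one granted filter covers the topic.
    The 'subscribe'/'publish' claim names are this example's assumption."""
    return any(topic_matches(flt, topic) for flt in claims.get(action, []))
```

The check runs once per publish or subscribe request with the already verified claims, so the broker needs no database round trip to decide the ACL.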

dopry commented 6 years ago

@terry-xiaoyu, @emqplus, I've asked someone to help with this feature over the next few days for one of my projects. It's being done in our fork, https://github.com/spry-group/emq-auth-jwt/issues/1. If you have any feedback on the specification so we can keep it ready to submit here let me know.

memelet commented 5 years ago

What ever happened to this? It looks like the work was completed on the fork.

dopry commented 5 years ago

We completed it and are using it in our own projects. We never got feedback from @terry-xiaoyu or @emqplus as to whether they like the implementation and would like us to submit a PR.

memelet commented 5 years ago

So it's not your master branch, but with the PR applied?

knvpk commented 5 years ago

Can I use authentication with JWT and ACL with the mysql plugin, is that possible? Because currently I have a doubt that is raised in the fork project above on static scopes. https://github.com/spry-group/emq-auth-jwt/issues/1#issuecomment-471426924

kozelok commented 4 years ago

Is it possible to add this to the main plugin?

dopry commented 4 years ago

@pavankumarkatakam I suspect you can use JWT for authentication (getting the user identity) and mysql for authorization as long as permissions are keyed on the subject of the JWT. You'd probably have to review the code to be sure. Our design is meant to minimize points of failure. Our requirements for the broker's reliability are fairly high and we didn't want to introduce an additional dependency on SQL. RDBMS typically does not scale well in real-time applications. We issue access tokens with fairly narrow scopes and short lifespans. Typically there are only 3-5 topic permissions in a single token, although a client may request multiple access tokens with different scopes. We determine scopes based on the audience of the token request to our OIDC server.

pigochu commented 3 years ago

I want to use JWT for authentication and use emqx-auth-http for ACL. But JWT login has no username, and emqx-auth-http will not send the password (JWT) to the web server. So I don't know who logs in.... I want to implement dynamic topic ACL.... so I hope EMQX can add this feature.

hylowaker commented 3 years ago

+1

n8o commented 3 years ago

+1

sj-lt commented 3 years ago

Hi all, it would be very nice to have this feature in the main implementation. @HJianBo is this even considered in the emqx team?