Open Francesko90 opened 6 years ago
@terry-xiaoyu, @emqplus, I've asked someone to help with this feature over the next few days for one of my projects. It's being done in our fork, https://github.com/spry-group/emq-auth-jwt/issues/1. If you have any feedback on the specification so we can keep it ready to submit here, let me know.
What ever happened to this? It looks like the work was completed on the fork.
We completed it and are using it in our own projects. We never got feedback from @terry-xiaoyu or @emqplus as to whether they like the implementation and would like us to submit a PR.
So it's not your master branch, but with the PR applied?
Can I use authentication with JWT and ACL with the mysql plugin? Is that possible? I currently have a doubt, raised in the fork project above, about static scopes. https://github.com/spry-group/emq-auth-jwt/issues/1#issuecomment-471426924
Is it possible to add this to the main plugin?
@pavankumarkatakam I suspect you can use JWT for authentication (getting the user identity) and mysql for authorization as long as permissions are keyed on the subject of the JWT. You'd probably have to review the code to be sure. Our design is meant to minimize points of failure. Our requirements for the broker's reliability are fairly high and we didn't want to introduce an additional dependency on SQL. RDBMS typically does not scale well in real-time applications. We issue access tokens with fairly narrow scopes and short lifespans. Typically there are only 3-5 topic permissions in a single token, although a client may request multiple access tokens with different scopes. We determine scopes based on the audience of the token request to our OIDC server.
I want to use JWT for authentication and use emqx-auth-http for ACL. But JWT login has no username, and emqx-auth-http will not send the password (JWT) to the web server. So I don't know who logged in. I want to implement dynamic topic ACL, so I hope EMQX can add this feature.
+1
+1
Hi all, it would be very nice to have this feature in the main implementation. @HJianBo, is this even being considered by the emqx team?
I see that all authentication plugins have ACL (mysql, postgres, etc.).
In this plugin it's possible for all clients to subscribe to all topics if the client knows the topic structure. My idea was to have inside the JWT the names of the topics where the client can subscribe or publish.
Is it a bad idea? Is there anything else that allows you to do this already?
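The idea discussed in this thread (topic permissions carried inside a short-lived JWT and checked by the broker without a database lookup) can be sketched as follows. This is an added example, not code from emq-auth-jwt or the spry-group fork; the claim names `publish` and `subscribe`, the HS256 shared secret and the sample token are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def verify_hs256(token, secret, now=None):  # claims if valid, else None
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    now = time.time() if now is None else now
    return claims if isinstance(exp, (int, float)) and exp > now else None

def topic_matches(allowed, requested):
    """'+' covers one level, '#' the rest; a requested '#' needs an allowed '#'."""
    a, r = allowed.split("/"), requested.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return i == len(a) - 1
        if i >= len(r) or r[i] == "#" or (level != "+" and level != r[i]):
            return False
    return len(a) == len(r)

def authorize(token, secret, action, topic, now=None):
    # Deny by default; action is the hypothetical claim name 'publish' or 'subscribe'.
    claims = verify_hs256(token, secret, now)
    if claims is None or action not in ("publish", "subscribe"):
        return False
    filters = claims.get(action)
    return isinstance(filters, list) and any(
        isinstance(f, str) and topic_matches(f, topic) for f in filters)

NOW, SECRET = 1_700_000_000, b"constructed-demo-secret"  # constructed values
TOKEN = sign_hs256({"sub": "device-42", "exp": NOW + 300,
    "publish": ["devices/42/telemetry"], "subscribe": ["devices/42/cmd/+"]}, SECRET)
```

The subscribe check treats the requested filter as something the token must fully cover, so a client holding `devices/42/cmd/+` cannot widen its own access by subscribing to `devices/42/cmd/#`.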