emqx / emqx

The most scalable open-source MQTT broker for IoT, IIoT, and connected vehicles
https://www.emqx.com/

Use JWT claims in ACL #11784

Open jonathan-dev opened 1 year ago

jonathan-dev commented 1 year ago

What would you like to be added or enhanced?

I would like to be able to use custom JWT claims to specify access rules in the ACL (in addition to just using Client ID or Username)

Why is this needed?

This is needed to give more flexibility to represent complex sets of permissions (or to write them down in a simpler way).

thalesmg commented 1 year ago

Hi @jonathan-dev , thanks for your suggestion.

It's already possible to define ACL rules directly in the JWT, and also custom claims to be checked in the JWT. For reference: https://www.emqx.io/docs/en/latest/access-control/authn/jwt.html

If you mean something else, please clarify what your use case is. A few concrete examples might be helpful as well.

jonathan-dev commented 1 year ago

I figured that there is some similar functionality (the link you sent). I was thinking about being able to have a claim of group name that I could use as a topic placeholder like it's possible with ${clientid} and ${username} currently.

What is the reason that the topic placeholders are restricted to only those two things?

zmstone commented 1 year ago

As we can see from the example, "testall3/#" is not a template (or is a template without placeholders).

zmstone commented 1 year ago

Could you be more specific about “group name”?

jonathan-dev commented 1 year ago

The group name just stands for any custom JWT claim. So, for example, I want to have the claim group=123 and have users with that claim be able to write to all topics prefixed by that group, /123/#, and write that as ${group}.

I don't know if there are some caveats with that that I'm not aware of, or other reasons why this is not a desirable feature or even maybe a bad idea.

I just thought that it would make the rules quite a bit more flexible.
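As an added example (not EMQX project code, and not written by anyone in this thread) of the route thalesmg's reply points to, the issuer below expands a `${group}` placeholder itself, at signing time, into the token's `acl` claim, so the broker never needs a `${group}` placeholder of its own; it then verifies the token and applies the resulting rules the way a broker-side check would, which is what the `group=123` / `123/#` request above boils down to. It assumes an `acl` claim laid out as a list of `{permission, action, topic}` objects and a shared HS256 secret; check both against the EMQX version you run. The rule templates, claim values and secret are constructed for the example. The one caveat worth keeping from it is in `expand_template`: a claim value is only safe to splice into a topic filter if it cannot contain `/`, `+` or `#`, otherwise `group="+"` turns `${group}/#` into `+/#` and grants every group's topics.

```python
# Added example, not EMQX code. Assumes an `acl` claim that is a list of
# {"permission","action","topic"} objects and HS256 with a shared secret.
import base64
import hashlib
import hmac
import json
import time

MQTT_SPECIAL = set("/+#")  # characters that would change a filter's meaning


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expand_template(template: str, claims: dict) -> str:
    """Replace ${name} placeholders with claim values.

    Missing claims are an error (an empty value would yield "/#"), and values
    containing '/', '+' or '#' are refused so a claim can never widen a rule.
    """
    out = template
    start = out.find("${")
    while start != -1:
        end = out.find("}", start)
        if end == -1:
            raise ValueError("unterminated placeholder in %r" % template)
        name = out[start + 2:end]
        if name not in claims:
            raise KeyError("claim %r missing for %r" % (name, template))
        value = str(claims[name])
        if not value or MQTT_SPECIAL & set(value):
            raise ValueError("claim %r has unsafe value %r" % (name, value))
        out = out[:start] + value + out[end + 1:]
        start = out.find("${", start + len(value))  # never re-scan the value
    return out


def build_acl(claims: dict, rule_templates: list) -> list:
    """Render rule templates into concrete rules for this one token."""
    return [dict(r, topic=expand_template(r["topic"], claims)) for r in rule_templates]


def mint_jwt(secret: bytes, claims: dict, rule_templates: list,
             ttl: int = 3600, now=None) -> str:
    """Sign claims plus the derived acl with HS256 (compact JWS form)."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iat=now, exp=now + ttl, acl=build_acl(claims, rule_templates))
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(secret: bytes, token: str, now=None) -> dict:
    """Check alg, signature and expiry; return what the broker would trust."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter match: '+' is one level, '#' is the rest (including nothing)."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def authorize(payload: dict, action: str, topic: str) -> bool:
    """First matching acl rule wins; no match means deny."""
    for rule in payload.get("acl", []):
        if rule["action"] in (action, "all") and topic_matches(rule["topic"], topic):
            return rule["permission"] == "allow"
    return False


# Constructed inputs for the example.
SECRET = b"example-shared-secret"
RULE_TEMPLATES = [
    {"permission": "allow", "action": "all", "topic": "${group}/#"},
    {"permission": "allow", "action": "publish", "topic": "clients/${clientid}/status"},
]
CLAIMS = {"username": "alice", "clientid": "dev-1", "group": "123"}

if __name__ == "__main__":
    token = mint_jwt(SECRET, CLAIMS, RULE_TEMPLATES)
    print(json.dumps(verify_jwt(SECRET, token)["acl"], indent=2))
```

The issuer is the right place for this expansion because it already holds the authoritative claim values; the broker only sees the rendered filters and verifies the signature, so a client cannot change its own group without breaking the signature.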