getautomata / emq-auth-jwt

EMQ JWT Authentication Plugin
Apache License 2.0

Implement ACL support for JWTs #1

Open dopry opened 6 years ago

dopry commented 6 years ago

Our authorization service will add a scopes collection to the JWT.

{
  "iat": 1416929109,
  "jti": "aa7f8d0a95c",
  "scopes": [
    "emq:subscribe:/user/+/status",
    "emq:publish:/user/23445/#"
  ]
}

A scope entry will be in the form of: {{service}}:{{action}}:{{mqtt topic}}

{{service}} will be a constant, emq. {{action}} will be one of 'publish' or 'subscribe'. {{mqtt topic}} will be an MQTT topic; wildcards are allowed, see: http://www.steves-internet-guide.com/understanding-mqtt-topics/ for more detail on MQTT topics.

When a user tries to publish or subscribe to a topic, the scopes property of the JWT should be inspected and, if the topic matches, the action should be allowed. Otherwise, the action should be rejected.

  1. Given a request to publish a message to a topic and there are no matching scopes, then the request should be rejected.
message = "hello"
topic = "/user/23445/status"
scopes = [ ]
  2. Given a request to publish 'hello' to a topic and there is a matching scope, then the request should be accepted.
message = "hello"
topic = "/user/23445/status"
# matching scopes could be any of the following
scopes = [
  "emq:publish:/user/23445/status",
  "emq:publish:/user/23445/+",
  "emq:publish:/user/+/+",
  "emq:publish:/+/+/+",
  "emq:publish:/user/23445/#",
  "emq:publish:/user/#",
  "emq:publish:/#"
]
  3. Given a request to subscribe to a topic and there are no matching scopes, then the request should be rejected.
topic = "/user/23445/status"
scopes = [ ]
  4. Given a request to subscribe to a topic and there is a matching scope, then the request should be accepted.
topic = "/user/23445/status"
# matching scopes could be any of the following
scopes = [
  "emq:subscribe:/user/23445/status",
  "emq:subscribe:/user/23445/+",
  "emq:subscribe:/user/+/+",
  "emq:subscribe:/+/+/+",
  "emq:subscribe:/user/23445/#",
  "emq:subscribe:/user/#",
  "emq:subscribe:/#"
]
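The following is an added worked example of the scope check described in the issue above; it is not code from the emq-auth-jwt plugin (which is an EMQ/Erlang project) and the function names, the sample claims and the Python language are my own choices. It parses `{{service}}:{{action}}:{{mqtt topic}}` scopes, applies the MQTT wildcard rules (`+` matches exactly one level, `#` matches the rest of the topic and may only appear last), and denies by default when the `scopes` claim is missing, malformed or does not cover the request. It also goes one step beyond the four cases in the issue: a subscribe request may itself carry wildcards (e.g. `/user/+/status`), so the check is "does the scope filter cover every topic the requested filter could match", not just "does one topic match one filter". Without that, a scope for `/user/23445/#` would wrongly admit a subscription to `/user/+/status`, which receives other users' status messages.

```python
"""Scope-based MQTT ACL check for a JWT 'scopes' claim (added example, not plugin code)."""

SERVICE = "emq"
ACTIONS = ("publish", "subscribe")


def valid_filter(topic_filter: str) -> bool:
    """Reject malformed MQTT topic filters: '#' only as the whole last level,
    '+' only as a whole level, and no empty filter."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    last = len(levels) - 1
    for i, lvl in enumerate(levels):
        if "#" in lvl and (lvl != "#" or i != last):
            return False
        if "+" in lvl and lvl != "+":
            return False
    return True


def filter_covers(scope_filter: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `scope_filter`.
    For a plain topic (no wildcards) this is ordinary MQTT filter matching."""
    s = scope_filter.split("/")
    r = requested.split("/")
    i = 0
    while i < len(s) and i < len(r):
        sl, rl = s[i], r[i]
        if sl == "#":
            return True          # '#' covers this level and everything below it
        if rl == "#":
            return False         # request is broader than the scope at this level
        if sl != "+" and sl != rl:
            return False         # a literal must match exactly; it never covers '+'
        i += 1                   # sl == '+' covers any single level, including '+'
    if len(s) == len(r):
        return True
    if len(s) > len(r):
        return s[i:] == ["#"]    # per MQTT, 'a/#' also matches 'a' itself
    return False                 # request has more levels than the scope allows


def parse_scope(scope: str):
    """Split 'emq:publish:/user/23445/#' into (action, topic_filter); None if malformed.
    maxsplit=2 keeps any ':' that appears inside the topic part intact."""
    parts = scope.split(":", 2)
    if len(parts) != 3:
        return None
    service, action, topic_filter = parts
    if service != SERVICE or action not in ACTIONS or not valid_filter(topic_filter):
        return None
    return action, topic_filter


def is_allowed(claims: dict, action: str, topic: str) -> bool:
    """Deny-by-default ACL decision for a publish or subscribe request."""
    if action not in ACTIONS or not valid_filter(topic):
        return False
    if action == "publish" and ("+" in topic or "#" in topic):
        return False             # wildcards are never valid in a publish topic
    scopes = claims.get("scopes")
    if not isinstance(scopes, list):
        return False             # missing or malformed claim: no access
    for scope in scopes:
        parsed = parse_scope(scope) if isinstance(scope, str) else None
        if parsed is None:
            continue             # ignore (but do not fail open on) junk entries
        scope_action, scope_filter = parsed
        if scope_action == action and filter_covers(scope_filter, topic):
            return True
    return False


# Constructed sample claims modelled on the example token in the issue.
SAMPLE_CLAIMS = {
    "iat": 1416929109,
    "jti": "aa7f8d0a95c",
    "scopes": ["emq:subscribe:/user/+/status", "emq:publish:/user/23445/#"],
}

if __name__ == "__main__":
    print(is_allowed(SAMPLE_CLAIMS, "publish", "/user/23445/status"))    # True
    print(is_allowed(SAMPLE_CLAIMS, "publish", "/user/99999/status"))    # False
    print(is_allowed(SAMPLE_CLAIMS, "subscribe", "/user/+/status"))      # True
    print(is_allowed(SAMPLE_CLAIMS, "subscribe", "/user/#"))             # False
```

Two design points worth keeping when porting this into the broker plugin: the action in the scope must equal the action being requested (a publish scope never grants a subscribe, matching cases 1 and 3), and unparseable scope strings are skipped rather than treated as a match, so a token with a typo in one entry loses that entry instead of gaining everything.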
knvpk commented 5 years ago

If we keep the scopes static in the JWT, what about dynamic scopes (topics generated on the go)? My use case is a chat application where topics are generated on the go whenever a user initiates a chat with another user or creates a group.

dopry commented 5 years ago

@pavankumarkatakam There is nothing preventing you from providing additional access control outside of the broker in a chat application or issuing additional tokens for 'group' conversations with their own scopes.