| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 |
- emqx_authn_jwt_schema {
- acl_claim_name.desc:
- """The JWT claim designated for accessing ACL (Access Control List) rules can be specified,
- such as using the `acl` claim. A typical decoded JWT with this claim might appear as:
- `{"username": "user1", "acl": ...}`.
- Supported ACL Rule Formats:
- - Object Format:
- Utilizes action types pub (publish), sub (subscribe), or all (both publish and subscribe).
- The value is a list of topic filters.
- Example: `{"pub": ["topic1"], "sub": [], "all": ["${username}/#"]}`.
- This example signifies that the token owner can publish to topic1 and perform both publish and subscribe
- actions on topics starting with their username.
- Note: In this format, if no topic matches, the action is denied, and the authorization process terminates.
- - Array Format (resembles File-Based ACL Rules):
- Example: `[{"permission": "allow", "action": "all", "topic": "${username}/#"}]`.
- Additionally, the `pub` or `publish` action rules can be extended with `qos` and `retain` field,
- and `sub` or `subscribe` action rules can be extended with a `qos` field.
- Note: Here, if no rule matches, the action is not immediately denied.
- The process continues to other configured authorization sources,
- and ultimately falls back to the default permission in config `authorization.no_match`.
- The ACL claim utilizes MQTT topic wildcard matching rules for publishing or subscribing.
- A special syntax for the 'subscribe' action allows the use of `eq` for an exact match.
- For instance, `eq t/#` permits or denies subscription to `t/#`, but not to `t/1`."""
- acl_claim_name.label:
- """ACL claim name"""
- algorithm.desc:
- """JWT signing algorithm, Supports HMAC (configured as <code>hmac-based</code>) and RSA, ECDSA (configured as <code>public-key</code>)."""
- algorithm.label:
- """JWT Signing Algorithm"""
- cacertfile.desc:
- """Path to a file containing PEM-encoded CA certificates."""
- cacertfile.label:
- """CA Certificate File"""
- certfile.desc:
- """Path to a file containing the user certificate."""
- certfile.label:
- """Certificate File"""
- enable.desc:
- """Enable/disable SSL."""
- enable.label:
- """Enable/disable SSL"""
- endpoint.desc:
- """JWKS endpoint, it's a read-only endpoint that returns the server's public key set in the JWKS format."""
- endpoint.label:
- """JWKS Endpoint"""
- from.desc:
- """Field to take JWT from."""
- from.label:
- """From Field"""
- jwt_hmac.desc:
- """Configuration when the JWT for authentication is issued using the HMAC algorithm."""
- jwt_jwks.desc:
- """Configuration when JWTs used for authentication need to be fetched from the JWKS endpoint."""
- keyfile.desc:
- """Path to a file containing the user's private PEM-encoded key."""
- keyfile.label:
- """Key File"""
- jwt_public_key.desc:
- """Configuration when the JWT for authentication is issued using RSA or ECDSA algorithm."""
- public_key.desc:
- """The public key used to verify the JWT."""
- public_key.label:
- """Public Key"""
- refresh_interval.desc:
- """JWKS refresh interval."""
- refresh_interval.label:
- """JWKS Refresh Interval"""
- secret.desc:
- """The key to verify the JWT using HMAC algorithm."""
- secret.label:
- """Secret"""
- secret_base64_encoded.desc:
- """Whether secret is base64 encoded."""
- secret_base64_encoded.label:
- """Whether Secret is Base64 Encoded"""
- server_name_indication.desc:
- """Server Name Indication (SNI)."""
- server_name_indication.label:
- """Server Name Indication"""
- ssl.desc:
- """SSL options."""
- ssl.label:
- """SSL Options"""
- use_jwks.desc:
- """Whether to use JWKS."""
- use_jwks.label:
- """Whether to Use JWKS"""
- verify.desc:
- """Enable or disable SSL peer verification."""
- verify.label:
- """Verify"""
- verify_claims.desc:
- """A list of custom claims to validate. The allowed formats are the following:
- A map where claim names are map keys and expected values are map values:
- <code>{ claim_name = "${username}", ...}</code>.
- A list of maps with <code>name</code> (claim name) and <code>value</code> (expected claim value) keys:
- <code>[{name = "claim_name", value = "${username}"}, ...]</code>.
- Values can use the following placeholders:
- - <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
- - <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
- Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in <code>verify_claims</code>."""
- verify_claims.label:
- """Verify Claims"""
- }
|
