JWT

    Plugin:

    The client presents the Token as its username or password (depending on the plugin configuration). When the client connects, EMQX Broker verifies the Token's signature with the key configured in the plugin (a JWT is signed, not encrypted). If the signature verifies, authentication succeeds; otherwise it fails.

    Once JWT authentication is enabled with its default configuration, you can connect with any username and the following password:

    The JWT authentication plugin can also extract ACL rules from the authentication Token; these rules are later used to authorize the client's actions. See JWT ACL.

    To use JWT Auth, open the plugin configuration and edit it as follows:

    The field in which the client carries the JWT Token. This option configures where the client places the JWT string; the allowed values are username and password.

    auth.jwt.verify_claims

    If you enable the auth.jwt.verify_claims option, EMQX will also verify the data in the Payload after it has verified the validity of the JWT itself.

    Suppose your Payload is:

    You can use the following configuration to require that the client claim equals emqx_client_username whenever the client presents this Token.

    Claims can be verified against a fixed value or against the connecting client's own information:

    • %c: the current client's client id

    The keys used to verify the Token are configured with the following options:

    • auth.jwt.secret: a shared secret used to verify HMAC-signed (symmetric) Tokens. It supports the following algorithms:

      • HS256 - HMAC, using the SHA-256 hash algorithm.
      • HS384 - HMAC, using the SHA-384 hash algorithm.
      • HS512 - HMAC, using the SHA-512 hash algorithm.
    • Public key: verifies the Token's signature with a public key (asymmetric). It supports the following algorithms:

      • RS384 - RSA, using the SHA-384 hash algorithm.
      • RS512 - RSA, using the SHA-512 hash algorithm.
      • ES256 - ECDSA, using the P-256 curve.
      • ES384 - ECDSA, using the P-384 curve.
      • ES512 - ECDSA, using the P-521 curve.
    • auth.jwt.jwks: the address of a JWKS server from which EMQX fetches the list of available public keys.

    The three kinds of keys may be configured simultaneously. EMQX checks the Token against them in the order auth.jwt.secret, the public key, auth.jwt.jwks.
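    As an added illustration of the two steps described above (signature verification with a shared secret, then Payload claim verification), the following Python model is written for this page and is not EMQX's own code. It mints an HS256 Token, verifies it the way an auth.jwt.secret check works, and then checks claims against fixed values or the %c placeholder. The config dict, client-info dict, secret and sample Tokens are constructed for the example and do not reproduce the plugin's configuration file syntax; the exp check is generic JWT practice rather than a statement about the plugin.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; not the plugin's configuration syntax.
EXAMPLE_CONFIG = {
    "from": "password",                 # field in which the client carries the Token
    "secret": "example-shared-secret",  # the auth.jwt.secret (HMAC) case
    "verify_claims": {"client": "emqx_client_username"},  # None disables claim checks
}

_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Token issuer side: header.payload.signature, signed with HMAC over the first two parts."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret.encode(), signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_signature(token: str, secret: str) -> Optional[dict]:
    """Broker side: return the Payload if the HMAC signature is valid, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return None
    if not isinstance(header, dict):
        return None
    digest = _HMAC_ALGS.get(header.get("alg"))
    if digest is None:  # refuses "alg": "none" and any non-HMAC alg when the key is a shared secret
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    # Expiry check: generic JWT practice (RFC 7519 "exp"), not a claim about the plugin.
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] <= time.time():
        return None
    return payload


def verify_claims(payload: dict, required: dict, client_info: dict) -> bool:
    """Check each configured claim against a fixed value or the %c placeholder (client id)."""
    for claim, expected in required.items():
        if expected == "%c":
            expected = client_info["clientid"]
        if payload.get(claim) != expected:
            return False
    return True


def authenticate(client_info: dict, config: dict) -> bool:
    """Model of the plugin's decision for one CONNECT: signature first, then claims."""
    token = client_info.get(config["from"])
    if not token:
        return False
    payload = verify_signature(token, config["secret"])
    if payload is None:
        return False
    if not config["verify_claims"]:
        return True
    return verify_claims(payload, config["verify_claims"], client_info)


if __name__ == "__main__":
    token = mint_token({"client": "emqx_client_username"}, EXAMPLE_CONFIG["secret"])
    print(authenticate({"clientid": "dev-1", "username": "any", "password": token}, EXAMPLE_CONFIG))
```

    The order matters: a claim is only compared after the signature has been checked, so an attacker who can write the Payload but not sign it never reaches the claim check, and a header that names "none" or a non-HMAC algorithm is refused before any comparison is made.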

    TIP

    A JWT is a bearer credential: it carries the authentication information itself, so anyone who obtains the Token gains every permission it grants. Enable TLS for client connections when using JWT authentication so that Tokens are not exposed in transit, and issue short-lived Tokens so that a leaked one expires quickly.