JWT is a Token-based authentication mechanism. It does not rely on the server to retain client authentication information or session information. It can issue authentication information in batches while holding keys, which is an easiest authentication method.
The client uses Token as the user name or password (depending on the plugin configuration). When initiating the connection, EMQ X Broker uses the key and certificate in the configuration to decrypt. If it can be successfully decrypted, the authentication successes, otherwise the authentication fails.
After JWT authentication is enabled by default, you can connect with the following password and any username:
If you want to use JWT Auth you need open
etc/plugins/emqx_auth_jwt.conf and edit as：
To enable JWT authentication, the following needs to be configured in
# etc/plugins/emqx_auth_jwt.conf ## Key auth.jwt.secret = emqxsecret ## The way the client carries the token ## Value: username | password auth.jwt.from = password ## Advanced options ## Public key file, certificate is used when signing the key auth.jwt.pubkey = etc/certs/jwt_public_key.pem ## Value: on | off auth.jwt.verify_claims = off ## auth.jwt.verify_claims.$name = expected ## Variables: ## - %u: username ## - %c: clientid # auth.jwt.verify_claims.username = %u
JWT contains authentication information by itself. Once leaked, anyone can get all the permissions of the token. It is recommended to enable TLS encrypted transmission when using JWT.
During the use of JWT, a token cannot be invalidated before it expires. Please properly set the validity time and keep the encryption information well.