en_US/access-control/authn/authn.md
Lines changed: 16 additions & 4 deletions
@@ -89,7 +89,7 @@ When an authentication chain is configured, EMQX processes authenticators in the
89
89
Here’s how it works, using password-based authentication as an example:
90
90
91
91
1.**Evaluate Preconditions (if configured):**
92
-
If the authenticator has a [precondition](#authenticator-preconditions), EMQX first evaluates the expression based on client information (e.g., `listener`, `clientid`, `username`).
92
+
If the authenticator has a [precondition](#authenticator-preconditions), EMQX first evaluates the expression based on client attributes information (e.g., `listener`, `clientid`, `username`).
93
93
- If the expression evaluates to `true`, the authenticator is invoked.
94
94
- If not, the authenticator is skipped.
95
95
2.**Execute the Authenticator:**
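Review bot: the new wording on line 92, "based on client attributes information", is redundant and reads awkwardly; "based on client attributes (e.g., `listener`, `clientid`, `username`)" says the same thing cleanly. Note also that `listener` is given here as an example attribute, so the attribute list added later in this same commit should include it, otherwise the example contradicts the reference list.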
@@ -106,11 +106,23 @@ Here’s how it works, using password-based authentication as an example:
106
106
107
107
### Authenticator Preconditions
108
108
109
-
Starting from EMQX 5.9, you can assign a precondition to each authenticator to control whether it should be invoked for a given client.
109
+
Starting from EMQX 5.9, you can assign a precondition to each authenticator to control whether it should be invoked for a given client. A precondition is a [Variform expression](../../configuration/configuration.md#variform-expressions) that evaluates client attributes (such as `listener`, `username`, `clientid`, etc.). If the expression does not evaluate to `true`, the authenticator is skipped.
110
110
111
-
A precondition is a [Variform expression](../../configuration/configuration.md#variform-expressions) that evaluates client metadata (such as `listener`, `username`, `clientid`, etc.). If the expression does not evaluate to `true`, the authenticator is skipped.
111
+
This feature enables conditional logic in the authentication chain. It allows for fine-grained control over authentication logic, such as applying different authenticators for clients connecting through different listeners or based on client attributes. EMQX can then invoke authenticators only when appropriate and avoid unnecessary requests to external systems.
112
112
113
-
This feature enables conditional logic in the authentication chain, allowing EMQX to invoke authenticators only when appropriate and avoid unnecessary requests to external systems.
113
+
#### Supported Client Attributes in Precondition
114
+
115
+
Supported client attributes in a precondition include:
116
+
117
+
-`username`: The username of the client
118
+
-`password`: The password of the client
119
+
-`clientid`: The client ID of the client
120
+
-`client_attrs.*`: The client attributes of the client
121
+
-`cert_common_name`: The subject field from the client's TLS certificate
122
+
-`cert_subject`: The Common Name (CN) from the client's TLS certificate
123
+
-`peersni`: The SNI (Server Name Indication) sent by the TLS client
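Review bot: the descriptions of `cert_common_name` and `cert_subject` on lines 121 and 122 appear to be swapped: `cert_common_name` is described as "The subject field from the client's TLS certificate" while `cert_subject` is described as "The Common Name (CN) from the client's TLS certificate". Given the names, `cert_common_name` should be the CN and `cert_subject` the full subject field; please swap the two descriptions. Two smaller points: the list omits `listener`, even though line 109 in this hunk and line 92 in the previous one both cite it as an example precondition attribute, so either add it to the list or drop it from the examples; and the `client_attrs.*` entry ("The client attributes of the client") is circular and should say where those attributes come from or link to the section that defines them. Finally, on line 109 "such as `listener`, `username`, `clientid`, etc." doubles up "such as" and "etc."; one of the two is enough.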