diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
index 0509cfd62..8c43332ca 100644
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@@ -365,11 +365,11 @@ verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
 acl(Claims, AclClaimName) ->
 Acl =
 case Claims of
- #{<<"exp">> := Expire, AclClaimName := Rules} ->
+ #{AclClaimName := Rules} ->
 #{
 acl => #{
 rules => Rules,
- expire => Expire
+ expire => maps:get(<<"exp">>, Claims, undefined)
 }
 };
 _ ->
diff --git a/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl b/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl
index 4c36b0fa6..16600a0ac 100644
--- a/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl
+++ b/apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl
@@ -305,6 +305,50 @@ t_check_expire(_Config) ->
 
 ok = emqtt:disconnect(C).
 
+t_check_no_expire(_Config) ->
+ Payload = #{
+ <<"username">> => <<"username">>,
+ <<"acl">> => #{<<"sub">> => [<<"a/b">>]}
+ },
+
+ JWT = generate_jws(Payload),
+
+ {ok, C} = emqtt:start_link(
+ [
+ {clean_start, true},
+ {proto_ver, v5},
+ {clientid, <<"clientid">>},
+ {username, <<"username">>},
+ {password, JWT}
+ ]
+ ),
+ {ok, _} = emqtt:connect(C),
+ ?assertMatch(
+ {ok, #{}, [0]},
+ emqtt:subscribe(C, <<"a/b">>, 0)
+ ),
+
+ ?assertMatch(
+ {ok, #{}, [0]},
+ emqtt:unsubscribe(C, <<"a/b">>)
+ ),
+
+ ok = emqtt:disconnect(C).
+
+t_check_undefined_expire(_Config) ->
+ Acl = #{expire => undefined, rules => #{<<"sub">> => [<<"a/b">>]}},
+ Client = #{acl => Acl},
+
+ ?assertMatch(
+ {matched, allow},
+ emqx_authz_client_info:authorize(Client, subscribe, <<"a/b">>, undefined)
+ ),
+
+ ?assertMatch(
+ {matched, deny},
+ emqx_authz_client_info:authorize(Client, subscribe, <<"a/bar">>, undefined)
+ ).
+
 %%------------------------------------------------------------------------------
 %% Helpers
 %%------------------------------------------------------------------------------
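Review bot: The new `expire => maps:get(<<"exp">>, Claims, undefined)` line in acl/2 gives a token without `exp` an ACL that carries no expiry of its own, and nothing at the site records that this is intended. I would add a comment above the clause such as `%% exp is optional: expire => undefined means the ACL has no expiry; consumers must treat undefined as "not expired"`. The value is also forwarded without a type check, so unless verify/4 (outside this hunk) already rejects a non-integer `exp`, whatever the token carries lands in `expire`. If the fallback is kept, it is worth stating in the authenticator's documentation that bounding ACL lifetime then depends on the issuer always setting `exp`. The body of acl/2 continues past the `_ ->` clause where the hunk ends.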
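Review bot: t_check_no_expire only asserts the allowed topic, so the end-to-end path for an `exp`-less token never checks that a topic outside the ACL is still refused. The deny case is covered only in t_check_undefined_expire, which calls `emqx_authz_client_info:authorize/4` directly and bypasses the JWT parsing changed in this commit. I would add a second subscribe in t_check_no_expire, for example `emqtt:subscribe(C, <<"a/bar">>, 0)`, asserting the not-authorized reason code (0x87 in MQTT v5) or whatever deny outcome the suite's configuration produces. A short comment on each new case saying which half of the change it pins (claim parsing versus the `undefined` sentinel in the authorizer) would help the next reader.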