Placeholders such as ${cert_subject} in JWT AuthN do not work

[tigercl]

What happened?

Now ${cert_subject} and ${cert_common_name} in JWT authentication are not replaced with actual values ​​at runtime.

The authn configuration is as follows:

What did you expect to happen?

Make placeholders work

How can we reproduce it (as minimally and precisely as possible)?

No response

Anything else we need to know?

No response

EMQX version

EMQX 5.7.0

OS version

macOS 13

Log files

[tigercl]

After this issue is fixed, there is still a risk of crash.

In function replace_placeholder of module emqx_authn_jwt.erl:

replace_placeholder(L, Variables) ->
    replace_placeholder(L, Variables, []).

replace_placeholder([], _Variables, Acc) ->
    Acc;
replace_placeholder([{Name, {placeholder, PL}} | More], Variables, Acc) ->
    Value = maps:get(PL, Variables),
    replace_placeholder(More, Variables, [{Name, Value} | Acc]);
replace_placeholder([{Name, Value} | More], Variables, Acc) ->
    replace_placeholder(More, Variables, [{Name, Value} | Acc]).

If there is no corresponding key in Variables, then maps:get(PL, Variables) will crash, as mentioned in Issue#13253, this is possible when fail_if_no_peer_cert is set to false.

[zmstone]

This is not a bug, but a feature request.
JWT authn only supports placeholders for clientid and username to check against the JWT claims.
A workaround for now is to use peer_cert_as_username or peer_cert_as_clientid.

[tigercl]

@zmstone But EMQX documentation does not mention that the placeholders supported by JWT authn are different from other authn: authentication-placeholders

[tigercl]

I found it: JWT AuthN

Maybe it's time to support it.