External Authentication and Access Control

External authentication and access control allow users to integrate their own services for authentication. For example, EMQX Cloud supports data sources like MySQL and PostgreSQL, as well as connecting to HTTP services for authentication.

Principles and Authentication Process

After configuring the authentication service, EMQX Cloud will use the client's information to populate the query and perform authentication based on the user-configured sources. Authentication is determined by the result returned from each authentication method.

Authentication Chain

By default, authentication follows a sequence of default authentication followed by external authentication methods. When multiple authentication methods are enabled, the order of execution is determined by the order in which they are configured.

If authentication succeeds at any step, the process terminates, and the client is granted access.
If authentication fails, the process stops, and the client is denied access.
If the current data source doesn't match, EMQX Cloud moves on to the next authentication source in the chain.

Handle Multiple Authentication Sources

If multiple sources (e.g., MySQL, PostgreSQL) are configured:

EMQX will first query the first enabled source (e.g., MySQL). If authentication is successful, no further sources will be queried.
If the first source doesn't return a result, EMQX proceeds to query the next source (e.g., PostgreSQL) and uses the result to determine whether authentication succeeds.

External Authentication Data Sources

HTTP authentication/access control

MySQL authentication/access control

PostgreSQL authentication/access control

redis authentication/access control

JWT authentication/access control

View Authentication Order

When multiple authentication data sources are added, users can view their execution order. Authentication is processed sequentially from left to right in the authentication chain.

Reorder Authentication Sources

To adjust the order of extended authentication sources, you can disable a specific authentication method by clicking Disable on the authentication settings page. When re-enabled, it will be placed at the end of the authentication chain.

Create Dedicated Deployment

Configure PrivateLink

Single Sign-On (SSO)

Platform API

Deployment API

Serverless Deployment API

Dedicated / BYOC Deployment API

External Authentication and Access Control

Principles and Authentication Process

Authentication Chain

Handle Multiple Authentication Sources

External Authentication Data Sources

View Authentication Order

Reorder Authentication Sources

Serverless Deployment API

Dedicated / BYOC Deployment API

External Authentication and Access Control ​

Principles and Authentication Process ​

Authentication Chain ​

Handle Multiple Authentication Sources ​

External Authentication Data Sources ​

View Authentication Order ​

Reorder Authentication Sources ​

External Authentication and Access Control

Principles and Authentication Process

Authentication Chain

Handle Multiple Authentication Sources

External Authentication Data Sources

View Authentication Order

Reorder Authentication Sources