Currently, the jwt lets the user access all the topics since the username is not a criterion.
It will help if we can isolate the topics accessible too.

+1

I suppose that the feature you want is acl, this acl could be configured in acl.conf in emqx/etc. this plugin is just for authentification not acl.

The thing here is that if I have a valid JWT token, and if I know another username than my own, I can use this JWT to authenticate as the other user (any user actually, just need one valid JWT)