http-auth-jwt #
JWT (JSON Web Token) authentication module — validates Bearer / cookie tokens against a key, redirects unauthenticated clients to a login URL, and exposes claims as nginx variables.
Source: upstream source
Directives
auth_jwt_algorithm #
syntax: auth_jwt_algorithm 1 arg (string); · context: http, server, location
The algorithm to use. One of: HS256, HS384, HS512, RS256, RS384, RS512
auth_jwt_enabled #
syntax: auth_jwt_enabled 1 arg; · context: http, server, location
Set to "on" to enable JWT checking.
auth_jwt_extract_request_claims #
syntax: auth_jwt_extract_request_claims 1+ args; · context: http, server, location
Set to a space-delimited list of claims to extract from the JWT and set as request headers. These will be accessible via e.g: $http_jwt_sub
auth_jwt_extract_response_claims #
syntax: auth_jwt_extract_response_claims 1+ args; · context: http, server, location
Set to a space-delimited list of claims to extract from the JWT and set as response headers. These will be accessible via e.g: $sent_http_jwt_sub
auth_jwt_extract_var_claims #
syntax: auth_jwt_extract_var_claims 1+ args; · context: http, server, location
Set to a space-delimited list of claims to extract from the JWT and make available as NGINX variables. These will be accessible via e.g: $jwt_claim_sub
auth_jwt_key #
syntax: auth_jwt_key 1 arg (string); · context: http, server, location
The key to use to decode/verify the JWT, *in binhex format* -- see below.
auth_jwt_keyfile_path #
syntax: auth_jwt_keyfile_path 1 arg (string); · context: http, server, location
Set to the path from which the key should be read when auth_jwt_use_keyfile is enabled.
auth_jwt_location #
syntax: auth_jwt_location 1 arg (string); · context: http, server, location
Indicates where the JWT is located in the request -- see below.
auth_jwt_loginurl #
syntax: auth_jwt_loginurl 1 arg (string); · context: http, server, location
The URL to redirect to if auth_jwt_redirect is enabled and authentication fails.
auth_jwt_redirect #
syntax: auth_jwt_redirect on | off (on/off flag); · context: http, server, location
Set to "on" to redirect to auth_jwt_loginurl if authentication fails.
auth_jwt_use_keyfile #
syntax: auth_jwt_use_keyfile on | off (on/off flag); · context: http, server, location
Set to "on" to read the key from a file rather than from the auth_jwt_key directive.
auth_jwt_validate_sub #
syntax: auth_jwt_validate_sub on | off (on/off flag); · context: http, server, location
Set to "on" to validate the sub claim (e.g. user id) in the JWT.
Example
error_log /var/log/nginx/debug.log debug;
access_log /var/log/nginx/access.log;
log_format extract_test 'Log extract test sub: $jwt_claim_sub';
server {
listen %{PORT};
listen %{SSL_PORT} ssl;
server_name localhost;
ssl_certificate /etc/nginx/test.crt;
ssl_certificate_key /etc/nginx/test.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
auth_jwt_loginurl "https://example.com/login";
auth_jwt_enabled off;
location /ping {
return 200 "pong";
}
location / {
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/default {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_location COOKIE=jwt;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/default/validate-sub {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_validate_sub on;
auth_jwt_location COOKIE=jwt;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/default/no-redirect {
auth_jwt_enabled on;
auth_jwt_redirect off;
auth_jwt_location COOKIE=jwt;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/hs256 {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_location COOKIE=jwt;
auth_jwt_algorithm HS256;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/hs384 {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_location COOKIE=jwt;
auth_jwt_algorithm HS384;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/hs512 {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_location COOKIE=jwt;
auth_jwt_algorithm HS512;
alias /usr/share/nginx/html/;
try_files index.html =404;
}
location /secure/cookie/es256 {
auth_jwt_enabled on;
auth_jwt_redirect on;
auth_jwt_location COOKIE=jwt;
auth_jwt_algorithm ES256;
auth_jwt_key "-----BEGIN PUBLIC KEY-----
…