http-auth-jwt #

JWT (JSON Web Token) authentication module — validates Bearer / cookie tokens against a key, redirects unauthenticated clients to a login URL, and exposes claims as nginx variables.

Source: upstream source

Directives

auth_jwt_algorithm #

syntax: auth_jwt_algorithm 1 arg (string);  ·  context: http, server, location

The algorithm to use. One of: HS256, HS384, HS512, RS256, RS384, RS512

auth_jwt_enabled #

syntax: auth_jwt_enabled 1 arg;  ·  context: http, server, location

Set to "on" to enable JWT checking.

auth_jwt_extract_request_claims #

syntax: auth_jwt_extract_request_claims 1+ args;  ·  context: http, server, location

Set to a space-delimited list of claims to extract from the JWT and set as request headers. These will be accessible via e.g: $http_jwt_sub

auth_jwt_extract_response_claims #

syntax: auth_jwt_extract_response_claims 1+ args;  ·  context: http, server, location

Set to a space-delimited list of claims to extract from the JWT and set as response headers. These will be accessible via e.g: $sent_http_jwt_sub

auth_jwt_extract_var_claims #

syntax: auth_jwt_extract_var_claims 1+ args;  ·  context: http, server, location

Set to a space-delimited list of claims to extract from the JWT and make available as NGINX variables. These will be accessible via e.g: $jwt_claim_sub

auth_jwt_key #

syntax: auth_jwt_key 1 arg (string);  ·  context: http, server, location

The key to use to decode/verify the JWT, *in binhex format* -- see below.

auth_jwt_keyfile_path #

syntax: auth_jwt_keyfile_path 1 arg (string);  ·  context: http, server, location

Set to the path from which the key should be read when auth_jwt_use_keyfile is enabled.

auth_jwt_location #

syntax: auth_jwt_location 1 arg (string);  ·  context: http, server, location

Indicates where the JWT is located in the request -- see below.

auth_jwt_loginurl #

syntax: auth_jwt_loginurl 1 arg (string);  ·  context: http, server, location

The URL to redirect to if auth_jwt_redirect is enabled and authentication fails.

auth_jwt_redirect #

syntax: auth_jwt_redirect on | off (on/off flag);  ·  context: http, server, location

Set to "on" to redirect to auth_jwt_loginurl if authentication fails.

auth_jwt_use_keyfile #

syntax: auth_jwt_use_keyfile on | off (on/off flag);  ·  context: http, server, location

Set to "on" to read the key from a file rather than from the auth_jwt_key directive.

auth_jwt_validate_sub #

syntax: auth_jwt_validate_sub on | off (on/off flag);  ·  context: http, server, location

Set to "on" to validate the sub claim (e.g. user id) in the JWT.

Example

error_log /var/log/nginx/debug.log debug;
access_log /var/log/nginx/access.log;

log_format  extract_test  'Log extract test sub: $jwt_claim_sub';

server {
    listen %{PORT};
    listen %{SSL_PORT} ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/test.crt;
    ssl_certificate_key /etc/nginx/test.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
    auth_jwt_loginurl "https://example.com/login";
    auth_jwt_enabled off;

    location /ping {
        return 200 "pong";
    }

    location / {
        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/default {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=jwt;
        
        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/default/validate-sub {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_validate_sub on;
        auth_jwt_location COOKIE=jwt;
        
        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }
        
    location /secure/cookie/default/no-redirect {
        auth_jwt_enabled on;
        auth_jwt_redirect off;
        auth_jwt_location COOKIE=jwt;

        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/hs256 {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=jwt;
        auth_jwt_algorithm HS256;

        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/hs384 {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=jwt;
        auth_jwt_algorithm HS384;

        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/hs512 {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=jwt;
        auth_jwt_algorithm HS512;

        alias /usr/share/nginx/html/;
        try_files index.html =404;
    }

    location /secure/cookie/es256 {
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=jwt;
        auth_jwt_algorithm ES256;
        auth_jwt_key "-----BEGIN PUBLIC KEY-----
…

↑ back to index