annotate xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2986:2b161541806a
Documented the CryptoKey object in njs Reference.
author | Yaroslav Zhuravlev <yar@nginx.com> |
---|---|
date | Thu, 01 Jun 2023 17:12:18 +0100 |
parents | 8bd6f772005f |
children |
rev | line source |
---|---|
1763
1 <?xml version="1.0"?> |
2 |
3 <!-- |
4 Copyright (C) Nginx, Inc. |
5 --> |
6 |
7 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
8 |
9 <module name="Module ngx_http_auth_jwt_module" |
10 link="/en/docs/http/ngx_http_auth_jwt_module.html" |
11 lang="en" |
2768
12 rev="12"> |
1763
13 |
14 <section id="summary"> |
15 |
16 <para> |
17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) |
18 implements client authorization by validating the provided |
2831
19 <link url="https://datatracker.ietf.org/doc/html/rfc7519">JSON Web Token</link> (JWT) |
1763
20 using the specified keys. |
2768
21 The module supports |
2831
22 <link url="https://datatracker.ietf.org/doc/html/rfc7515">JSON Web Signature</link> (JWS), |
23 <link url="https://datatracker.ietf.org/doc/html/rfc7516">JSON Web Encryption</link> (JWE) |
2768
24 (1.19.7), and Nested JWT (1.21.0). |
1763
25 The module can be used for |
26 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> |
27 authentication. |
28 </para> |
29 |
30 <para> |
31 The module may be combined with |
32 other access modules, such as |
33 <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, |
34 <link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, |
35 and |
36 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, |
37 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. |
38 </para> |
39 |
40 <para> |
2713
41 <note> |
42 This module is available as part of our |
43 <commercial_version>commercial subscription</commercial_version>. |
44 </note> |
45 </para> |
46 |
47 </section> |
48 |
2082
49 |
2713
50 <section id="algorithms" name="Supported Algorithms"> |
51 |
52 <para> |
53 The module supports the following JSON Web |
54 <link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">Algorithms</link>. |
55 </para> |
56 |
57 <para> |
58 JWS algorithms: |
2082
59 <list type="bullet"> |
60 |
61 <listitem> |
62 HS256, HS384, HS512 |
63 </listitem> |
64 |
65 <listitem> |
66 RS256, RS384, RS512 |
67 </listitem> |
68 |
69 <listitem> |
70 ES256, ES384, ES512 |
71 </listitem> |
72 |
2304
73 <listitem> |
74 EdDSA (Ed25519 and Ed448 signatures) (1.15.7) |
75 </listitem> |
76 |
2082
77 </list> |
78 |
2713
79 <note> |
2082
80 Prior to version 1.13.7, |
81 only HS256, RS256, ES256 algorithms were supported. |
2713
82 </note> |
2082
83 </para> |
84 |
85 <para> |
2713
86 JWE content encryption algorithms (1.19.7): |
87 <list type="bullet"> |
88 |
89 <listitem> |
90 A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
91 </listitem> |
92 |
93 <listitem> |
94 A128GCM, A192GCM, A256GCM |
95 </listitem> |
96 |
97 </list> |
98 </para> |
99 |
100 <para> |
101 JWE key management algorithms (1.19.9): |
102 <list type="bullet"> |
103 |
104 <listitem> |
105 A128KW, A192KW, A256KW |
106 </listitem> |
107 |
108 <listitem> |
109 A128GCMKW, A192GCMKW, A256GCMKW |
110 </listitem> |
111 |
112 <listitem> |
113 dir—direct use of a shared symmetric key as the content encryption key |
114 </listitem> |
115 |
2768
116 <listitem> |
117 RSA-OAEP, RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512 (1.21.0) |
118 </listitem> |
119 |
2713
120 </list> |
1763
121 </para> |
122 |
123 </section> |
124 |
125 |
126 <section id="example" name="Example Configuration"> |
127 |
128 <para> |
129 <example> |
130 location / { |
131 auth_jwt "closed site"; |
132 auth_jwt_key_file conf/keys.json; |
133 } |
134 </example> |
135 </para> |
136 |
137 </section> |
138 |
139 |
140 <section id="directives" name="Directives"> |
141 |
142 <directive name="auth_jwt"> |
1831
143 <syntax> |
144 <value>string</value> |
145 [<literal>token=</literal><value>$variable</value>] | |
146 <literal>off</literal></syntax> |
1763
147 <default>off</default> |
148 <context>http</context> |
149 <context>server</context> |
150 <context>location</context> |
2139
151 <context>limit_except</context> |
1763
152 |
153 <para> |
154 Enables validation of JSON Web Token. |
155 The specified <value>string</value> is used as a <literal>realm</literal>. |
156 Parameter value can contain variables. |
157 </para> |
158 |
159 <para> |
1831
160 The optional <literal>token</literal> parameter specifies a variable |
1763
161 that contains JSON Web Token. |
162 By default, JWT is passed in the <header>Authorization</header> header |
163 as a |
2831
164 <link url="https://datatracker.ietf.org/doc/html/rfc6750">Bearer Token</link>. |
1763
165 JWT may be also passed as a cookie or a part of a query string: |
166 <example> |
167 auth_jwt "closed site" token=$cookie_auth_token; |
168 </example> |
169 </para> |
170 |
171 <para> |
172 The special value <literal>off</literal> cancels the effect |
173 of the <literal>auth_jwt</literal> directive |
174 inherited from the previous configuration level. |
175 </para> |
176 |
177 </directive> |
178 |
179 |
1925
180 <directive name="auth_jwt_claim_set"> |
2082
181 <syntax><value>$variable</value> <value>name</value> ...</syntax> |
1925
182 <default/> |
183 <context>http</context> |
184 <appeared-in>1.11.10</appeared-in> |
185 |
186 <para> |
2082
187 Sets the <value>variable</value> to a JWT claim parameter |
188 identified by key names. |
189 Name matching starts from the top level of the JSON tree. |
190 For arrays, the variable keeps a list of array elements separated by commas. |
191 <example> |
2424
192 auth_jwt_claim_set $email info e-mail; |
193 auth_jwt_claim_set $job info "job title"; |
2082
194 </example> |
195 <note> |
196 Prior to version 1.13.7, only one key name could be specified, |
197 and the result was undefined for arrays. |
198 </note> |
1925
199 </para> |
200 |
2713
201 <para> |
202 <note> |
203 Variable values for tokens encrypted with JWE |
204 are available only after decryption which occurs during the |
205 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. |
206 </note> |
207 </para> |
208 |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
209 </directive> |


<directive name="auth_jwt_header_set">
<syntax><value>$variable</value> <value>name</value> ...</syntax>
<default/>
<context>http</context>
<appeared-in>1.11.10</appeared-in>

<para>
Sets the <value>variable</value> to a JOSE header parameter
identified by key names.
Name matching starts from the top level of the JSON tree.
For arrays, the variable keeps a list of array elements separated by commas.
<note>
Prior to version 1.13.7, only one key name could be specified,
and the result was undefined for arrays.
</note>
</para>

</directive>


<directive name="auth_jwt_key_cache">
<syntax><value>time</value></syntax>
<default>0</default>
<context>http</context>
<context>server</context>
<context>location</context>
<appeared-in>1.21.4</appeared-in>

<para>
Enables or disables caching of keys
obtained from a <link id="auth_jwt_key_file">file</link>
or from a <link id="auth_jwt_key_request">subrequest</link>,
and sets caching time for them.
Caching of keys obtained from variables is not supported.
By default, caching of keys is disabled.
</para>

</directive>


<directive name="auth_jwt_key_file">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>

<para>
Specifies a <value>file</value> in
<link url="https://datatracker.ietf.org/doc/html/rfc7517#section-5">JSON Web Key Set</link>
format for validating the JWT signature.
Parameter value can contain variables.
</para>

<para>
Several <literal>auth_jwt_key_file</literal> directives
can be specified on the same level (1.21.1):
<example>
auth_jwt_key_file conf/keys.json;
auth_jwt_key_file conf/key.jwk;
</example>
If at least one of the specified keys cannot be loaded or processed,
nginx will return the
<http-status code="500" text="Internal Server Error"/> error.
</para>

</directive>


<directive name="auth_jwt_key_request">
<syntax><value>uri</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>
<appeared-in>1.15.6</appeared-in>

<para>
Allows retrieving a
<link url="https://datatracker.ietf.org/doc/html/rfc7517#section-5">JSON Web Key Set</link>
file from a subrequest for validating the JWT signature and
sets the URI to which the subrequest will be sent.
Parameter value can contain variables.
To avoid validation overhead,
it is recommended to cache the key file:
<example>
proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m;

server {
    ...

    location / {
        auth_jwt "closed site";
        auth_jwt_key_request /jwks_uri;
    }

    location = /jwks_uri {
        internal;
        proxy_cache foo;
        proxy_pass http://idp.example.com/keys;
    }
}
</example>
Several <literal>auth_jwt_key_request</literal> directives
can be specified on the same level (1.21.1):
<example>
auth_jwt_key_request /jwks_uri;
auth_jwt_key_request /jwks2_uri;
</example>
If at least one of the specified keys cannot be loaded or processed,
nginx will return the
<http-status code="500" text="Internal Server Error"/> error.
</para>

</directive>
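A hardened variant of the key-retrieval configuration above, added here as an illustration and not part of the original documentation: the key set is fetched over verified TLS, and both cache layers (the proxy cache for the key file and auth_jwt_key_cache for the keys) get explicit lifetimes. The certificate paths, cache lifetimes, zone name and backend address are assumptions.

```nginx
# Constructed example. Paths, zone name, lifetimes and backend address are assumptions.
proxy_cache_path /data/nginx/cache levels=1 keys_zone=jwks:1m;

server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;

    location /api/ {
        auth_jwt "closed site";
        auth_jwt_key_request /_jwks;

        # Cache keys obtained from the subrequest (1.21.4+).
        # The default of 0 disables this cache.
        auth_jwt_key_cache 10m;

        proxy_pass http://127.0.0.1:8080;
    }

    location = /_jwks {
        # Reachable only through the subrequest, never directly by clients.
        internal;

        # Signature validation trusts whatever keys this request returns,
        # so the identity provider is authenticated before its keys are used.
        proxy_pass https://idp.example.com/keys;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_cache jwks;
        # Applies when the response carries no caching headers of its own.
        # Together with auth_jwt_key_cache this bounds how long a key that
        # the identity provider has rotated out is still accepted.
        proxy_cache_valid 200 1h;
        # Collapse concurrent cache misses into a single upstream fetch.
        proxy_cache_lock on;
    }
}
```

Choose both lifetimes with the identity provider's key rotation schedule in mind: a withdrawn key stays usable here until both caches expire.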


<directive name="auth_jwt_leeway">
<syntax><value>time</value></syntax>
<default>0s</default>
<context>http</context>
<context>server</context>
<context>location</context>
<appeared-in>1.13.10</appeared-in>

<para>
Sets the maximum allowable leeway to compensate for
clock skew when verifying the
<link url="https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4">exp</link>
and
<link url="https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5">nbf</link>
JWT claims.
</para>

</directive>


<directive name="auth_jwt_type">
<syntax><value>signed</value> |
<value>encrypted</value> |
<value>nested</value></syntax>
<default>signed</default>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>
<appeared-in>1.19.7</appeared-in>

<para>
Specifies which type of JSON Web Token to expect:
JWS (<literal>signed</literal>),
JWE (<literal>encrypted</literal>),
or signed and then encrypted
Nested JWT (<literal>nested</literal>) (1.21.0).
</para>

</directive>


<directive name="auth_jwt_require">
<syntax>
<value>$value</value> ...
[<literal>error</literal>=<literal>401</literal> |
<literal>403</literal>]
</syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>
<context>limit_except</context>
<appeared-in>1.21.2</appeared-in>

<para>
Specifies additional checks for JWT validation.
The value can contain text, variables, and their combination,
and must start with a variable (1.21.7).
The authentication will succeed only
if all the values are not empty and are not equal to “0”.
<example>
map $jwt_claim_iss $valid_jwt_iss {
    "good" 1;
}
...

auth_jwt_require $valid_jwt_iss;
</example>
</para>

<para>
If any of the checks fails,
the <literal>401</literal> error code is returned.
The optional <literal>error</literal> parameter (1.21.7)
allows redefining the error code to <literal>403</literal>.
</para>

</directive>
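An added example, not part of the original documentation, that combines the checks described above: issuer and audience allowlists built with map, an array-valued claim matched in its comma-separated form, a 403 on failure, and a small leeway. The issuer URL, audience name, key file and backend address are assumptions, and auth_jwt_claim_set is assumed to join arrays with commas in the same way stated for auth_jwt_header_set.

```nginx
# Constructed example. Issuer, audience, key file and backend are assumptions.

# Expose the "aud" claim as a variable (http context).
auth_jwt_claim_set $jwt_aud aud;

# Any issuer not listed maps to 0, which auth_jwt_require treats as a
# failed check. Without "default", an unlisted issuer maps to an empty
# string, which fails as well; spelling it out makes the intent explicit.
map $jwt_claim_iss $valid_jwt_iss {
    default 0;
    "https://idp.example.com" 1;
}

# "aud" may be a single string or an array. An array arrives here as
# "a,b,c", so the pattern is anchored on element boundaries: a token
# issued for "orders-api-admin" must not satisfy a check for "orders-api".
map $jwt_aud $valid_jwt_aud {
    default 0;
    "~(^|,)orders-api(,|$)" 1;
}

server {
    listen 8080;

    location /orders/ {
        auth_jwt "orders";
        auth_jwt_type signed;
        auth_jwt_key_file conf/keys.json;

        # Tolerate up to 30 seconds of clock skew on exp and nbf.
        # The same 30 seconds also extends how long an expired token
        # is still accepted, so keep the value small.
        auth_jwt_leeway 30s;

        # Both values must be non-empty and not "0".
        # error=403 requires 1.21.7; without it a failed check returns 401.
        auth_jwt_require $valid_jwt_iss $valid_jwt_aud error=403;

        proxy_pass http://127.0.0.1:9000;
    }
}
```

An audience value that itself contains a comma cannot be distinguished from two array elements in this form, so the allowlisted names should not contain commas.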
efb3d27dfa23
Updated docs for the upcoming NGINX Plus release.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2694
diff
changeset
|
410 |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
411 </section> |
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
412 |
1831
b5e416ace4bf
Corrected style and variables description in auth_jwt.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1763
diff
changeset
|
413 |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
414 <section id="variables" name="Embedded Variables"> |
415 |
416 <para> |
417 The <literal>ngx_http_auth_jwt_module</literal> module |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
418 supports embedded variables: |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
419 </para> |
420 |
421 <para> |
1831
b5e416ace4bf
Corrected style and variables description in auth_jwt.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
1763
diff
changeset
|
422 <list type="tag" compact="yes"> |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
423 <tag-name id="var_jwt_header_"><var>$jwt_header_</var><value>name</value></tag-name> |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
424 <tag-desc> |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
425 returns the value of a specified |
2831
4add6ae1296f
Updated links to datatracker.ietf.org.
Sergey Kandaurov <pluknet@nginx.com>
parents:
2768
diff
changeset
|
426 <link url="https://datatracker.ietf.org/doc/html/rfc7515#section-4">JOSE header</link> |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
427 </tag-desc> |
428 |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
429 <tag-name id="var_jwt_claim_"><var>$jwt_claim_</var><value>name</value></tag-name> |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
430 <tag-desc> |
1925
a58b35cc0823
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
1831
diff
changeset
|
431 returns the value of a specified |
2831
4add6ae1296f
Updated links to datatracker.ietf.org.
Sergey Kandaurov <pluknet@nginx.com>
parents:
2768
diff
changeset
|
432 <link url="https://datatracker.ietf.org/doc/html/rfc7519#section-4">JWT claim</link> |
2408
183c16ce60d0
Added info about nested claims and claims with a dot to $jwt_claim_name.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2304
diff
changeset
|
433 |
434 <para> |
435 For nested claims and claims including a dot (“.”), |
436 the value of the variable cannot be evaluated; |
437 the <link id="auth_jwt_claim_set"/> directive should be used instead. |
438 </para> |
2713
efb3d27dfa23
Updated docs for the upcoming NGINX Plus release.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2694
diff
changeset
|
439 |
440 <para> |
441 Variable values for tokens encrypted with JWE |
442 are available only after decryption, which occurs during the |
443 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. |
444 </para> |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
445 </tag-desc> |
446 |
2768
9dd8c203a54a
Updated docs for the upcoming NGINX Plus release.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
2713
diff
changeset
|
447 <tag-name id="var_jwt_payload"><var>$jwt_payload</var></tag-name> |
448 <tag-desc> |
449 returns the decrypted top-level payload |
450 of <literal>nested</literal> |
451 or <literal>encrypted</literal> tokens (1.21.2). |
452 For nested tokens returns the enclosed JWS token. |
453 For encrypted tokens returns JSON with claims. |
454 </tag-desc> |
455 |
1763
a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
Ruslan Ermilov <ru@nginx.com>
parents:
diff
changeset
|
456 </list> |
457 </para> |
458 |
459 </section> |
460 |
461 </module> |
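
An added configuration example, not part of the annotated file or the nginx documentation: it reads a nested claim and a claim whose name contains a dot through `auth_jwt_claim_set`, since `$jwt_claim_name` cannot evaluate them, and returns 403 instead of 401 when the extra check fails. The claim names, variable names, key file path and upstream address are assumptions.

```nginx
http {
    # Assumed token payload:
    #   {"realm_access": {"role": "admin"}, "tenant.id": "acme"}
    # $jwt_claim_realm_access cannot address the nested value, so the key path
    # is given explicitly, matched from the top level of the JSON tree.
    auth_jwt_claim_set $jwt_role realm_access role;

    # A claim name containing a dot is passed as a single key name.
    auth_jwt_claim_set $jwt_tenant "tenant.id";

    # auth_jwt_require succeeds only if the value is non-empty and not "0".
    # A token without the claim leaves $jwt_role empty and hits the default.
    map $jwt_role $role_is_admin {
        "admin"  1;
        default  0;
    }

    upstream backend {
        server 127.0.0.1:8080;   # assumed application server
    }

    server {
        listen 80;

        location /admin/ {
            auth_jwt          "admin area";
            auth_jwt_key_file conf/keys.json;   # assumed key file path

            # An invalid or missing token is still answered with 401;
            # a valid token that lacks the role is answered with 403.
            auth_jwt_require  $role_is_admin error=403;

            # For JWE tokens the claim variables are populated only after
            # decryption in the Access phase, so they are usable here.
            proxy_set_header  X-Tenant $jwt_tenant;
            proxy_pass        http://backend;
        }
    }
}
```

Keeping 401 for token failures and 403 for authorization failures lets access logs separate unauthenticated clients from authenticated clients that lack the role.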