Mercurial > hg > nginx-site
comparison xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2768:9dd8c203a54a
Updated docs for the upcoming NGINX Plus release.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Wed, 22 Sep 2021 13:47:23 +0300 |
| parents | efb3d27dfa23 |
| children | 4add6ae1296f |
comparison
equal
deleted
inserted
replaced
| 2767:c56adb7148a4 | 2768:9dd8c203a54a |
|---|---|
| 7 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> | 7 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
| 8 | 8 |
| 9 <module name="Module ngx_http_auth_jwt_module" | 9 <module name="Module ngx_http_auth_jwt_module" |
| 10 link="/en/docs/http/ngx_http_auth_jwt_module.html" | 10 link="/en/docs/http/ngx_http_auth_jwt_module.html" |
| 11 lang="en" | 11 lang="en" |
| 12 rev="11"> | 12 rev="12"> |
| 13 | 13 |
| 14 <section id="summary"> | 14 <section id="summary"> |
| 15 | 15 |
| 16 <para> | 16 <para> |
| 17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) | 17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) |
| 18 implements client authorization by validating the provided | 18 implements client authorization by validating the provided |
| 19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) | 19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) |
| 20 using the specified keys. | 20 using the specified keys. |
| 21 JWT claims can be encoded in a | 21 The module supports |
| 22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) | 22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS), |
| 23 or | |
| 24 <link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE) | 23 <link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE) |
| 25 (1.19.7) structure. | 24 (1.19.7), and Nested JWT (1.21.0). |
| 26 The module can be used for | 25 The module can be used for |
| 27 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> | 26 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> |
| 28 authentication. | 27 authentication. |
| 29 </para> | 28 </para> |
| 30 | 29 |
| 110 A128GCMKW, A192GCMKW, A256GCMKW | 109 A128GCMKW, A192GCMKW, A256GCMKW |
| 111 </listitem> | 110 </listitem> |
| 112 | 111 |
| 113 <listitem> | 112 <listitem> |
| 114 dir—direct use of a shared symmetric key as the content encryption key | 113 dir—direct use of a shared symmetric key as the content encryption key |
| 114 </listitem> | |
| 115 | |
| 116 <listitem> | |
| 117 RSA-OAEP, RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512 (1.21.0) | |
| 115 </listitem> | 118 </listitem> |
| 116 | 119 |
| 117 </list> | 120 </list> |
| 118 </para> | 121 </para> |
| 119 | 122 |
| 239 <link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link> | 242 <link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link> |
| 240 format for validating JWT signature. | 243 format for validating JWT signature. |
| 241 Parameter value can contain variables. | 244 Parameter value can contain variables. |
| 242 </para> | 245 </para> |
| 243 | 246 |
| 247 <para> | |
| 248 Several <literal>auth_jwt_key_file</literal> directives | |
| 249 can be specified on the same level (1.21.1): | |
| 250 <example> | |
| 251 auth_jwt_key_file conf/keys.json; | |
| 252 auth_jwt_key_file conf/key.jwk; | |
| 253 </example> | |
| 254 If at least one of the specified keys cannot be loaded or processed, | |
| 255 nginx will return the | |
| 256 <http-status code="500" text="Internal Server Error"/> error. | |
| 257 </para> | |
| 258 | |
| 244 </directive> | 259 </directive> |
| 245 | 260 |
| 246 | 261 |
| 247 <directive name="auth_jwt_key_request"> | 262 <directive name="auth_jwt_key_request"> |
| 248 <syntax><value>uri</value></syntax> | 263 <syntax><value>uri</value></syntax> |
| 277 proxy_cache foo; | 292 proxy_cache foo; |
| 278 proxy_pass http://idp.example.com/keys; | 293 proxy_pass http://idp.example.com/keys; |
| 279 } | 294 } |
| 280 } | 295 } |
| 281 </example> | 296 </example> |
| 297 Several <literal>auth_jwt_key_request</literal> directives | |
| 298 can be specified on the same level (1.21.1): | |
| 299 <example> | |
| 300 auth_jwt_key_request /jwks_uri; | |
| 301 auth_jwt_key_request /jwks2_uri; | |
| 302 </example> | |
| 303 If at least one of the specified keys cannot be loaded or processed, | |
| 304 nginx will return the | |
| 305 <http-status code="500" text="Internal Server Error"/> error. | |
| 282 </para> | 306 </para> |
| 283 | 307 |
| 284 </directive> | 308 </directive> |
| 285 | 309 |
| 286 | 310 |
| 303 | 327 |
| 304 </directive> | 328 </directive> |
| 305 | 329 |
| 306 | 330 |
| 307 <directive name="auth_jwt_type"> | 331 <directive name="auth_jwt_type"> |
| 308 <syntax><value>signed</value> | <value>encrypted</value></syntax> | 332 <syntax><value>signed</value> | |
| 333 <value>encrypted</value> | | |
| 334 <value>nested</value></syntax> | |
| 309 <default>signed</default> | 335 <default>signed</default> |
| 310 <context>http</context> | 336 <context>http</context> |
| 311 <context>server</context> | 337 <context>server</context> |
| 312 <context>location</context> | 338 <context>location</context> |
| 313 <context>limit_except</context> | 339 <context>limit_except</context> |
| 314 <appeared-in>1.19.7</appeared-in> | 340 <appeared-in>1.19.7</appeared-in> |
| 315 | 341 |
| 316 <para> | 342 <para> |
| 317 Specifies which type of JSON Web Token to expect: | 343 Specifies which type of JSON Web Token to expect: |
| 318 JWS (<literal>signed</literal>) or | 344 JWS (<literal>signed</literal>), |
| 319 JWE (<literal>encrypted</literal>). | 345 JWE (<literal>encrypted</literal>), |
| 346 or signed and then encrypted | |
| 347 Nested JWT (<literal>nested</literal>) (1.21.0). | |
| 348 </para> | |
| 349 | |
| 350 </directive> | |
| 351 | |
| 352 | |
| 353 <directive name="auth_jwt_require"> | |
| 354 <syntax><value>value</value> ...</syntax> | |
| 355 <default/> | |
| 356 <context>http</context> | |
| 357 <context>server</context> | |
| 358 <context>location</context> | |
| 359 <context>limit_except</context> | |
| 360 <appeared-in>1.21.2</appeared-in> | |
| 361 | |
| 362 <para> | |
| 363 Defines additional conditions for JWT validation. | |
| 364 The value can contain text, variables, and their combination. | |
| 365 The authentication will succeed only | |
| 366 if all the values are not empty and are not equal to “0”. | |
| 367 <example> | |
| 368 map $jwt_claim_iss $valid_jwt_iss { | |
| 369 "good" 1; | |
| 370 } | |
| 371 ... | |
| 372 | |
| 373 auth_jwt_require $valid_jwt_iss; | |
| 374 </example> | |
| 320 </para> | 375 </para> |
| 321 | 376 |
| 322 </directive> | 377 </directive> |
| 323 | 378 |
| 324 </section> | 379 </section> |
| 355 are available only after decryption which occurs during the | 410 are available only after decryption which occurs during the |
| 356 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. | 411 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. |
| 357 </para> | 412 </para> |
| 358 </tag-desc> | 413 </tag-desc> |
| 359 | 414 |
| 415 <tag-name id="var_jwt_payload"><var>$jwt_payload</var></tag-name> | |
| 416 <tag-desc> | |
| 417 returns the decrypted top-level payload | |
| 418 of <literal>nested</literal> | |
| 419 or <literal>encrypted</literal> tokens (1.21.2). | |
| 420 For nested tokens returns the enclosed JWS token. | |
| 421 For encrypted tokens returns JSON with claims. | |
| 422 </tag-desc> | |
| 423 | |
| 360 </list> | 424 </list> |
| 361 </para> | 425 </para> |
| 362 | 426 |
| 363 </section> | 427 </section> |
| 364 | 428 |