comparison xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2713:efb3d27dfa23

Updated docs for the upcoming NGINX Plus release.
author Yaroslav Zhuravlev <yar@nginx.com>
date Mon, 26 Apr 2021 12:52:35 +0100
parents 1f2bd0d9a06c
children 9dd8c203a54a
2712:caa04d53b7af 2713:efb3d27dfa23
16 <para> 16 <para>
17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) 17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3)
18 implements client authorization by validating the provided 18 implements client authorization by validating the provided
19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) 19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT)
20 using the specified keys. 20 using the specified keys.
21 JWT claims must be encoded in a 21 JWT claims can be encoded in a
22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) 22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS)
23 structure. 23 or
24 <link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE)
25 (1.19.7) structure.
24 The module can be used for 26 The module can be used for
25 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> 27 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link>
26 authentication. 28 authentication.
27 </para> 29 </para>
28 30
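Review bot: The rewritten sentence on new lines 21-25 says claims "can be encoded" in a JWS or JWE structure, but it does not say how the module decides which of the two to expect. This change also adds the auth_jwt_type directive with a default of signed, so add a cross-reference here, for example "the expected structure is selected with the <link id="auth_jwt_type"/> directive". Without it a reader can assume the token type is detected automatically.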
35 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, 37 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>,
36 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. 38 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
37 </para> 39 </para>
38 40
39 <para> 41 <para>
40 The module supports the following cryptographic 42 <note>
41 <link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>: 43 This module is available as part of our
42 44 <commercial_version>commercial subscription</commercial_version>.
45 </note>
46 </para>
47
48 </section>
49
50
51 <section id="algorithms" name="Supported Algorithms">
52
53 <para>
54 The module supports the following JSON Web
55 <link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">Algorithms</link>.
56 </para>
57
58 <para>
59 JWS algorithms:
43 <list type="bullet"> 60 <list type="bullet">
44 61
45 <listitem> 62 <listitem>
46 HS256, HS384, HS512 63 HS256, HS384, HS512
47 </listitem> 64 </listitem>
58 EdDSA (Ed25519 and Ed448 signatures) (1.15.7) 75 EdDSA (Ed25519 and Ed448 signatures) (1.15.7)
59 </listitem> 76 </listitem>
60 77
61 </list> 78 </list>
62 79
80 <note>
63 Prior to version 1.13.7, 81 Prior to version 1.13.7,
64 only HS256, RS256, ES256 algorithms were supported. 82 only HS256, RS256, ES256 algorithms were supported.
65 </para> 83 </note>
66 84 </para>
67 <para> 85
68 <note> 86 <para>
69 This module is available as part of our 87 JWE content encryption algorithms (1.19.7):
70 <commercial_version>commercial subscription</commercial_version>. 88 <list type="bullet">
71 </note> 89
90 <listitem>
91 A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
92 </listitem>
93
94 <listitem>
95 A128GCM, A192GCM, A256GCM
96 </listitem>
97
98 </list>
99 </para>
100
101 <para>
102 JWE key management algorithms (1.19.9):
103 <list type="bullet">
104
105 <listitem>
106 A128KW, A192KW, A256KW
107 </listitem>
108
109 <listitem>
110 A128GCMKW, A192GCMKW, A256GCMKW
111 </listitem>
112
113 <listitem>
114 dir&mdash;direct use of a shared symmetric key as the content encryption key
115 </listitem>
116
117 </list>
72 </para> 118 </para>
73 119
74 </section> 120 </section>
75 121
76 122
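Review bot: The version markers in the new JWE lists disagree: content encryption algorithms are tagged (1.19.7) on new line 87, while key management algorithms are tagged (1.19.9) on new line 102. The overview paragraph introduces JWE support as 1.19.7, so please confirm that 1.19.9 is intended. If it is, add a note in the style of the existing "Prior to version 1.13.7" note saying which key management modes were usable in 1.19.7. It would also help to state that every key management algorithm listed is symmetric, so readers know what kind of key must be configured for encrypted tokens.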
147 Prior to version 1.13.7, only one key name could be specified, 193 Prior to version 1.13.7, only one key name could be specified,
148 and the result was undefined for arrays. 194 and the result was undefined for arrays.
149 </note> 195 </note>
150 </para> 196 </para>
151 197
198 <para>
199 <note>
200 Variable values for tokens encrypted with JWE
201 are available only after decryption which occurs during the
202 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase.
203 </note>
204 </para>
205
152 </directive> 206 </directive>
153 207
154 208
155 <directive name="auth_jwt_header_set"> 209 <directive name="auth_jwt_header_set">
156 <syntax><value>$variable</value> <value>name</value> ...</syntax> 210 <syntax><value>$variable</value> <value>name</value> ...</syntax>
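Review bot: The note added on new lines 199-203 says values are available "only after decryption" but not what a reader will observe before that point. Say what value a variable set by this directive has when it is evaluated in a phase that runs before Access, because configurations that read claims early would otherwise behave differently for encrypted tokens with no hint in the docs. If the same restriction holds for auth_jwt_header_set, whose description starts right after this hunk, it needs the note as well. "after decryption which occurs" also needs a comma before "which".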
247 JWT claims. 301 JWT claims.
248 </para> 302 </para>
249 303
250 </directive> 304 </directive>
251 305
306
307 <directive name="auth_jwt_type">
308 <syntax><value>signed</value> | <value>encrypted</value></syntax>
309 <default>signed</default>
310 <context>http</context>
311 <context>server</context>
312 <context>location</context>
313 <context>limit_except</context>
314 <appeared-in>1.19.7</appeared-in>
315
316 <para>
317 Specifies which type of JSON Web Token to expect:
318 JWS (<literal>signed</literal>) or
319 JWE (<literal>encrypted</literal>).
320 </para>
321
322 </directive>
323
252 </section> 324 </section>
253 325
254 326
255 <section id="variables" name="Embedded Variables"> 327 <section id="variables" name="Embedded Variables">
256 328
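Review bot: The auth_jwt_type description on new lines 317-319 says which token type to "expect" but not what happens when the presented token is of the other type. Document that behaviour in both directions (a signed token arriving where encrypted is set, and the reverse), since operators will rely on this directive to enforce that only one kind of token is accepted. A link from here to the new "algorithms" section would also be useful, because the supported algorithms are listed per type.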
275 <para> 347 <para>
276 For nested claims and claims including a dot (“.”), 348 For nested claims and claims including a dot (“.”),
277 the value of the variable cannot be evaluated; 349 the value of the variable cannot be evaluated;
278 the <link id="auth_jwt_claim_set"/> directive should be used instead. 350 the <link id="auth_jwt_claim_set"/> directive should be used instead.
279 </para> 351 </para>
352
353 <para>
354 Variable values for tokens encrypted with JWE
355 are available only after decryption which occurs during the
356 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase.
357 </para>
280 </tag-desc> 358 </tag-desc>
281 359
282 </list> 360 </list>
283 </para> 361 </para>
284 362
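Review bot: The paragraph added on new lines 354-357 repeats the JWE sentence from the directive description word for word, but there it is wrapped in <note> and here it is a plain <para> inside the <tag-desc>. Use the same markup in both places. Because this copy sits under a single variable's description, also say whether it applies to every embedded variable of the module or only to this one. The sentence needs a comma before "which occurs".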