changeset 1763:a7974b8d2a23
Updated docs for the upcoming NGINX Plus release.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Mon, 22 Aug 2016 14:20:57 +0300 |
parents | 3064cb25e29d |
children | c150a7041263 |
files | xml/en/GNUmakefile xml/en/docs/http/ngx_http_access_module.xml xml/en/docs/http/ngx_http_auth_basic_module.xml xml/en/docs/http/ngx_http_auth_jwt_module.xml xml/en/docs/http/ngx_http_auth_request_module.xml xml/en/docs/http/ngx_http_core_module.xml xml/en/docs/index.xml xml/ru/docs/http/ngx_http_access_module.xml xml/ru/docs/http/ngx_http_auth_basic_module.xml xml/ru/docs/http/ngx_http_auth_request_module.xml xml/ru/docs/http/ngx_http_core_module.xml xml/ru/docs/index.xml |
diffstat | 12 files changed, 254 insertions(+), 24 deletions(-) |
--- a/xml/en/GNUmakefile Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/GNUmakefile Mon Aug 22 14:20:57 2016 +0300 @@ -39,6 +39,7 @@ http/ngx_http_access_module \ http/ngx_http_addition_module \ http/ngx_http_auth_basic_module \ + http/ngx_http_auth_jwt_module \ http/ngx_http_auth_request_module \ http/ngx_http_autoindex_module \ http/ngx_http_browser_module \
--- a/xml/en/docs/http/ngx_http_access_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/docs/http/ngx_http_access_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Module ngx_http_access_module" link="/en/docs/http/ngx_http_access_module.html" lang="en" - rev="3"> + rev="4"> <section id="summary"> @@ -21,8 +21,9 @@ <para> Access can also be limited by -<link doc="ngx_http_auth_basic_module.xml">password</link> or by the -<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>. +<link doc="ngx_http_auth_basic_module.xml">password</link>, by the +<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>, +or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>. Simultaneous limitation of access by address and by password is controlled by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. </para>
--- a/xml/en/docs/http/ngx_http_auth_basic_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/docs/http/ngx_http_auth_basic_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Module ngx_http_auth_basic_module" link="/en/docs/http/ngx_http_auth_basic_module.html" lang="en" - rev="7"> + rev="8"> <section id="summary"> @@ -22,8 +22,9 @@ <para> Access can also be limited by -<link doc="ngx_http_access_module.xml">address</link> or by the -<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>. +<link doc="ngx_http_access_module.xml">address</link>, by the +<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>, +or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>. Simultaneous limitation of access by address and by password is controlled by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. </para>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml Mon Aug 22 14:20:57 2016 +0300 
@@ -0,0 +1,207 @@ +<?xml version="1.0"?> + +<!-- + Copyright (C) Nginx, Inc. + --> + +<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> + +<module name="Module ngx_http_auth_jwt_module" + link="/en/docs/http/ngx_http_auth_jwt_module.html" + lang="en" + rev="1"> + +<section id="summary"> + +<para> +The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) +implements client authorization by validating the provided +<link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) +using the specified keys. +JWT claims must be encoded in a +<link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) +structure. +The module can be used for +<link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> +authentication. +</para> + +<para> +The module may be combined with +other access modules, such as +<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, +<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, +and +<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, +via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. +</para> + +<para> +<note> +This module is available as part of our +<commercial_version>commercial subscription</commercial_version>. +</note> +</para> + +</section> + + +<section id="example" name="Example Configuration"> + +<para> +<example> +location / { + auth_jwt "closed site"; + auth_jwt_key_file conf/keys.json; +} +</example> +</para> + +</section> + + +<section id="directives" name="Directives"> + +<directive name="auth_jwt"> +<syntax><value>string</value> [<value>token=$variable</value>] | +<literal>off</literal></syntax> +<default>off</default> +<context>http</context> +<context>server</context> +<context>location</context> + +<para> +Enables validation of JSON Web Token. +The specified <value>string</value> is used as a <literal>realm</literal>. +Parameter value can contain variables. 
+</para> + +<para> +The optional <literal>token</literal> argument specifies a variable +that contains JSON Web Token. +By default, JWT is passed in the <header>Authorization</header> header +as a +<link url="https://tools.ietf.org/html/rfc6750">Bearer Token</link>. +JWT may be also passed as a cookie or a part of a query string: +<example> +auth_jwt "closed site" token=$cookie_auth_token; +</example> +</para> + +<para> +The special value <literal>off</literal> cancels the effect +of the <literal>auth_jwt</literal> directive +inherited from the previous configuration level. +</para> + +</directive> + + +<directive name="auth_jwt_key_file"> +<syntax><value>file</value></syntax> +<default/> +<context>http</context> +<context>server</context> +<context>location</context> + +<para> +Specifies a <value>file</value> in +<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link> +format for validating JWT signature. +Parameter value can contain variables. +</para> + +</directive> + +</section> + +<section id="variables" name="Embedded Variables"> + +<para> +The <literal>ngx_http_auth_jwt_module</literal> module +supports embedded variables. 
+</para> + +<para> +Variables that return +<link url="https://tools.ietf.org/html/rfc7519#section-4">JWT claims</link>: + +<list type="tag" compact="no"> +<tag-name id="var_jwt_claim_aud"><var>$jwt_claim_aud</var></tag-name> +<tag-desc> +the <literal>aud</literal> (audience) claim +</tag-desc> + +<tag-name id="var_jwt_claim_email"><var>$jwt_claim_email</var></tag-name> +<tag-desc> +the <literal>email</literal> claim +</tag-desc> + +<tag-name id="var_jwt_claim_exp"><var>$jwt_claim_exp</var></tag-name> +<tag-desc> +the <literal>exp</literal> (expiration time) claim +</tag-desc> + +<tag-name id="var_jwt_claim_iat"><var>$jwt_claim_iat</var></tag-name> +<tag-desc> +the <literal>iat</literal> (issued at) claim +</tag-desc> + +<tag-name id="var_jwt_claim_iss"><var>$jwt_claim_iss</var></tag-name> +<tag-desc> +the issuer of the claim +</tag-desc> + +<tag-name id="var_jwt_claim_jti"><var>$jwt_claim_jti</var></tag-name> +<tag-desc> +the JWT ID +</tag-desc> + +<tag-name id="var_jwt_claim_nbf"><var>$jwt_claim_nbf</var></tag-name> +<tag-desc> +the <literal>nbf</literal> (not-before time) claim +</tag-desc> + +<tag-name id="var_jwt_claim_sub"><var>$jwt_claim_sub</var></tag-name> +<tag-desc> +the subject of the JWT +</tag-desc> +</list> +</para> + +<para> +Variables that return parameters of +<link url="https://tools.ietf.org/html/rfc7515#section-4">JOSE header</link>: + +<list type="tag" compact="no"> +<tag-name id="var_jwt_header_alg"><var>$jwt_header_alg</var></tag-name> +<tag-desc> +the <literal>alg</literal> (algorithm) header parameter +</tag-desc> + +<tag-name id="var_jwt_header_cty"><var>$jwt_header_cty</var></tag-name> +<tag-desc> +the <literal>cty</literal> (content type) header parameter +</tag-desc> + +<tag-name id="var_jwt_header_enc"><var>$jwt_header_enc</var></tag-name> +<tag-desc> +the <literal>enc</literal> (encryption algorithm) header parameter +</tag-desc> + +<tag-name id="var_jwt_header_kid"><var>$jwt_header_kid</var></tag-name> +<tag-desc> +the 
<literal>kid</literal> (key ID) header parameter +</tag-desc> + +<tag-name id="var_jwt_header_typ"><var>$jwt_header_typ</var></tag-name> +<tag-desc> +the <literal>typ</literal> (type) header parameter +</tag-desc> + +</list> +</para> + +</section> + +</module>
--- a/xml/en/docs/http/ngx_http_auth_request_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/docs/http/ngx_http_auth_request_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Module ngx_http_auth_request_module" link="/en/docs/http/ngx_http_auth_request_module.html" lang="en" - rev="3"> + rev="4"> <section id="summary"> @@ -37,8 +37,10 @@ <para> The module may be combined with other access modules, such as -<link doc="ngx_http_access_module.xml">ngx_http_access_module</link> and +<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, <link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, +and +<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>, via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. <note> Before version 1.7.3, responses to authorization subrequests could not be cached
--- a/xml/en/docs/http/ngx_http_core_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/docs/http/ngx_http_core_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Module ngx_http_core_module" link="/en/docs/http/ngx_http_core_module.html" lang="en" - rev="59"> + rev="60"> <section id="directives" name="Directives"> @@ -2142,8 +2142,10 @@ Allows access if all (<literal>all</literal>) or at least one (<literal>any</literal>) of the <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, -<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> or -<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link> +<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, +<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, +or +<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link> modules allow access. </para>
--- a/xml/en/docs/index.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/en/docs/index.xml Mon Aug 22 14:20:57 2016 +0300 @@ -8,7 +8,7 @@ <article name="nginx documentation" link="/en/docs/" lang="en" - rev="29" + rev="30" toc="no"> @@ -200,6 +200,11 @@ </listitem> <listitem> +<link doc="http/ngx_http_auth_jwt_module.xml"> +ngx_http_auth_jwt_module</link> +</listitem> + +<listitem> <link doc="http/ngx_http_auth_request_module.xml"> ngx_http_auth_request_module</link> </listitem>
--- a/xml/ru/docs/http/ngx_http_access_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/ru/docs/http/ngx_http_access_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_access_module" link="/ru/docs/http/ngx_http_access_module.html" lang="ru" - rev="3"> + rev="4"> <section id="summary"> @@ -21,8 +21,9 @@ <para> Ограничить доступ можно также по -<link doc="ngx_http_auth_basic_module.xml">паролю</link> или по -<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>. +<link doc="ngx_http_auth_basic_module.xml">паролю</link>, по +<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link> +или по <link doc="ngx_http_auth_jwt_module.xml">JWT</link>. Одновременное ограничение доступа по адресу и паролю управляется директивой <link doc="ngx_http_core_module.xml" id="satisfy"/>. </para>
--- a/xml/ru/docs/http/ngx_http_auth_basic_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/ru/docs/http/ngx_http_auth_basic_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_auth_basic_module" link="/ru/docs/http/ngx_http_auth_basic_module.html" lang="ru" - rev="7"> + rev="8"> <section id="summary"> @@ -22,8 +22,9 @@ <para> Ограничить доступ можно также по -<link doc="ngx_http_access_module.xml">адресу</link> или по -<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>. +<link doc="ngx_http_access_module.xml">адресу</link>, по +<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link> +или по <link doc="ngx_http_auth_jwt_module.xml">JWT</link>. Одновременное ограничение доступа по адресу и паролю управляется директивой <link doc="ngx_http_core_module.xml" id="satisfy"/>. </para>
--- a/xml/ru/docs/http/ngx_http_auth_request_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/ru/docs/http/ngx_http_auth_request_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_auth_request_module" link="/ru/docs/http/ngx_http_auth_request_module.html" lang="ru" - rev="3"> + rev="4"> <section id="summary"> @@ -36,8 +36,10 @@ <para> Модуль может быть скомбинирован с другими модулями доступа, такими как -<link doc="ngx_http_access_module.xml">ngx_http_access_module</link> и -<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, +<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, +<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> +и +<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>, с помощью директивы <link doc="ngx_http_core_module.xml" id="satisfy"/>. <note> До версии 1.7.3 ответы на авторизационные подзапросы не могли быть закэшированы
--- a/xml/ru/docs/http/ngx_http_core_module.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/ru/docs/http/ngx_http_core_module.xml Mon Aug 22 14:20:57 2016 +0300 @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_core_module" link="/ru/docs/http/ngx_http_core_module.html" lang="ru" - rev="59"> + rev="60"> <section id="directives" name="Директивы"> @@ -2143,8 +2143,10 @@ Разрешает доступ, если все (<literal>all</literal>) или хотя бы один (<literal>any</literal>) из модулей <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, -<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> или +<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link> +или +<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link> разрешают доступ. </para>
--- a/xml/ru/docs/index.xml Thu Aug 11 16:09:21 2016 +0300 +++ b/xml/ru/docs/index.xml Mon Aug 22 14:20:57 2016 +0300 @@ -8,7 +8,7 @@ <article name="nginx: документация" link="/ru/docs/" lang="ru" - rev="29" + rev="30" toc="no"> @@ -204,6 +204,11 @@ </listitem> <listitem> +<link doc="http/ngx_http_auth_jwt_module.xml"> +ngx_http_auth_jwt_module</link> [en] +</listitem> + +<listitem> <link doc="http/ngx_http_auth_request_module.xml"> ngx_http_auth_request_module</link> </listitem>
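Review bot: In the new xml/en/docs/http/ngx_http_auth_jwt_module.xml, the summary and the auth_jwt description say only that the token is validated "using the specified keys", so a reader cannot tell which checks actually gate access: which alg values are accepted, and whether exp and nbf are enforced or only exposed through $jwt_claim_exp and $jwt_claim_nbf. Suggest one sentence under the auth_jwt directive listing the checks performed, and one under auth_jwt_key_file saying what happens when auth_jwt is enabled and no key file is set (the directive has an empty <default/>). Two smaller points in the same file: the summary requires a JWS structure, yet the variables section documents $jwt_header_enc, and enc is a JWE header parameter, so either say when it can be non-empty or drop it; and "the issuer of the claim" for $jwt_claim_iss does not match the wording of the neighbouring entries, where "the <literal>iss</literal> (issuer) claim" would, with the same treatment for $jwt_claim_jti and $jwt_claim_sub.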
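Review bot: In the @@ -21,8 +21,9 @@ hunk of xml/en/docs/http/ngx_http_access_module.xml (and the matching @@ -22,8 +22,9 @@ hunk of ngx_http_auth_basic_module.xml), the unchanged context sentence right after the new JWT link still reads "Simultaneous limitation of access by address and by password is controlled by the satisfy directive". With subrequest and JWT now listed in the sentence before it, that wording understates what satisfy covers; the ngx_http_core_module.xml hunk in this same changeset names all four modules. Suggest rewording the sentence to refer to the access methods generally, and doing the same in the Russian copies, which carry the equivalent sentence as context.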
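Review bot: The xml/ru/docs/index.xml hunk marks the new entry "[en]", and the files list contains no xml/ru/docs/http/ngx_http_auth_jwt_module.xml, yet the Russian ngx_http_access_module, ngx_http_auth_basic_module, ngx_http_auth_request_module and ngx_http_core_module hunks add <link doc="ngx_http_auth_jwt_module.xml"> with no such marker. Please confirm that these relative links resolve to the English page in the ru build, and consider marking them the same way as the index entry so Russian readers know the target is untranslated.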