comparison xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2713:efb3d27dfa23
Updated docs for the upcoming NGINX Plus release.
| field | value |
|---|---|
| author | Yaroslav Zhuravlev <yar@nginx.com> |
| date | Mon, 26 Apr 2021 12:52:35 +0100 |
| parents | 1f2bd0d9a06c |
| children | 9dd8c203a54a |
2712:caa04d53b7af | 2713:efb3d27dfa23 |
---|---|
16 <para> | 16 <para> |
17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) | 17 The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3) |
18 implements client authorization by validating the provided | 18 implements client authorization by validating the provided |
19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) | 19 <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) |
20 using the specified keys. | 20 using the specified keys. |
21 JWT claims must be encoded in a | 21 JWT claims can be encoded in a |
22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) | 22 <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) |
23 structure. | 23 or |
24 <link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE) | |
25 (1.19.7) structure. | |
24 The module can be used for | 26 The module can be used for |
25 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> | 27 <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> |
26 authentication. | 28 authentication. |
27 </para> | 29 </para> |
28 | 30 |
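Review bot: The change from "must be encoded" to "can be encoded" (right column, line 21) reads as though an unsigned, unencrypted token were also acceptable, which nothing else on the page supports; "JWT claims must be encoded in either a JWS or a JWE (1.19.7) structure" keeps the requirement explicit. It would also help to point the new JWE mention at the auth_jwt_type directive introduced later in this changeset, since that directive is what selects which structure the module expects.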
35 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, | 37 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>, |
36 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. | 38 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive. |
37 </para> | 39 </para> |
38 | 40 |
39 <para> | 41 <para> |
40 The module supports the following cryptographic | 42 <note> |
41 <link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>: | 43 This module is available as part of our |
42 | 44 <commercial_version>commercial subscription</commercial_version>. |
45 </note> | |
46 </para> | |
47 | |
48 </section> | |
49 | |
50 | |
51 <section id="algorithms" name="Supported Algorithms"> | |
52 | |
53 <para> | |
54 The module supports the following JSON Web | |
55 <link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">Algorithms</link>. | |
56 </para> | |
57 | |
58 <para> | |
59 JWS algorithms: | |
43 <list type="bullet"> | 60 <list type="bullet"> |
44 | 61 |
45 <listitem> | 62 <listitem> |
46 HS256, HS384, HS512 | 63 HS256, HS384, HS512 |
47 </listitem> | 64 </listitem> |
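Review bot: At right-column lines 53-55 only the word "Algorithms" carries the link, so the term "JSON Web Algorithms" is split between plain text and link text; linking the whole phrase reads better and matches how "JSON Web Token" and "JSON Web Signature" are linked in the introduction. The "JWS algorithms:" lead line at 59 would also benefit from saying that this list is what applies with the default auth_jwt_type of signed, and the JWE lists with encrypted, so a reader does not assume all three lists are accepted at once.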
58 EdDSA (Ed25519 and Ed448 signatures) (1.15.7) | 75 EdDSA (Ed25519 and Ed448 signatures) (1.15.7) |
59 </listitem> | 76 </listitem> |
60 | 77 |
61 </list> | 78 </list> |
62 | 79 |
80 <note> | |
63 Prior to version 1.13.7, | 81 Prior to version 1.13.7, |
64 only HS256, RS256, ES256 algorithms were supported. | 82 only HS256, RS256, ES256 algorithms were supported. |
65 </para> | 83 </note> |
66 | 84 </para> |
67 <para> | 85 |
68 <note> | 86 <para> |
69 This module is available as part of our | 87 JWE content encryption algorithms (1.19.7): |
70 <commercial_version>commercial subscription</commercial_version>. | 88 <list type="bullet"> |
71 </note> | 89 |
90 <listitem> | |
91 A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 | |
92 </listitem> | |
93 | |
94 <listitem> | |
95 A128GCM, A192GCM, A256GCM | |
96 </listitem> | |
97 | |
98 </list> | |
99 </para> | |
100 | |
101 <para> | |
102 JWE key management algorithms (1.19.9): | |
103 <list type="bullet"> | |
104 | |
105 <listitem> | |
106 A128KW, A192KW, A256KW | |
107 </listitem> | |
108 | |
109 <listitem> | |
110 A128GCMKW, A192GCMKW, A256GCMKW | |
111 </listitem> | |
112 | |
113 <listitem> | |
114 dir—direct use of a shared symmetric key as the content encryption key | |
115 </listitem> | |
116 | |
117 </list> | |
72 </para> | 118 </para> |
73 | 119 |
74 </section> | 120 </section> |
75 | 121 |
76 | 122 |
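Review bot: The version markers leave a gap: JWE support is dated 1.19.7 (content encryption algorithms at right-column line 87, and the introduction), but the key management list at line 102 is dated 1.19.9, so the text does not say which key management algorithms a 1.19.7 or 1.19.8 build accepts; either state that explicitly or mark the items that arrived later. Style: the "dir" entry at line 114 runs the algorithm name and its explanation together with an em dash, unlike the other items, which are plain names; marking the name up as <literal>dir</literal> and putting the explanation after a colon or in parentheses keeps it consistent with the literal markup used elsewhere on the page.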
147 Prior to version 1.13.7, only one key name could be specified, | 193 Prior to version 1.13.7, only one key name could be specified, |
148 and the result was undefined for arrays. | 194 and the result was undefined for arrays. |
149 </note> | 195 </note> |
150 </para> | 196 </para> |
151 | 197 |
198 <para> | |
199 <note> | |
200 Variable values for tokens encrypted with JWE | |
201 are available only after decryption which occurs during the | |
202 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. | |
203 </note> | |
204 </para> | |
205 | |
152 </directive> | 206 </directive> |
153 | 207 |
154 | 208 |
155 <directive name="auth_jwt_header_set"> | 209 <directive name="auth_jwt_header_set"> |
156 <syntax><value>$variable</value> <value>name</value> ...</syntax> | 210 <syntax><value>$variable</value> <value>name</value> ...</syntax> |
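Review bot: The new note at right-column lines 200-202 needs a comma before the relative clause ("only after decryption, which occurs during the Access phase"); without it the sentence reads as restrictive. More usefully, the note says when the values become available but not what a configuration sees before that point; spelling out that directives evaluated in earlier phases (rewrite-phase directives such as rewrite or if) find the variable not yet populated would turn the note into something an operator can act on.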
247 JWT claims. | 301 JWT claims. |
248 </para> | 302 </para> |
249 | 303 |
250 </directive> | 304 </directive> |
251 | 305 |
306 | |
307 <directive name="auth_jwt_type"> | |
308 <syntax><value>signed</value> | <value>encrypted</value></syntax> | |
309 <default>signed</default> | |
310 <context>http</context> | |
311 <context>server</context> | |
312 <context>location</context> | |
313 <context>limit_except</context> | |
314 <appeared-in>1.19.7</appeared-in> | |
315 | |
316 <para> | |
317 Specifies which type of JSON Web Token to expect: | |
318 JWS (<literal>signed</literal>) or | |
319 JWE (<literal>encrypted</literal>). | |
320 </para> | |
321 | |
322 </directive> | |
323 | |
252 </section> | 324 </section> |
253 | 325 |
254 | 326 |
255 <section id="variables" name="Embedded Variables"> | 327 <section id="variables" name="Embedded Variables"> |
256 | 328 |
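Review bot: Within this hunk the <syntax> element at right-column line 308 marks the keywords as <value>signed</value> and <value>encrypted</value>, while the description at 318-319 marks the same keywords as <literal>; since these are fixed keywords rather than user-supplied values, <literal> is the right element in both places. The description also states only which token type is expected; a sentence on what the module does when the other type is presented (a JWS while encrypted is configured, or vice versa) would make the failure mode explicit for whoever writes the configuration.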
275 <para> | 347 <para> |
276 For nested claims and claims including a dot (“.”), | 348 For nested claims and claims including a dot (“.”), |
277 the value of the variable cannot be evaluated; | 349 the value of the variable cannot be evaluated; |
278 the <link id="auth_jwt_claim_set"/> directive should be used instead. | 350 the <link id="auth_jwt_claim_set"/> directive should be used instead. |
279 </para> | 351 </para> |
352 | |
353 <para> | |
354 Variable values for tokens encrypted with JWE | |
355 are available only after decryption which occurs during the | |
356 <link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. | |
357 </para> | |
280 </tag-desc> | 358 </tag-desc> |
281 | 359 |
282 </list> | 360 </list> |
283 </para> | 361 </para> |
284 | 362 |
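Review bot: This paragraph at right-column lines 353-357 repeats the note added at right-column lines 198-204 word for word, but here it is a plain <para> rather than a <note>, and it carries the same missing comma before "which". Use the same markup in both places, or keep the note once and cross-link it with <link id="auth_jwt_claim_set"/> as line 350 already does for the directive.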