diff xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 2713:efb3d27dfa23
Updated docs for the upcoming NGINX Plus release.
| field | value |
|---|---|
| author | Yaroslav Zhuravlev <yar@nginx.com> |
| date | Mon, 26 Apr 2021 12:52:35 +0100 |
| parents | 1f2bd0d9a06c |
| children | 9dd8c203a54a |
--- a/xml/en/docs/http/ngx_http_auth_jwt_module.xml +++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml @@ -18,9 +18,11 @@ The <literal>ngx_http_auth_jwt_module</l implements client authorization by validating the provided <link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT) using the specified keys. -JWT claims must be encoded in a +JWT claims can be encoded in a <link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS) -structure. +or +<link url="https://tools.ietf.org/html/rfc7516">JSON Web Encryption</link> (JWE) +(1.19.7) structure. The module can be used for <link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link> authentication. @@ -37,9 +39,24 @@ via the <link doc="ngx_http_core_module. </para> <para> -The module supports the following cryptographic -<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>: +<note> +This module is available as part of our +<commercial_version>commercial subscription</commercial_version>. +</note> +</para> + +</section> + +<section id="algorithms" name="Supported Algorithms"> + +<para> +The module supports the following JSON Web +<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">Algorithms</link>. +</para> + +<para> +JWS algorithms: <list type="bullet"> <listitem> 
@@ -60,15 +77,44 @@ EdDSA (Ed25519 and Ed448 signatures) (1. </list> +<note> Prior to version 1.13.7, only HS256, RS256, ES256 algorithms were supported. +</note> </para> <para> -<note> -This module is available as part of our -<commercial_version>commercial subscription</commercial_version>. -</note> +JWE content encryption algorithms (1.19.7): +<list type="bullet"> + +<listitem> +A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 +</listitem> + +<listitem> +A128GCM, A192GCM, A256GCM +</listitem> + +</list> +</para> + +<para> +JWE key management algorithms (1.19.9): +<list type="bullet"> + +<listitem> +A128KW, A192KW, A256KW +</listitem> + +<listitem> +A128GCMKW, A192GCMKW, A256GCMKW +</listitem> + +<listitem> +dir—direct use of a shared symmetric key as the content encryption key +</listitem> + +</list> </para> </section> @@ -149,6 +195,14 @@ and the result was undefined for arrays. </note> </para> +<para> +<note> +Variable values for tokens encrypted with JWE +are available only after decryption which occurs during the +<link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. +</note> +</para> + </directive> @@ -249,6 +303,24 @@ JWT claims. </directive> + +<directive name="auth_jwt_type"> +<syntax><value>signed</value> | <value>encrypted</value></syntax> +<default>signed</default> +<context>http</context> +<context>server</context> +<context>location</context> +<context>limit_except</context> +<appeared-in>1.19.7</appeared-in> + +<para> +Specifies which type of JSON Web Token to expect: +JWS (<literal>signed</literal>) or +JWE (<literal>encrypted</literal>). +</para> + +</directive> + </section> 
@@ -277,6 +349,12 @@ For nested claims and claims including a dot (“.”), the value of the variable cannot be evaluated; the <link id="auth_jwt_claim_set"/> directive should be used instead. </para> + +<para> +Variable values for tokens encrypted with JWE +are available only after decryption which occurs during the +<link doc="../dev/development_guide.xml" id="http_phases">Access</link> phase. +</para> </tag-desc> </list>
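Review bot: in the first hunk (@@ -18,9) the `(1.19.7)` marker is placed between the JWE link and the word "structure", so the sentence reads as though the version qualifies "structure" rather than JWE support; move it after the closing parenthesis, e.g. `(JWE) (1.19.7)` directly after the link, or end the sentence with `structure (1.19.7).` so the version attaches to the whole JWE clause.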
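Review bot: in the hunk at @@ -37,9 the link text "Algorithms" is capitalized mid-sentence ("the following JSON Web Algorithms"), while the removed line used lowercase "algorithms"; either keep the lowercase form or use the IANA registry's own name, "JSON Web Signature and Encryption Algorithms", as the link text so the capital letter is justified.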
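Review bot: in the hunk at @@ -60,15 the JWE key management list is versioned 1.19.9 while the content encryption list and the new `auth_jwt_type encrypted` are 1.19.7, so the text leaves unstated which key management algorithm a 1.19.7 build accepts; mark the version per item, as the JWS list does for EdDSA, e.g. `A128KW, A192KW, A256KW (1.19.9)`, and give `dir` the version it first shipped in. Two smaller points in the same list: `dir—direct use of a shared symmetric key as the content encryption key` uses an em dash where the rest of the section uses parentheses, so `dir (direct use of a shared symmetric key as the content encryption key)` is more consistent; and since every algorithm listed here (AES Key Wrap, AES-GCM key wrap and `dir`) requires a shared symmetric key, one sentence saying that the decryption key must be a symmetric key would save readers from trying an RSA or EC key first.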
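Review bot: the note added in the hunk at @@ -149,6 ("Variable values for tokens encrypted with JWE are available only after decryption which occurs during the Access phase") is added again verbatim in the later hunk at @@ -277,6, so the same sentence will have to be maintained in two places; keep it once and `<link>` to it from the other location. The sentence itself needs a comma before "which" ("only after decryption, which occurs during the Access phase"), and it should say what the variable evaluates to before that phase (an empty value, if that is the behaviour), because a configuration that tests a claim variable in an earlier phase would otherwise act on a missing value without any error being reported.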
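Review bot: the new `auth_jwt_type` directive in the hunk at @@ -249,6 does not say what happens when the presented token does not match the configured type (a JWS when `encrypted` is set, or a JWE under the default `signed`); a reader could assume the module detects the type automatically. Add a sentence stating that only the configured type is accepted and that a token of the other type is rejected, if that is the behaviour, so the security meaning of the default is explicit.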
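Review bot: the paragraph added in the hunk at @@ -277,6 is the same text as the one added at @@ -149,6, but here it is a bare `<para>` while there it is wrapped in `<note>`; use the same markup in both places (or, better, keep the text in one place and link to it from the other) so the two renderings do not drift apart.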