Mercurial > hg > nginx-site

view xml/en/docs/http/ngx_http_auth_jwt_module.xml @ 1878:127ae107e5a9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Removed clause about shared memory and Windows versions with ASLR. Starting with nginx 1.9.0 shared memory can be used on Windows versions with address space layout randomization.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 26 Dec 2016 19:38:06 +0300
parents b5e416ace4bf
children a58b35cc0823
line wrap: on
line source

<?xml version="1.0"?>

<!--
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_http_auth_jwt_module"
        link="/en/docs/http/ngx_http_auth_jwt_module.html"
        lang="en"
        rev="2">

<section id="summary">

<para>
The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3)
implements client authorization by validating the provided
<link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT)
using the specified keys.
JWT claims must be encoded in a
<link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS)
structure.
The module can be used for
<link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link>
authentication.
</para>

<para>
The module may be combined with
other access modules, such as
<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
and
<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>,
via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
</para>

<para>
<note>
This module is available as part of our
<commercial_version>commercial subscription</commercial_version>.
</note>
</para>

</section>


<section id="example" name="Example Configuration">

<para>
<example>
location / {
    auth_jwt          "closed site";
    auth_jwt_key_file conf/keys.json;
}
</example>
</para>

</section>


<section id="directives" name="Directives">

<directive name="auth_jwt">
<syntax>
    <value>string</value>
    [<literal>token=</literal><value>$variable</value>] |
    <literal>off</literal></syntax>
<default>off</default>
<context>http</context>
<context>server</context>
<context>location</context>

<para>
Enables validation of JSON Web Token.
The specified <value>string</value> is used as a <literal>realm</literal>.
Parameter value can contain variables.
</para>

<para>
The optional <literal>token</literal> parameter specifies a variable
that contains JSON Web Token.
By default, JWT is passed in the <header>Authorization</header> header
as a
<link url="https://tools.ietf.org/html/rfc6750">Bearer Token</link>.
JWT may be also passed as a cookie or a part of a query string:
<example>
auth_jwt "closed site" token=$cookie_auth_token;
</example>
</para>

<para>
The special value <literal>off</literal> cancels the effect
of the <literal>auth_jwt</literal> directive
inherited from the previous configuration level.
</para>

</directive>


<directive name="auth_jwt_key_file">
<syntax><value>file</value></syntax>
<default/>
<context>http</context>
<context>server</context>
<context>location</context>

<para>
Specifies a <value>file</value> in
<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link>
format for validating JWT signature.
Parameter value can contain variables.
</para>

</directive>

</section>


<section id="variables" name="Embedded Variables">

<para>
The <literal>ngx_http_auth_jwt_module</literal> module
supports embedded variables.
</para>

<para>
Variables that return
<link url="https://tools.ietf.org/html/rfc7519#section-4">JWT claims</link>:

<list type="tag" compact="yes">
<tag-name id="var_jwt_claim_aud"><var>$jwt_claim_aud</var></tag-name>
<tag-desc>
audience
</tag-desc>

<tag-name id="var_jwt_claim_email"><var>$jwt_claim_email</var></tag-name>
<tag-desc>
email
</tag-desc>

<tag-name id="var_jwt_claim_exp"><var>$jwt_claim_exp</var></tag-name>
<tag-desc>
expiration time
</tag-desc>

<tag-name id="var_jwt_claim_iat"><var>$jwt_claim_iat</var></tag-name>
<tag-desc>
issued at
</tag-desc>

<tag-name id="var_jwt_claim_iss"><var>$jwt_claim_iss</var></tag-name>
<tag-desc>
issuer
</tag-desc>

<tag-name id="var_jwt_claim_jti"><var>$jwt_claim_jti</var></tag-name>
<tag-desc>
JWT ID
</tag-desc>

<tag-name id="var_jwt_claim_nbf"><var>$jwt_claim_nbf</var></tag-name>
<tag-desc>
not-before
</tag-desc>

<tag-name id="var_jwt_claim_sub"><var>$jwt_claim_sub</var></tag-name>
<tag-desc>
subject
</tag-desc>
</list>
</para>

<para>
Variables that return parameters of
<link url="https://tools.ietf.org/html/rfc7515#section-4">JOSE header</link>:

<list type="tag" compact="yes">
<tag-name id="var_jwt_header_alg"><var>$jwt_header_alg</var></tag-name>
<tag-desc>
algorithm
</tag-desc>

<tag-name id="var_jwt_header_cty"><var>$jwt_header_cty</var></tag-name>
<tag-desc>
content type
</tag-desc>

<tag-name id="var_jwt_header_enc"><var>$jwt_header_enc</var></tag-name>
<tag-desc>
encryption algorithm
</tag-desc>

<tag-name id="var_jwt_header_kid"><var>$jwt_header_kid</var></tag-name>
<tag-desc>
key ID
</tag-desc>

<tag-name id="var_jwt_header_typ"><var>$jwt_header_typ</var></tag-name>
<tag-desc>
type
</tag-desc>

</list>
</para>

</section>

</module>