# HG changeset patch # User Ruslan Ermilov # Date 1471864857 -10800 # Node ID a7974b8d2a23d3800a4d8e6c8d6f9a934dc7e2e8 # Parent 3064cb25e29d47739dadaf9895ca19db9aa8ffb6 Updated docs for the upcoming NGINX Plus release. diff --git a/xml/en/GNUmakefile b/xml/en/GNUmakefile --- a/xml/en/GNUmakefile +++ b/xml/en/GNUmakefile @@ -39,6 +39,7 @@ REFS = \ http/ngx_http_access_module \ http/ngx_http_addition_module \ http/ngx_http_auth_basic_module \ + http/ngx_http_auth_jwt_module \ http/ngx_http_auth_request_module \ http/ngx_http_autoindex_module \ http/ngx_http_browser_module \ diff --git a/xml/en/docs/http/ngx_http_access_module.xml b/xml/en/docs/http/ngx_http_access_module.xml --- a/xml/en/docs/http/ngx_http_access_module.xml +++ b/xml/en/docs/http/ngx_http_access_module.xml @@ -10,7 +10,7 @@ + rev="4">
@@ -21,8 +21,9 @@ limiting access to certain client addres Access can also be limited by -password or by the -result of subrequest. +password, by the +result of subrequest, +or by JWT. Simultaneous limitation of access by address and by password is controlled by the directive. diff --git a/xml/en/docs/http/ngx_http_auth_basic_module.xml b/xml/en/docs/http/ngx_http_auth_basic_module.xml --- a/xml/en/docs/http/ngx_http_auth_basic_module.xml +++ b/xml/en/docs/http/ngx_http_auth_basic_module.xml @@ -10,7 +10,7 @@ + rev="8">
@@ -22,8 +22,9 @@ using the “HTTP Basic Authentication” protocol. Access can also be limited by -address or by the -result of subrequest. +address, by the +result of subrequest, +or by JWT. Simultaneous limitation of access by address and by password is controlled by the directive. diff --git a/xml/en/docs/http/ngx_http_auth_jwt_module.xml b/xml/en/docs/http/ngx_http_auth_jwt_module.xml new file mode 100644 --- /dev/null +++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml @@ -0,0 +1,207 @@ + + + + + + + + +
+ + +The ngx_http_auth_jwt_module module (1.11.3) +implements client authorization by validating the provided +JSON Web Token (JWT) +using the specified keys. +JWT claims must be encoded in a +JSON Web Signature (JWS) +structure. +The module can be used for +OpenID Connect +authentication. + + + +The module may be combined with +other access modules, such as +ngx_http_access_module, +ngx_http_auth_basic_module, +and +ngx_http_auth_request_module, +via the directive. + + + + +This module is available as part of our +commercial subscription. + + + +
+ + +
+ + + +location / { + auth_jwt "closed site"; + auth_jwt_key_file conf/keys.json; +} + + + +
+ + +
+ + +string [token=$variable] | +off +off +http +server +location + + +Enables validation of JSON Web Token. +The specified string is used as a realm. +Parameter value can contain variables. + + + +The optional token argument specifies a variable +that contains JSON Web Token. +By default, JWT is passed in the
Authorization
header +as a +Bearer Token. +JWT may be also passed as a cookie or a part of a query string: + +auth_jwt "closed site" token=$cookie_auth_token; + +
+ + +The special value off cancels the effect +of the auth_jwt directive +inherited from the previous configuration level. + + +
+ + + +file + +http +server +location + + +Specifies a file in +JSON Web Key Set +format for validating JWT signature. +Parameter value can contain variables. + + + + +
+ +
+ + +The ngx_http_auth_jwt_module module +supports embedded variables. + + + +Variables that return +JWT claims: + + +$jwt_claim_aud + +the aud (audience) claim + + +$jwt_claim_email + +the email claim + + +$jwt_claim_exp + +the exp (expiration time) claim + + +$jwt_claim_iat + +the iat (issued at) claim + + +$jwt_claim_iss + +the issuer of the claim + + +$jwt_claim_jti + +the JWT ID + + +$jwt_claim_nbf + +the nbf (not-before time) claim + + +$jwt_claim_sub + +the subject of the JWT + + + + + +Variables that return parameters of +JOSE header: + + +$jwt_header_alg + +the alg (algorithm) header parameter + + +$jwt_header_cty + +the cty (content type) header parameter + + +$jwt_header_enc + +the enc (encryption algorithm) header parameter + + +$jwt_header_kid + +the kid (key ID) header parameter + + +$jwt_header_typ + +the typ (type) header parameter + + + + + +
+ +
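Review bot: The `token` paragraph of the new ngx_http_auth_jwt_module page says "JWT may be also passed as a cookie or a part of a query string" without any caveat. A bearer token in the query string typically ends up in access logs, browser history and Referer headers, so I would add a sentence such as `Passing JWT in a query string exposes it in logs and referrers; prefer the header or a cookie.` The summary says the token is validated "using the specified keys" but does not state whether `exp` and `nbf` are enforced or which `alg` values are accepted. Without that, readers cannot tell whether they must check `$jwt_claim_exp` or `$jwt_header_alg` themselves. Separately, `$jwt_claim_iss` is described as "the issuer of the claim"; `the iss (issuer) claim` would match the neighbouring entries.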
diff --git a/xml/en/docs/http/ngx_http_auth_request_module.xml b/xml/en/docs/http/ngx_http_auth_request_module.xml --- a/xml/en/docs/http/ngx_http_auth_request_module.xml +++ b/xml/en/docs/http/ngx_http_auth_request_module.xml @@ -10,7 +10,7 @@ + rev="4">
@@ -37,8 +37,10 @@ configuration parameter. The module may be combined with other access modules, such as -ngx_http_access_module and +ngx_http_access_module, ngx_http_auth_basic_module, +and +ngx_http_auth_jwt_module, via the directive. Before version 1.7.3, responses to authorization subrequests could not be cached diff --git a/xml/en/docs/http/ngx_http_core_module.xml b/xml/en/docs/http/ngx_http_core_module.xml --- a/xml/en/docs/http/ngx_http_core_module.xml +++ b/xml/en/docs/http/ngx_http_core_module.xml @@ -10,7 +10,7 @@ + rev="60">
@@ -2142,8 +2142,10 @@ If a URI has to be modified, the Allows access if all (all) or at least one (any) of the ngx_http_access_module, -ngx_http_auth_basic_module or -ngx_http_auth_request_module +ngx_http_auth_basic_module, +ngx_http_auth_request_module, +or +ngx_http_auth_jwt_module modules allow access. diff --git a/xml/en/docs/index.xml b/xml/en/docs/index.xml --- a/xml/en/docs/index.xml +++ b/xml/en/docs/index.xml @@ -8,7 +8,7 @@
@@ -200,6 +200,11 @@ ngx_http_auth_basic_module + +ngx_http_auth_jwt_module + + + ngx_http_auth_request_module diff --git a/xml/ru/docs/http/ngx_http_access_module.xml b/xml/ru/docs/http/ngx_http_access_module.xml --- a/xml/ru/docs/http/ngx_http_access_module.xml +++ b/xml/ru/docs/http/ngx_http_access_module.xml @@ -10,7 +10,7 @@ + rev="4">
@@ -21,8 +21,9 @@ Ограничить доступ можно также по -паролю или по -результату подзапроса. +паролю, по +результату подзапроса +или по JWT. Одновременное ограничение доступа по адресу и паролю управляется директивой . diff --git a/xml/ru/docs/http/ngx_http_auth_basic_module.xml b/xml/ru/docs/http/ngx_http_auth_basic_module.xml --- a/xml/ru/docs/http/ngx_http_auth_basic_module.xml +++ b/xml/ru/docs/http/ngx_http_auth_basic_module.xml @@ -10,7 +10,7 @@ + rev="8">
@@ -22,8 +22,9 @@ Ограничить доступ можно также по -адресу или по -результату подзапроса. +адресу, по +результату подзапроса +или по JWT. Одновременное ограничение доступа по адресу и паролю управляется директивой . diff --git a/xml/ru/docs/http/ngx_http_auth_request_module.xml b/xml/ru/docs/http/ngx_http_auth_request_module.xml --- a/xml/ru/docs/http/ngx_http_auth_request_module.xml +++ b/xml/ru/docs/http/ngx_http_auth_request_module.xml @@ -10,7 +10,7 @@ + rev="4">
@@ -36,8 +36,10 @@ Модуль может быть скомбинирован с другими модулями доступа, такими как -ngx_http_access_module и -ngx_http_auth_basic_module, +ngx_http_access_module, +ngx_http_auth_basic_module +и +ngx_http_auth_jwt_module, с помощью директивы . До версии 1.7.3 ответы на авторизационные подзапросы не могли быть закэшированы diff --git a/xml/ru/docs/http/ngx_http_core_module.xml b/xml/ru/docs/http/ngx_http_core_module.xml --- a/xml/ru/docs/http/ngx_http_core_module.xml +++ b/xml/ru/docs/http/ngx_http_core_module.xml @@ -10,7 +10,7 @@ + rev="60">
@@ -2143,8 +2143,10 @@ location /i/ { Разрешает доступ, если все (all) или хотя бы один (any) из модулей ngx_http_access_module, -ngx_http_auth_basic_module или +ngx_http_auth_basic_module, ngx_http_auth_request_module +или +ngx_http_auth_jwt_module разрешают доступ. diff --git a/xml/ru/docs/index.xml b/xml/ru/docs/index.xml --- a/xml/ru/docs/index.xml +++ b/xml/ru/docs/index.xml @@ -8,7 +8,7 @@
@@ -204,6 +204,11 @@ ngx_http_auth_basic_module + +ngx_http_auth_jwt_module [en] + + + ngx_http_auth_request_module