Mercurial > hg > nginx-site

changeset 1763:a7974b8d2a23

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Updated docs for the upcoming NGINX Plus release.
author Ruslan Ermilov <ru@nginx.com>
date Mon, 22 Aug 2016 14:20:57 +0300
parents 3064cb25e29d
children c150a7041263
files xml/en/GNUmakefile xml/en/docs/http/ngx_http_access_module.xml xml/en/docs/http/ngx_http_auth_basic_module.xml xml/en/docs/http/ngx_http_auth_jwt_module.xml xml/en/docs/http/ngx_http_auth_request_module.xml xml/en/docs/http/ngx_http_core_module.xml xml/en/docs/index.xml xml/ru/docs/http/ngx_http_access_module.xml xml/ru/docs/http/ngx_http_auth_basic_module.xml xml/ru/docs/http/ngx_http_auth_request_module.xml xml/ru/docs/http/ngx_http_core_module.xml xml/ru/docs/index.xml
diffstat 12 files changed, 254 insertions(+), 24 deletions(-) [+]
line wrap: on
line diff
--- a/xml/en/GNUmakefile
+++ b/xml/en/GNUmakefile
@@ -39,6 +39,7 @@ REFS =									\
 		http/ngx_http_access_module				\
 		http/ngx_http_addition_module				\
 		http/ngx_http_auth_basic_module				\
+		http/ngx_http_auth_jwt_module				\
 		http/ngx_http_auth_request_module			\
 		http/ngx_http_autoindex_module				\
 		http/ngx_http_browser_module				\
--- a/xml/en/docs/http/ngx_http_access_module.xml
+++ b/xml/en/docs/http/ngx_http_access_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_access_module"
         link="/en/docs/http/ngx_http_access_module.html"
         lang="en"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -21,8 +21,9 @@ limiting access to certain client addres
 
 <para>
 Access can also be limited by
-<link doc="ngx_http_auth_basic_module.xml">password</link> or by the
-<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>.
+<link doc="ngx_http_auth_basic_module.xml">password</link>, by the
+<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,
+or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
 Simultaneous limitation of access by address and by password is controlled
 by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
 </para>
--- a/xml/en/docs/http/ngx_http_auth_basic_module.xml
+++ b/xml/en/docs/http/ngx_http_auth_basic_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_auth_basic_module"
         link="/en/docs/http/ngx_http_auth_basic_module.html"
         lang="en"
-        rev="7">
+        rev="8">
 
 <section id="summary">
 
@@ -22,8 +22,9 @@ using the “HTTP Basic Authentication” protocol.
 
 <para>
 Access can also be limited by
-<link doc="ngx_http_access_module.xml">address</link> or by the
-<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>.
+<link doc="ngx_http_access_module.xml">address</link>, by the
+<link doc="ngx_http_auth_request_module.xml">result of subrequest</link>,
+or by <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
 Simultaneous limitation of access by address and by password is controlled
 by the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
 </para>
new file mode 100644
--- /dev/null
+++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml
@@ -0,0 +1,207 @@
+<?xml version="1.0"?>
+
+<!--
+  Copyright (C) Nginx, Inc.
+  -->
+
+<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
+
+<module name="Module ngx_http_auth_jwt_module"
+        link="/en/docs/http/ngx_http_auth_jwt_module.html"
+        lang="en"
+        rev="1">
+
+<section id="summary">
+
+<para>
+The <literal>ngx_http_auth_jwt_module</literal> module (1.11.3)
+implements client authorization by validating the provided
+<link url="https://tools.ietf.org/html/rfc7519">JSON Web Token</link> (JWT)
+using the specified keys.
+JWT claims must be encoded in a
+<link url="https://tools.ietf.org/html/rfc7515">JSON Web Signature</link> (JWS)
+structure.
+The module can be used for
+<link url="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect</link>
+authentication.
+</para>
+
+<para>
+The module may be combined with
+other access modules, such as
+<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
+<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
+and
+<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>,
+via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
+</para>
+
+<para>
+<note>
+This module is available as part of our
+<commercial_version>commercial subscription</commercial_version>.
+</note>
+</para>
+
+</section>
+
+
+<section id="example" name="Example Configuration">
+
+<para>
+<example>
+location / {
+    auth_jwt          "closed site";
+    auth_jwt_key_file conf/keys.json;
+}
+</example>
+</para>
+
+</section>
+
+
+<section id="directives" name="Directives">
+
+<directive name="auth_jwt">
+<syntax><value>string</value> [<value>token=$variable</value>] |
+<literal>off</literal></syntax>
+<default>off</default>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+
+<para>
+Enables validation of JSON Web Token.
+The specified <value>string</value> is used as a <literal>realm</literal>.
+Parameter value can contain variables.
+</para>
+
+<para>
+The optional <literal>token</literal> argument specifies a variable
+that contains JSON Web Token.
+By default, JWT is passed in the <header>Authorization</header> header
+as a
+<link url="https://tools.ietf.org/html/rfc6750">Bearer Token</link>.
+JWT may be also passed as a cookie or a part of a query string:
+<example>
+auth_jwt "closed site" token=$cookie_auth_token;
+</example>
+</para>
+
+<para>
+The special value <literal>off</literal> cancels the effect
+of the <literal>auth_jwt</literal> directive
+inherited from the previous configuration level.
+</para>
+
+</directive>
+
+
+<directive name="auth_jwt_key_file">
+<syntax><value>file</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+
+<para>
+Specifies a <value>file</value> in
+<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link>
+format for validating JWT signature.
+Parameter value can contain variables.
+</para>
+
+</directive>
+
+</section>
+
+<section id="variables" name="Embedded Variables">
+
+<para>
+The <literal>ngx_http_auth_jwt_module</literal> module
+supports embedded variables.
+</para>
+
+<para>
+Variables that return
+<link url="https://tools.ietf.org/html/rfc7519#section-4">JWT claims</link>:
+
+<list type="tag" compact="no">
+<tag-name id="var_jwt_claim_aud"><var>$jwt_claim_aud</var></tag-name>
+<tag-desc>
+the <literal>aud</literal> (audience) claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_email"><var>$jwt_claim_email</var></tag-name>
+<tag-desc>
+the <literal>email</literal> claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_exp"><var>$jwt_claim_exp</var></tag-name>
+<tag-desc>
+the <literal>exp</literal> (expiration time) claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_iat"><var>$jwt_claim_iat</var></tag-name>
+<tag-desc>
+the <literal>iat</literal> (issued at) claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_iss"><var>$jwt_claim_iss</var></tag-name>
+<tag-desc>
+the issuer of the claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_jti"><var>$jwt_claim_jti</var></tag-name>
+<tag-desc>
+the JWT ID
+</tag-desc>
+
+<tag-name id="var_jwt_claim_nbf"><var>$jwt_claim_nbf</var></tag-name>
+<tag-desc>
+the <literal>nbf</literal> (not-before time) claim
+</tag-desc>
+
+<tag-name id="var_jwt_claim_sub"><var>$jwt_claim_sub</var></tag-name>
+<tag-desc>
+the subject of the JWT
+</tag-desc>
+</list>
+</para>
+
+<para>
+Variables that return parameters of
+<link url="https://tools.ietf.org/html/rfc7515#section-4">JOSE header</link>:
+
+<list type="tag" compact="no">
+<tag-name id="var_jwt_header_alg"><var>$jwt_header_alg</var></tag-name>
+<tag-desc>
+the <literal>alg</literal> (algorithm) header parameter
+</tag-desc>
+
+<tag-name id="var_jwt_header_cty"><var>$jwt_header_cty</var></tag-name>
+<tag-desc>
+the <literal>cty</literal> (content type) header parameter
+</tag-desc>
+
+<tag-name id="var_jwt_header_enc"><var>$jwt_header_enc</var></tag-name>
+<tag-desc>
+the <literal>enc</literal> (encryption algorithm) header parameter
+</tag-desc>
+
+<tag-name id="var_jwt_header_kid"><var>$jwt_header_kid</var></tag-name>
+<tag-desc>
+the <literal>kid</literal> (key ID) header parameter
+</tag-desc>
+
+<tag-name id="var_jwt_header_typ"><var>$jwt_header_typ</var></tag-name>
+<tag-desc>
+the <literal>typ</literal> (type) header parameter
+</tag-desc>
+
+</list>
+</para>
+
+</section>
+
+</module>
--- a/xml/en/docs/http/ngx_http_auth_request_module.xml
+++ b/xml/en/docs/http/ngx_http_auth_request_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_auth_request_module"
         link="/en/docs/http/ngx_http_auth_request_module.html"
         lang="en"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -37,8 +37,10 @@ configuration parameter.
 <para>
 The module may be combined with
 other access modules, such as
-<link doc="ngx_http_access_module.xml">ngx_http_access_module</link> and
+<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
 <link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
+and
+<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>,
 via the <link doc="ngx_http_core_module.xml" id="satisfy"/> directive.
 <note>
 Before version 1.7.3, responses to authorization subrequests could not be cached
--- a/xml/en/docs/http/ngx_http_core_module.xml
+++ b/xml/en/docs/http/ngx_http_core_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_core_module"
         link="/en/docs/http/ngx_http_core_module.html"
         lang="en"
-        rev="59">
+        rev="60">
 
 <section id="directives" name="Directives">
 
@@ -2142,8 +2142,10 @@ If a URI has to be modified, the
 Allows access if all (<literal>all</literal>) or at least one
 (<literal>any</literal>) of the
 <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
-<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> or
-<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>
+<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
+<link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>,
+or
+<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>
 modules allow access.
 </para>
 
--- a/xml/en/docs/index.xml
+++ b/xml/en/docs/index.xml
@@ -8,7 +8,7 @@
 <article name="nginx documentation"
          link="/en/docs/"
          lang="en"
-         rev="29"
+         rev="30"
          toc="no">
 
 
@@ -200,6 +200,11 @@ ngx_http_auth_basic_module</link>
 </listitem>
 
 <listitem>
+<link doc="http/ngx_http_auth_jwt_module.xml">
+ngx_http_auth_jwt_module</link>
+</listitem>
+
+<listitem>
 <link doc="http/ngx_http_auth_request_module.xml">
 ngx_http_auth_request_module</link>
 </listitem>
--- a/xml/ru/docs/http/ngx_http_access_module.xml
+++ b/xml/ru/docs/http/ngx_http_access_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_access_module"
         link="/ru/docs/http/ngx_http_access_module.html"
         lang="ru"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -21,8 +21,9 @@
 
 <para>
 Ограничить доступ можно также по
-<link doc="ngx_http_auth_basic_module.xml">паролю</link> или по
-<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>.
+<link doc="ngx_http_auth_basic_module.xml">паролю</link>, по
+<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>
+или по <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
 Одновременное ограничение доступа по адресу и паролю управляется
 директивой <link doc="ngx_http_core_module.xml" id="satisfy"/>.
 </para>
--- a/xml/ru/docs/http/ngx_http_auth_basic_module.xml
+++ b/xml/ru/docs/http/ngx_http_auth_basic_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_auth_basic_module"
         link="/ru/docs/http/ngx_http_auth_basic_module.html"
         lang="ru"
-        rev="7">
+        rev="8">
 
 <section id="summary">
 
@@ -22,8 +22,9 @@
 
 <para>
 Ограничить доступ можно также по
-<link doc="ngx_http_access_module.xml">адресу</link> или по
-<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>.
+<link doc="ngx_http_access_module.xml">адресу</link>, по
+<link doc="ngx_http_auth_request_module.xml">результату подзапроса</link>
+или по <link doc="ngx_http_auth_jwt_module.xml">JWT</link>.
 Одновременное ограничение доступа по адресу и паролю управляется
 директивой <link doc="ngx_http_core_module.xml" id="satisfy"/>.
 </para>
--- a/xml/ru/docs/http/ngx_http_auth_request_module.xml
+++ b/xml/ru/docs/http/ngx_http_auth_request_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_auth_request_module"
         link="/ru/docs/http/ngx_http_auth_request_module.html"
         lang="ru"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -36,8 +36,10 @@
 <para>
 Модуль может быть
 скомбинирован с другими модулями доступа, такими как
-<link doc="ngx_http_access_module.xml">ngx_http_access_module</link> и
-<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
+<link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
+<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>

+<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>,
 с помощью директивы <link doc="ngx_http_core_module.xml" id="satisfy"/>.
 <note>
 До версии 1.7.3 ответы на авторизационные подзапросы не могли быть закэшированы
--- a/xml/ru/docs/http/ngx_http_core_module.xml
+++ b/xml/ru/docs/http/ngx_http_core_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_core_module"
         link="/ru/docs/http/ngx_http_core_module.html"
         lang="ru"
-        rev="59">
+        rev="60">
 
 <section id="directives" name="Директивы">
 
@@ -2143,8 +2143,10 @@ location /i/ {
 Разрешает доступ, если все (<literal>all</literal>)
 или хотя бы один (<literal>any</literal>) из модулей
 <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>,
-<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> или
+<link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>,
 <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link>
+или
+<link doc="ngx_http_auth_jwt_module.xml">ngx_http_auth_jwt_module</link>
 разрешают доступ.
 </para>
 
--- a/xml/ru/docs/index.xml
+++ b/xml/ru/docs/index.xml
@@ -8,7 +8,7 @@
 <article name="nginx: документация"
          link="/ru/docs/"
          lang="ru"
-         rev="29"
+         rev="30"
          toc="no">
 
 
@@ -204,6 +204,11 @@ ngx_http_auth_basic_module</link>
 </listitem>
 
 <listitem>
+<link doc="http/ngx_http_auth_jwt_module.xml">
+ngx_http_auth_jwt_module</link> [en]
+</listitem>
+
+<listitem>
 <link doc="http/ngx_http_auth_request_module.xml">
 ngx_http_auth_request_module</link>
 </listitem>