=encoding utf-8 =head1 NAME ngx_http_auth_jwt_module - Module ngx_http_auth_jwt_module =head1 The C module (1.11.3) implements client authorization by validating the provided L (JWT) using the specified keys. The module supports L (JWS), L (JWE) (1.19.7), and Nested JWT (1.21.0). The module can be used for L authentication. The module may be combined with other access modules, such as L, L, and L, via the L directive. B This module is available as part of our commercial subscription. =head1 Supported Algorithms The module supports the following JSON Web L. JWS algorithms: =over =item * HS256, HS384, HS512 =item * RS256, RS384, RS512 =item * ES256, ES384, ES512 =item * EdDSA (Ed25519 and Ed448 signatures) (1.15.7) =back B Prior to version 1.13.7, only HS256, RS256, ES256 algorithms were supported. JWE content encryption algorithms (1.19.7): =over =item * A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 =item * A128GCM, A192GCM, A256GCM =back JWE key management algorithms (1.19.9): =over =item * A128KW, A192KW, A256KW =item * A128GCMKW, A192GCMKW, A256GCMKW =item * dirEdirect use of a shared symmetric key as the content encryption key =item * RSA-OAEP, RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512 (1.21.0) =back =head1 Example Configuration location / { auth_jwt "closed site"; auth_jwt_key_file conf/keys.json; } =head1 Directives =head2 auth_jwt B auth_jwt I< I> [CI>] E C> B I B I B I B I B I Enables validation of JSON Web Token. The specified I> is used as a C. Parameter value can contain variables. The optional C parameter specifies a variable that contains JSON Web Token. By default, JWT is passed in the C header as a L. JWT may be also passed as a cookie or a part of a query string: auth_jwt "closed site" token=$cookie_auth_token; The special value C cancels the effect of the C directive inherited from the previous configuration level. =head2 auth_jwt_claim_set B auth_jwt_claim_set I> I> ...> B I This directive appeared in version 1.11.10. Sets the I> to a JWT claim parameter identified by key names. Name matching starts from the top level of the JSON tree. For arrays, the variable keeps a list of array elements separated by commas. auth_jwt_claim_set $email info e-mail; auth_jwt_claim_set $job info "job title"; B Prior to version 1.13.7, only one key name could be specified, and the result was undefined for arrays. B Variable values for tokens encrypted with JWE are available only after decryption which occurs during the L phase. =head2 auth_jwt_header_set B auth_jwt_header_set I> I> ...> B I This directive appeared in version 1.11.10. Sets the I> to a JOSE header parameter identified by key names. Name matching starts from the top level of the JSON tree. For arrays, the variable keeps a list of array elements separated by commas. B Prior to version 1.13.7, only one key name could be specified, and the result was undefined for arrays. =head2 auth_jwt_key_cache B auth_jwt_key_cache I>> B I<0> B I B I B I This directive appeared in version 1.21.4. Enables or disables caching of keys obtained from a file or from a subrequest, and sets caching time for them. Caching of keys obtained from variables is not supported. By default, caching of keys is disabled. =head2 auth_jwt_key_file B auth_jwt_key_file I>> B I B I B I B I Specifies a I> in L format for validating JWT signature. Parameter value can contain variables. Several C directives can be specified on the same level (1.21.1): auth_jwt_key_file conf/keys.json; auth_jwt_key_file conf/key.jwk; If at least one of the specified keys cannot be loaded or processed, nginx will return the C<500> (C) error. =head2 auth_jwt_key_request B auth_jwt_key_request I>> B I B I B I B I This directive appeared in version 1.15.6. Allows retrieving a L file from a subrequest for validating JWT signature and sets the URI where the subrequest will be sent to. Parameter value can contain variables. To avoid validation overhead, it is recommended to cache the key file: proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m; server { ... location / { auth_jwt "closed site"; auth_jwt_key_request /jwks_uri; } location = /jwks_uri { internal; proxy_cache foo; proxy_pass http://idp.example.com/keys; } } Several C directives can be specified on the same level (1.21.1): auth_jwt_key_request /jwks_uri; auth_jwt_key_request /jwks2_uri; If at least one of the specified keys cannot be loaded or processed, nginx will return the C<500> (C) error. =head2 auth_jwt_leeway B auth_jwt_leeway I>> B I<0s> B I B I B I This directive appeared in version 1.13.10. Sets the maximum allowable leeway to compensate clock skew when verifying the L and L JWT claims. =head2 auth_jwt_type B auth_jwt_type I E C E C> B I B I B I B I B I This directive appeared in version 1.19.7. Specifies which type of JSON Web Token to expect: JWS (C), JWE (C), or signed and then encrypted Nested JWT (C) (1.21.0). =head2 auth_jwt_require B auth_jwt_require I< I> ... [C=C<401> E C<403>] > B I B I B I B I This directive appeared in version 1.21.2. Specifies additional checks for JWT validation. The value can contain text, variables, and their combination, and must start with a variable (1.21.7). The authentication will succeed only if all the values are not empty and are not equal to “0”. map $jwt_claim_iss $valid_jwt_iss { "good" 1; } ... auth_jwt_require $valid_jwt_iss; If any of the checks fails, the C<401> error code is returned. The optional C parameter (1.21.7) allows redefining the error code to C<403>. =head1 Embedded Variables The C module supports embedded variables: =over =item C<$jwt_header_>I> returns the value of a specified L =item C<$jwt_claim_>I> returns the value of a specified L For nested claims and claims including a dot (“.”), the value of the variable cannot be evaluated; the L directive should be used instead. Variable values for tokens encrypted with JWE are available only after decryption which occurs during the L phase. =item C<$jwt_payload> returns the decrypted top-level payload of C or C tokens (1.21.2). For nested tokens returns the enclosed JWS token. For encrypted tokens returns JSON with claims. =back