max-lt / nginx-jwt-module Goto Github PK

The auth_request directive sould not be triggered when the auth_jwt one successfully authenticates the request:

• auth_jwt must be executed before auth_request (because it is fastest).
• auth_request must be called only if auth_jwt is disabled or failed to authenticates the request.

This behavior must be optional:

• add a directive to enable it (auth_jwt_options [handle_auth_request]?)

I am using this dockerfile to build the image

FROM jwt-nginx

# Get nginx ready to run
COPY nginx /etc/nginx

EXPOSE 8000

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]

build: docker build -f Dockerfile -t jwt-custom .
run: docker container run -p 8080:8000 jwt-custom

Error

...
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/12/29 08:24:24 [error] 1#1: No such file or directory (2: No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41
nginx: [error] No such file or directory (2: No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41

I have verified that the file is indeed present in /etc/nginx folder

Hello @Maxx-T!

Thanks for sharing this repo. This is what I was looking for to do not need to buy a nginx plus or going for caddy.

I ran ./build and started my container with the following:

docker run -d --rm --name proxy -v /html/:/var/www/html -v /etc/nginx:/etc/nginx -p "80:80" jwt-nginx

In the nginx.conf file I had a very basic settings, but when addind the auth_jwt option and reloading nginx I get the message:

unknown directive "auth_jwt" in /etc/nginx/nginx.conf

I just added this options to server block as in README file:

server {

       auth_jwt_key "9e588fb43b6a1248531156e284c2bea7" hex;
       auth_jwt off;
[...]

Could you please confirm if there is anything we must enable before using this directive?

Thanks!

to fix, change config from

ngx_module_libs="-ljansson -ljwt"

to

ngx_module_libs="-ljwt -ljansson"

Might be related to #28, but doing something like this causes an error:

if ($jwt_claim_p != "some_str") {
  return 503;
}

This gives me an error in the nginx logs *1 invalid size "".

Similarly you can't use $jwt_claim_* in rewrite or proxy_pass (they're empty), so you cannot use it to verify that the URI is actually allowed to be used, by adding the URI itself as a claim ($jwt_claim_allowed_uri). That seems like an important use case of JWTs to me!

Suggested in #3:

Directives auth_jwt_key_file and auth_jwt_key may be merged since this are two conflicting options defining the same variable.

The syntax could be auth_jwt_key (value | file)=(value or file path) [encoding]

Hi,

 I am looking for a way to verify jwt claims against a dynamic runtime nginx embedded variable, e.g. cookie or uri? is that a possibility? I have tried using map regex trick but nginx server crashes which leads me to believe it isn't a supported feature

Thanks

Would it be possible to add something like in https://github.com/TeslaGov/ngx-http-auth-jwt-module to have an optional auth_jwt_redirect / auth_jwt_loginurl to redirect if no jwt is present?

Example: Without auth_jwt_redirect / auth_jwt_loginurl (existing behavior / new configuration option but unconfigured by default)

• User navigates to secured site without a jwt = 401

Example: With auth_jwt_redirect "on" + auth_jwt_loginurl: "<url>" (new behavior)

• User navigates to secured site without a jwt = redirects to the login page/site to login with some query string for returning back to the site (e.g. ?returnUrl=<secured site>)

This would allow for a server configuration like:

auth_jwt_key "<secret hex string>";
auth_jwt_alg "HS256";
auth_jwt_loginurl "https://login.example.com/";

location / {
    auth_jwt_redirect "on";
    auth_jwt $cookie_jwt_token;
    auth_jwt_require $jwt_has_status_permission error=403;

    proxy_pass                          http://192.168.68.71:6000/;
    # etc...
}

location /api {
    auth_jwt_redirect "off"; #disable login redirect when accessing a programmatic endpoint
}

And when someone visits status.example.com without a JWT, they're redirected to login at https://login.example.com/?returnUrl=https://status.example.com. (I'm using https://github.com/qvest-digital/loginsrv as a simple authentication proxy)

After returning to status.example.com, it'll then check to see if they have the status permission/claim (implied by $jwt_has_status_permission).

(Optionally have some sort of auth_jwt_loginurl_query_param_name to configure the returnUrl parameter if it needs to be something different, however Loginsrv supports changing what query param to look for, however other solutions might not be as flexible, so this would aid making this enhancement more widely useable)

I have been trying to use the cookie variant for authentication, but keep getting a JWT parse error. Using the default header option works as expected.

I couldn’t find a good reference how that cookie should look like and tried prefixing the JWT with Bearer e... and also tried without, but neither worked. Could you please enlighten me if I need to encode the cookie value somehow?

Thank you!

Hi there,

I'm trying to set rate limits using jwt embedded variables. But it doesn't work.
Configuration example:

http {
...

  limit_req_zone $jwt_claim_id zone=lreq_user:10m rate=1r/m;
  ...
  server {
    auth_jwt off;
    auth_jwt_key /etc/nginx/certs/jwt.pem file;
    ...
    location /api/ {
      auth_jwt on;
      limit_req zone=lreq_user;
      ...
    }
  }
}

It looks like $jwt_claim_id is defined as an empty value in the limit_req_zone directive, because with this configuration, the rate limit worked:

http {
...
  map $jwt_claim_id $test {
     \"100172\" 0;
     "" 1;
    }

  limit_req_zone $test zone=lreq_user:10m rate=1r/m;
  ...
  server {
    auth_jwt off;
    auth_jwt_key /etc/nginx/certs/jwt.pem file;
    ...
    location /api/ {
      auth_jwt on;
      limit_req zone=lreq_user;
      ...
    }
  }
}

Also strange behavior when using the auth_jwt_require directive, with this configuration nginx responds with a 403 code:

http {
...

  limit_req_zone $jwt_claim_id zone=lreq_user:10m rate=1r/m;
  ...
  server {
    auth_jwt off;
    auth_jwt_key /etc/nginx/certs/jwt.pem file;
    ...
    location /api/ {
      auth_jwt on;
      limit_req zone=lreq_user;
      auth_jwt_require $jwt_claim_id error=403;
      ...
    }
  }
}

Without the line limit_req zone=lreq_user; nginx works fine

Could you please add another sentence to the README regarding auth_jwt_key_file? I am assuming right that it is basically just a replacement for auth_jwt_key, which reads the key from a file, but it's not immediately obvious if either or both can be provided.

Maybe it would be even better to get rid of auth_jwt_key_file all together and just check if auth_jwt_key could be a file path.

Hi,
I'm trying to get this working, but it isn't really clear to me as what format should be the auth_jwt_key.
Obviously I'm doing something wrong, cause I'm getting "JWT: failed to parse jwt" error.

let's say that my secret key is "HELLO WORLD". What should put into the auth_jwt_key?
just copy & paste the string? Or should I convert it into hex -> "48454c4c4f20574f524c44"
and then copy it and paste there?

auth_jwt $variable

Is it possible for the $variable to be on or off? I tried it and it didn't work but I'm wondering if I can achieve this somehow.

Should there maybe be an explicit (optional) auth_jwt_alg config setting to specify the expected algorithm for the JWT?

Hi there,

I am really confused, because I always get 401, because I receive an error that token algorithm is not valid. I found out, that it is always returning 0. My config looks like this

location = /jwt/secured {
    auth_jwt on;
    auth_jwt_alg any;
    return 200;
}

It happens here:
https://github.com/max-lt/nginx-jwt-module/blob/master/src/ngx_http_auth_jwt_module.c#L162

If I comment this block out it works fine

It seems to be an error in jwtlib:
benmcollins/libjwt#156
so a workarround is necessary. Or do you have any other idea?

Including the module without setting directive blocks all requests.

Currently if no auth_jwt directive is set the jwt_flag variable stays set to -1 (which is an incorrect state) and all requests (whose context is not overwritten) are rejected.

A workaround is to set auth_jwt=off on http context.

Hi,
I'm trying to configure the jwt check depending on the request method:

http {
...
  map $request_method $jwt_validate {
          POST  on;
          default    off;
  }

  ...
  server {
    auth_jwt off;
    auth_jwt_key /etc/nginx/certs/jwt.pem file;
    ...
    location /api/ {
      auth_jwt $jwt_validate;
      ...
    }
  }
}

But I get a 401 response code with any request method

I compile the module as static, and update the *.conf
location = /security {
auth_jwt_key *** file;
auth_jwt on;
}

But it doesn't work.