Comments (5)
max-lt
commented on August 28, 2024
No, actually it was one of the reasons why I moved from TeslaGov's module iirc TeslaGov/ngx-http-auth-jwt-module#37 and started this one.
You don't need auth_jwt_redirect and can use error_page directive and named locations instead :
location @login_err_redirect {
return 302 https://example.com?redirect=$request_uri&$args;
}
location ~ ^/secure/ {
auth_jwt on;
error_page 401 = @login_err_redirect;
}
Didn't try with this one tho, i'd be interested to know if you make it works (even more if you don't) so I can add it to the documentation.
from nginx-jwt-module.
max-lt
commented on August 28, 2024
Just tried, it does work as expected:
load_module /usr/lib/nginx/modules/ngx_http_auth_jwt_module.so;
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
server {
listen 7890;
server_name _;
auth_jwt_key "0123456789abcdef" hex; # Your key as hex string
auth_jwt off;
location @login_err_redirect {
return 302 $scheme://$host:$server_port/login?redirect=$request_uri;
}
location /secure/ {
auth_jwt on;
error_page 401 = @login_err_redirect;
}
location / {
return 200 "OK";
}
}
}docker run -v ./nginx.conf:/etc/nginx/nginx.conf -p 7890:7890 ghcr.io/max-lt/nginx-jwt-module:v3.4.1/secure/path?a=3&u=12 redirects to /login?redirect=/secure/path?a=3&u=12
from nginx-jwt-module.
bradleymize
commented on August 28, 2024
Confirmed that works:
location @login_err_redirect {
return 302 https://login.example.com/?return_url=https://$host$request_uri;
}
location / {
auth_jwt $cookie_jwt_token;
auth_jwt_require $jwt_has_status_permission error=403;
error_page 401 = @login_err_redirect;
#etc...
}(my use-case is an authentication + authorization reverse proxy, as a more user-friendly alternative to client certificates)
Something I'll have to double check after work now that I have this working is verify if the claims allowed for uppercase, but when I initially tested, it didn't like when one of the claims was AllowedSites, e.g.
AllowedSites: "status,other"
It would show up in add_header DBG-COOKIE-PAYLOAD $jwt_payload but everything would stop working when I tried $jwt_claim_AllowedSites
from nginx-jwt-module.
max-lt
commented on August 28, 2024
Indeed it won't work, when Nginx attempts to resolve a name it actually forces the name to lower case. Source can be found here.
But it seems to be standard in JWT to use snake case, see https://www.iana.org/assignments/jwt/jwt.xhtml#claims
from nginx-jwt-module.
bradleymize
commented on August 28, 2024
Didn't know about either of those, thanks for the links to the source/documentation, I appreciate it
Confirmed it worked with allowed_sites and using a regex comparison in the map block
# e.g. allowed_sites: "status,other"
map $jwt_claim_allowed_sites $jwt_has_status_permission {
"~.*status.*" 1;
}from nginx-jwt-module.
Related Issues (20)
- Handle auth_request directive double check
- Including the module without setting directive blocks all requests
- Small improvements to documentation HOT 1
- Add explicit auth_jwt_alg HOT 3
- Cookie description in documentation HOT 35
- Merge auth_jwt_key_file and auth_jwt_key
- Build is not compiling auth_jwt module HOT 2
- Call jwt_free after jwt_decode to avoid memory leak? HOT 2
- Do I must use the Dynamic module, or this support static nginx module too? HOT 1
- jwt parse error HOT 2
- build statically under musl fails because of wrong linking order HOT 1
- jwt_get_alg(jwt) returns 0 HOT 4
- (No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41 HOT 2
- limit_req_zone with jwt embedded variables HOT 12
- $jwt_claim_* not set in `rewrite` or `if` HOT 3
- auth_jwt with variables does not work HOT 2
- Dynamically toggle `auth_jwt` HOT 2
- Build for arm64 architecture
- auth_jwt_require against nginx embedded variable? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nginx-jwt-module.