Comments (35)
Ok, as you can see now, your server send back the two variables, and it's fine... Dbg-Cookie-Lt-Jwt
sends back the good value...
can you try to add auth_jwt off;
int the http
context ? I wonder if it may be related to #2.
from nginx-jwt-module.
#2 is fixed, closing this issue.
from nginx-jwt-module.
You should try to mark your configuration locations to be sure that it isn't the problem:
server {
add_header dbg-uri $uri;
add_header dbg-loc "server";
location = /application {
add_header dbg-loc "application";
}
location = /api {
add_header dbg-loc "api";
}
}
from nginx-jwt-module.
Ok I can reproduce it now, I will dig this soon !
from nginx-jwt-module.
Thanks a lot to contributing, I have seen your patch but there is a problem with it: two tests are failing.
I wanted to avoid a copy of the string, but as this leads to a bug, I will replace the char**token by a pointer on a ngx_str structure.
from nginx-jwt-module.
Well, it can be a cookie as it can be anything:
In the documentation $cookie_MyCookieName
refers to the nginx's dynamic cookie vairable.
So if you want to check a cookie named 'jwt' you'll have to set auth_jwt
to "$cookie_jwt".
There is some examples in the test file where the cookie is named "rampartjwt"
from nginx-jwt-module.
Thanks, yeah for some reason I can't get the cookie option to work in the browser. The weird thing is that it works via curl
. In my test setup I have two locations in nginx - something like this:
server {
auth_jwt off;
auth_jwt_key "AUTH0_CLIENT_SECRET";
[...]
location = /application {
auth_jwt $cookie_lt_jwt;
root /usr/src/static;
try_files /application.html =404;
}
location = /api {
# just turning it on will expect the JWT in the header
auth_jwt on;
root /usr/src/static;
try_files /application.html =404;
}
}
Using the same JWT, I was able to successfully access both with curl
, but can never get through to the /application
location in the browser. I tested this via:
curl https://some.page.com/api -H "Authorization: Bearer ey......."
✅
curl https://some.page.com/application --cookie "lt_jwt=ey......."
✅
But when I actually navigate to the page, I can confirm the same cookie is stored in the browser, but I am still getting 401 unauthorized
and an error in the nginx error.log
regarding parsing of the JWT.
Can you possibly think of any reason, why nginx
wouldn't be able to pickup / parse that cookie correctly in the browser, while it appears to be working fine with curl
?
from nginx-jwt-module.
I would look at the underscore.
try to debug it with something like:
location = /api {
return 200 "cookie is $cookie_lt_jwt";
}
Edit: nope, just tested it it works fine with underscores...
What is the URL you tried in the browser ?
from nginx-jwt-module.
You are welcome to try it out here: https://my.login-test.com [Update: this link won't work anymore]
There is a flask
(python
) server running underneath nginx
for the login part, which is roughly based on the auth0
python example (https://auth0.com/docs/quickstart/webapp/python).
from nginx-jwt-module.
Ok, I found the problem, the "session" cookie is parsed with the "lt_jwt" one...
I don't know why nginx is behaving like that, I will dig into it.
from nginx-jwt-module.
Thanks for looking into this! The auth0
example was putting that info into the session. Here is the code that is actually writing the cookies (and extends the session). I wouldn't expect that to interfere with the authentication, though:
@app.route('/callback')
def callback_handling():
# Handles response from token endpoint
token = auth0.authorize_access_token()
resp = auth0.get('userinfo')
userinfo = resp.json()
# Store the user information in flask session.
session[constants.JWT_PAYLOAD] = userinfo
session[constants.PROFILE_KEY] = {
'user_id': userinfo['sub'],
'name': userinfo['name'],
'picture': userinfo['picture']
}
# Store the token as a cookie
response = redirect('/dashboard')
response.set_cookie('lt_jwt',
value='{}'.format(token.get('id_token')),
max_age=token.get('expires_in'),
httponly=True,
secure=False)
return response
It's entirely possible that token.get('id_token')
isn't the correct thing to store in the lt_jwt
cookie here.
from nginx-jwt-module.
That's a strange issue because I cannot reproduce it locally.
I tried curl <SITE> --cookie 'lt_jwt=eyJ0eX...hn4TY; session=eJzNkMt...rA'
both on your site and localhost, it works on localhost, not on the remote site.
But changing it by curl <SITE> --cookie 'lt_jwt=eyJ0eX...hn4TY
makes it works...
The problem is not from nginx's way to parse $cookie_name.
Are you manipulating $http_cookie variable at some point ? or $cookie_lt_jwt ?
Edit:
Can you add add_header DBG-HTTP-COOKIE $http_cookie;
and add_header DBG-COOKIE-LT-JWT $cookie_lt_jwt;
in you server configuration to debug it ?
from nginx-jwt-module.
Are you manipulating $http_cookie variable at some point ? or $cookie_lt_jwt ?
Not intentionally and the python code above appears the only obvious place where any cookie is changes / created. Since I actually won't really need the flask session cookie in the end - I'll see if I can't just disable it.
PS: I can confirm that deleting the session
cookie (even just in the browser console) allows you to access /application
from nginx-jwt-module.
Maybe there is something checking for the "session" cookie before checking the "lt_jwt" one. Is your server behind a proxy ?
from nginx-jwt-module.
Yes, NGINX is being used as a reverse proxy:
location / {
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
The flask python server is then run on 127.0.0.1:3000
from nginx-jwt-module.
But since the 401
came from NGINX
directly, I didn't expect any of the other locations
to even reach that python code?
from nginx-jwt-module.
Please add add_header DBG-HTTP-COOKIE $http_cookie;
and add_header DBG-COOKIE-LT-JWT $cookie_lt_jwt
; in you server configuration to debug it.
from nginx-jwt-module.
Ok, I added those as part of the top-level server
NGINX config. Now the /application
link works - not sure why, though
PS: I since renamed the cookie to ltjwt
to avoid any potential issues with the underscore
from nginx-jwt-module.
In the server
context I had already specified auth_jwt off;
as the "default". I moved that up one layer and took out the add_header DBG-...
again. It appears to be working now. So it may indeed be related to #2 - I very much appreciate your help here!
from nginx-jwt-module.
Ok, I will fix #2 now, it's a simple inheritance issue.
from nginx-jwt-module.
Hi @Maxx-T it's me again ;) I tested the latest master
branch and the changes unfortunately didn't solve my problem. In addition, they actually "broke" the previous workaround. Now, putting the auth_jwt off;
statement in the http
context , no longer solves this issue for me.
Authentication works when there is only a single cookie present. Adding any (random) additional cookie breaks the authentication (as described before).
I added the header
Dbg-Http-Cookie
again and it certainly shows all cookies are part of $http_cookie
. Is there possibly a problem with getting the right cookie down the line?
from nginx-jwt-module.
The important header to set is the add_header DBG-COOKIE-FOO $cookie_your_cookie_name;
.
Also, it sould work without specifying auth_jwt off;
now.
from nginx-jwt-module.
Yes, I added both headers and the DBG-COOKIE-FOO
looks good to me. I'll add an additional debug output to the c
code to see what is going on...
from nginx-jwt-module.
You can use the dev branch, it is fastest to build and set to verbose mode:
git checkout dev
cd dev
./build
docker run -p 8000:8000 jwt-nginx-s4
then to test other configurations you just have to build with ./build s4
to update the nginx configuration.
I would suspect the location = /xxx
in your configuration: if your server is behind a proxy the equal matcher could not match any example.com//xxx or example.com/xxx/ instead of example.com/xxx
from nginx-jwt-module.
What I can't wrap my head around is if the location
config was a problem, why would it start to work when I delete any additional cookies?
from nginx-jwt-module.
It may be something due to a problem with location priority, because of your reverse proxy rule, something like:
server {
location / {
#matches first, see a session cookie, parse it, reject it -> 401
}
location = /xxx {
}
}
Also, try to replace, at least for now location = /xxx
by location ^~ /xxx
from nginx-jwt-module.
Yes thanks - I did those things. If location /
really sees a (valid) session cookie, why would it reject it?
I added this debug statement here #9 and looking at the jwt_data
.
If I have only a single cookie (containing the JWT) jwt_data
is correct:
2018/09/13 11:52:07 [debug] 63#63: *5 Found JWT: ey.....
However, if you add any random additional cookie - it ends up in that jwt_data
as well like this:
2018/09/13 11:52:30 [debug] 63#63: *5 Found JWT: ey.....; random=value
Are you sure there isn't a problem with how the cookie data is being read?
from nginx-jwt-module.
Yes I am: 1) it would imply that nginx cannot parse a cookie correctly, 2) I cannot reproduce.
The problem is either in the way you build your image, either in your nginx configuration.
- Can you reproduce it with
docker run -p 80:80 -v your-nginx-config-dir:/etc/nginx maxxt/nginx-jwt-module:2018-09-13T01-44
- Can you post your full configuration ?
from nginx-jwt-module.
Have you tested with more than one cookie with curl? Because curl and postman doesn't work for me with more than one cookie.
from nginx-jwt-module.
There is a comment here:
// the cookie data is not necessarily null terminated... we need a null terminated character pointer
from nginx-jwt-module.
It's not that, pcalloc set all bytes to 0.
from nginx-jwt-module.
Still, curl
doesn't work with more than one cookie
from nginx-jwt-module.
I agree that it's most likely my config, though!
from nginx-jwt-module.
Indeed. Can you post it somewhere ? a gist or something ?
from nginx-jwt-module.
Let me know if you still need the full config and I'll share it somewhere. Thanks!
from nginx-jwt-module.
Related Issues (17)
- Handle auth_request directive double check
- Build is not compiling auth_jwt module HOT 2
- Call jwt_free after jwt_decode to avoid memory leak? HOT 2
- Do I must use the Dynamic module, or this support static nginx module too? HOT 1
- Including the module without setting directive blocks all requests
- jwt parse error HOT 2
- build statically under musl fails because of wrong linking order HOT 1
- jwt_get_alg(jwt) returns 0 HOT 4
- (No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41 HOT 2
- limit_req_zone with jwt embedded variables HOT 12
- Small improvements to documentation HOT 1
- $jwt_claim_* not set in `rewrite` or `if` HOT 3
- auth_jwt with variables does not work HOT 2
- Dynamically toggle `auth_jwt` HOT 2
- Add explicit auth_jwt_alg HOT 3
- Merge auth_jwt_key_file and auth_jwt_key
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nginx-jwt-module.