max-lt / nginx-jwt-module
NGINX module to check for a valid JWT.
License: MIT License
I am using this Dockerfile to build the image:
FROM jwt-nginx
# Get nginx ready to run
COPY nginx /etc/nginx
EXPOSE 8000
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]
build: docker build -f Dockerfile -t jwt-custom .
run: docker container run -p 8080:8000 jwt-custom
Error
...
/docker-entrypoint.sh: Configuration complete; ready for start up
2022/12/29 08:24:24 [error] 1#1: No such file or directory (2: No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41
nginx: [error] No such file or directory (2: No such file or directory) in /etc/nginx/test-jwt-nginx.conf:41
I have verified that the file is indeed present in the /etc/nginx folder.
auth_jwt $variable
Is it possible for the $variable to be on or off? I tried it and it didn't work, but I'm wondering if I can achieve this somehow.
To fix, change the config from
ngx_module_libs="-ljansson -ljwt"
to
ngx_module_libs="-ljwt -ljansson"
Hello @Maxx-T!
Thanks for sharing this repo. This is what I was looking for so that I don't need to buy NGINX Plus or go for Caddy.
I ran ./build and started my container with the following:
docker run -d --rm --name proxy -v /html/:/var/www/html -v /etc/nginx:/etc/nginx -p "80:80" jwt-nginx
In the nginx.conf file I had very basic settings, but when adding the auth_jwt option and reloading nginx I get the message:
unknown directive "auth_jwt" in /etc/nginx/nginx.conf
I just added these options to the server block as in the README file:
server {
auth_jwt_key "9e588fb43b6a1248531156e284c2bea7" hex;
auth_jwt off;
[...]
Could you please confirm if there is anything we must enable before using this directive?
Thanks!
I have been trying to use the cookie variant for authentication, but I keep getting a JWT parse error. Using the default header option works as expected.
I couldn't find a good reference for how that cookie should look, and tried prefixing the JWT with Bearer e... and also tried without, but neither worked. Could you please enlighten me if I need to encode the cookie value somehow?
Thank you!
Should there maybe be an explicit (optional) auth_jwt_alg config setting to specify the expected algorithm for the JWT?
Including the module without setting the directive blocks all requests.
Currently, if no auth_jwt directive is set, the jwt_flag variable stays set to -1 (which is an incorrect state) and all requests (whose context is not overwritten) are rejected.
A workaround is to set auth_jwt=off on the http context.
Might be related to #28, but doing something like this causes an error:
if ($jwt_claim_p != "some_str") {
return 503;
}
This gives me an error in the nginx logs: *1 invalid size "".
Similarly, you can't use $jwt_claim_* in rewrite or proxy_pass (they're empty), so you cannot use it to verify that the URI is actually allowed to be used by adding the URI itself as a claim ($jwt_claim_allowed_uri). That seems like an important use case of JWTs to me!
Could you please add another sentence to the README regarding auth_jwt_key_file? I am assuming right that it is basically just a replacement for auth_jwt_key, which reads the key from a file, but it's not immediately obvious if either or both can be provided.
Maybe it would be even better to get rid of auth_jwt_key_file altogether and just check if auth_jwt_key could be a file path.
Suggested in #3:
Directives auth_jwt_key_file and auth_jwt_key may be merged since these are two conflicting options defining the same variable.
The syntax could be auth_jwt_key (value | file)=(value or file path) [encoding]
Hi there,
I am really confused because I always get 401: I receive an error that the token algorithm is not valid. I found out that it is always returning 0. My config looks like this:
location = /jwt/secured {
auth_jwt on;
auth_jwt_alg any;
return 200;
}
It happens here:
https://github.com/max-lt/nginx-jwt-module/blob/master/src/ngx_http_auth_jwt_module.c#L162
If I comment this block out, it works fine.
It seems to be an error in libjwt:
benmcollins/libjwt#156
so a workaround is necessary. Or do you have any other idea?
The auth_request directive should not be triggered when the auth_jwt one successfully authenticates the request:
auth_jwt must be executed before auth_request (because it is fastest).
auth_request must be called only if auth_jwt is disabled or failed to authenticate the request.
This behavior must be optional (auth_jwt_options [handle_auth_request]?)
Hi,
I'm trying to configure the jwt check depending on the request method:
http {
...
map $request_method $jwt_validate {
POST on;
default off;
}
...
server {
auth_jwt off;
auth_jwt_key /etc/nginx/certs/jwt.pem file;
...
location /api/ {
auth_jwt $jwt_validate;
...
}
}
}
But I get a 401 response code with any request method.
Would it be possible to add something like in https://github.com/TeslaGov/ngx-http-auth-jwt-module to have an optional auth_jwt_redirect / auth_jwt_loginurl to redirect if no JWT is present?
Example: Without auth_jwt_redirect / auth_jwt_loginurl (existing behavior / new configuration option but unconfigured by default)
Example: With auth_jwt_redirect "on" + auth_jwt_loginurl "<url>" (new behavior, ?returnUrl=<secured site>)
This would allow for a server configuration like:
auth_jwt_key "<secret hex string>";
auth_jwt_alg "HS256";
auth_jwt_loginurl "https://login.example.com/";
location / {
auth_jwt_redirect "on";
auth_jwt $cookie_jwt_token;
auth_jwt_require $jwt_has_status_permission error=403;
proxy_pass http://192.168.68.71:6000/;
# etc...
}
location /api {
auth_jwt_redirect "off"; #disable login redirect when accessing a programmatic endpoint
}
And when someone visits status.example.com without a JWT, they're redirected to login at https://login.example.com/?returnUrl=https://status.example.com. (I'm using https://github.com/qvest-digital/loginsrv as a simple authentication proxy.)
After returning to status.example.com, it'll then check to see if they have the status permission/claim (implied by $jwt_has_status_permission).
(Optionally have some sort of auth_jwt_loginurl_query_param_name to configure the returnUrl parameter if it needs to be something different. Loginsrv supports changing what query param to look for; however, other solutions might not be as flexible, so this would aid making this enhancement more widely usable.)
I compile the module as static and update the *.conf:
location = /security {
auth_jwt_key *** file;
auth_jwt on;
}
But it doesn't work.
Hi,
I am looking for a way to verify JWT claims against a dynamic runtime nginx embedded variable, e.g. cookie or uri. Is that a possibility? I have tried using the map regex trick, but the nginx server crashes, which leads me to believe it isn't a supported feature.
Thanks
Hi,
I'm trying to get this working, but it isn't really clear to me what format the auth_jwt_key should be in.
Obviously I'm doing something wrong, because I'm getting the "JWT: failed to parse jwt" error.
Let's say that my secret key is "HELLO WORLD". What should I put into auth_jwt_key?
Just copy & paste the string? Or should I convert it into hex -> "48454c4c4f20574f524c44" and then copy and paste that?
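An added illustration for the key-format question above and the cookie question earlier in the thread (this is not the module's code): a stdlib-only HS256 signer and verifier showing what the raw key bytes are for each spelling of the secret and what a well-formed token value looks like. It assumes that auth_jwt_key with the hex encoding takes the hex spelling of the raw key bytes while the default encoding takes the string as-is, and that auth_jwt $cookie_name is handed the cookie value as the bare compact token, with no Bearer prefix.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Compact serialisation: three base64url segments, no padding, no spaces.
COMPACT_JWT = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_from_hex(hex_key: str) -> bytes:
    """Assumed meaning of `auth_jwt_key "<hex>" hex;`: the value is the hex
    spelling of the raw key bytes, so "48454c4c4f20574f524c44" is "HELLO WORLD"."""
    return bytes.fromhex(hex_key)

def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Return the claims if `token` is a well-formed JWT signed with `key` under
    `expected_alg`, else None. A cookie value such as "Bearer eyJ..." is not the
    compact form and fails the first check (a parse failure, not a bad signature)."""
    if not COMPACT_JWT.match(token):
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm rather than trusting the header's alg field (the explicit
    # expected-algorithm setting suggested earlier in the thread).
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(b64url_decode(payload_b64))
```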
Hi there,
I'm trying to set rate limits using jwt embedded variables. But it doesn't work.
Configuration example:
http {
...
limit_req_zone $jwt_claim_id zone=lreq_user:10m rate=1r/m;
...
server {
auth_jwt off;
auth_jwt_key /etc/nginx/certs/jwt.pem file;
...
location /api/ {
auth_jwt on;
limit_req zone=lreq_user;
...
}
}
}
It looks like $jwt_claim_id is defined as an empty value in the limit_req_zone directive, because with this configuration, the rate limit worked:
http {
...
map $jwt_claim_id $test {
"100172" 0;
"" 1;
}
limit_req_zone $test zone=lreq_user:10m rate=1r/m;
...
server {
auth_jwt off;
auth_jwt_key /etc/nginx/certs/jwt.pem file;
...
location /api/ {
auth_jwt on;
limit_req zone=lreq_user;
...
}
}
}
Also strange behavior when using the auth_jwt_require directive, with this configuration nginx responds with a 403 code:
http {
...
limit_req_zone $jwt_claim_id zone=lreq_user:10m rate=1r/m;
...
server {
auth_jwt off;
auth_jwt_key /etc/nginx/certs/jwt.pem file;
...
location /api/ {
auth_jwt on;
limit_req zone=lreq_user;
auth_jwt_require $jwt_claim_id error=403;
...
}
}
}
Without the line limit_req zone=lreq_user; nginx works fine.