This work is based on lua-resty-jwt plugins so all credits.. should go those guys. The intention of this repo is to provide an "out of the box" solution for authenticating against keys stored in Redis cache. If you need a more versatile solution you should really turn look at the upstream project.
0.1
The intention of this repo is to provide an "out of the box" solution for authenticating against keys stored in Redis cache. To run it in a docker container:
docker run --name redis redis
docker run --link redis -v nginx.conf:/usr/nginx/conf/nginx.conf svyatogor/resty-lua-jwt
Sample nginx.conf (minimal config with only relevant sections)
worker_processes 1;
daemon off;
error_log stderr;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
access_log /dev/stdout;
sendfile on;
keepalive_timeout 65;
lua_package_path "/lua-resty-jwt/lib/?.lua;;";
lua_shared_dict jwt_key_dict 10m;
resolver 127.0.0.1;
server {
listen 80;
server_name localhost;
set $redhost "redis";
set $redport 6379;
location ~ ^/api/(.*)$ {
access_by_lua_file /lua-resty-jwt/jwt.lua;
proxy_pass http://upstream/api/$1;
}
}
}
The token should be passed in "Authorization" header as:
Authorization: Bearer TOKEN
It must contain the payload hash of format
{kid: SESSION_ID}
During authorization process your API should set the following keys in redis:
HSET SESSION_ID secret SESSION_SECRET
HSET SESSION_ID data OPTIONAL_DATA
If you set the data (which is not required) it will be passed to the upstream API in the X-Data header. A typical use case would be to serialize relevant user data (such as user id) in the JSON hash, so that upstream API is able to identify the user.