=encoding utf-8

=head1 NAME

ngx_http_auth_jwt_module - Module ngx_http_auth_jwt_module




=head1



The C<ngx_http_auth_jwt_module> module (1.11.3)
implements client authorization by validating the provided
L<JSON Web Token|https://tools.ietf.org/html/rfc7519> (JWT)
using the specified keys.
JWT claims must be encoded in a
L<JSON Web Signature|https://tools.ietf.org/html/rfc7515> (JWS)
structure.
The module can be used for
L<OpenID Connect|http://openid.net/specs/openid-connect-core-1_0.html>
authentication.





The module may be combined with
other access modules, such as
L<ngx_http_access_module|ngx_http_access_module>,
L<ngx_http_auth_basic_module|ngx_http_auth_basic_module>,
and
L<ngx_http_auth_request_module|ngx_http_auth_request_module>,
via the L<ngx_http_core_module> directive.






B<NOTE>

This module is available as part of our
commercial subscription.





=head1 Example Configuration




    
    location / {
        auth_jwt          "closed site";
        auth_jwt_key_file conf/keys.json;
    }






=head1 Directives

=head2 auth_jwt


B<syntax:> auth_jwt I<I<C<string>> [I<C<token=$variable>>] E<verbar>
C<off>>


B<default:> I<off>


B<context:> I<http>


B<context:> I<server>


B<context:> I<location>





Enables validation of JSON Web Token.
The specified I<C<string>> is used as a C<realm>.
Parameter value can contain variables.





The optional C<token> argument specifies a variable
that contains JSON Web Token.
By default, JWT is passed in the C<Authorization> header
as a
L<Bearer Token|https://tools.ietf.org/html/rfc6750>.
JWT may be also passed as a cookie or a part of a query string:

    
    auth_jwt "closed site" token=$cookie_auth_token;







The special value C<off> cancels the effect
of the C<auth_jwt> directive
inherited from the previous configuration level.







=head2 auth_jwt_key_file


B<syntax:> auth_jwt_key_file I<I<C<file>>>



B<context:> I<http>


B<context:> I<server>


B<context:> I<location>





Specifies a I<C<file>> in
L<JSON Web Key Set|https://tools.ietf.org/html/rfc7517#section-5>
format for validating JWT signature.
Parameter value can contain variables.







=head1 Embedded Variables



The C<ngx_http_auth_jwt_module> module
supports embedded variables.





Variables that return
L<JWT claims|https://tools.ietf.org/html/rfc7519#section-4>:


=over


=item C<$jwt_claim_aud>




the C<aud> (audience) claim



=item C<$jwt_claim_email>




the C<email> claim



=item C<$jwt_claim_exp>




the C<exp> (expiration time) claim



=item C<$jwt_claim_iat>




the C<iat> (issued at) claim



=item C<$jwt_claim_iss>




the issuer of the claim



=item C<$jwt_claim_jti>




the JWT ID



=item C<$jwt_claim_nbf>




the C<nbf> (not-before time) claim



=item C<$jwt_claim_sub>




the subject of the JWT



=back







Variables that return parameters of
L<JOSE header|https://tools.ietf.org/html/rfc7515#section-4>:


=over


=item C<$jwt_header_alg>




the C<alg> (algorithm) header parameter



=item C<$jwt_header_cty>




the C<cty> (content type) header parameter



=item C<$jwt_header_enc>




the C<enc> (encryption algorithm) header parameter



=item C<$jwt_header_kid>




the C<kid> (key ID) header parameter



=item C<$jwt_header_typ>




the C<typ> (type) header parameter




=back