nginxjwtopenrestynginx-plus

ngx_http_auth_jwt_module. Is that only available with NGINX Plus?

I'd like to use and implement that module (ngx-http-auth-jwt-module) in some applications that I have. That is apparently only officially available as part of their commercial subscription ?

ngx_http_auth_jwt_module

NGINX Products

Can I get similar functionality from an Open Source module for NGINX, or possibly use OpenResty OpenResty instead with a similar module ? I would really like to process the JWT's directly within NGINX, or maybe use something like KeyCloak as well.

I noticed that there is a GitHub repo to build that module or a similar module ?

ngx-http-auth-jwt-module

Any Suggestions ?

Solution

  • I was able to compile the ngx-http-auth-jwt-module from the GitHub repo that I mentioned:

    ngx-http-auth-jwt-module

    and then added it as a dynamically loaded module to my NGINX build within Docker. A little messy, so it might be better to use something like OpenResty really, but it does seem to work. It will validate the token, and then optionally redirect to a url if the token is not valid, among quite a few other features.

    It requires a little bit of setting up, but the nice thing there is that you can set headers for specific claims in the JWT:

    e.g. The following Headers get set in the request headers, so they can be used in a subrequest, or elsewhere, and I think they are accessible as $http_jwt_xxx.

    "HTTP_JWT_PID": ""

    "HTTP_JWT_SID": ""

    "HTTP_JWT_SUB" ""

    You can do the same for response headers, accessible as $sent_http_jwt_xxx. I am not sure if you can also use if statements or more advanced routing within the the location blocks and proxies, but probably. Seems like basically a replacement or alternative to the one that comes with NGINX plus ? It seems like it would be faster and maybe a bit more elegant to do all of that within the NGINX server itself rather than having to necessarily make a sub-request always.

    You can also put the JWT in the Header or a COOKIE (not sure about the query string), which is also a nice feature:

    auth_jwt_location HEADER=auth-token;  # get the JWT from the "auth-token" header
auth_jwt_location COOKIE=auth-token;  # get the JWT from the "auth-token" cookie

    load_module modules/ngx_http_auth_jwt_module.so;
http {

server {

    auth_jwt_key "binhex of key if you use that method";
    auth_jwt_enabled off;

...

    location  /proxy/  {
    
        auth_jwt_enabled on;
        auth_jwt_redirect on;
        auth_jwt_location COOKIE=JWTVIEWER;
        auth_jwt_extract_request_claims sub sid pid;
        auth_jwt_loginurl "some url";