@abbaspour
Last active August 28, 2024 02:52
Guide how to enable JWT validation on open source nginx server using ngx-http-auth-jwt-module
brew install openssl jansson libjwt

wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxvf nginx-1.18.0.tar.gz

git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module

cd nginx-1.18.0/

brew link openssl # if running on Darwin, check for LDFLAGS and CPPFLAGS 

./configure --add-module=../ngx-http-auth-jwt-module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-ld-opt="-L/usr/local/opt/openssl/lib" \
    --with-cc-opt="-I/usr/local/opt/openssl/include"

make

Use jwks-to-pem.sh to extract the x509 public key.

daemon off;
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server {
        # use https://github.com/abbaspour/auth0-bash/blob/master/discovery/jwks-to-pem.sh to convert jwks.json to x509 PEM
        auth_jwt_key "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6b54f+d2tINbpTwi1Hxw
1DlNagPwgfKsqBnCdqlXt40s5hyu/8SJieAiw2wlxLyX+nrxIV510ED1vyTr/ctC
nak8ZvtBfEYPRCfqT9kRYHaVA8MlRGLNURR/nk5u75LebEdtvcS4nu817xjaG2dO
rMZ5urlKQhgRzct1+IEmLMRhdBy6PfQCxXgbxh42Q2YxIXcIXK8UkQLZQ1MLG5Ji
EowVwp64dJuC7NF8IkywtbJoOfGVxRuRHqXxKOXEs9kthODNaMqVIgEqsSfFXlFN
GI6wKjEAcbXPCSEA+h50kz08aNIVvgNhPKK0+C/VKnYiYSV8HAo05XOOdbCo71dj
NQIDAQAB
-----END PUBLIC KEY-----";
        auth_jwt_loginurl "https://app.localtest.me/login";
        # JWT validation is off by default for this server; /api turns it on below
        auth_jwt_enabled off;
        auth_jwt_redirect on;
        listen 3443 ssl http2;
        server_name app.localtest.me;
        access_log logs/access.log;
        ssl_certificate cert.pem;
        ssl_certificate_key key.pem;
        location / {
            proxy_pass http://127.0.0.1:3000;
        }
        location /api {
            auth_jwt_enabled on;
            # take the token from the Authorization header (alternative: a cookie, next line)
            auth_jwt_validation_type AUTHORIZATION;
            #auth_jwt_validation_type COOKIE=x_auth_token;
            auth_jwt_algorithm RS256;
            proxy_pass http://127.0.0.1:3000;
            proxy_set_header Host $host;
            #proxy_set_header Authorization "Bearer $cookie_x_auth_token";
        }
    }
}
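What the jwks-to-pem.sh step feeds into `auth_jwt_key`, shown as an added Python example that is not part of the gist or of the module: it picks one RSA signing key from a JWKS document by `kid` and encodes it as a SubjectPublicKeyInfo PEM. The function names, the `kid` value and the sample modulus are constructed for illustration.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def b64url_decode(value: str) -> bytes:
    """Decode the unpadded base64url used for JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, long-form length from 128 bytes up."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def der_uint(raw: bytes) -> bytes:
    """Encode an unsigned big-endian integer as a DER INTEGER."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:  # a leading 0x00 keeps the value non-negative
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)

def jwk_to_pem(jwk: dict) -> str:
    """Return the SubjectPublicKeyInfo PEM for one RSA signing JWK."""
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("not an RSA signing key")
    if "d" in jwk:  # only public material belongs in the nginx config
        raise ValueError("JWK carries private key material")
    rsa_key = der_tlv(0x30, der_uint(b64url_decode(jwk["n"])) + der_uint(b64url_decode(jwk["e"])))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----"

def select_key(jwks: dict, kid: str) -> dict:
    """Pick the key by kid so a rotated or unrelated key is never pinned."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one key with kid={kid!r}, found {len(matches)}")
    return matches[0]

if __name__ == "__main__":
    # Constructed sample JWKS: a made-up 2048-bit modulus, not a real key.
    n = base64.urlsafe_b64encode(bytes([0xC3]) + bytes(254) + b"\x01").rstrip(b"=").decode()
    sample = {"keys": [{"kty": "RSA", "use": "sig", "kid": "constructed-kid", "n": n, "e": "AQAB"}]}
    print(f'auth_jwt_key "{jwk_to_pem(select_key(sample, "constructed-kid"))}";')
```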
@dangolbeeker

jwks.sh is giving page not found.

I want to authenticate many users to a stream, each with their own token per user, for example a live musical artist with 1000 guests.
Each guest needs to be authorized to view the show.

How would you go about this approach?

Thanks!

@abbaspour
Author

Fixed, @dangolbeeker. Thanks for raising.

@JagadishNM
JagadishNM commented Sep 13, 2022

I am getting the error below on Ubuntu when running "make" after ./configure.
Can you please suggest any solution?

My actual plan is to validate JWT token before serving static content.

modules -I src/http/v2
-o objs/addon/src/ngx_http_auth_jwt_module.o
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’:
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:445:2: error: ignoring return value of ‘fread’, declared with attribute warn_unused_result [-Werror=unused-result]
445 | fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);

@javadovjavad

I am getting below error in ubuntu after ./configure running "make". Can you please suggest any solution.

My actual plan is to validate JWT token before serving static content.

modules -I src/http/v2 -o objs/addon/src/ngx_http_auth_jwt_module.o ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’: ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:445:2: error: ignoring return value of ‘fread’, declared with attribute warn_unused_result [-Werror=unused-result] 445 | fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);

Me too....

@dangolbeeker

I haven't had any time to play with it, so I'm still working towards a solution. Please update us if you find it.
