Guide how to enable JWT validation on open source nginx server using ngx-http-auth-jwt-module

readme.md

brew install openssl jansson libjwt

wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxvf nginx-1.18.0.tar.gz

git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module

cd nginx-1.18.0/

brew link openssl # if running on Darwin, check for LDFLAGS and CPPFLAGS 

./configure --add-module=../ngx-http-auth-jwt-module \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-ld-opt="-L/usr/local/opt/openssl/lib" \
    --with-cc-opt="-I/usr/local/opt/openssl/include"

make

Use jwks-to-pem.sh to extrat x509 public key.

nginx.conf

daemon off;
worker_processes  1;
error_log  logs/error.log;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

      server {
      # use https://github.com/abbaspour/auth0-bash/blob/master/discovery/jwks-to-pem.sh to convert jwks.json to x509 PEM
      auth_jwt_key                 "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6b54f+d2tINbpTwi1Hxw
1DlNagPwgfKsqBnCdqlXt40s5hyu/8SJieAiw2wlxLyX+nrxIV510ED1vyTr/ctC
nak8ZvtBfEYPRCfqT9kRYHaVA8MlRGLNURR/nk5u75LebEdtvcS4nu817xjaG2dO
rMZ5urlKQhgRzct1+IEmLMRhdBy6PfQCxXgbxh42Q2YxIXcIXK8UkQLZQ1MLG5Ji
EowVwp64dJuC7NF8IkywtbJoOfGVxRuRHqXxKOXEs9kthODNaMqVIgEqsSfFXlFN
GI6wKjEAcbXPCSEA+h50kz08aNIVvgNhPKK0+C/VKnYiYSV8HAo05XOOdbCo71dj
NQIDAQAB
-----END PUBLIC KEY-----";
      auth_jwt_loginurl            "https://app.localtest.me/login";
      auth_jwt_enabled             off;
      auth_jwt_redirect            on;

      listen 3443 ssl http2;
      server_name app.localtest.me;

      access_log  logs/access.log;

      ssl_certificate cert.pem;
      ssl_certificate_key key.pem;

      location / {
        proxy_pass http://127.0.0.1:3000;
      }
        
      location /api {
        auth_jwt_enabled on;
        auth_jwt_validation_type AUTHORIZATION;  
        #auth_jwt_validation_type COOKIE=x_auth_token;
        auth_jwt_algorithm RS256;

        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        #proxy_set_header Authorization "Bearer $cookie_x_auth_token";
      }
    }
}

jwks.sh is giving page not found.

I want authenticate many users to a stream each with there own token per user for example a live musical artist with 1000 guests.
Each guest needs to be authorized to view the show.

How would you go about with this approach ?

Thanks!

fixed @dangolbeeker . tnx for raising

I am getting below error in ubuntu after ./configure running "make".
Can you please suggest any solution.

My actual plan is to validate JWT token before serving static content.

modules -I src/http/v2
-o objs/addon/src/ngx_http_auth_jwt_module.o
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’:
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:445:2: error: ignoring return value of ‘fread’, declared with attribute warn_unused_result [-Werror=unused-result]
445 | fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);

I am getting below error in ubuntu after ./configure running "make". Can you please suggest any solution.

My actual plan is to validate JWT token before serving static content.

modules -I src/http/v2 -o objs/addon/src/ngx_http_auth_jwt_module.o ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’: ../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:445:2: error: ignoring return value of ‘fread’, declared with attribute warn_unused_result [-Werror=unused-result] 445 | fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);

I'm too....

I haven't had anytime to play with it so I'm still working towards a solution please update us if you find it.