Apache Module mod_auth_bearer

Description: Bearer HTTP authentication
Status: Base
Module Identifier: auth_bearer_module
Source File: mod_auth_bearer.c

Summary

This module allows the use of HTTP Bearer Authentication to restrict access by passing the bearer token to the given providers. This module should be combined with at least one token module such as mod_autht_jwt and one authorization module such as mod_authz_user.

AuthBearerAuthoritative Directive

Description: Sets whether token verification is passed to lower level modules
Syntax: AuthBearerAuthoritative On|Off
Default: AuthBearerAuthoritative On
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_auth_bearer

Normally, each token verification module listed in AuthBearerProvider will attempt to verify the token, and if the token is not found to be valid, access will be denied. Setting the AuthBearerAuthoritative directive explicitly to Off allows for token verification to be passed on to other non-provider-based modules if the token is not recognised. This should only be necessary when combining mod_auth_bearer with third-party modules that are not configured with the AuthBearerProvider directive. When using such modules, the order of processing is determined in the modules' source code and is not configurable.

AuthBearerProvider Directive

Description: Sets the authentication provider(s) for this location
Syntax: AuthBearerProvider provider-name [provider-name] ...
Default: AuthBearerProvider file
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_auth_bearer

The AuthBearerProvider directive sets which provider is used to verify tokens for this location. The default jwt provider is implemented by the mod_autht_jwt module. Make sure that the chosen provider module is present in the server.

Example

<Location "/secure">
    AuthType bearer
    AuthName "private area"
    AuthBearerProvider jwt
    AuthtJwtVerify hs256 file "/www/etc/jwt.secret"
    Require valid-user
</Location>

Providers are queried in order until a provider finds a match for the requested token. This usually means that the token has been correctly signed, or that the token has not expired.

The first implemented provider is mod_autht_jwt.
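
The signature and expiry checks described above can be tried outside the server. The following Python sketch is an added example, not code from mod_autht_jwt or the httpd project: it mints and verifies a compact HS256 token using only the standard library. The secret value, claim names and function names are constructed for illustration, and how the module reads its secret file is not covered here.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def mint_hs256(secret, claims):
    """Build a compact HS256 JWT for testing a protected location."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_hs256(secret, token, now=None):
    """Return the claims if the token is correctly signed and unexpired."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64url(head)), json.loads(unb64url(body))
        given, expected = unb64url(sig), sign(secret, head + "." + body)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; ignore the token's choice
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if exp is not None:
        current = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or current >= exp:
            raise ValueError("expired or invalid exp")
    return claims

def authorization_header(token):
    """Header value a client sends to a location using AuthType bearer."""
    return "Bearer " + token

if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed sample, not a real key
    tok = mint_hs256(secret, {"sub": "alice", "exp": int(time.time()) + 300})
    print("Authorization:", authorization_header(tok))
    print(verify_hs256(secret, tok))
```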

AuthBearerProxy Directive

Description: Pass a bearer authentication token, generated using the given expression, over a proxy connection
Syntax: AuthBearerProxy off|expression
Default: none
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_auth_bearer
Compatibility: Apache HTTP Server 2.5.1 and later

The expression specified is passed as a bearer token in the Authorization header, which is passed to the server or service behind the webserver. The expression is interpreted using the expression parser, which allows the token to be set based on request parameters.

The Authorization header added by this directive is not input into any authentication or authorization within the local server. It is designed to be passed along to upstream servers.

In this example, we pass a fixed token to a backend server.

Fixed Example

<Location "/demo">
    AuthBearerProxy my-fixed-token
</Location>

In this example, we pass the query string as the token to the backend server.

Query String Example

<Location "/secure">
    AuthBearerProxy "%{QUERY_STRING}"
</Location>

In this example, we turn off passing a token to the backend server for a location.

Exclusion Example

<Location "/public">
    AuthBearerProxy off
</Location>
