Apache HTTP Server Version 2.5
Description: | Token authentication using JWT tokens |
---|---|
Status: | Base |
Module Identifier: | autht_jwt_module |
Source File: | mod_autht_jwt.c |
This module provides token parsing front-ends such as
mod_auth_bearer
the ability to authenticate users
by verifying a JWT token as described in
RFC 7519.
A JWT token is read from the Authorization header with an auth-scheme of Bearer.
When using mod_auth_bearer
this module is invoked
via the
AuthBearerProvider
with the jwt
value.
This module can also be used standalone to generate JWT tokens for passing to a backend server or service. Claims are embedded within a token, which is then optionally signed, and passed using the Authorization header as a Bearer token.
Description: | Set a claim with the given name and expression, or unset the claim with the given name |
---|---|
Syntax: | AuthtJwtVerify [set|unset] name [value] |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_autht_jwt |
The AuthtJwtClaim
directive adds and/or removes
claims from token being passed to the backend server or service.
When a claim is set, the value of the claim is the result of an expression. The expression may include parameters from a digital certificate, or the name of the user that has been authenticated to Apache httpd.
<Location "/secure"> AuthtJwtClaim set sub %{REMOTE_USER} AuthtJwtSign hs256 file "/www/conf/jwt.secret" </Location>
When a claim is unset, the claim previously set is removed from the token.
AuthtJwtClaim set my-claim present <Location "/secure"> AuthtJwtClaim set sub %{REMOTE_USER} AuthtJwtClaim unset my-claim AuthtJwtSign hs256 file "/www/conf/jwt.secret" </Location>
Description: | Sets the name of the underlying crypto driver to use |
---|---|
Syntax: | AuthtJwtDriver name [param[=value]] |
Context: | server config, virtual host |
Status: | Base |
Module: | mod_autht_jwt |
The AuthtJwtDriver
directive specifies the name of
the crypto driver to be used for signing and verification. If not specified,
the driver defaults to the recommended driver compiled into APR-util.
Follow the instructions in the
SessionCryptoDriver
to
set up the driver.
Description: | The JWS signing algorithm and passphrase/key to sign an outgoing JWT token |
---|---|
Syntax: | AuthtJwtSign algorithm [type param] |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_autht_jwt |
The AuthtJwtSign
directive specifies the algorithm
and secret used to sign outgoing bearer tokens passed to a server or service.
If the algorithm type none is selected, the token is not protected. Use only when the client is trusted, and the channel is protected through other means, such as mutually authenticated TLS, or unix domain sockets.
Set the claims to be sent in the token using the
AuthtJwtClaim
directive. The
sub claim is used to pass the remote user.
<Location "/mutual-tls-secured"> AuthtJwtClaim set sub %{REMOTE_USER} AuthtJwtSign none </Location>
If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is set within the file specified as the third parameter. The contents of the bearer token is still visible, and so the channel must still be protected from evesdropping through TLS.
<Location "/secure"> AuthtJwtClaim set sub %{REMOTE_USER} AuthtJwtSign hs256 file "/www/conf/jwt.secret" </Location>
Description: | The JWS signing algorithm and passphrase/key to verify an incoming JWT token |
---|---|
Syntax: | AuthtJwtVerify algorithm [type param] |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_autht_jwt |
The AuthtJwtVerify
directive specifies the algorithm
and secret used to verify incoming bearer tokens.
If the algorithm type none is selected, the token is not protected, and will be accepted as is. Use only when the client is trusted, and the channel is protected through other means, such as mutually authenticated TLS, or unix domain sockets.
If present, the sub claim is assigned to REMOTE_USER.
<Location "/mutual-tls-secured"> AuthType bearer AuthName example-name AuthBearerProvider jwt AuthtJwtVerify none Require valid-user </Location>
If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is set within the file specified as the third parameter. The contents of the bearer token is still visible, and so the channel must still be protected from evesdropping through TLS.
If the signature is verified, and if present, the sub claim is assigned to REMOTE_USER.
<Location "/secure"> AuthType bearer AuthName example-name AuthBearerProvider jwt AuthtJwtVerify hs256 file "/www/conf/jwt.secret" Require valid-user </Location>