
Apache Module mod_autht_jwt

Description:Token authentication using JWT tokens
Status:Base
Module Identifier:autht_jwt_module
Source File:mod_autht_jwt.c

Summary

This module provides token-parsing front-ends such as mod_auth_bearer with the ability to authenticate users by verifying a JWT token as described in RFC 7519.

A JWT token is read from the Authorization header with an auth-scheme of Bearer.

When using mod_auth_bearer this module is invoked via the AuthBearerProvider with the jwt value.

This module can also be used standalone to generate JWT tokens for passing to a backend server or service. Claims are embedded within a token, which is then optionally signed, and passed using the Authorization header as a Bearer token.

AuthtJwtClaim Directive

Description:Set a claim with the given name and expression, or unset the claim with the given name
Syntax:AuthtJwtClaim [set|unset] name [value]
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_autht_jwt

The AuthtJwtClaim directive adds and/or removes claims from the token being passed to the backend server or service.

When a claim is set, the value of the claim is the result of an expression. The expression may include parameters from a digital certificate, or the name of the user that has been authenticated to Apache httpd.

Pass Remote User Example

<Location "/secure">
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
</Location>

When a claim is unset, the claim previously set is removed from the token.

Unset Claim Example

AuthtJwtClaim set my-claim present
<Location "/secure">
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtClaim unset my-claim
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
</Location>

AuthtJwtDriver Directive

Description:Sets the name of the underlying crypto driver to use
Syntax:AuthtJwtDriver name [param[=value]]
Context:server config, virtual host
Status:Base
Module:mod_autht_jwt

The AuthtJwtDriver directive specifies the name of the crypto driver to be used for signing and verification. If not specified, the driver defaults to the recommended driver compiled into APR-util.

Follow the instructions in the SessionCryptoDriver to set up the driver.

AuthtJwtSign Directive

Description:The JWS signing algorithm and passphrase/key to sign an outgoing JWT token
Syntax:AuthtJwtSign algorithm [type param]
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_autht_jwt

The AuthtJwtSign directive specifies the algorithm and secret used to sign outgoing bearer tokens passed to a server or service.

If the algorithm type none is selected, the token is not protected. Use only when the client is trusted and the channel is protected through other means, such as mutually authenticated TLS or Unix domain sockets.

Set the claims to be sent in the token using the AuthtJwtClaim directive. The sub claim is used to pass the remote user.

No Verification Example

<Location "/mutual-tls-secured">
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign none
</Location>

If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is read from the file specified as the third parameter. The contents of the bearer token are still visible, so the channel must still be protected from eavesdropping through TLS.

Verification Example

<Location "/secure">
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
</Location>

AuthtJwtVerify Directive

Description:The JWS signing algorithm and passphrase/key to verify an incoming JWT token
Syntax:AuthtJwtVerify algorithm [type param]
Context:directory, .htaccess
Override:AuthConfig
Status:Base
Module:mod_autht_jwt

The AuthtJwtVerify directive specifies the algorithm and secret used to verify incoming bearer tokens.

If the algorithm type none is selected, the token is not protected and will be accepted as is. Use only when the client is trusted and the channel is protected through other means, such as mutually authenticated TLS or Unix domain sockets.

If present, the sub claim is assigned to REMOTE_USER.

No Verification Example

<Location "/mutual-tls-secured">
  AuthType bearer
  AuthName example-name
  AuthBearerProvider jwt
  AuthtJwtVerify none
  Require valid-user
</Location>

If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is read from the file specified as the third parameter. The contents of the bearer token are still visible, so the channel must still be protected from eavesdropping through TLS.

If the signature is verified, and if present, the sub claim is assigned to REMOTE_USER.

Verification Example

<Location "/secure">
  AuthType bearer
  AuthName example-name
  AuthBearerProvider jwt
  AuthtJwtVerify hs256 file "/www/conf/jwt.secret"
  Require valid-user
</Location>
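As an added illustration (not code from mod_autht_jwt itself), the following Python shows what the AuthtJwtSign hs256 and AuthtJwtVerify hs256 directives above do with a compact JWT: the signer builds the token with the sub claim, and the verifier only assigns sub to REMOTE_USER after checking the configured algorithm, the HMAC and any exp claim. The secret is a constructed in-line value; how the module trims the secret file named in the configuration is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret. In httpd this is the contents of the file named by
# "AuthtJwtSign hs256 file ..." (exact file handling by the module is assumed).
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a JWS compact token the way AuthtJwtSign hs256 would for the set claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the token verifies under the configured HS256, else None.
    The header's alg must equal the configured algorithm (the token does not get to
    choose), the MAC must match, and a present exp claim must not have passed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def remote_user(token: str, secret: bytes, now=None):
    """What ends up in REMOTE_USER: the sub claim, only after successful verification."""
    claims = verify_hs256(token, secret, now)
    return None if claims is None else claims.get("sub")
```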
