mod_autht_jwt
Description: Token authentication using JWT tokens
Status: Base
Module Identifier: autht_jwt_module
Source File: mod_autht_jwt.c

This module gives token parsing front-ends such as mod_auth_bearer the ability to authenticate users by verifying a JWT token as described in RFC 7519.

A JWT token is read from the Authorization header with an auth-scheme of Bearer.

When using mod_auth_bearer, this module is invoked via the AuthBearerProvider directive with the value jwt.

This module can also be used standalone to generate JWT tokens for passing to a backend server or service. Claims are embedded within a token, which is then optionally signed, and passed using the Authorization header as a Bearer token.

See also: AuthBearerProvider

AuthtJwtDriver directive
Description: Sets the name of the underlying crypto driver to use
Syntax: AuthtJwtDriver name [param[=value]]
Context: server config, virtual host

The AuthtJwtDriver directive specifies the name of the crypto driver to be used for signing and verification. If not specified, the driver defaults to the recommended driver compiled into APR-util.

Follow the instructions given for the SessionCryptoDriver directive to set up the driver.

AuthtJwtVerify directive
Description: The JWS signing algorithm and passphrase/key to verify an incoming JWT token
Syntax: AuthtJwtVerify algorithm [type param]
Context: directory, .htaccess
Override: AuthConfig

The AuthtJwtVerify directive specifies the algorithm and secret used to verify incoming bearer tokens.

If the algorithm type none is selected, the token is not protected and will be accepted as is. Use this only when the client is trusted and the channel is protected through other means, such as mutually authenticated TLS or Unix domain sockets.

If present, the sub claim is assigned to REMOTE_USER.

No Verification Example

    <Location "/mutual-tls-secured">
        AuthType bearer
        AuthName example-name
        AuthBearerProvider jwt
        AuthtJwtVerify none
        Require valid-user
    </Location>

If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is read from the file specified as the third parameter. The contents of the bearer token are still visible, so the channel must still be protected from eavesdropping through TLS.

If the signature is verified and the sub claim is present, the sub claim is assigned to REMOTE_USER.

Verification Example

    <Location "/secure">
        AuthType bearer
        AuthName example-name
        AuthBearerProvider jwt
        AuthtJwtVerify hs256 file "/www/conf/jwt.secret"
        Require valid-user
    </Location>

AuthtJwtSign directive
Description: The JWS signing algorithm and passphrase/key to sign an outgoing JWT token
Syntax: AuthtJwtSign algorithm [type param]
Context: directory, .htaccess
Override: AuthConfig

The AuthtJwtSign directive specifies the algorithm and secret used to sign outgoing bearer tokens passed to a server or service.

If the algorithm type none is selected, the token is not protected. Use this only when the client is trusted and the channel is protected through other means, such as mutually authenticated TLS or Unix domain sockets.

Set the claims to be sent in the token using the AuthtJwtClaim directive. The sub claim is used to pass the remote user.

No Signing Example

    <Location "/mutual-tls-secured">
        AuthtJwtClaim set sub %{REMOTE_USER}
        AuthtJwtSign none
    </Location>

If the algorithm type HS256 is used, the algorithm is set to HMAC-SHA256, and the secret is read from the file specified as the third parameter. The contents of the bearer token are still visible, so the channel must still be protected from eavesdropping through TLS.

Signing Example

    <Location "/secure">
        AuthtJwtClaim set sub %{REMOTE_USER}
        AuthtJwtSign hs256 file "/www/conf/jwt.secret"
    </Location>
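To make the HS256 behaviour of AuthtJwtSign and AuthtJwtVerify concrete, here is an added example (not code from mod_autht_jwt) that signs a token carrying a sub claim, verifies it, and maps sub to REMOTE_USER only after the signature checks out. The secret is a constructed stand-in for the contents of /www/conf/jwt.secret; note that a verifier configured for hs256 must reject a token whose header claims alg none, since only the none-verification configuration accepts unprotected tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the secret that would be read from /www/conf/jwt.secret.
SECRET = b"constructed-example-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Counterpart of 'AuthtJwtSign hs256': JWS compact serialization with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Counterpart of 'AuthtJwtVerify hs256': returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The configured algorithm is authoritative, not the token's own header:
    # honouring a client-supplied "none" here would skip verification entirely.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def remote_user(token: str, secret: bytes):
    """Value that REMOTE_USER would receive: the sub claim after verification, else None."""
    try:
        return verify_hs256(token, secret).get("sub")
    except ValueError:  # covers malformed base64 and JSON as well as our own rejections
        return None
```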
AuthtJwtClaim directive
Description: Set a claim with the given name and expression, or unset the claim with the given name
Syntax: AuthtJwtClaim [set|unset] name [value]
Context: directory, .htaccess
Override: AuthConfig

The AuthtJwtClaim directive adds claims to, and/or removes claims from, the token being passed to the backend server or service.

When a claim is set, the value of the claim is the result of an expression. The expression may include parameters from a digital certificate, or the name of the user that has been authenticated to Apache httpd.

Pass Remote User Example

    <Location "/secure">
        AuthtJwtClaim set sub %{REMOTE_USER}
        AuthtJwtSign hs256 file "/www/conf/jwt.secret"
    </Location>

When a claim is unset, a claim of that name set in an enclosing context is removed from the token.

Unset Claim Example

    AuthtJwtClaim set my-claim present
    <Location "/secure">
        AuthtJwtClaim set sub %{REMOTE_USER}
        AuthtJwtClaim unset my-claim
        AuthtJwtSign hs256 file "/www/conf/jwt.secret"
    </Location>