Skip to content

Latest commit

 

History

History
 
 

jwt

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

Support for JSON Web Tokens (JWTs)

NGINX Plus supports validating JWTs with ngx_http_auth_jwt_module.

The Ingress controller provides the following 4 annotations for configuring JWT validation:

  • Required: nginx.com/jwt-key: "secret" -- specifies a Secret resource with keys for validating JWTs. The keys must be stored in the jwk data field.
  • Optional: nginx.com/jwt-realm: "realm" -- specifies a realm.
  • Optional: nginx.com/jwt-token: "token" -- specifies a variable that contains JSON Web Token. By default, a JWT is expected in the Authorization header as a Bearer Token.
  • Optional: nginx.com/jwt-login-url: "url" -- specifies a URL to which a client is redirected in case of an invalid or missing JWT.

Example 1: the Same JWT Key for All Paths

In the following example we enable JWT validation for the cafe-ingress Ingress for all paths using the same key cafe-jwk:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    nginx.com/jwt-key: "cafe-jwk" 
    nginx.com/jwt-realm: "Cafe App"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login.example.com"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
  • The keys must be deployed separately in the Secret cafe-jwk.
  • The realm is Cafe App.
  • The token is extracted from the auth_token cookie.
  • The login URL is https://login.example.com.

Example 2: a Separate JWT Key Per Path

In the following example we enable JWT validation for the mergeable Ingresses with a separate JWT key per path:

  • Master:

    apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-master
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "master"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com

  • Tea minion:

    apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-tea-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
    nginx.com/jwt-key: "tea-jwk" 
    nginx.com/jwt-realm: "Tea"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login-tea.cafe.example.com"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80

  • Coffee minion:

    apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-coffee-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
    nginx.com/jwt-key: "coffee-jwk" 
    nginx.com/jwt-realm: "Coffee"  
    nginx.com/jwt-token: "$cookie_auth_token"
    nginx.com/jwt-login-url: "https://login-coffee.cafe.example.com"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80