apache/docs/manual/mod/mod_autht_jwt.html.en.utf8

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>mod_autht_jwt - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.5</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_autht_jwt</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Token authentication using JWT tokens</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>autht_jwt_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_autht_jwt.c</td></tr></table>
<h3>Summary</h3>

    <p>This module provides token parsing front-ends such as
    <code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> the ability to authenticate users
    by verifying a JWT token as described in
    <a href="http://www.ietf.org/rfc/rfc7519.txt">RFC 7519</a>.</p>

    <p>A JWT token is read from the <var>Authorization</var> header
    with an <var>auth-scheme</var> of <var>Bearer</var>.</p>

    <p>When using <code class="module"><a href="../mod/mod_auth_bearer.html">mod_auth_bearer</a></code> this module is invoked
    via the
    <code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
    with the <code>jwt</code> value.</p>

    <p>This module can also be used standalone to generate JWT tokens
    for passing to a backend server or service. Claims are embedded within
    a token, which is then optionally signed, and passed using the
    <var>Authorization</var> header as a <var>Bearer</var> token.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtclaim">AuthtJwtClaim</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtdriver">AuthtJwtDriver</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtsign">AuthtJwtSign</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authtjwtverify">AuthtJwtVerify</a></li>
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_autht_jwt">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_autht_jwt">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li>
  <code class="directive"><a href="../mod/mod_auth_bearer.html#authbearerprovider">AuthBearerProvider</a></code>
</li>
<li><a href="#comments_section">Comments</a></li></ul></div>

<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthtJwtClaim" id="AuthtJwtClaim">AuthtJwtClaim</a> <a name="authtjwtclaim" id="authtjwtclaim">Directive</a> <a title="Permanent link" href="#authtjwtclaim" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set a claim with the given name and expression, or unset the claim with the given name</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>[set|unset]</var> <var>name</var> [<var>value</var>]</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
</table>
    <p>The <code class="directive">AuthtJwtClaim</code> directive adds and/or removes
    claims from token being passed to the backend server or service.</p>

    <p>When a claim is set, the value of the claim is the result of an expression. The
    expression may include parameters from a digital certificate, or the name of the
    user that has been authenticated to Apache httpd.</p>

    <div class="example"><h3>Pass Remote User Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
&lt;/Location&gt;</pre>
</div>

    <p>When a claim is unset, the claim previously set is removed from the token.</p>

    <div class="example"><h3>Unset Claim Example</h3><pre class="prettyprint lang-config">AuthtJwtClaim set my-claim present
&lt;Location "/secure"&gt;
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtClaim unset my-claim
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
&lt;/Location&gt;</pre>
</div>


</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthtJwtDriver" id="AuthtJwtDriver">AuthtJwtDriver</a> <a name="authtjwtdriver" id="authtjwtdriver">Directive</a> <a title="Permanent link" href="#authtjwtdriver" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the name of the underlying crypto driver to
use</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtDriver <var>name</var> <var>[param[=value]]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
</table>
    <p>The <code class="directive">AuthtJwtDriver</code> directive specifies the name of
    the crypto driver to be used for signing and verification. If not specified,
    the driver defaults to the recommended driver compiled into APR-util.</p>

    <p>Follow the instructions in the
    <code class="directive"><a href="../mod/mod_session_crypto.html#sessioncryptodriver">SessionCryptoDriver</a></code> to
    set up the driver.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthtJwtSign" id="AuthtJwtSign">AuthtJwtSign</a> <a name="authtjwtsign" id="authtjwtsign">Directive</a> <a title="Permanent link" href="#authtjwtsign" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to sign an outgoing
JWT token</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtSign <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
</table>
    <p>The <code class="directive">AuthtJwtSign</code> directive specifies the algorithm
    and secret used to sign outgoing bearer tokens passed to a server or service.</p>

    <p>If the algorithm type <var>none</var> is selected, the token is not
    protected. Use only when the client is trusted, and the channel is protected
    through other means, such as mutually authenticated TLS, or unix domain sockets.</p>

    <p>Set the claims to be sent in the token using the
    <code class="directive"><a href="#authtjwtclaim">AuthtJwtClaim</a></code> directive. The
    <var>sub</var> claim is used to pass the remote user.</p>

    <div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/mutual-tls-secured"&gt;
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign none
&lt;/Location&gt;</pre>
</div>

    <p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
    <var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
    as the third parameter. The contents of the bearer token is still visible, and so
    the channel must still be protected from evesdropping through TLS.</p>

    <div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign hs256 file "/www/conf/jwt.secret"
&lt;/Location&gt;</pre>
</div>


</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthtJwtVerify" id="AuthtJwtVerify">AuthtJwtVerify</a> <a name="authtjwtverify" id="authtjwtverify">Directive</a> <a title="Permanent link" href="#authtjwtverify" class="permalink">&para;</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The JWS signing algorithm and passphrase/key to verify an incoming
JWT token</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthtJwtVerify <var>algorithm</var> [<var>type</var> <var>param</var>]</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_autht_jwt</td></tr>
</table>
    <p>The <code class="directive">AuthtJwtVerify</code> directive specifies the algorithm
    and secret used to verify incoming bearer tokens.</p>

    <p>If the algorithm type <var>none</var> is selected, the token is not
    protected, and will be accepted as is. Use only when the client is trusted, and the
    channel is protected through other means, such as mutually authenticated TLS, or
    unix domain sockets.</p>

    <p>If present, the <var>sub</var> claim is assigned to REMOTE_USER.</p>

    <div class="example"><h3>No Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/mutual-tls-secured"&gt;
  AuthType bearer
  AuthName example-name
  AuthBearerProvider jwt
  AuthtJwtVerify none
  Require valid-user
&lt;/Location&gt;</pre>
</div>

    <p>If the algorithm type <var>HS256</var> is used, the algorithm is set to
    <var>HMAC-SHA256</var>, and the secret is set within the <var>file</var> specified
    as the third parameter. The contents of the bearer token is still visible, and so
    the channel must still be protected from evesdropping through TLS.</p>

    <p>If the signature is verified, and if present, the <var>sub</var> claim is
    assigned to REMOTE_USER.</p>

    <div class="example"><h3>Verification Example</h3><pre class="prettyprint lang-config">&lt;Location "/secure"&gt;
  AuthType bearer
  AuthName example-name
  AuthBearerProvider jwt
  AuthtJwtVerify hs256 file "/www/conf/jwt.secret"
  Require valid-user
&lt;/Location&gt;</pre>
</div>


</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_autht_jwt.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_autht_jwt.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_autht_jwt.html';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    }
    else {
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
    }
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>