TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

Avoid JWT validation #123

Closed. ghunti closed this 8 months ago

ghunti commented 8 months ago

Hi. Thanks for your work :-)

We have a use case that might sound strange, but we would like to know if this is something that might make sense to support. Today, our application (PHP) adds special headers to the response, identifying the client that made the request. Nginx captures those headers and logs them, so it is easy for us to inspect the logs and know who made each request.

We have problems with requests canceled by the client (HTTP status 499), because in those cases, Nginx doesn't wait for the application to respond, and so we have no information about who made the request.

We started looking at this package as a solution, not to authenticate the JWT, but simply to extract the information that we need from it, for those specific cases. We know that we might be logging forged information, but we are ok with that.

The problem is that we don't see any way to use this package without validating the JWT token, which is an issue because we have some endpoints that don't require authentication and we have a "catch-all" location that handles all endpoints:

location ~ \.php$ { ... }

At the end of the day, for us, it would be enough to simply be able to read the JWT claims, if there's a JWT token on the request, but I understand that this might be a case you don't want to give support to.

Thanks for your time

JoshMcCullough commented 8 months ago

You can use auth_jwt_enabled off to disable JWT introspection for a specific server/location/etc. I'm not sure if this will help in your case, though.

ghunti commented 8 months ago

@JoshMcCullough In our case, there's a single location that catches all requests: location ~ \.php$ { ... }

This includes both authenticated and non-authenticated endpoints. If we use auth_jwt_enabled off inside that location it will turn the feature off for all endpoints, so we won't have access to JWT data anywhere, correct?

JoshMcCullough commented 8 months ago

So what you're asking for is a mode, e.g. auth_jwt_mode [permissive|enforcing], and in permissive mode, it would essentially not throw an error if the JWT was not there or failed to validate; it would allow NGINX to continue its normal work. (And enforcing mode would be what it does now -- the default.)

ghunti commented 8 months ago

Yes exactly!

JoshMcCullough commented 8 months ago

To be honest, it doesn't really "fit" with the goals of this module (enforcing security). Not to say that we wouldn't accept a PR adding this feature, but I'm not sure we (ourselves) would get to it in the short term.

I wonder if you could somehow use a map in NGINX to handle these two cases? I don't think you can but I'm not an expert there.

ghunti commented 8 months ago

No problem @JoshMcCullough, I totally understand, and appreciate your responses :-) I can't do what I need with a map.

Meanwhile, I went ahead, installed Lua, and solved it with a bit of code 😅
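
The reporter's Lua code is not shown in the thread. The following is an added example, not the reporter's code and not part of ngx-http-auth-jwt-module, of what such a log-only approach looks like: it assumes OpenResty (lua-nginx-module with lua-cjson), reads the bearer token in the access phase so the value exists even when the client cancels and NGINX logs 499, and deliberately names the log field "unverified" because the signature is never checked, so the value is client-supplied and may be forged. The variable, log format and fastcgi_pass target are constructed placeholders.

```nginx
# Constructed example: log the "sub" claim of a bearer JWT WITHOUT validating it.
log_format jwt_audit '$remote_addr "$request" $status jwt_sub_unverified=$jwt_sub_unverified';

server {
    access_log /var/log/nginx/access.log jwt_audit;

    location ~ \.php$ {
        # Must be declared with "set" so Lua may assign ngx.var.jwt_sub_unverified.
        set $jwt_sub_unverified "-";

        access_by_lua_block {
            -- Runs before the upstream is contacted, so the value is already set
            -- when a cancelled request is logged with status 499.
            local auth = ngx.var.http_authorization
            if not auth then return end
            local token = auth:match("^[Bb]earer%s+(.+)$")
            if not token then return end
            -- Keep only the middle (payload) segment of header.payload.signature.
            local payload = token:match("^[^.]+%.([^.]+)%.[^.]+$")
            if not payload then return end
            -- base64url -> standard base64 with padding, as ngx.decode_base64 expects.
            payload = payload:gsub("%-", "+"):gsub("_", "/")
            payload = payload .. string.rep("=", (4 - #payload % 4) % 4)
            local json = ngx.decode_base64(payload)
            if not json then return end
            local claims = require("cjson.safe").decode(json)
            if type(claims) ~= "table" or claims.sub == nil then return end
            -- The signature is NOT checked: treat this as untrusted input. Replace
            -- control characters and quotes so a crafted claim cannot mangle the log line.
            local sub = tostring(claims.sub):sub(1, 128):gsub("[%c\"]", "?")
            ngx.var.jwt_sub_unverified = sub
        }

        fastcgi_pass unix:/run/php/php-fpm.sock;  # placeholder upstream
    }
}
```

Because the claim is never authenticated, the field is only useful for correlation with the application's own (authenticated) headers on completed requests, never as an audit source on its own.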

JoshMcCullough commented 8 months ago

Okay, glad you got it working!