TeslaGov/ngx-http-auth-jwt-module

Avoid JWT validation

ghunti opened this issue · 7 comments

Hi.
Thanks for your work :-)

We have a use case that might sound strange, but we would like to know if this is something that might make sense to support.
Today, our application (PHP) adds special headers to the response, identifying the client that made the request. Nginx captures those headers and logs them, so it is easy for us to inspect the logs and know who made each request.

We have problems with requests canceled by the client (HTTP status 499), because in those cases, Nginx doesn't wait for the application to respond, and so we have no information about who made the request.

We started looking at this package as a solution, not to authenticate the JWT, but simply to extract the information that we need from it, for those specific cases. We know that we might be logging forged information, but we are ok with that.

The problem is that we don't see any way to use this package without validating the JWT token, which is an issue because we have some endpoints that don't require authentication and we have a "catch-all" location that handles all endpoints:

location ~ \.php$ { ... }

At the end of the day, for us, it would be enough to simply be able to read the JWT claims, if there's a JWT token on the request, but I understand that this might be a case you don't want to give support to.

Thanks for your time

You can use auth_jwt_enabled off to disable JWT introspection for a specific server/location/etc. I'm not sure if this will help in your case, though.

@JoshMcCullough In our case, there's a single location that catches all requests:
location ~ \.php$ { ... }

This includes both authenticated and non-authenticated endpoints. If we use auth_jwt_enabled off inside that location it will turn the feature off for all endpoints, so we won't have access to JWT data anywhere, correct?

So what you're asking for is a mode, e.g. auth_jwt_mode [permissive|enforcing], and in permissive mode it would essentially not throw an error if the JWT was not there or failed to validate; it would allow NGINX to continue its normal work. (And enforcing mode would be what it does now -- the default.)

Yes exactly!

To be honest, it doesn't really "fit" with the goals of this module (enforcing security). Not to say that we wouldn't accept a PR adding this feature, but I'm not sure we (ourselves) would get to it in the short term.

I wonder if you could somehow use a map in NGINX to handle these two cases? I don't think you can but I'm not an expert there.

No problem @JoshMcCullough, I totally understand, and appreciate your responses :-)
I can't do what I need with a map.

Meanwhile, I went ahead, installed Lua, and solved it with a bit of code 😅
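The issue author did not post the Lua code. Below is an added example (written here, not taken from the issue or from ngx-http-auth-jwt-module) of the kind of "permissive" claim extraction discussed above, using lua-nginx-module/OpenResty and lua-cjson. It assumes the token arrives as "Authorization: Bearer <jwt>", that the catch-all location proxies to PHP-FPM over a Unix socket, and that the claim of interest is "sub"; the variable name $jwt_sub, the log format name and the socket path are illustrative.

```nginx
# Added example, not the issue author's code or the module's own config.
# Reads the JWT payload WITHOUT checking the signature, so the logged value
# is untrusted (forgeable) and must only be used as a logging hint.
http {
    # $jwt_sub is empty when there is no token or it cannot be parsed.
    log_format jwt_audit '$remote_addr - [$time_local] "$request" $status '
                         'jwt_sub="$jwt_sub"';

    server {
        listen 80;
        access_log /var/log/nginx/access.log jwt_audit;

        location ~ \.php$ {
            # Variable must be declared before Lua can assign to it.
            set $jwt_sub "";

            # The access phase runs before the upstream is contacted, so the
            # value is already set when a client cancels (499) and the log
            # phase fires without any response from PHP.
            access_by_lua_block {
                local cjson = require "cjson.safe"   -- returns nil on bad JSON

                local auth = ngx.var.http_authorization
                if not auth then return end
                local token = auth:match("^[Bb]earer%s+(%S+)$")
                if not token then return end

                -- A JWT is header.payload.signature; only the payload is read.
                local payload_b64 = token:match("^[^.]+%.([^.]+)%.[^.]+$")
                if not payload_b64 then return end

                -- base64url -> standard base64 with padding for ngx.decode_base64
                local b64 = payload_b64:gsub("%-", "+"):gsub("_", "/")
                local rem = #b64 % 4
                if rem > 0 then b64 = b64 .. string.rep("=", 4 - rem) end

                local json = ngx.decode_base64(b64)
                if not json then return end
                local claims = cjson.decode(json)
                if type(claims) ~= "table" then return end

                if type(claims.sub) == "string" then
                    -- Replace control characters and quotes so an attacker
                    -- cannot inject fake fields or line breaks into the log.
                    ngx.var.jwt_sub = claims.sub:gsub("[%c\"]", "_")
                end
            }

            fastcgi_pass unix:/run/php-fpm.sock;
            include fastcgi_params;
        }
    }
}
```

Unauthenticated endpoints under the same location are unaffected because the block never rejects a request; it only fills $jwt_sub when a parseable token is present. Since nothing is verified, the value must never drive authorization or be trusted in an investigation on its own: treat it as a correlation hint and keep the application's own headers as the authoritative identity for requests that did complete.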

Okay, glad you got it working!