@@ -24,6 +24,7 @@ typedef struct {
2424 ngx_flag_t auth_jwt_enabled ;
2525 ngx_flag_t auth_jwt_redirect ;
2626 ngx_str_t auth_jwt_validation_type ;
27+ ngx_str_t auth_jwt_algorithm ;
2728
2829} ngx_http_auth_jwt_loc_conf_t ;
2930
@@ -70,6 +71,13 @@ static ngx_command_t ngx_http_auth_jwt_commands[] = {
7071 offsetof(ngx_http_auth_jwt_loc_conf_t , auth_jwt_validation_type ),
7172 NULL },
7273
74+ { ngx_string ("auth_jwt_algorithm" ),
75+ NGX_HTTP_MAIN_CONF |NGX_HTTP_SRV_CONF |NGX_HTTP_LOC_CONF |NGX_CONF_TAKE1 ,
76+ ngx_conf_set_str_slot ,
77+ NGX_HTTP_LOC_CONF_OFFSET ,
78+ offsetof(ngx_http_auth_jwt_loc_conf_t , auth_jwt_algorithm ),
79+ NULL },
80+
7381 ngx_null_command
7482};
7583
@@ -122,6 +130,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
122130 ngx_str_t email_t ;
123131 time_t exp ;
124132 time_t now ;
133+ ngx_str_t auth_jwt_algorithm ;
125134
126135 jwtcf = ngx_http_get_module_loc_conf (r , ngx_http_auth_jwt_module );
127136
@@ -137,15 +146,29 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
137146 goto redirect ;
138147 }
139148
140- // convert key from hex to binary
141- keyBinary = ngx_palloc (r -> pool , jwtcf -> auth_jwt_key .len / 2 );
142- if (0 != hex_to_binary ((char * )jwtcf -> auth_jwt_key .data , keyBinary , jwtcf -> auth_jwt_key .len ))
149+ // convert key from hex to binary, if a symmetric key
150+
151+ auth_jwt_algorithm = jwtcf -> auth_jwt_algorithm ;
152+ if (auth_jwt_algorithm .len == 0 || (auth_jwt_algorithm .len == sizeof ("HS256" ) - 1 && ngx_strncmp (auth_jwt_algorithm .data , "HS256" , sizeof ("HS256" ) - 1 )== 0 ))
143153 {
144- ngx_log_error (NGX_LOG_ERR , r -> connection -> log , 0 , "failed to turn hex key into binary" );
145- goto redirect ;
154+ ngx_log_debug (NGX_LOG_DEBUG , r -> connection -> log , 0 , "got to 0" );
155+ keyBinary = ngx_palloc (r -> pool , jwtcf -> auth_jwt_key .len / 2 );
156+ if (0 != hex_to_binary ((char * )jwtcf -> auth_jwt_key .data , keyBinary , jwtcf -> auth_jwt_key .len ))
157+ {
158+ ngx_log_error (NGX_LOG_ERR , r -> connection -> log , 0 , "failed to turn hex key into binary" );
159+ goto redirect ;
160+ }
161+ }
162+ else if ( auth_jwt_algorithm .len == sizeof ("RS256" ) - 1 && ngx_strncmp (auth_jwt_algorithm .data , "RS256" , sizeof ("RS256" ) - 1 ) == 0 ) )
163+ {
164+ // in this case, 'Binary' is a misnomer, as it is the private key string itself
165+ ngx_log_debug (NGX_LOG_DEBUG , r -> connection -> log , 0 , "got to 1" );
166+ keyBinary = ngx_palloc (r -> pool , jwtcf -> auth_jwt_key .len );
167+ ngx_str_set (keyBinary , auth_jwt_key .data );
146168 }
147169
148170 // validate the jwt
171+ ngx_log_debug (NGX_LOG_DEBUG , r -> connection -> log , 0 , "trying to decode JWT" );
149172 jwtParseReturnCode = jwt_decode (& jwt , jwtCookieValChrPtr , keyBinary , jwtcf -> auth_jwt_key .len / 2 );
150173 if (jwtParseReturnCode != 0 )
151174 {
@@ -155,7 +178,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
155178
156179 // validate the algorithm
157180 alg = jwt_get_alg (jwt );
158- if (alg != JWT_ALG_HS256 )
181+ if (alg != JWT_ALG_HS256 && alg != JWT_ALG_RS256 )
159182 {
160183 ngx_log_error (NGX_LOG_ERR , r -> connection -> log , 0 , "invalid algorithm in jwt %d" , alg );
161184 goto redirect ;
0 commit comments