Merge branch 'feature/rs256-key-file' of github.com:penumbra23/ngx-http-auth-jwt-module into feature/rs256-key-file

branimirbamfan · branimirbamfan · commit 35e0953716c4 · 2020-08-18T10:28:40.000+02:00
diff --git a/README.md b/README.md
@@ -45,11 +45,13 @@ auth_jwt_loginurl "https://yourdomain.com/loginpage";
 auth_jwt_enabled on;
 auth_jwt_algorithm HS256; # or RS256
 auth_jwt_validate_email on;  # or off
+auth_jwt_use_keyfile off; # or on
+auth_jwt_keyfile_path "/app/pub_key";
 ```
 
 The default algorithm is 'HS256', for symmetric key validation.  When using HS256, the value for `auth_jwt_key` should be specified in binhex format.  It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above.  Note that using more than 512 bits will not increase the security.  For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
 
-The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key.
+The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key **OR** `auth_jwt_use_keyfile` should be set to `on` with the `auth_jwt_keyfile_path` set to the public key path (which defaults to `"/app/pub_key"`).
 That is the public key, rather than a PEM certificate.  I.e.:
 
 ```
@@ -64,6 +66,13 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
+**OR**
+
+```
+auth_jwt_use_keyfile on;
+auth_jwt_keyfile_path "/etc/nginx/pub_key.pem";
+```
+
 A typical use would be to specify the key and loginurl on the main level
 and then only turn on the locations that you want to secure (not the login page).
 Unauthorized requests are given 302 "Moved Temporarily" responses with a ___location of the specified loginurl.
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -29,8 +29,8 @@ typedef struct {
 	ngx_flag_t   auth_jwt_redirect;
 	ngx_str_t    auth_jwt_validation_type;
 	ngx_str_t    auth_jwt_algorithm;
-	ngx_flag_t	 auth_jwt_use_keyfile;
-	ngx_str_t	 auth_jwt_keyfile_path;
+	ngx_flag_t   auth_jwt_use_keyfile;
+	ngx_str_t    auth_jwt_keyfile_path;
 	ngx_flag_t   auth_jwt_validate_email;
 
 } ngx_http_auth_jwt_loc_conf_t;
