auth_jwt_extract_request_claims

The `auth_jwt_extract_request_claims` directive extracts specific claims from a JWT and sets them as request headers.

Syntax: `auth_jwt_extract_request_claims claim1 claim2 ...;`
Default: none
Context: http, server, location
Arguments: 1+

Description

The `auth_jwt_extract_request_claims` directive is valid in `http`, `server`, and `location` blocks. It specifies which claims from a JSON Web Token (JWT) should be extracted and placed as headers on the incoming request, so that downstream services have access to the relevant information embedded in the JWT. The directive takes one or more arguments, each the name of a claim to extract. For instance, if your JWT contains claims like `sub` or `role`, you can list them so that they are included in the headers of the HTTP request.

This directive works in conjunction with the JWT verification process. Once the JWT is validated, the specified claims are parsed and added as headers. These headers can be accessed in further processing stages of request handling, allowing for enriched context or authentication information to be leveraged by web applications. Importantly, the behavior of this directive assumes that JWTs are being processed correctly; if the JWT verification fails, claims will not be extracted, and thus the corresponding headers will not be set.

Usage is straightforward: include the directive in your configuration wherever you need JWT claims extracted to headers. It is useful for authorization tasks, such as role checking or user identification based on claims included in the JWT.

Config Example

```nginx
location /protected {
    auth_jwt_enabled on;
    auth_jwt_key /path/to/your/jwt_key;
    auth_jwt_location header;
    auth_jwt_extract_request_claims sub role;
}
```

Make sure the JWT is validated before extracting claims; otherwise, claims may not be available.

Specifying a claim that does not exist in the JWT will still create an empty header without any errors.

Be cautious of header name collisions with existing request headers. Claims extracted become headers.
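
The notes above describe three states a downstream service can see: no claim header at all (verification failed or did not run), an empty header (claim absent from the token), and a header name that collides with another request header. The following is an added example, not code from the module or this page, of a downstream check that fails closed on all three. The header names `JWT-sub` and `JWT-role` are assumptions; substitute the names your deployment actually emits.

```python
# Added example: downstream-side validation of claim headers set by the proxy.
# Header names are ASSUMED for illustration; this page does not state them.
CLAIM_HEADERS = {"sub": "JWT-sub", "role": "JWT-role"}


class ClaimError(Exception):
    """Raised when claim headers cannot be trusted as-is."""


def read_claims(raw_headers, claim_headers=CLAIM_HEADERS):
    """Return {claim: value} from a list of (name, value) header pairs.

    Fails closed on the cases the notes warn about:
    - header absent (JWT verification failed or did not run),
    - header present but empty (claim missing from the token),
    - header present more than once (collision with another header).
    """
    claims = {}
    for claim, header in claim_headers.items():
        values = [v.strip() for n, v in raw_headers if n.lower() == header.lower()]
        if not values:
            raise ClaimError(f"{header}: absent")
        if len(values) > 1:
            raise ClaimError(f"{header}: sent {len(values)} times")
        if not values[0]:
            raise ClaimError(f"{header}: empty, claim '{claim}' not in token")
        claims[claim] = values[0]
    return claims


def is_authorized(raw_headers, required_role):
    """True only if every claim header is well-formed and the role matches."""
    try:
        claims = read_claims(raw_headers)
    except ClaimError:
        return False
    return claims["role"] == required_role


# Constructed sample requests as the downstream service would receive them.
SAMPLES = {
    "ok": [("Host", "app.internal"), ("JWT-sub", "alice"), ("JWT-role", "admin")],
    "missing_claim": [("JWT-sub", "alice"), ("JWT-role", "")],
    "collision": [("JWT-sub", "alice"), ("JWT-role", "user"), ("jwt-role", "admin")],
    "unverified": [("Host", "app.internal")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, is_authorized(headers, "admin"))
```

The check takes the raw header list rather than a merged dictionary because many frameworks silently join or overwrite repeated headers, which would hide a collision.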
