auth_jwt_extract_var_claims
The `auth_jwt_extract_var_claims` directive extracts specified claims from a JWT and makes them available as NGINX variables.
Description
The auth_jwt_extract_var_claims directive is used to extract specific claims from a JWT (JSON Web Token) and store them as NGINX variables that can be used within the NGINX configuration. This directive requires a space-delimited list of claim names as arguments, and those claims will be processed when a JWT is validated. For example, if you set this directive to extract the sub and exp claims, you can later access them in your configuration as $jwt_claim_sub and $jwt_claim_exp, respectively.
This directive can be used in the http, server, or location contexts, providing flexibility in how you deploy JWT-based authentication and claim extraction across your service architecture. When used in conjunction with other directives, such as auth_jwt_enabled, it enables a highly configurable JWT handling mechanism, allowing NGINX to dynamically evaluate and incorporate security flexible user claims directly into the request processing workflow.
Config Example
location /secure {
auth_jwt_enabled on;
auth_jwt_key /path/to/your.key;
auth_jwt_extract_var_claims sub exp;
proxy_pass http://backend;
}Ensure that the claim names are properly spelled and match those expected in the JWT token.
Extracted claims become available only after successful JWT validation; invalid tokens will not result in claim extraction.
Be cautious about extracting sensitive claims as NGINX variables; ensure they are adequately protected.