auth_jwt_require
The 'auth_jwt_require' directive specifies additional JWT validation criteria in NGINX configurations.
Description
The 'auth_jwt_require' directive defines additional requirements that a JSON Web Token (JWT) must meet to be considered valid during authentication. It takes one or more parameters describing the claims the JWT must carry in order to be accepted, and it can also set the error code returned when the JWT fails these checks, giving finer control over authorization responses.
The parameters express the claims and expected values the token must carry. The directive is used together with 'auth_jwt', which validates the token itself, so that these checks run in addition to signature validation. If a JWT is presented that does not satisfy the requirements, the server responds with the configured error code (usually 401 or 403). This allows fine-grained authorization policies based on JWT content, such as roles, scopes, or other claims required for a specific resource.
In practice, the directive is used in the http, server, or location context and strengthens the security model by enforcing conditions that must hold before access is allowed. For instance, it can refuse access to users whose JWT does not carry the required role claim, which makes it a practical access-control mechanism for protected resources. It must be configured carefully to avoid both unintended access denials and security loopholes: the contents of a JWT can be altered by the client unless its signature is verified, so the claim checks are only as trustworthy as the token validation they build on.
Example config
# auth_jwt_require takes variables and authorizes only when each is non-empty and not "0",
# so the role claim is first mapped to a flag (unmatched values leave it empty, which is denied).
map $jwt_claim_role $jwt_role_is_admin {
    "admin" 1;
}
location /api/secure {
    auth_jwt "secure api";
    auth_jwt_key_file /etc/nginx/jwks.json;   # key file path is a placeholder
    auth_jwt_require $jwt_role_is_admin error=403;
}
Ensure that the claims referenced by 'auth_jwt_require' exactly match the names and values actually present in the JWT, as any mismatch results in access denial.
Be cautious with the chosen error code: 401 signals that authentication is missing or invalid, so it may not be appropriate when the token is valid but the user's role does not permit access; 403 describes that situation more accurately.
Placement matters: put 'auth_jwt_require' in the context (http, server, or location) whose requests it is meant to govern, so it applies to the right locations and to no others.
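As an added example (not the page's own configuration) that goes beyond the single role check above: in NGINX Plus the directive takes one or more variables and authorizes the request only when every one of them is non-empty and not "0", so claim values are normally turned into flags with map; this policy combines a role check with a scope check and uses 403 for a valid token that lacks the right claims. The realm, the key file path, the backend address and the claim names (role, scope as a space-separated string) are assumptions.

```nginx
# Assumed token payload: { "role": "admin", "scope": "orders:read orders:write", ... }
# Each map turns a claim into a flag: "1" when the policy is met, "0" otherwise.
# auth_jwt_require denies when any listed variable is empty or "0", so a
# token without the claim at all (empty variable) is denied as well.
map $jwt_claim_role $jwt_role_ok {
    default    0;
    "admin"    1;
    "operator" 1;
}

# scope is assumed to be a space-separated list; the anchored regex matches
# one entry without also matching a longer scope such as "orders:write-all".
map $jwt_claim_scope $jwt_scope_ok {
    default                    0;
    "~(^| )orders:write( |$)"  1;
}

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key omitted

    # auth_jwt verifies the signature (keys from the assumed JWKS file) and the
    # exp/nbf claims for every location below; it does not inspect role or scope.
    auth_jwt "orders api";
    auth_jwt_key_file /etc/nginx/jwks.json;

    location /api/orders {
        # Read access: any token that passes auth_jwt is accepted.
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }

    location /api/orders/admin {
        # Both flags must be "1". The token itself was valid but lacks the
        # required claims, so answer 403 rather than the default 401, which
        # would suggest that re-authenticating could help.
        auth_jwt_require $jwt_role_ok $jwt_scope_ok error=403;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

Run `nginx -t` after editing; a literal string in place of a variable would always be non-empty and therefore always authorize, which is the loophole the map-to-flag pattern avoids.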