Debian jessie, Apache/2.4.10.

Error after installation:

apache2: Cannot load /usr/lib/apache2/modules/mod_authnz_jwt.so into server: libjwt.so.0: cannot open shared object file: No such file or directory

ldd:

ldd /usr/lib/apache2/modules/mod_authnz_jwt.so
libjwt.so.0 => not found

Fix:

cp /usr/local/lib/libjwt.* /lib/x86_64-linux-gnu/

ldd:

ldd /usr/lib/apache2/modules/mod_authnz_jwt.so
libjwt.so.0 => /usr/local/lib/libjwt.so.0

If a token does not contain the exp claim, then authorization is not completed (Check starts at line 1165 of mod_authnz_jwt.c. However, JWT RFC clearly states the exp claim is optional (https://tools.ietf.org/html/rfc7519#section-4.1.4)

Signature keys (e.g., the ones specified in httpd.conf with AuthJWTSignatureSharedSecret) are assumed to be null-terminated C-strings. This is a problem if the signature key contains a null byte as part of it, which is entirely legal and not uncommon for encryption keys.

This could be fixed by using functions like strncpy instead of strcpy and passing around the length of the keys.

Can't locate API module structure `authnz_jwt_module' in file /etc/httpd/modules/mod_authnz_jwt.so: /usr/lib64/httpd/modules/mod_authnz_jwt.so: undefined symbol: authnz_jwt_module.

some oidc providers like for example https://github.com/dexidp/dex produce jwt's with claim fields nested.

For example:

{
  "iss": "..."
  "federated_claims": {
    "connector_id": "ldap",
    "user_id": "userid"
  }
}

As far as I can tell this module does not support these claims for e.g. Require jwt-claim or AuthJWTAttributeUsername

Would it make sense to add support for these type of claims in this module?
E.g. via federated_claims.user_ud

We are currently using LDAP Basic Auth with group checking in a reverse proxy setup, which we'd like to switch to a JWT cookie setup, but are running into problems.

We are successful using the file auth provider, posting the credentials to the login-handler, receiving the JWT cookie in return.
But when we switch to AuthJWTProvider ldap, we are unable to use the "Require ldap-group" directive in the login configuration. Is this currently not supported?
Even better would be the possibility to check groups on each individual secured path, so you'd be able to have different requirements for each, but I assume that would require the assigned groups to be stored in the cookie and then checked on access, and I don't think that's possible.

    AuthJWTFormUsername user
    AuthJWTFormPassword password
    AuthJWTAttributeUsername user
    AuthJWTSignatureAlgorithm HS256
    AuthJWTSignatureSharedSecret sikrit
    AuthJWTCookieName ProxyJWT
    AuthJWTExpDelay 1800
    AuthJWTNbfDelay 0
    AuthJWTIss demo.company.com
    AuthJWTAud demo
    AuthJWTLeeway 10

    AuthJWTDeliveryType Cookie
    AuthJWTCookieAttr "Secure; HttpOnly; SameSite=Strict; Path=/"

    <Directory /var/www/html/demo/secured/>
        AllowOverride None
        AuthType jwt-cookie
        AuthName "jwt private area"
        Require valid-user
    </Directory>

    <Location /demo/login>
        SetHandler jwt-login-handler
        AuthJWTProvider ldap
        AuthLDAPURL    "ldap://ldaphost:389/ou=People,dc=company,dc=com?uid,cn,mail?sub?(objectClass=*)"
        AuthLDAPBindDN "cn=admin,dc=company,dc=com"
        AuthLDAPGroupAttribute "memberUid"
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPBindPassword "anotherSikrit"
        AuthLDAPRemoteUserAttribute "uid"
        Require ldap-group cn=mygroup,ou=Group,dc=company,dc=com
    </Location>

We are utilizing Apache HTTP server as a gateway in AWS for APIs and front-end web code in S3 buckets. We currently use mod_auth_mellon for authentication and pass user information in headers back to our API's when a client successfully authenticates.

We are looking to switch to AWS Cognito for authentication utilizing JWT.

I have been experimenting with your module. On it's own, I can utilize JWT to grant access to protected URI's. When I attempt to utilize it with Cognito, I am running into errors.

Steps used to recreate:

1. Harvest jwks.json for our specific user pool in Cognito.
   https://cognito-idp.us-east-1.amazonaws.com//.well-known/jwks.json
   I pull the one public key from it that our JWT tokens are signed with.
2. Run that public key through the following process: Convert it to pem: https://runkit.com/npm/jwk-to-pem
3. Trim out all unnecessary info from pem: openssl rsa -inform pem -in FILEPATH.pem -pubin -pubout -RSAPublicKey_in

When I put the JWT token I have and the fully processed pem into the debugger on https://jwt.io, the signature validates correctly. However, when I throw them into Apache utilizing mod_authz_jwt, I get an invalid token and/or invalid signature error.

The problem is 2-fold, Cognito exposes 2 keys through the jwks.json and this module claims invalid token/signature when converting one of the keys for static use. Can you modify this module so I can pass it the URL for the jwks.json file and have the module harvest and covert those keys?

HI,
I am using this module for test JWT with apache HTTPD, but I am getting this error during the test on http log

Apache conf for test

ScreenShot of the browser

 Could you help me with this problem?

Thanks,

Hi,

Thanks for your module.

I am trying to use your module for authentication. But when I try to post user and password to url. Its returning unauthenticated.

I am using same configuration from example
`<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog /var/www/example.com/error.log
CustomLog /var/www/example.com/requests.log combined

# default values
#AuthJWTFormUsername user
#AuthJWTFormPassword password
#AuthJWTAttributeUsername user

AuthJWTSignatureAlgorithm HS256
AuthJWTExpDelay 1800
AuthJWTNbfDelay 0
#AuthJWTIss example.com
#AuthJWTAud demo
#AuthJWTLeeway 10

  AuthJWTSignatureSharedSecret secret
  AllowOverride none

LogLevel auth_jwt:debug
RewriteEngine On

<Directory /var/www/example.com/public_html/demo/secured/>
	

    AuthType jwt
    AuthName "private area"
    Require valid-user
</Directory>


<Location /login>
	
    SetHandler jwt-login-handler
    AuthJWTProvider file ldap
    AuthUserFile /var/www/example.com/jwt.htpasswd

</Location>

`

Could you please help me out, why its not getting validated

Hi,

I have a scenario where I can't send the token as a header (javascript window.location).

It would be great if the module coudl fallback to a token cookie or query param.

I tried using mod_rewrite add an Authorization RequestHeader from a query param, but it looks like it's too late, because the error log always shows "auth_jwt authn: missing Authorization header" even when I explicitely add the Authorization header with mod_rewrite.

Could you either natively support falling back to reading token from cookie and/or query param when header not present (a lot of other jwt handlers do that)

Or, give me some clue as to how to add a header using mod_rewrite so that your module can see it, maybe I am not doing it right. I tried putting in the virtualhost and inside directory, but neither seem to work :(

thanks!

Hi
I try to use your extension for Single auth
My app actually create token Like that :

{
  "alg": "RS256"
}{
  "username": "alborq",
  "exp": 1488785031,
  "iat": 1488781431
}

i hope it's ok, but my problem is somewhere else.
I generate Key like that :

$ openssl genrsa -out var/jwt/private.pem -aes256 4096
$ openssl rsa -pubout -in var/jwt/private.pem -out var/jwt/public.pem

Add i add key pass phrase

I try to configure my Vhost like that :

        AuthJWTSignatureAlgorithm RS256
        AuthJWTSignaturePublicKeyFile var/jwt/public.pem  # Path is Ok, i just trucate it
        AuthJWTSignaturePrivateKeyFile var/jwt/private.pem # Path is Ok, i just trucate it

        <Location />
                AuthType jwt
                AuthName "private area"
                Require valid-user
        </Location>

But how can i pass my key pass phrase for .pem ?

Thanks for reply !
Alborq.

Hi,

Is it possible to implement authorization in the following way:

• Every user has his own folder
• User is allowed to access only his folder
• We will need to add users and folders not changing the apache config file
• The folder name with be same as the username

Thnx,
Istvan

In stock Debian it appears there may be a permissions issue with the openssl commands in debian_tests.sh under certain conditions. The generated keys are written to the newly created directory under /opt. The new directory inherits permissions from the parent which is set to rwxr-x-r-x. So, the user must be root to write to the directory. I suspect the same is true for Redhat. Adding sudo to the commands should fix the issue and also allow it to remain working.

Do you mind if I submit a pull request for this?

I guess this error is still alive. I have the following config:

AuthJWTSignatureAlgorithm RS256
AuthJWTSignaturePublicKeyFile /etc/pki/auth_pub.pem
AuthJWTSignaturePrivateKeyFile /etc/pki/auth_priv.pem

<Location "/test/">
AllowOverride None
AuthType jwt-bearer
AuthName "private area"
Require valid-user

in jwt.io the token will be accepted. token is not expired and after nbf.

OS: Rocky Linux 8

It occured twice in the last days that I issued a token which was valid and accepted by the server, and from the next day on it says "Decoding process has failed, token is either malformed or signature is invalid". Testing the tokens with other tools, they are still valid (expiring in one year).
I would like to know if anybody could think of an idea, how this could be theoretically possible. There were no changes made on the server.

The README links to https://anthony.deroche.me/demo/jwt.php, but the link doesn't exist.

When using cookie, I have a login html page with a username/password form, with the submit going to the configured login handler Location in apache "/authenticate". When I click the form's SUBMIT it works just fine to authenticate, but I don't see a way of forwarding anywhere, such as a returnURL or the secured page. Is there a directive I should be using, what's the correct approach given the context of this plugin?

Any help is greatly appreaciated.

Hey,
thanks for mod!

If in this config remove AuthJWTLeeway 10, auth fails with crash:
[Mon Dec 12 22:22:29.898372 2016] [core:notice] [pid 19793] AH00052: child pid 20078 exit signal Segmentation fault (11)

<VirtualHost *:80>
    ServerName testjwt.local
    DocumentRoot /var/www/testjwt/
    
    AuthJWTExpDelay 1800
    AuthJWTIss testjwt.local
    AuthJWTAud tests
    AuthJWTLeeway 10

    LogLevel auth_jwt:debug
    RewriteEngine On

    Alias "/hmac_secured" "/var/www/testjwt"
    Alias "/rsa_secured" "/var/www/testjwt"
    Alias "/ec_secured" "/var/www/testjwt"

    <Directory /var/www/testjwt/>
        AllowOverride None
        Options -Indexes
        Require all granted
    </Directory>

    <Location "/hmac_secured">
        AuthJWTSignatureSharedSecret secret
        AllowOverride None
        Options -Indexes
        AuthType jwt
        AuthName "private area"
        Require valid-user
    </Location>

    <Location "/jwt_login">
	AuthJWTSignatureAlgorithm HS256
	AuthJWTSignatureSharedSecret secret
        SetHandler jwt-login-handler
        AuthJWTProvider file
        AuthUserFile /var/www/jwt.htpasswd
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We are already issuing JWT tokens for access to our API but would like to start protecting some semi-static websites (including images/static files) with the same auth scheme. We are imagining:

1. User goes to HTML/JS login page that sends credentials to our existing API which returns a JWT token
2. We somehow inform the browser (basic auth?, cookie, local storage) that we have a token
3. Now the browser automatically sends the Authorization header or cookie with each requests & mod_authnz_jwt validates

Is there a way I can coerce the browser to send custom Authorization headers?

I believe I am interested in what is happening here: #28

Do you have any example apache config you could add to the docs?

OpenSuSe uses it's own logic for module naming where the module name in the sysconfig variable ($APACHE_MODULES) has to match the installed apache module file under /usr/lib64/apache2/.

Module name is "auth_jwt", therefore apache module file has to be mod_auth_jwt.so.
Currently the file name is "mod_authnz_jwt.so" which leads to the effect that OpenSUSE does not add the module to the loadmodule.conf file generated at starting time of apache.

A simple rename of the apache module file from mod_authnz_jwt.so" to "mod_auth_jwt.so" solved the problem for us.

Installing the newest version from source and using e.g. the minimal configuration from the readme, the module accepts just any value given as AuthJWTIss and does not mind the expiration time. Access is only denied if the token is completely wrong.

For exp, nbf, and iat:

• token_add_claim should be replaced by token_add_claim_int when encoding the token.
• token_get_claim should be replaced by token_get_claim_int when decoding the token.

Hi Team,

I would like to reach out and ask if there is a version of mod_authnz_jwt that would be supported by your team for any issues/customizations ?

@AnthonyDeroche I see you support HS256 symmetric jwt. My use case is that I need to generate a token from a key(the jwt iss or issuer) + secret with a proper exp(say valid 15 minutes into the future or whatever) and then add that token as an Authorization: Bearer <jwt_token> Header OR if that is not available then to do like query parameter ?jwt= before I proxy. Does your lib expose any kind of environment variable or something I can reference in a conf file to access a token this module generates, and then attach it as a Bearer token header when Apache reverse proxies? Also curious if you have thought to add any cache logic so that same token can be referenced without taking a hit on cpu/crypto every tx request so the cache lives the life of the token?(not a big deal if not really, I don't expect the traffic to be so hard hitting that the extra crypto will kill me)

Thanks in advance if you have any insights, an example conf would be helpful as I am super new to httpd(I usually use nginx)!
-Jeremy

IP address should be atleast in the same country.

Hello

It does not look like it is possible but then I am not much of an Apache HTTPD person and not very experienced in reading module documentation.

Context - A JWT token is received containing claims that need to be 'converted' to headers so that downstream services can stay unaware of the JWT token details

Is it possible to extract claim values from the jwt token? Idea is to add the values to request headers when fwd'ing the request?

Tx!

Peter

The module is installed on apache2 cantos and following the configuration being used

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User "%{RU}e" env=RU

  AuthJWTSignatureSharedSecret "BASE 64 encoded secret"
  AuthJWTSignatureAlgorithm HS256
  AuthJWTIss <set to servername of this config file>
  AuthJWTAttributeUsername user
  <Location />
    AllowOverride None
    AuthType jwt-bearer
    AuthName "private area"
    Require valid-user
  </Location>

The token being generated elsewhere in a python

         iat = datetime.datetime.utcnow()
        exp = iat + datetime.timedelta(hours=8, minutes=0, seconds=0)
        payload = {'exp': exp, 'iat': iat,
                   'sub': user, 'user': user['username']}
        return jwt.encode(
            payload, 'same base 64 encoded SECRET_KEY', algorithm='HS256')

We have only setup mod_authnz_jwt to verify the token. Currently the module is detecting the presence of header token and also us using secret key setup to decode but keeps complaining with following logs

[Thu Jun 17 17:20:53.823078 2021] [auth_jwt:error] AH55512: Decoding process has failed, token is either malformed or signature is invalid

But decoding succeed without issue when tried through following python code without issue

try:
    payload = jwt.decode(
        auth_token, 'same base 64 encoded SECRET_KEY', algorithms='HS256')
    return payload['user']
except jwt.ExpiredSignatureError:
    raise RestException(RestException.TOKEN_EXPIRED)
except jwt.InvalidTokenError:
    raise RestException(RestException.TOKEN_INVALID)

Can you please as something seems to be broken at decoding process or library being used to decode in mod_authnz_jwt? Its seems to be almost there. Please help with our setup?

Module should not deliver token if the content-type of posted data is not www-application/x-www-form-urlencoded

Code Snippet:
<Location /gettoken>
SetHandler jwt-login-handler
AuthJWTProvider dbd
AuthDBDUserPWQuery "SELECT password, cn as SSL_CLIENT_S_DN_CN, ou as SSL_CLIENT_S_DN_OU, o as SSL_CLIENT_S_DN_O from dbo.USER_CERT_VIEW where userName = %s" --> as user name is not passing along with URL, not sure whether this query will help us to set required ENV variables

Tried to set the username explicitly with the below code. (Note: Sent user name as query param)
<Location /gettoken>
SetHandler jwt-login-handler
AuthJWTProvider dbd
Rewriteengine On
RewriteCond %{QUERY_STRING} ^(?:.&)?username=(.)$
RewriteRule ^ - [env=username:%1]
Header set TokenH %{username}e
AuthDBDUserPWQuery "SELECT password, cn as SSL_CLIENT_S_DN_CN, ou as SSL_CLIENT_S_DN_OU, o as SSL_CLIENT_S_DN_O from dbo.USER_CERT_VIEW where userName = %{username}e"

Getting error with above query. Could you please suggest me on the usage of query in case of AuthJWTProvider dbd as i didn't get any example to refer.
Declaimer: I doesn't have prior knowledge on Apache HttpD server.

I have an error when i use an image rebuilding with your dockerfile (thanks to that) with httpd:2.4.58 image.

root@apache-6657f4499c-nmz6h:/usr/local/apache2# httpd -t httpd: Syntax error on line 66 of /usr/local/apache2/conf/httpd.conf: Syntax error on line 21 of /usr/local/apache2/conf/modules.d/1.authentification.conf: Cannot load modules/mod_authnz_jwt.so into server: libssl.so.1.1: cannot open shared object file: No such file or directory root@apache-6657f4499c-nmz6h:/usr/local/apache2#

Is there any operation i miss ?

I'm trying to use this in docker, and trying to configure my docker-compose file, I'm struggling finding all the files I need. One by one I am finding the binaries, but I'm stuck trying to get libjwt.so. Do you have any instructions on how to extract the needed files for something like docker where I need to distribute the files?

Hi,

I have an issue with mod_authnz_jwt.
When using a JWT to authenticate, mod_authnz_jwt randomly answers :

• 200 OK
• 401 Unauthorized

for any apparent reason.

The JWT we are using for test :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ0ZXN0ZG9tYWluLmNvbSIsImlhdCI6MTUyMTY1NDgwMSwiZXhwIjoxNTUzMTkwODEwLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJ0ZXN0QGV4YW1wbGUuY29tIiwidXNlciI6ImFkbWluIn0.g6lHZQbv7H9dD3CXZpw3zZ7zfO4bTuGs3BI6mWndAeE
Secret is test

Sended to our test server with this curl command :
curl -X GET -k -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ0ZXN0ZG9tYWluLmNvbSIsImlhdCI6MTUyMTY1NDgwMSwiZXhwIjoxNTUzMTkwODEwLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJ0ZXN0QGV4YW1wbGUuY29tIiwidXNlciI6ImFkbWluIn0.g6lHZQbv7H9dD3CXZpw3zZ7zfO4bTuGs3BI6mWndAeE' -i 'https://testdomain.com'

We sometimes receive 200 OK answer
Apache logs :

[Thu Mar 22 10:15:40.702067 2018] [auth_jwt:debug] [pid 334] mod_authnz_jwt.c(975): [client 217.108.243.20:13728] AH55405: auth_jwt authn: checking signature and fields correctness...
[Thu Mar 22 10:15:40.702334 2018] [auth_jwt:debug] [pid 334] mod_authnz_jwt.c(980): [client 217.108.243.20:13728] AH55406: auth_jwt authn: signature is correct
[Thu Mar 22 10:15:40.702352 2018] [auth_jwt:debug] [pid 334] mod_authnz_jwt.c(983): [client 217.108.243.20:13728] AH55405: auth_jwt authn: algorithm found is HS256

And sometimes 401 Unauthorized a few seconds later
Apache logs :

[Thu Mar 22 10:15:37.096715 2018] [auth_jwt:debug] [pid 334] mod_authnz_jwt.c(975): [client 217.108.243.20:13728] AH55405: auth_jwt authn: checking signature and fields correctness...
[Thu Mar 22 10:15:37.096913 2018] [auth_jwt:error] [pid 334] [client 217.108.243.20:13728] AH55512: Decoding process has failed, token is either malformed or signature is invalid

Token and request method are strictly the same. Do you have any idea why the token is sometimes decoded and sometimes rejected as invalid/malformed ?

Thanks

I followed instructions on a fresh test box, and everything works great. Then when I tried to move it to production, I'm having some serious trouble! I've got it to the point where if I put:

https://myurl.com/subdir/index.php

It works, but if I just put:

https://myurl.com/subdir/

I get a 401 Unauthorized error.

The modules between the boxes are similar, the one where it's not working:
authz_core (enabled by maintainer script)
mpm_prefork (enabled by maintainer script)
deflate (enabled by maintainer script)
php7.0 (enabled by maintainer script)
autoindex (enabled by maintainer script)
alias (enabled by maintainer script)
mime (enabled by maintainer script)
headers (enabled by site administrator)
auth_basic (enabled by site administrator)
authz_user (enabled by maintainer script)
access_compat (enabled by maintainer script)
setenvif (enabled by maintainer script)
ssl (enabled by site administrator)
dir (enabled by maintainer script)
socache_shmcb (enabled by site administrator)
status (enabled by maintainer script)
rewrite (enabled by site administrator)
filter (enabled by maintainer script)
authz_groupfile (enabled by site administrator)
negotiation (enabled by maintainer script)
authz_host (enabled by maintainer script)
auth_jwt (enabled by site administrator)
authn_core (enabled by maintainer script)
env (enabled by maintainer script)
authn_file (enabled by maintainer script)

The modules where everything works fine, has:
access_compat (enabled by maintainer script)
ssl (enabled by site administrator)
setenvif (enabled by maintainer script)
autoindex (enabled by maintainer script)
socache_shmcb (enabled by site administrator)
env (enabled by maintainer script)
mpm_event (enabled by maintainer script)
auth_jwt (enabled by site administrator)
dir (enabled by maintainer script)
auth_basic (enabled by maintainer script)
alias (enabled by maintainer script)
authn_file (enabled by maintainer script)
filter (enabled by maintainer script)
deflate (enabled by maintainer script)
authz_host (enabled by maintainer script)
status (enabled by maintainer script)
mime (enabled by maintainer script)
authz_core (enabled by maintainer script)
authz_user (enabled by maintainer script)
reqtimeout (enabled by maintainer script)
negotiation (enabled by maintainer script)
authn_core (enabled by maintainer script)

The default-ssl.conf looks like this on both:

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/845782569bd11d43.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.key
SSLCACertificatePath /etc/ssl/certs/
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars

<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars

AuthJWTFormUsername user
AuthJWTFormPassword password
AuthJWTAttributeUsername user
AuthJWTExpDelay 1800
AuthJWTNbfDelay 0
AuthJWTLeeway 10
AuthJWTSignatureSharedSecret 23md093jd8j3
AuthJWTIss ustaclubs.com
AuthJWTDeliveryType Cookie
AuthJWTCookieName AuthToken
<Location /authenticate>
SetHandler jwt-login-handler
AuthJWTProvider file
AuthUserFile /var/www/passwd/passwords
AuthGroupFile /var/www/passwd/groups

I am using .htaccess in a directory for access, this example is in /var/www/html/meets/meet_532
AuthType jwt-cookie
AuthName myauthname
AuthUserFile /var/www/passwd/passwords
AuthGroupFile /var/www/passwd/groups
Require group meet532

My User file:
myusername:$apr1$xO3YBihC$n.tALxCJ3QOsdfdsfKjyC/

My Group File:
meet532: myusername

My apache2.conf directory setup:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
DirectoryIndex index.php

My security.conf directory setup:
<Directory /var/www/html/meets>
AllowOverride all
DirectoryIndex index.php

What I find is strange, is I see duplicates in the error log and I go. I've been studing the code, and it looks like things maybe are getting mixed up:
[Tue Apr 12 04:28:12.778674 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778680 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778682 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778705 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1170): [client 24.14.160.70:34742] AH55405: auth_jwt authn: checking signature and fields correctness...
[Tue Apr 12 04:28:12.778762 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1175): [client 24.14.160.70:34742] AH55406: auth_jwt authn: signature is correct
[Tue Apr 12 04:28:12.778765 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1178): [client 24.14.160.70:34742] AH55405: auth_jwt authn: algorithm found is HS256
[Tue Apr 12 04:28:12.778833 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778836 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778838 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778844 2022] [auth_jwt:error] [pid 18237] [client 24.14.160.70:34742] AH55409: auth_jwt authn: missing authorization cookie

Like I said, if I put /index.php it loads, but if no index.php it gives me a 401:
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Apache/2.4.18 (Ubuntu) Server at ustaclubs.com Port 443

I know it's authenticating, because if I put the wrong password, it doesn't work and errors out during authenticate.

See below, on the following log, I can see that first it says ok, then it says denied for the group and the user:

[Tue Apr 12 04:28:12.778652 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778663 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778674 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778680 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778682 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778705 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1170): [client 24.14.160.70:34742] AH55405: auth_jwt authn: checking signature and fields correctness...
[Tue Apr 12 04:28:12.778762 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1175): [client 24.14.160.70:34742] AH55406: auth_jwt authn: signature is correct
[Tue Apr 12 04:28:12.778765 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1178): [client 24.14.160.70:34742] AH55405: auth_jwt authn: algorithm found is HS256
[Tue Apr 12 04:28:12.778792 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: granted
[Tue Apr 12 04:28:12.778794 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : granted
[Tue Apr 12 04:28:12.778828 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of Require group meet532: denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778830 2022] [authz_core:debug] [pid 18237] mod_authz_core.c(809): [client 24.14.160.70:34742] AH01626: authorization result of : denied (no authenticated user yet)
[Tue Apr 12 04:28:12.778833 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1083): [client 24.14.160.70:34742] AH55400: auth_jwt: checking authentication with token...
[Tue Apr 12 04:28:12.778836 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1099): [client 24.14.160.70:34742] AH55400: auth_jwt: authSubType -cookie
[Tue Apr 12 04:28:12.778838 2022] [auth_jwt:debug] [pid 18237] mod_authnz_jwt.c(1108): [client 24.14.160.70:34742] AH55400: auth_jwt: delivery_type 4
[Tue Apr 12 04:28:12.778844 2022] [auth_jwt:error] [pid 18237] [client 24.14.160.70:34742] AH55409: auth_jwt authn: missing authorization cookie

Notice at the bottom it complaints about missing the authorization cookie, but in the log above it, it found it and granted the group.

If anyone can help me, I'd be greatly appreciative, I've been staring at the source and tracing for days now.

I've modified some parts of the log such as the IP address and a couple of directories, so if you see a small difference go ahead and call it out, but it may just be something I forgot to update. I tried to be concise and provide all of the information possible.

Thank you!
Dan Chase

I'm trying to use this in docker, and trying to configure my docker-compose file, I'm struggling finding all the files I need. One by one I am finding the binaries, but I'm stuck trying to get libjwt.so. Do you have any instructions on how to extract the needed files for something like docker where I need to distribute the files?

If you make a request to a protected page but don't provide a token (through either the Authorization header or cookie), you get errors like the following in the logs;
[Fri Mar 05 21:52:36.960160 2021] [auth_jwt:error] [pid 9213:tid 140084577822464] [client 127.0.0.1:41868] AH55404:
So the error description is missing.

A check of the code shows the issue is caused y an incorrect call to ap_log_rerror():
1126: ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, logCode, logStr);

This should instead be:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s%s", logCode, logStr);

Would it be viable to add an option for the cookie variant ?

We would need to set a cookie (name configurable) at login and during access check for it instead of the Authorization header.

Would it be possible to add extra claim field and value when issuing JWT token in configuration?

Like giving each user a role to specify its privilege.

I'm using Ubuntu Server 20.04 and just installed mod_authnz_jwt from source...so far so good, I used the configuration example and recreated the same folder /var/www/html/demo/login and /var/www/html/demo/secured.

I have generated a jwt.htpasswd with a single user for testing, so far I get the Unauthorized warning on /var/www/html/demo/secured, but when I try to access /var/www/html/demo/login it shows the warning:

Method Not Allowed
The requested method GET is not allowed for this URL

Am I doing something wrong? Or do I need an extra step?

Kind regards,
carekaPT

Hello!

Using this module for a high-traffic web application, I've observed that the server gradually runs out of memory due to ever-increasing httpd worker process memory usage.

I've reproduced the issue with a very basic configuration, please see attached Dockerfile, it builds the module, enables JWT token auth, starts httpd and runs ab to generate requests.

Sample output of build:

 ---> Running in 99174bd2f0d0
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.5. Set the 'ServerName' directive globally to suppress this message
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  3.5  0.0   2392   752 ?        Ss   16:51   0:00 /bin/sh -c httpd && sleep 3 && ps aux && ab -q -n 1000000 -c 50 http://localhost/ >/dev/null && ps aux
root           7  0.0  0.0  11832  4016 ?        Ss   16:51   0:00 httpd
daemon         9  0.0  0.0 2002932 12252 ?       Sl   16:51   0:00 httpd
daemon        10  0.0  0.0 2002932 12252 ?       Sl   16:51   0:00 httpd
daemon        11  0.0  0.0 2002932 12252 ?       Sl   16:51   0:00 httpd
root          93  0.0  0.0   7644  2800 ?        R    16:51   0:00 ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.4  0.0   2392   752 ?        Ss   16:51   0:00 /bin/sh -c httpd && sleep 3 && ps aux && ab -q -n 1000000 -c 50 http://localhost/ >/dev/null && ps aux
root           7  0.0  0.0  11832  4016 ?        Ss   16:51   0:00 httpd
daemon         9 60.0  1.0 3067060 542372 ?      Sl   16:51   0:18 httpd
daemon        10  113  2.1 4144172 1082132 ?     Sl   16:51   0:34 httpd
daemon        11  108  2.1 4069540 1044720 ?     Sl   16:51   0:32 httpd
daemon        95  165  2.7 4735308 1378620 ?     Sl   16:51   0:42 httpd
root         123  0.0  0.0   7644  2724 ?        R    16:51   0:00 ps aux

As you can see, after 1M requests, RSS column adds up to almost 4GiB.
If Require valid-user is commented out, this does not happen.

Hello !

It have sense to add the possibility to provide the JWT via URL param ?

I want to generate and open in browser links type of
https://site.com/secured/?token=xxxxxx

where is "token" param is JWT
and grant an access exists user to site

thank you !

I tried the minimal configuration for just securing a folder on my apache2 webserver.
I am always getting:

I tried both http and https.

I set the Authorization Header like "Bearer eylskdvnsdlns...." and give apache the private key and here's my apache2 config:

<VirtualHost *:443>
	ServerName sub.domain.com

	ServerAdmin [email protected]
	DocumentRoot /var/www/test

	AuthJWTSignatureAlgorithm HS512
	AuthJWTSignatureSharedSecret r9yfFB8Bf......RKBv

	<Directory /var/www/test/secured/>
		AllowOverride None
		AuthType jwt
		AuthName "private"
		Require valid-user
	</Directory>
	...
</VirtualHost>

Please help me, I don't know why apache can't decode my json webtoken. on JWT.io it's valid if I enter my secret private key.

kind regads.
Rebar

Sent from my Pixel 2 XL using FastHub

Is there windows support for this?

Generate RSA keys
openssl genpkey -algorit RSA -out rsa-priv.pem -pkeyopt rsa_keygen_bits:4096

should be:
openssl genpkey -algorithm RSA -out rsa-priv.pem -pkeyopt rsa_keygen_bits:4096

Hi guys,

I am some having some issue with setting this part of my apache config? I am I missing something from apache set up.

"Invalid command 'AuthJWTDeliveryType', perhaps misspelled or defined by a module not included in the server configuration"

We are hosting a web application on Apache 2, which contains both secured resources and login handler under the same document root. The JWT token is generated by the login handler and will be passed to all subsequent UI request. Is there any configuration to whitelist few resources to by pass validation of JWT token as Login handler related UI resources won't be getting JWT token.

Hi Anthony,

I am trying to integrate your module into an Apache 2.4 server on Centos 7 running in a Docker container. This is to meet a requirement for the client to supply a valid JWT before allowing proxying of a request through Apache to a destination API.

The client supplies a header named X-Custom-Auth-Header (this is constrained by other components and the header name cannot be changed to be more standard); my idea is to turn it into an Authorization: Bearer ... header so that mod_authnz_jwt can validate the token before granting the access request.

Here is the configuration in the virtual host that contains the proxy:

RequestHeader set Authorization "Bearer %{X-Custom-Auth-Header}e"

<IfModule auth_jwt_module>
	AuthJWTSignatureAlgorithm HS512
	AuthJWTSignatureSharedSecret xxxx
</IfModule>

<LocationMatch "/gosomewhere">
	ProxyPass https://api.somewhere.com
	ProxyPassReverse https://api.somewhere.com
	RequestHeader set X-APIKey yyyy
	<IfModule auth_jwt_module>
		AllowOverride None
		AuthType jwt
		AuthName "private area"
		AuthJWTAttributeUsername username
		Require valid-user
	</IfModule>
</LocationMatch>

The error I get in the Apache logs is :

[authz_core:debug] mod_authz_core.c(818):  AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_jwt:debug] mod_authnz_jwt.c(1056):  AH55400: auth_jwt: checking authentication with token...
[auth_jwt:debug] mod_authnz_jwt.c(1072): AH55400: auth_jwt: authSubType
[auth_jwt:debug] mod_authnz_jwt.c(1081):  AH55400: auth_jwt: delivery_type 2
[auth_jwt:debug] mod_authnz_jwt.c(1094):  AH55402: auth_jwt authn: reading Authorization header...
[auth_jwt:error] AH55404: auth_jwt authn: missing Authorization header, responding with WWW-Authenticate header...

It seems that it is erroring at a stage before the RequestHeader set Authorization ... line. Is it possible to work around this, and if so, please can you advise what I need to do in order to get the Authorization header to be detected by mod_authnz_jwt?

Thank you.

Simon Payne