Openresty's jwt token verification

If this is the first time you are reading about OpenResty, start with the introductory article: Overview of Openresty

When OpenResty acts as a proxy, you may need to verify a token before a request is allowed through to the requested resource. The verification code lives in a Lua script file: the request is intercepted in the access_by_lua_file phase, the token is read from it and verified, and custom handling is applied depending on whether the verification passes or fails.

Implementing JWT token verification with OpenResty takes the following steps:

  • Write Lua script files to achieve token acquisition and verification
  • Add dependent library source files to the lualib directory
  • Copy the lua code file to the path
  • Modify the nginx.conf file so that the token verification code runs on every request

1. Write lua script file

The script reads the token from a request header and then calls the library's verify function on it. We name the Lua file access.lua. The source code is as follows:

local jwt = require "resty.jwt"
local cjson = require "cjson"

-- Must be the same secret that was used to sign (issue) the tokens.
local secret = "token secret key"

-- JSON body returned on any verification failure
-- ("token验证失败" means "token verification failed").
local retdata = {
    code=ngx.HTTP_UNAUTHORIZED,
    message="token验证失败",
    data={}
}

-- Send the failure body and end the whole request.
-- ngx.exit(ngx.HTTP_OK) is required here instead of ngx.exit(0): with status 0
-- only the current phase handler quits and the request would still be proxied
-- upstream after the 401 body has already been sent.
local function reject()
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header["Content-Type"] = "application/json; charset=utf-8"
    ngx.say(cjson.encode(retdata))
    return ngx.exit(ngx.HTTP_OK)
end

-- The raw token is expected in the "Auth" request header (no "Bearer " prefix).
local auth_header = ngx.req.get_headers()["Auth"]
--ngx.log(ngx.INFO, "auth_header = ", auth_header)
if auth_header == nil then
    ngx.log(ngx.ERR, "No Auth header")
    return reject()
end

-- Verify the signature with the shared secret; jwt_obj.reason explains failures.
local jwt_obj = jwt:verify(secret, auth_header)
if jwt_obj.verified == false then
    ngx.log(ngx.ERR, "Invalid token: ", jwt_obj.reason)
    return reject()
end

As the code shows, we require the jwt module and first define a secret variable. This is the secret key the tokens were signed with, and the key used for signing and the key used for verifying must be identical, otherwise verification fails. The placeholder value here must be replaced in a real deployment by a long random secret that is not checked into the config or the repository, since anyone who knows it can mint tokens the proxy accepts. The code then reads the token from the request header with the key Auth; you can change this header name as long as the client and the proxy agree on it. If the header is missing, an authentication failure is returned immediately. If it is present, the next step is to verify the token's validity, and if that fails the same token authentication failure response is returned.

2. Add dependent library source files to the lualib directory

At runtime you may get an error saying the jwt library cannot be found. The dependent files (they belong to the lua-resty-jwt library) need to be copied into the /usr/local/openresty/lualib/resty directory. There are four of them:

evp.lua
hmac.lua
jwt-validators.lua
jwt.lua

Since there is a lot of code, I packaged it into a compressed file; you can get it here: resty.jwt dependency library download address

3. Copy the lua code file

Copy the access.lua file written above to /usr/local/openresty/nginx/lua/. If the directory does not exist, create it.

4. Modify the nginx.conf file

Modify nginx.conf as follows so that the token is read and verified on every request.

#user  nobody;
worker_processes  1;
 
error_log  logs/error.log  error;
error_log  logs/error.log  notice;
error_log  logs/error.log  info;
pid        logs/nginx.pid;
 
events {
    worker_connections  1024;
}
 
 
http {
    include       mime.types;
    default_type  application/octet-stream;
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log  logs/access.log  main;
    # error_log   logs/error.log error; 
 
    lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";
    lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
 
 
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
    proxy_connect_timeout 3s;
 
    #gzip  on;
 
   
    # server block; all requests pass through access.lua before being proxied
    server {
       listen       80;
       server_name  localhost;
 
       location / {
            access_by_lua_file 	lua/access.lua;
            # proxy target URL
            proxy_pass https://127.0.0.1;
       }
 
    }
 
}

The two lines that matter are

lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/lua/?.lua;";

and

access_by_lua_file     lua/access.lua;

The first line adds the directory of our Lua code to the module search path. The second line makes every request pass through access.lua, which contains the code shown earlier: it reads the token from the header and then verifies it. With these two lines in place, the Lua code completes the JWT token verification function.

Origin blog.csdn.net/u013896064/article/details/128712965