apisix/doc/plugins/jwt-auth.md

<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->

[中文](jwt-auth-cn.md)

# Summary
- [**Name**](#name)
- [**Attributes**](#attributes)
- [**How To Enable**](#how-to-enable)
- [**Test Plugin**](#test-plugin)
- [**Disable Plugin**](#disable-plugin)


## Name

`jwt-auth` is an authentication plugin that need to work with `consumer`. Add JWT Authentication to a `service` or `route`.

The `consumer` then adds its key to the query string parameter, request header, or `cookie` to verify its request.

For more information on JWT, refer to [JWT](https://jwt.io/) for more information.

## Attributes

* `key`: different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception.
* `secret`: optional, encryption key. if you do not specify, the value is auto-generated in the background.
* `algorithm`: optional, encryption algorithm .support`HS256`, `HS384`, `HS512`, `RS256` and `ES256`,`HS256` is default.
* `exp`: optional, token's expire time, the unit is second. for example, 5 minutes, need to set the value of 300.( 5 * 60 = 300 ).

## How To Enable

1. set a consumer and config the value of the `jwt-auth` option

```shell
curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '
{
    "username": "jack",
    "plugins": {
        "jwt-auth": {
            "key": "user-key",
            "secret": "my-secret-key"
        }
    }
}'
```

you can visit Dashboard `http://127.0.0.1:9080/apisix/dashboard/` and add a Consumer through the web console:

![](../images/plugin/jwt-auth-1.png)

then add jwt-auth plugin in the Consumer page:
![](../images/plugin/jwt-auth-2.png)

2. add a Route or add a Service , and enable the `jwt-auth` plugin

```shell
curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
{
    "methods": ["GET"],
    "uri": "/index.html",
    "plugins": {
        "jwt-auth": {}
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'
```

## Test Plugin

#### get the token in `jwt-auth` plugin:

```shell
$ curl http://127.0.0.2:9080/apisix/plugin/jwt/sign?key=user-key -i
HTTP/1.1 200 OK
Date: Wed, 24 Jul 2019 10:33:31 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX web server

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI
```

#### try request with token

* without token:

```shell
$ curl http://127.0.0.2:9080/index.html -i
HTTP/1.1 401 Unauthorized
...
{"message":"Missing JWT token in request"}
```

* request header with token:

```shell
$ curl http://127.0.0.2:9080/index.html -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI' -i
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13175
...
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="cn">
...
```

* request params with token:

```shell
$ curl http://127.0.0.2:9080/index.html?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -i
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13175
...
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="cn">
...
```

* request cookie with token:

```shell
$ curl http://127.0.0.2:9080/index.html --cookie jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -i
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13175
...
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="cn">
...
```

## *Disable Plugin

When you want to disable the `jwt-auth` plugin, it is very simple,
 you can delete the corresponding json configuration in the plugin configuration,
  no need to restart the service, it will take effect immediately:

```shell
$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value='
{
    "methods": ["GET"],
    "uri": "/index.html",
    "id": 1,
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "39.97.63.215:80": 1
        }
    }
}'
```
license: add ASF header. (#743) 2019-10-31 09:27:28 +08:00			`<!--`
			`#`
			`# Licensed to the Apache Software Foundation (ASF) under one or more`
			`# contributor license agreements. See the NOTICE file distributed with`
			`# this work for additional information regarding copyright ownership.`
			`# The ASF licenses this file to You under the Apache License, Version 2.0`
			`# (the "License"); you may not use this file except in compliance with`
			`# the License. You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`#`
			`-->`

doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00			`[中文](jwt-auth-cn.md)`

			`# Summary`
			`- [Name](#name)`
			`- [Attributes](#attributes)`
			`- [How To Enable](#how-to-enable)`
			`- [Test Plugin](#test-plugin)`
			`- [Disable Plugin](#disable-plugin)`


			`## Name`

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`jwt-auth` is an authentication plugin that need to work with `consumer`. Add JWT Authentication to a `service` or `route`.
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			The `consumer` then adds its key to the query string parameter, request header, or `cookie` to verify its request.
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`For more information on JWT, refer to [JWT](https://jwt.io/) for more information.`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			`## Attributes`

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			* `key`: different `consumer` have different value, it's unique. different `consumer` use the same `key`, and there will be a request matching exception.
			* `secret`: optional, encryption key. if you do not specify, the value is auto-generated in the background.
			* `algorithm`: optional, encryption algorithm .support`HS256`, `HS384`, `HS512`, `RS256` and `ES256`,`HS256` is default.
			* `exp`: optional, token's expire time, the unit is second. for example, 5 minutes, need to set the value of 300.( 5 * 60 = 300 ).
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			`## How To Enable`

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			1. set a consumer and config the value of the `jwt-auth` option
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			```shell
			`curl http://127.0.0.1:9080/apisix/admin/consumers -X PUT -d '`
			`{`
			`"username": "jack",`
			`"plugins": {`
			`"jwt-auth": {`
			`"key": "user-key",`
			`"secret": "my-secret-key"`
			`}`
			`}`
			`}'`
			```

			you can visit Dashboard `http://127.0.0.1:9080/apisix/dashboard/` and add a Consumer through the web console:

			`![](../images/plugin/jwt-auth-1.png)`

			`then add jwt-auth plugin in the Consumer page:`
			`![](../images/plugin/jwt-auth-2.png)`

			2. add a Route or add a Service , and enable the `jwt-auth` plugin

			```shell
			`curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '`
			`{`
			`"methods": ["GET"],`
			`"uri": "/index.html",`
			`"plugins": {`
			`"jwt-auth": {}`
			`},`
			`"upstream": {`
			`"type": "roundrobin",`
			`"nodes": {`
			`"39.97.63.215:80": 1`
			`}`
			`}`
			`}'`
			```

			`## Test Plugin`

			#### get the token in `jwt-auth` plugin:

			```shell
doc(jwt-auth): fixed wrong arguments. (#661) 2019-10-10 16:00:48 +08:00			`$ curl http://127.0.0.2:9080/apisix/plugin/jwt/sign?key=user-key -i`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00			`HTTP/1.1 200 OK`
			`Date: Wed, 24 Jul 2019 10:33:31 GMT`
			`Content-Type: text/plain`
			`Transfer-Encoding: chunked`
			`Connection: keep-alive`
			`Server: APISIX web server`

			`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI`
			```

			`#### try request with token`

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`* without token:`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			```shell
			`$ curl http://127.0.0.2:9080/index.html -i`
			`HTTP/1.1 401 Unauthorized`
			`...`
			`{"message":"Missing JWT token in request"}`
			```

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`* request header with token:`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			```shell
			`$ curl http://127.0.0.2:9080/index.html -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI' -i`
			`HTTP/1.1 200 OK`
			`Content-Type: text/html`
			`Content-Length: 13175`
			`...`
			`Accept-Ranges: bytes`

			`<!DOCTYPE html>`
			`<html lang="cn">`
			`...`
			```

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`* request params with token:`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			```shell
			`$ curl http://127.0.0.2:9080/index.html?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -i`
			`HTTP/1.1 200 OK`
			`Content-Type: text/html`
			`Content-Length: 13175`
			`...`
			`Accept-Ranges: bytes`

			`<!DOCTYPE html>`
			`<html lang="cn">`
			`...`
			```

doc: Update jwt-auth.md (#704) 2019-10-30 10:33:33 +08:00			`* request cookie with token:`
doc: added english doc for jwt plugin. 2019-09-26 15:06:17 +08:00
			```shell
			`$ curl http://127.0.0.2:9080/index.html --cookie jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -i`
			`HTTP/1.1 200 OK`
			`Content-Type: text/html`
			`Content-Length: 13175`
			`...`
			`Accept-Ranges: bytes`

			`<!DOCTYPE html>`
			`<html lang="cn">`
			`...`
			```

			`## *Disable Plugin`

			When you want to disable the `jwt-auth` plugin, it is very simple,
			`you can delete the corresponding json configuration in the plugin configuration,`
			`no need to restart the service, it will take effect immediately:`

			```shell
			`$ curl http://127.0.0.1:2379/v2/keys/apisix/routes/1 -X PUT -d value='`
			`{`
			`"methods": ["GET"],`
			`"uri": "/index.html",`
			`"id": 1,`
			`"plugins": {},`
			`"upstream": {`
			`"type": "roundrobin",`
			`"nodes": {`
			`"39.97.63.215:80": 1`
			`}`
			`}`
			`}'`
			```