I'm working on a VOD platform in terms of a white-label product.
Most stuff is already done but for the moment I'm not able to solve one problem, how to deliver content in HLS format to the client securely? And with secure, I mean authorization.

All HLS content is stored on a S3 storage (non-AWS) and all m3u8 playlist and all segments must be available to the client as soon as the player (VideoJS) requests an individual segment referenced by a m3u8 playlist. In other words, this means that the Bucket itself must run as public from a bucket policy perspective, otherwise VideoJS will fail to load segments.

My Idea now is that I place NGINX or OpenResty in front of the S3 Storage to handle
authorization of a client request. I have never done something like this, so I would like to get some useful references before I start implementing.

The VOD service itself is basically a combination of a Backend, Django API using DRF, and a Frontend App (AngularJS). The Backend uses JWT to authenticate clients. So it would be awesome if I can simply create some kind of token I can pass to the client, maybe another JWT or the same JWT the Client gets after log in at the frontend.

I'm not sure what exactly I need here, but it seems that I need to make NGINX/OpenResty open a subrequest as soon as a client wants data from the S3 storage if I understood the docs right.

At my Django backend, I have the following 3 endpoints:

re_path(r'^api/v1/token/obtain$', obtain_jwt_token),       # Returns a new Token
re_path(r'^api/v1/token/refresh$', refresh_jwt_token),     # Returns a new Token in exchange for an old one
re_path(r'^api/v1/token/verify$', verify_jwt_token),       # Returns the Token if Valid else Bad Request

What do I need to do in order to make DRF and NGINX marriage?
What kind of key does NGINX expect to validate the JWT?

please also see:

https://jpadilla.github.io/django-rest-framework-jwt/

Thanks in advance, and sorry for the long reading.

I try to use this module. when I explicitly set the value for auth_jwt_key it works just fine. But if I set it as: auth_jwt_key $public_key; which is set by a js module beforehand, I get the error: nginx: [error] failed to open public key file
is there a way to solve this issue?

Hello,

I followed the post post https://mostafa-asg.github.io/post/nginx-authentication-with-jwt/
I think it went successful, but...

I got stuck on the last stage. I think I make just some noobie mistake, but I keep receiving: 401 Authorisation required. Giving an example location:

location /test/{
auth_jwt_enabled on;
auth_jwt_algorithm HS256;
auth_jwt_validate_email off;
auth_jwt_key "secret";
try_files /test.html /test.html;
}

I assume that to get to the www.mysite.com/test/ I need to add header with JWT. So I go to jwt.io, generate the token using "secret" as the secret key to get JWT (like https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o).

So I authorise by adding the header and calling:

curl -H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o" https://www.mysite.com/test/

If you give me a hint what I am doing wrong, I would be very grateful.

Thank you very much!

Best regards
Tomasz Wojtas

The README needs some structure, cleanup, and better documentation regarding the available options. Also should expand on how to actually obtain the built module, etc.

Am I correct in stating that this module currently supports only symmetric keys, but not asymmetric RSA private key-signed tokens? If so, I would like to make a feature request to support tokens signed by RSA keys.

I'm specifically looking for RS256.

Thank you!

Instead of reading the key from file or config, allow getting the key via http
Similar to see auth_jwt_key_request in nginx plus docs

Hi!

First off, nice plugin, saves a lot of trouble! 👏

We deploy this image on our K8s cluster using Helm charts, where the PEM encoded key is a generated on deployment and is a K8s secret. Helm can't work with keys generated on install and paste the content in the Nginx configuration (because it's being generated in the same operation). One solution would be to map the secret onto a file and use that path as a mounted volume.

Would reading the PEM file from a file be a new feature in this plugin?

I've already forked the repo and added two attributes that load the key, it serves us well. If it's cool for you I can make a PR to include it officially?

Custom proprietary headers can be added using the 'X-' prefix, but this convention was deprecated in June 2012, because of the inconveniences it caused when non-standard fields became standard in RFC-6648

Proposal

Add auth_jwt_header_prefix to allow users to specify custom header prefix.

e.g.,

auth_jwt_header_prefix "clarakm"

Then x-email and x-userid would be renamed to clarakm-email and clarakm-userid.

No package nginx-1.16.1 available.

Hi,

This may be a newbie question but does this module support JWT Claim retrieval from incoming request header as mentionned here ? : https://www.nginx.com/blog/authenticating-api-clients-jwt-nginx-plus/#auth_jwt
You can see on the link above that some variables (such as $jwt_header_xxxx and $jwt_claim_xxxx) representing JWT header and payload fields are available and can be sent to the forwarded API server for request processing per user.
The readme doesn't mention such variables.
More generally, does this module offer the same functionalities as the one coming natively with NGINX Plus which is called "ngx_http_auth_jwt_module".

Thanks in advance for your help

I'm trying to using the Dockerfile to run nginx

My configuration is

        auth_jwt_enabled on;
        auth_jwt_key superSecretSharedSigningKey; 
        auth_jwt_algorithm HS256;    #  using HMAC for signing 
        auth_jwt_validate_email off;

I'm using the jwt builder from: http://jwtbuilder.jamiekurtz.com/

On request I'm getting the below error

[error] 7#0: *6 failed to turn hex key into binary, client: 10.255.0.2, server: , request: "GET /api/platform/tool/userauth/user/add HTTP/1.1", host: "localhost:8080"

As indicated in the README:

Please note that number, boolean, array, and object claims are not supported at this time -- only string claims are supported. An error will be thrown if you attempt to extract a non-string claim.

We should support at least number and boolean claims. Supporting object and array claims is more difficult, but we should support extracting a claim from an array or object e.g. my_claim_array[0] or my_claim_obj[some_key][some_other_key].

Hi guys, I am using your module and I'm wonder if we can made the sub claim optional?

This is the output in nginx error log when sending our JWT token:

2021/11/26 06:44:30 [error] 9#9: *14 the jwt does not contain a subject, client: 8.8.8.8, server: , request: "GET /secure-auth-header/ HTTP/1.1", host: "3.3.3.3:8000"

Would be awesome if any time that there are changes at the code, a new release build gets triggered.

Hi,
since this module is solving an crucial gap specifically for the nginx community I was thinking it might make sense to add a simplistic example configuration somewhere how to configure it open source kubernetes community projects like for
example https://github.com/kubernetes/ingress-nginx

Maybe with snippet:

nginx.ingress.kubernetes.io/configuration-snippet: |

or:
https://kubernetes.github.io/ingress-nginx/examples/customization/custom-configuration/ or differently?

I am a total beginner here.

If I would try to configure INGRESS-NGINX today I would be kind of lost how to start.

My IDP exposes

"jwks_uri": "https://<IDP>/oauth2/certs",

uri content:

{
  "keys": [
    {
      "kty": "RSA",
      "x5t#S256": "xxxxxx",
      "e": "AQAB",
      "use": "sig",
      "kid": "xxxxxxx",
      "x5c": [
        "xxxxxxxxxxxxxx"
      ],
      "alg": "RS256",
      "n": "xxxxxxxxxxxxxx"
    }
  ]
}

Hi,

I keep receiving weird looking error:

Any ideas how to solve?

Best regards
Tomasz

In our project we submit the JWT in the Authorization header in the format: 'Bearer <token>'. We do not use any cookies.

We would like to use your module in our project, but I see that in e42d2a0 you removed the Authorization header check. Do you have any plans to support getting the token from the Authorization header or would you accept a pull request which adds this feature?

I've noticed that the Dockerfile uses libjwt 1.8.0, so I've taken that to mean that that's what's officially supported. Would any work be needed to support 1.9.0?

I asked because I've undertaken the work to implement this in MacPorts (still waiting on PR macports/macports-ports#1925 to be merged) but this also meant adding libjwt to MacPorts (macports/macports-ports#1924). Because of the whole version 1.8.0 thing, that's what I implemented in MacPorts, but their team is pressing me to implement the latest. And because MacPorts doesn't implement versioned dependencies, I'm resisting until this project blesses libjwt 1.9.0.

Cheers, gents.

Hello there,

When trying to install nginx 1.22 with ngx-http-auth-jwt-module...

./configure --prefix=/var/www/html --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --add-dynamic-module=../ngx-http-auth-jwt-module --with-http_ssl_module --with-http_image_filter_module=dynamic --modules-path=/etc/nginx/modules --with-http_v2_module --with-stream=dynamic --with-http_addition_module --with-http_mp4_module

make modules

../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’:
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:446:2: error: ignoring return value of ‘fread’ declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
446 | fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [objs/Makefile:1407: objs/addon/src/ngx_http_auth_jwt_module.o] Error 1

Makefiles can be cumbersome. This is just for consideration.

Hi,
Thanks for sharing! I don't see the open source license terms specified anywhere. Which license are you using for this project?

As i am the jwt signer, how can I add my JWK to the plugin.

A Makefile might help productivity, so you don't have to grep history or go searching for past commands you've run.

You'd run make stop remove build to stop the running containers, remove the images, and build and test.

.PHONY: stop
    docker stop $(shell docker ps -aqf "name=jwt-nginx-cont")

.PHONY: remove
    @$(MAKE) stop
    docker rmi -f $(shell docker ps -aqf "name=jwt-nginx")

.PHONY: build
    ./build.sh

Note: Makefiles don't like spaces, so you gotta convert them to tabs.

Hi, I am trying to implement HS256 based validation. But Iam getting 401 and
failed to parse JWT, error code 22, client: 192.168.1.10, server: , request: "GET /api/1 HTTP/1.1", host: "192.168.1.17" in error logs.

My conf looks like this

server {
    listen       80;
        error_log /var/log/nginx/error-1.log debug;
        access_log /var/log/nginx/access-1.log main_ext;
        auth_jwt_enabled on;
        auth_jwt_key "jXnZr4u7x!A%D*G-KaPdSgVkYp3s5v8y";
        auth_jwt_algorithm HS256;

location / {
    proxy_pass http://localhost:808/dev;
}}

Any help would be really appreciated.

@craigpell @fitzyjoe GOTO statements can lead to spaghetti code.

Hi ..

I downloaded the prebuilt:
https://github.com/TeslaGov/ngx-http-auth-jwt-module/releases/download/2.0.1/ngx_http_auth_jwt_module_2.0.1_nginx_1.24.0.tgz

and tried to use this with nginx 1.24
from https://nginx.org/packages/debian/pool/nginx/n/nginx/nginx_1.24.0-1~bullseye_amd64.deb

when trying to load the module .. I get:

nginx: [emerg] module "/etc/nginx/modules/ngx_http_auth_jwt_module.so" version 1022001 instead of 1024000 in /etc/nginx/nginx.conf:5

Invalid "Authorization" header may lead to segmentation fault:

2018/06/06 22:03:26 [emerg] 8#8: *10 malloc(18446744073709551611) failed (12: Out of memory), client: 172.17.0.1, server: localhost, request: "GET /secure-auth-header/ HTTP/1.1", host: "localhost:8000"
2018/06/06 22:03:27 [notice] 1#1: signal 17 (SIGCHLD) received from 8
2018/06/06 22:03:27 [alert] 1#1: worker process 8 exited on signal 11 (core dumped)
2018/06/06 22:03:27 [notice] 1#1: start worker process 9

How to reproduce:

• In your nginx.conf file: change error_log /var/log/nginx/error.log info to error_log /dev/stderr info (you wont see anything otherwise).

• Add this test:

TEST_INVALID_AUTH_HEADER=`curl -X GET -o /dev/null --silent --head --write-out '%{http_code}\n' http://${MACHINE_IP}:8000/secure-auth-header/index.html -H 'cache-control: no-cache' --header "Authorization: X"`
if [ "TEST_INVALID_AUTH_HEADER" -eq "302" ];then
  echo -e "${GREEN}Secure test with jwt auth header pass ${TEST_INVALID_AUTH_HEADER}${NONE}";
else
  echo -e "${RED}Secure test with jwt auth header fail ${TEST_INVALID_AUTH_HEADER}${NONE}";
fi

Cause:

Line 422:
authorizationHeaderStr.len = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
-> "len" can be negative and it will fail in the ngx_str_t_to_char_ptr function on memory allocation.

It would be great to support additional algorithms as changing them out in production can be difficult if you have a lot of consumers of the public keys.

Specifically supporting the ones from this list: HS384, HS512, RS384, RS512, ES256, ES384 and ES512

As far as I can see from the code, you can only load the JWT from either the Authorization header or from a cookie. Would be nice if you could also configure this module to load it from another header like the Proxy-Authorization header for example.

@fitzyjoe @max-lt @KensingtonTech @kevinmichaelchen @penumbra23
I just wanted to say thank you for your nice work onto this nginx module, we're using it with great success.
It really solves a lot of issues for us. I basically didn't saw many posts like this one here on GitHub, so I wanted to start
as a good example. So again, thank you guys very much for your great work :D

Thumbs up : +1:

I need to be able to blacklist user accounts. This is almost never used, but it is a security requirement for some projects. This could be as simple as a delimited file of "sub" claims that should be denied.

I'm trying to combine two parts to make the JWT key:
set $key "${firstPart}SecoundPart";
auth_jwt_key $key;

Not too sure if its the module that needs to interpolation the ${variable}, or the module is not able to use the referanse to $key. Or perhaps I completely missed something else.

Scenario:: I need ${firstPart} to actually be the regex'ed out part/folder(in binHex) of the url, and combine it with a secret key to use nginx to verify if client with JWT can access files in a folder. As then backend can generate JWT (with expiration of 1day) for that folder, thus giving front-end access to all needed files, without having to check complex user->group->project->file auth every time.

Thanks for making a great module!

From version 1.23.0 Nginx changed internal API: header lines are represented as linked lists.

r->headers_in.cookies has been renamed to r->headers_in.cookie

As described in this commit:
nginx/nginx@3aef1d6

Hi, TeslaGov, I use it in a project, It works well. thanks for your awesome jwt module.
But I found a problem while testing by using the http header segment(empty jwt string):
"Authorization: Bearer "

line: 429 authorizationHeaderStr.len = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
authorizationHeaderStr.len may be nagative and would lead to a crash

suggest fix:
ngx-http-auth-jwt-module.c line 424
if (authorizationHeader != NULL) -> if (authorizationHeader != NULL && authorizationHeader->value.len > 1)

Hi

What is the best practice to validate multiple JWT?

I've a lot of users and each user have a personal JWT; each user can access to one o more 'location'/'route'.
Should I create, for example, a test-jwt-nginx.conf for each user?

Thank you,
Valentino

sorry for that. Just a huge my own mistake started yesterday

I'd like to request the addition of version tags for module releases. The reason is I'd like to add this module to MacPorts but the portfiles require file hashes for each source file, so they must be calculated against a specific version.

master_sites https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/:jwt_module
...
...

variant jwt description {Add JWT (Javascript Web Token) support to server} {
    set jwt_filename     ngx-http-auth-jwt-module
    set jwt_version      master
    set jwt_distname     ${jwt_filename}-${jwt_version}
    distfiles-append        ${jwt_version}.tar.gz:jwt_module
    # curl -OL https://github.com/KensingtonTech/ngx-http-auth-jwt-module/archive/master.tar.gz && shasum -a256 master.tar.gz && openssl rmd160 master.tar.gz
    checksums-append        ${jwt_version}.tar.gz \
                            rmd160  6c4e41f34ed807ce0df345582f6d3efc940bcb05 \
                            sha256  b91c081a16873264f3a0175ca65786197b2bb8fb824bce3e0f509800075ef939
    configure.args-append   --add-dynamic-module=${workpath}/${jwt_distname}
    depends_lib-append      port:libjwt
}

Without a tag, it will always fetch the latest master from the GitGub archive (i.e. https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/master.tar.gz ), which can change at any time and thus break MacPorts because the file hashes won't match. By adding a version tag, I can pull specific versions from the GitHub archive, like https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/v1.0.tar.gz .

Thank you!

Sorry for a newbie question but I am not too good with compilers.
I tried to compile your project on Ubuntu 16.04. To be "binary compatible" the module must be compiled with the same flags, so I've taken these from Ubuntu nginx:

--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'

The compilations fails with:

/usr/bin/ld: objs/addon/src/ngx_http_auth_jwt_module.o: relocation R_X86_64_PC32 against undefined symbol `ngx_http_core_module' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value

As far as I figure this is related to those "position-independent executable" flags (-fPIE, -pie) used by Ubuntu. So my question is if it's even possible to compile your module with such flags?

Here you can see, I used the secret and the token from test.sh.. it is just not valid, even if the key base64 encoded.

Since PR #56, I'm not able to compile Nginx with this module.

I got this compilation error:

cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g   -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules \
	-o objs/addon/src/ngx_http_auth_jwt_module.o \
	../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c: In function ‘loadAuthKey’:
../ngx-http-auth-jwt-module/src/ngx_http_auth_jwt_module.c:438:2: error: ignoring return value of ‘fread’ declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
  438 |  fread(conf->_auth_jwt_keyfile.data, 1, keySize, keyFile);
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [objs/Makefile:1250: objs/addon/src/ngx_http_auth_jwt_module.o] Error 1
make: *** [Makefile:10: build] Error 2

I tried different Nginx versions without success, which leads me to try the previous commit of this module which was a success.

Trying to make a docker container in ubuntu, I get:

/usr/bin/ld: objs/addon/src/ngx_http_auth_jwt_module.o: relocation R_X86_64_PC32 against undefined symbol `ngx_http_core_module' can not be used when making a shared object; recompile with -fPIC

Any idea why?

Add Dockerfile, preferably based on Alpine Linux (5MB), that can build this module.

I think I have overlooked freeing the memory from the jwt_decode in ngx_http_auth_jwt_module.c

The auth_jwt_redirect directive makes the code overly complicated and can be easily replaced by the nginx's error_page directive:

from:

location ~ ^/secure/ {
    auth_jwt_enabled on;
    auth_jwt_validation_type COOKIE=rampartjwt;
    auth_jwt_redirect on;
    auth_jwt_loginurl "https://teslagov.com";
}

to:

location @login_err_redirect {
    return 302 https://teslagov.com?redirect=$request_uri&$args;
}

location ~ ^/secure/ {
    auth_jwt_enabled on;
    auth_jwt_validation_type COOKIE=rampartjwt;
    error_page 401 = @login_err_redirect;
}

I'm maintaining a branch that had this simplification (around 130 less lines (~25%) for the module.c file, and no more gotos (#13), diff here) and can make a PR if you are interested.

I would like to support shorter life for tokens. Typically, this is done with 2 tokens. A refresh-token that is used to obtain a short lived bearer token. However, I'd like to keep it simple for my partner apps that are under the umbrella of this single sign on.

I'm considering adding a feature to issue a new token as a Set-Cookie for requests that

• contain a valid token
• contain a token that is older than some short period (like a minute - to prevent issuing on every request)
• contains an authenticated-on JWT claim that has happened within a period (like a day - to prevent chaining these tokens forever)

Missing sub or emailAddress leads to segmentation fault

When checking a token that have no "emailAddress" or/and "sub" field, nginx worker process get killed for segfault.

without emailAddress:

 [error] 12#0: *9 auth_jwt_validation_type.len 17, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [error] 12#0: *9 the jwt does not contain an email address, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [notice] 1#0: signal 17 (SIGCHLD) received
 [alert] 1#0: worker process 12 exited on signal 11 (core dumped)
 [notice] 1#0: start worker process 13

without sub:

 [error] 10#0: *7 auth_jwt_validation_type.len 17, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [error] 10#0: *7 the jwt does not contain a subject, client: 172.17.0.1, server: localhost, request: "GET /secure/index.html HTTP/1.1", host: "127.0.0.1:8000"
 [notice] 1#0: signal 17 (SIGCHLD) received
 [alert] 1#0: worker process 10 exited on signal 11 (core dumped)
 [notice] 1#0: start worker process 11

Workaround:

Adding goto redirect; at the end of the two blocks that make these verifications does the trick BUT as we face a JWT that have been correctly signed but does not meets requirements I suggest not to redirect to the authentication server (if redirect set) to avoid redirection loop nor returning with a 401 status (because it could be handled with the nginx's error_page directive (like error_page 401 = /go_to_login;) and lead to a redirection loop too.
Adding a else block with the custom headers affectation works as well.. but headers will be unset.

For now, i'm returning a 403 (NGX_HTTP_FORBIDDEN) code because a 403 response should prevent the request to be repeated (https://tools.ietf.org/html/rfc2616#section-10.4.2).

How to reproduce:

In your nginx.conf file: change your error_log to error_log /dev/stderr info; (you wont see anything otherwise).

Run tests with:

# Missing "sub"
VALIDJWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaXJzdE5hbWUiOiJoZWxsbyIsImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwicm9sZXMiOlsidGhpcyIsInRoYXQiLCJ0aGVvdGhlciJdLCJpc3MiOiJpc3N1ZXIiLCJwZXJzb25JZCI6Ijc1YmIzY2M3LWI5MzMtNDRmMC05M2M2LTE0N2IwODJmYWRiNSIsImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.lD6jUsazVtzeGhRTNeP_b2Zs6O798V2FQql11QOEI1Q

# Missing "email"
VALIDJWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwiaXNzIjoiaXNzdWVyIiwicGVyc29uSWQiOiI3NWJiM2NjNy1iOTMzLTQ0ZjAtOTNjNi0xNDdiMDgyZmFkYjUiLCJleHAiOjE5MDg4MzUyMDAsImlhdCI6MTQ4ODgxOTYwMCwidXNlcm5hbWUiOiJoZWxsby53b3JsZCJ9.tJoAl_pvq95hK7GKqsp5TU462pLTbmSYZc1fAHzcqWM

I'll have to check the Docker Engine and Docker Compose version, but I tried to build the module on a server using the syntax in your sample Docker file. On on my installation it threw an error regarding "BUILD_FLAGS=''". I changed the syntax of that and it built successfully, but it builds fine with the syntax shown below on other systems. To 'fix' it on that other system I explicitly use v. 1.24.0 and basically get rid of the logic:

RUN ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module --with-cc-opt=-DNGX_LINKED_LIST_COOKIES=1

and it seems to build and function OK.

I'll have to refactor my Docker File if I want to use the module though because I simply compile it now and then use it for another build of the same version of NGINX.

RUN <<`
BUILD_FLAGS=''
MAJ=$(echo ${NGINX_VERSION} | cut -f1 -d.)
MIN=$(echo ${NGINX_VERSION} | cut -f2 -d.)
REV=$(echo ${NGINX_VERSION} | cut -f3 -d.)

# NGINX 1.23.0+ changes cookies to use a linked list, and renames `cookies` to `cookie`
if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
	BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
fi

./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module ${BUILD_FLAGS}
make modules
`

As seen here: https://github.com/TeslaGov/ngx-http-auth-jwt-module/blob/master/src/ngx_http_auth_jwt_module.c#L164

The key should be in hex format, a bit confusing.. some documentation + examples in other languages would be perfect