A module for the NGINX web server that makes NGINX operate as an OAuth 2.0 Resource Server, validating OAuth 2.0 bearer access tokens and setting headers/environment variables based on the validation results.
OAuth2TokenVerify [ introspect | jwks_uri | metadata | jwk | plain | base64 | base64url | hex | pem | pubkey | eckey_uri ] <value> <options>
# obtain the access token from the authorization header
# $source_token holds the bearer token taken from "Authorization: Bearer <token>"
# and is the empty string when the header is missing or not in Bearer form.
map $http_authorization $source_token {
# no Authorization header, or not a Bearer scheme -> empty token
default "";
# case-insensitive match on the scheme; the capture takes whatever non-whitespace
# follows it, so token syntax is not checked here but by OAuth2TokenVerify below
"~*^Bearer\s+(?<token>[\S]+)$" $token;
# subject allow-list used by OAuth2Require in the /oauth2/pingfed/introspect location:
# $valid_sub is 1 for permitted subjects and 0 otherwise. The input
# ($pfc_introspect_sub) is set from the "sub" claim by OAuth2Claim in that location.
map $pfc_introspect_sub $valid_sub {
# explicitly permitted subjects
"joe" 1;
"alice" 1;
"bob" 1;
"~admin_.+" 1; # allow subjects matching the admin_ pattern
"~student_.+" 0; # deny subjects matching the student_ pattern
# NOTE(review): the two regexes are not anchored, so the pattern matches anywhere
# in the subject, not only as a prefix — confirm this is intended
default 0; # default to deny: unknown or empty subjects are not authorized
server {
listen 7070;
server_name nginx;
# introspection with a sample "require sub=joe" authorization expression
# All three locations below verify $source_token, expose selected claims as nginx
# variables via OAuth2Claim and forward them upstream as OAUTH2_CLAIM_* headers.
# Only this first location adds an OAuth2Require authorization step.
location /oauth2/pingfed/introspect {
# NOTE: the <value> (introspection endpoint) and any options of this directive
# are not shown in this excerpt
OAuth2TokenVerify $source_token introspect
OAuth2Claim sub $pfc_introspect_sub;
OAuth2Claim username $pfc_introspect_username;
OAuth2Claim active $pfc_introspect_active;
# authorization: the request is presumably only allowed when the $valid_sub map
# evaluates to 1 for the token's "sub" claim — confirm the exact truthiness rules
# of OAuth2Require in the module docs
OAuth2Require $valid_sub;
# claims forwarded to the upstream. NOTE(review): proxy_set_header is expected to
# replace any same-named header sent by the client, so the upstream can treat these
# as set by this proxy — confirm, and make sure the upstream is only reachable
# through this server
proxy_set_header OAUTH2_CLAIM_sub $pfc_introspect_sub;
proxy_set_header OAUTH2_CLAIM_username $pfc_introspect_username;
proxy_set_header OAUTH2_CLAIM_active $pfc_introspect_active;
# demo upstream that echoes the received headers (plain HTTP)
proxy_pass http://echo:8080/headers$is_args$args;
# local validation from a provided jwks_uri
# NOTE(review): no OAuth2Require here — any token that verifies against the JWKS
# is accepted regardless of its subject
location /oauth2/pingfed/jwks_uri {
# NOTE: the <value> (JWKS URI) and any options are not shown in this excerpt
OAuth2TokenVerify $source_token jwks_uri
OAuth2Claim sub $pfc_jwks_uri_sub;
OAuth2Claim username $pfc_jwks_uri_username;
OAuth2Claim active $pfc_jwks_uri_active;
proxy_set_header OAUTH2_CLAIM_sub $pfc_jwks_uri_sub;
proxy_set_header OAUTH2_CLAIM_username $pfc_jwks_uri_username;
proxy_set_header OAUTH2_CLAIM_active $pfc_jwks_uri_active;
proxy_pass http://echo:8080/headers$is_args$args;
# local validation from a provided jwk
# when using RFC 8705 OAuth 2.0 Mutual-TLS Certificate-Bound Access Tokens with liboauth2 >= 1.6.1
# optional_no_ca (per the nginx docs): a client certificate is requested but the
# connection is not rejected when it is missing or not signed by a trusted CA.
# With type=mtls below, the binding of the presented certificate to the token is
# presumably checked by the module (RFC 8705 "cnf" claim) rather than by nginx —
# confirm against the liboauth2 docs
ssl_verify_client optional_no_ca;
# NOTE(review): as in the jwks_uri location, there is no OAuth2Require here
location /oauth2/pingfed/jwk {
# the inline JWK is abridged in this excerpt (only "kty" is shown); the full key
# parameters belong inside the quoted JSON.
# mtls.policy=optional: presumably tokens that carry no certificate binding are
# still accepted — verify, and consider a stricter policy in production so that
# every token must be bound to the presented certificate
OAuth2TokenVerify $source_token jwk
"{ \"kty\":\"RSA\",
}" type=mtls&mtls.policy=optional;
OAuth2Claim sub $pfc_jwk_sub;
OAuth2Claim username $pfc_jwk_username;
OAuth2Claim active $pfc_jwk_active;
proxy_set_header OAUTH2_CLAIM_sub $pfc_jwk_sub;
proxy_set_header OAUTH2_CLAIM_username $pfc_jwk_username;
proxy_set_header OAUTH2_CLAIM_active $pfc_jwk_active;
proxy_pass http://echo:8080/headers$is_args$args;
For generic questions, see the Wiki pages with Frequently Asked Questions at:
Any questions or issues should go to the issues tracker.
For commercial Support contracts, Professional Services, Training and use-case specific support you can contact:
[email protected]
This software is open sourced by OpenIDC. For commercial support you can contact OpenIDC as described above in the Support section.