Add org.matrix.login.jwt support.

Signed-off-by: Jason Volk <jason@zemos.net>
2025-06-18 09:29:06 +00:00
parent b5dc933880
commit 18b9d7bc1f
11 changed files with 434 additions and 15 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2096,6 +2096,21 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "jsonwebtoken"
+version = "9.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+dependencies = [
+ "base64",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "konst"
 version = "0.3.16"
@@ -2796,6 +2811,16 @@ dependencies = [
 "syn",
 ]

+[[package]]
+name = "pem"
+version = "3.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38af38e8470ac9dee3ce1bae1af9c1671fffc44ddfd8bd1d0a3445bf349a8ef3"
+dependencies = [
+ "base64",
+ "serde",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.1"
@@ -3384,7 +3409,7 @@ dependencies = [
 [[package]]
 name = "ruma"
 version = "0.10.1"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "assign",
 "js_int",
@@ -3404,7 +3429,7 @@ dependencies = [
 [[package]]
 name = "ruma-appservice-api"
 version = "0.10.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -3416,7 +3441,7 @@ dependencies = [
 [[package]]
 name = "ruma-client-api"
 version = "0.18.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "as_variant",
 "assign",
@@ -3439,7 +3464,7 @@ dependencies = [
 [[package]]
 name = "ruma-common"
 version = "0.13.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "as_variant",
 "base64",
@@ -3471,7 +3496,7 @@ dependencies = [
 [[package]]
 name = "ruma-events"
 version = "0.28.1"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "as_variant",
 "indexmap",
@@ -3496,7 +3521,7 @@ dependencies = [
 [[package]]
 name = "ruma-federation-api"
 version = "0.9.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "bytes",
 "headers",
@@ -3518,7 +3543,7 @@ dependencies = [
 [[package]]
 name = "ruma-identifiers-validation"
 version = "0.9.5"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "js_int",
 "thiserror 2.0.12",
@@ -3527,7 +3552,7 @@ dependencies = [
 [[package]]
 name = "ruma-identity-service-api"
 version = "0.9.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -3537,7 +3562,7 @@ dependencies = [
 [[package]]
 name = "ruma-macros"
 version = "0.13.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "cfg-if",
 "proc-macro-crate",
@@ -3552,7 +3577,7 @@ dependencies = [
 [[package]]
 name = "ruma-push-gateway-api"
 version = "0.9.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "js_int",
 "ruma-common",
@@ -3564,7 +3589,7 @@ dependencies = [
 [[package]]
 name = "ruma-signatures"
 version = "0.15.0"
-source = "git+https://github.com/matrix-construct/ruma?rev=3d082885f6532cc84ba65ebd2c3ff31b25a7022d#3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+source = "git+https://github.com/matrix-construct/ruma?rev=0155c2b33233bec9dece79d5134a9574b347f4c1#0155c2b33233bec9dece79d5134a9574b347f4c1"
 dependencies = [
 "base64",
 "ed25519-dalek",
@@ -4140,6 +4165,18 @@ dependencies = [
 "quote",
 ]

+[[package]]
+name = "simple_asn1"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "thiserror 2.0.12",
+ "time",
+]
+
 [[package]]
 name = "siphasher"
 version = "1.0.1"
@@ -4793,6 +4830,7 @@ dependencies = [
 "futures",
 "log",
 "ruma",
+ "serde",
 "serde_json",
 "serde_yaml",
 "tokio",
@@ -4864,6 +4902,7 @@ dependencies = [
 "http-body-util",
 "ipaddress",
 "itertools 0.14.0",
+ "jsonwebtoken",
 "ldap3",
 "libc",
 "libloading",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -225,6 +225,11 @@ version = "0.1.3"
 [workspace.dependencies.itertools]
 version = "0.14.0"

+[workspace.dependencies.jsonwebtoken]
+version = "9.3.1"
+default-features = false
+features = ["use_pem"]
+
 [workspace.dependencies.ldap3]
 git = "https://github.com/matrix-construct/ldap3"
 rev = "7d423314b9dbc66347284e38fc2b78c3d8f3d494"
@@ -306,7 +311,7 @@ default-features = false

 [workspace.dependencies.ruma]
 git = "https://github.com/matrix-construct/ruma"
-rev = "3d082885f6532cc84ba65ebd2c3ff31b25a7022d"
+rev = "0155c2b33233bec9dece79d5134a9574b347f4c1"
 features = [
    "compat",
    "rand",
--- a/src/admin/Cargo.toml
+++ b/src/admin/Cargo.toml
@@ -85,6 +85,7 @@ ctor.workspace = true
 futures.workspace = true
 log.workspace = true
 ruma.workspace = true
+serde.workspace = true
 serde_json.workspace = true
 serde_yaml.workspace = true
 tokio.workspace = true
--- a/src/admin/debug/commands.rs
+++ b/src/admin/debug/commands.rs
@@ -2,6 +2,7 @@ use std::{
 	collections::HashMap,
 	fmt::Write,
 	iter::once,
+	str::FromStr,
 	time::{Instant, SystemTime},
 };

@@ -11,9 +12,10 @@ use ruma::{
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
 	api::federation::event::get_room_state, events::AnyStateEvent, serde::Raw,
 };
+use serde::Serialize;
 use tracing_subscriber::EnvFilter;
 use tuwunel_core::{
-	Err, Result, debug_error, err, info,
+	Err, Result, debug_error, err, info, jwt,
 	matrix::{
 		Event,
 		pdu::{PduEvent, PduId, RawPduId},
@@ -22,6 +24,7 @@ use tuwunel_core::{
 	utils::{
 		stream::{IterStream, ReadyExt},
 		string::EMPTY,
+		time::now_secs,
 	},
 	warn,
 };
@@ -975,3 +978,60 @@ pub(super) async fn trim_memory(&self) -> Result {

 	writeln!(self, "done").await
 }
+
+#[admin_command]
+pub(super) async fn create_jwt(
+	&self,
+	user: String,
+	exp_from_now: Option<u64>,
+	nbf_from_now: Option<u64>,
+	issuer: Option<String>,
+	audience: Option<String>,
+) -> Result {
+	use jwt::{Algorithm, EncodingKey, Header, encode};
+
+	#[derive(Serialize)]
+	struct Claim {
+		sub: String,
+		iss: String,
+		aud: String,
+		exp: usize,
+		nbf: usize,
+	}
+
+	let config = &self.services.config.jwt;
+	if config.format.as_str() != "HMAC" {
+		return Err!("This command only supports HMAC key format, not {}.", config.format);
+	}
+
+	let key = EncodingKey::from_secret(config.key.as_ref());
+	let alg = Algorithm::from_str(config.algorithm.as_str()).map_err(|e| {
+		err!(Config("jwt.algorithm", "JWT algorithm is not recognized or configured {e}"))
+	})?;
+
+	let header = Header { alg, ..Default::default() };
+	let claim = Claim {
+		sub: user,
+
+		iss: issuer.unwrap_or_default(),
+
+		aud: audience.unwrap_or_default(),
+
+		exp: exp_from_now
+			.and_then(|val| now_secs().checked_add(val))
+			.map(TryInto::try_into)
+			.and_then(Result::ok)
+			.unwrap_or(usize::MAX),
+
+		nbf: nbf_from_now
+			.and_then(|val| now_secs().checked_add(val))
+			.map(TryInto::try_into)
+			.and_then(Result::ok)
+			.unwrap_or(0),
+	};
+
+	encode(&header, &claim, &key)
+		.map_err(|e| err!("Failed to encode JWT: {e}"))
+		.map(async |token| self.write_str(&token).await)?
+		.await
+}
--- a/src/admin/debug/mod.rs
+++ b/src/admin/debug/mod.rs
@@ -234,6 +234,28 @@ pub(super) enum DebugCommand {
 		level: Option<i32>,
 	},

+	/// - Create a JWT token for login
+	CreateJwt {
+		/// Localpart of the user's MXID
+		user: String,
+
+		/// Set expiration time in seconds from now.
+		#[arg(long)]
+		exp_from_now: Option<u64>,
+
+		/// Set not-before time in seconds from now.
+		#[arg(long)]
+		nbf_from_now: Option<u64>,
+
+		/// Claim an issuer.
+		#[arg(long)]
+		issuer: Option<String>,
+
+		/// Claim an audience.
+		#[arg(long)]
+		audience: Option<String>,
+	},
+
 	/// - Developer test stubs
 	#[command(subcommand)]
 	#[allow(non_snake_case)]
--- a/src/api/client/session/jwt.rs
+++ b/src/api/client/session/jwt.rs
@@ -0,0 +1,117 @@
+use std::str::FromStr;
+
+use jwt::{Algorithm, DecodingKey, Validation, decode};
+use ruma::{
+	OwnedUserId, UserId,
+	api::client::session::login::v3::{Request, Token},
+};
+use serde::Deserialize;
+use tuwunel_core::{Err, Result, at, config::JwtConfig, debug, err, jwt, warn};
+use tuwunel_service::Services;
+
+use crate::Ruma;
+
+#[derive(Debug, Deserialize)]
+struct Claim {
+	/// Subject is the localpart of the User MXID
+	sub: String,
+}
+
+pub(super) async fn handle_login(
+	services: &Services,
+	_body: &Ruma<Request>,
+	info: &Token,
+) -> Result<OwnedUserId> {
+	let config = &services.config.jwt;
+
+	if !config.enable {
+		return Err!(Request(Unknown("JWT login is not enabled.")));
+	}
+
+	let claim = validate(config, &info.token)?;
+	let local = claim.sub.to_lowercase();
+	let server = &services.server.name;
+	let user_id = UserId::parse_with_server_name(local, server).map_err(|e| {
+		err!(Request(InvalidUsername("JWT subject is not a valid user MXID: {e}")))
+	})?;
+
+	if !services.users.exists(&user_id).await {
+		if !config.register_user {
+			return Err!(Request(NotFound("User {user_id} is not registered on this server.")));
+		}
+
+		services
+			.users
+			.create(&user_id, Some("*"), Some("jwt"))
+			.await?;
+	}
+
+	Ok(user_id)
+}
+
+fn validate(config: &JwtConfig, token: &str) -> Result<Claim> {
+	let verifier = init_verifier(config)?;
+	let validator = init_validator(config)?;
+	decode::<Claim>(token, &verifier, &validator)
+		.map(|decoded| (decoded.header, decoded.claims))
+		.inspect(|(head, claim)| debug!(?head, ?claim, "JWT token decoded"))
+		.map_err(|e| err!(Request(Forbidden("Invalid JWT token: {e}"))))
+		.map(at!(1))
+}
+
+fn init_verifier(config: &JwtConfig) -> Result<DecodingKey> {
+	let key = &config.key;
+	let format = config.format.as_str();
+
+	Ok(match format {
+		| "HMAC" => DecodingKey::from_secret(key.as_bytes()),
+
+		| "HMACB64" => DecodingKey::from_base64_secret(key.as_str())
+			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid base64: {e}")))?,
+
+		| "ECDSA" => DecodingKey::from_ec_pem(key.as_bytes())
+			.map_err(|e| err!(Config("jwt.key", "JWT key is not valid PEM: {e}")))?,
+
+		| _ => return Err!(Config("jwt.format", "Key format {format:?} is not supported.")),
+	})
+}
+
+fn init_validator(config: &JwtConfig) -> Result<Validation> {
+	let alg = config.algorithm.as_str();
+	let alg = Algorithm::from_str(alg).map_err(|e| {
+		err!(Config("jwt.algorithm", "JWT algorithm is not recognized or configured {e}"))
+	})?;
+
+	let mut validator = Validation::new(alg);
+	let mut required_spec_claims: Vec<_> = ["sub"].into();
+
+	validator.validate_exp = config.validate_exp;
+	if config.require_exp {
+		required_spec_claims.push("exp");
+	}
+
+	validator.validate_nbf = config.validate_nbf;
+	if config.require_nbf {
+		required_spec_claims.push("nbf");
+	}
+
+	if !config.audience.is_empty() {
+		required_spec_claims.push("aud");
+		validator.set_audience(&config.audience);
+	}
+
+	if !config.issuer.is_empty() {
+		required_spec_claims.push("iss");
+		validator.set_issuer(&config.issuer);
+	}
+
+	if cfg!(debug_assertions) && !config.validate_signature {
+		warn!("JWT signature validation is disabled!");
+		validator.insecure_disable_signature_validation();
+	}
+
+	validator.set_required_spec_claims(&required_spec_claims);
+	debug!(?validator, "JWT configured");
+
+	Ok(validator)
+}
--- a/src/api/client/session/mod.rs
+++ b/src/api/client/session/mod.rs
@@ -1,4 +1,5 @@
 mod appservice;
+mod jwt;
 mod ldap;
 mod logout;
 mod password;
@@ -9,7 +10,10 @@ use axum_client_ip::InsecureClientIp;
 use ruma::api::client::session::{
 	get_login_types::{
 		self,
-		v3::{ApplicationServiceLoginType, LoginType, PasswordLoginType, TokenLoginType},
+		v3::{
+			ApplicationServiceLoginType, JwtLoginType, LoginType, PasswordLoginType,
+			TokenLoginType,
+		},
 	},
 	login::{
 		self,
@@ -39,6 +43,7 @@ pub(crate) async fn get_login_types_route(
 	Ok(get_login_types::v3::Response::new(vec![
 		LoginType::Password(PasswordLoginType::default()),
 		LoginType::ApplicationService(ApplicationServiceLoginType::default()),
+		LoginType::Jwt(JwtLoginType::default()),
 		LoginType::Token(TokenLoginType {
 			get_login_token: services.config.login_via_existing_session,
 		}),
@@ -69,6 +74,7 @@ pub(crate) async fn login_route(
 	let user_id = match &body.login_info {
 		| LoginInfo::Password(info) => password::handle_login(&services, &body, info).await?,
 		| LoginInfo::Token(info) => token::handle_login(&services, &body, info).await?,
+		| LoginInfo::Jwt(info) => jwt::handle_login(&services, &body, info).await?,
 		| LoginInfo::ApplicationService(info) =>
 			appservice::handle_login(&services, &body, info).await?,
 		| _ => {
--- a/src/core/Cargo.toml
+++ b/src/core/Cargo.toml
@@ -78,6 +78,7 @@ http-body-util.workspace = true
 http.workspace = true
 ipaddress.workspace = true
 itertools.workspace = true
+jsonwebtoken.workspace = true
 ldap3.workspace = true
 libc.workspace = true
 libloading.workspace = true
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -52,7 +52,7 @@ use crate::{Result, err, error::Error, utils::sys};
 ### For more information, see:
 ### https://tuwunel.chat/configuration.html
 "#,
-	ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates ldap"
+	ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates ldap jwt"
 )]
 pub struct Config {
 	/// The server_name is the pretty name of this server. It is used as a
@@ -1814,6 +1814,10 @@ pub struct Config {
 	#[serde(default)]
 	pub ldap: LdapConfig,

+	// external structure; separate section
+	#[serde(default)]
+	pub jwt: JwtConfig,
+
 	#[serde(flatten)]
 	#[allow(clippy::zero_sized_map_values)]
 	// this is a catchall, the map shouldn't be zero at runtime
@@ -1991,6 +1995,99 @@ pub struct LdapConfig {
 	pub admin_filter: String,
 }

+#[derive(Clone, Debug, Default, Deserialize)]
+#[config_example_generator(filename = "tuwunel-example.toml", section = "global.jwt")]
+pub struct JwtConfig {
+	/// Enable JWT logins
+	///
+	/// default: false
+	#[serde(default)]
+	pub enable: bool,
+
+	/// Validation key, also called 'secret' in Synapse config. The type of key
+	/// can be configured in 'format', but defaults to the common HMAC which
+	/// is a plaintext shared-secret, so you should keep this value private.
+	///
+	/// display: sensitive
+	/// default:
+	#[serde(default, alias = "secret")]
+	pub key: String,
+
+	/// Format of the 'key'. Only HMAC, ECDSA, and B64HMAC are supported
+	/// Binary keys cannot be pasted into this config, so B64HMAC is an
+	/// alternative to HMAC for properly random secret strings.
+	/// - HMAC is a plaintext shared-secret private-key.
+	/// - B64HMAC is a base64-encoded version of HMAC.
+	/// - ECDSA is a PEM-encoded public-key.
+	///
+	/// default: "HMAC"
+	#[serde(default = "default_jwt_format")]
+	pub format: String,
+
+	/// Automatically create new user from a valid claim, otherwise access is
+	/// denied for an unknown even with an authentic token.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub register_user: bool,
+
+	/// JWT algorithm
+	///
+	/// default: "HS256"
+	#[serde(default = "default_jwt_algorithm")]
+	pub algorithm: String,
+
+	/// Optional audience claim list. The token must claim one or more values
+	/// from this list when set.
+	///
+	/// default: []
+	#[serde(default)]
+	pub audience: Vec<String>,
+
+	/// Optional issuer claim list. The token must claim one or more values
+	/// from this list when set.
+	///
+	/// default: []
+	#[serde(default)]
+	pub issuer: Vec<String>,
+
+	/// Require expiration claim in the token. This defaults to false for
+	/// synapse migration compatibility.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_exp: bool,
+
+	/// Require not-before claim in the token. This defaults to false for
+	/// synapse migration compatibility.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_nbf: bool,
+
+	/// Validate expiration time of the token when present. Whether or not it is
+	/// required depends on require_exp, but when present this ensures the token
+	/// is not used after a time.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_exp: bool,
+
+	/// Validate not-before time of the token when present. Whether or not it is
+	/// required depends on require_nbf, but when present this ensures the token
+	/// is not used before a time.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_nbf: bool,
+
+	/// Bypass validation for diagnostic/debug use only.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_signature: bool,
+}
+
 #[derive(Deserialize, Clone, Debug)]
 #[serde(transparent)]
 struct ListeningPort {
@@ -2392,3 +2489,7 @@ fn default_ldap_uid_attribute() -> String { String::from("uid") }
 fn default_ldap_mail_attribute() -> String { String::from("mail") }

 fn default_ldap_name_attribute() -> String { String::from("givenName") }
+
+fn default_jwt_algorithm() -> String { "HS256".to_owned() }
+
+fn default_jwt_format() -> String { "HMAC".to_owned() }
--- a/src/core/mod.rs
+++ b/src/core/mod.rs
@@ -14,6 +14,7 @@ pub mod utils;

 pub use ::arrayvec;
 pub use ::http;
+pub use ::jsonwebtoken as jwt;
 pub use ::ruma;
 pub use ::smallstr;
 pub use ::smallvec;
--- a/tuwunel-example.toml
+++ b/tuwunel-example.toml
@@ -1712,3 +1712,69 @@
 # example: "(objectClass=tuwunelAdmin)" or "(uid={username})"
 #
 #admin_filter = false
+
+[global.jwt]
+
+# Enable JWT logins
+#
+#enable = false
+
+# Validation key, also called 'secret' in Synapse config. The type of key
+# can be configured in 'format', but defaults to the common HMAC which
+# is a plaintext shared-secret, so you should keep this value private.
+#
+#key =
+
+# Format of the 'key'. Only HMAC, ECDSA, and B64HMAC are supported
+# Binary keys cannot be pasted into this config, so B64HMAC is an
+# alternative to HMAC for properly random secret strings.
+# - HMAC is a plaintext shared-secret private-key.
+# - B64HMAC is a base64-encoded version of HMAC.
+# - ECDSA is a PEM-encoded public-key.
+#
+#format = "HMAC"
+
+# Automatically create new user from a valid claim, otherwise access is
+# denied for an unknown even with an authentic token.
+#
+#register_user = true
+
+# JWT algorithm
+#
+#algorithm = "HS256"
+
+# Optional audience claim list. The token must claim one or more values
+# from this list when set.
+#
+#audience = []
+
+# Optional issuer claim list. The token must claim one or more values
+# from this list when set.
+#
+#issuer = []
+
+# Require expiration claim in the token. This defaults to false for
+# synapse migration compatibility.
+#
+#require_exp = false
+
+# Require not-before claim in the token. This defaults to false for
+# synapse migration compatibility.
+#
+#require_nbf = false
+
+# Validate expiration time of the token when present. Whether or not it is
+# required depends on require_exp, but when present this ensures the token
+# is not used after a time.
+#
+#validate_exp = true
+
+# Validate not-before time of the token when present. Whether or not it is
+# required depends on require_nbf, but when present this ensures the token
+# is not used before a time.
+#
+#validate_nbf = true
+
+# Bypass validation for diagnostic/debug use only.
+#
+#validate_signature = true