You are viewing the documentation for an older version of this plugin.

Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The OpenID Connect plugin is compatible with the following protocols: grpc, grpcs, http, https

Parameters

Here is a list of all the parameters that can be used in this plugin's configuration.
- name or plugin (string, required): The name of the plugin, in this case openid-connect. When using the Kong Admin API, Kong Konnect API, declarative configuration, or decK files, the field is name. When using a KongPlugin object in Kubernetes, the field is plugin.
- instance_name (string): An optional custom name to identify an instance of the plugin, for example openid-connect_my-service. The instance name shows up in Kong Manager and in Konnect, so it is useful when running the same plugin in multiple contexts, for example on multiple services. It can also be used to access a specific plugin instance through the Kong Admin API. The instance name must be unique within the following context:
  - within a workspace for Kong Gateway Enterprise
  - within a control plane (CP) or control plane (CP) group for Konnect
  - globally for Kong Gateway (OSS)
- service.name or service.id (string): The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.
- route.name or route.id (string): The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.
- enabled (boolean, default: true): Whether this plugin will be applied.
- config (record, required): The plugin configuration. Its fields are listed below.
- issuer (string, required): A string representing a URL, such as https://example.com/path/to/resource?q=search. This is the identity provider's issuer URL; unless using_pseudo_issuer is set, the plugin runs OpenID Connect discovery against it to find the endpoints and signing keys it is not given explicitly below.
- discovery_headers_names (array of string): Extra header names passed to the discovery endpoint.
- discovery_headers_values (array of string): Extra header values passed to the discovery endpoint.
- extra_jwks_uris (set of string): JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery). Every key published at these URIs can sign tokens the plugin accepts, so list only URIs you control or fully trust.
- rediscovery_lifetime (number, default: 30): Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- auth_methods (array of string, default: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session): Types of credentials/grants to enable. Each entry must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session. Every enabled method is a credential type the route will accept, so enable only the ones the clients of this route actually use.
- client_id (array of string, referenceable, encrypted): The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- client_secret (array of string, referenceable, encrypted): The client secret(s), one entry per client_id.
- client_auth (array of string): The authentication method used by the client (plugin) when calling the endpoint, one entry per client_id. Each entry must be one of: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none.
- client_jwk (array of record): The JWK used for private_key_jwt client authentication, one record per client_id. Each record carries the standard JWK members: issuer, kty, use, key_ops (array of string), alg, kid, x5u, x5c (array of string), x5t, x5t#S256, k, x, y, crv, n, e, d, p, q, dp, dq, qi, oth, r, t (all string unless noted). The secret and private-key members k, d, p, q, dp, dq, qi, oth, r and t are referenceable and stored encrypted.
- client_alg (array of string): The algorithm used to sign the client assertion (client_secret_jwt or private_key_jwt), one entry per client_id. Each entry must be one of: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA.
- client_arg (string, default: client_id): The client to use for this request (the selection is made with a request parameter with the same name).
- redirect_uri (array of string): The redirect URI passed to the authorization and token endpoints.
- login_redirect_uri (array of string, referenceable): Where to redirect the client when login_action is set to redirect.
- logout_redirect_uri (array of string, referenceable): Where to redirect the client after the logout.
- forbidden_redirect_uri (array of string): Where to redirect the client on forbidden requests.
- forbidden_error_message (string, default: Forbidden): The error message for the forbidden requests (when not using the redirection).
- forbidden_destroy_session (boolean, default: true): Destroy any active session for the forbidden requests.
- unauthorized_destroy_session (boolean, default: true): Destroy any active session for the unauthorized requests.
- unauthorized_redirect_uri (array of string): Where to redirect the client on unauthorized requests.
- unauthorized_error_message (string, default: Unauthorized): The error message for the unauthorized requests (when not using the redirection).
- unexpected_redirect_uri (array of string): Where to redirect the client when unexpected errors happen with the requests.
- response_mode (string, default: query): The response mode passed to the authorization endpoint. Must be one of:
  - query: instructs the identity provider to pass parameters in the query string
  - form_post: instructs the identity provider to pass parameters in the request body
  - fragment: instructs the identity provider to pass parameters in the URI fragment (rarely useful, because browsers never send the fragment to the server, so the plugin itself cannot read it)
- response_type (array of string, default: code): The response type passed to the authorization endpoint.
- scopes (array of string, referenceable, default: openid): The scopes passed to the authorization and token endpoints.
- audience (array of string): The audience passed to the authorization endpoint.
- issuers_allowed (array of string): The issuers allowed to be present in the tokens (iss claim).
- scopes_required (array of string): The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
- scopes_claim (array of string, default: scope): The claim that contains the scopes.
- audience_required (array of string): The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
- audience_claim (array of string, default: aud): The claim that contains the audience.
- groups_required (array of string): The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
- groups_claim (array of string, default: groups): The claim that contains the groups.
- roles_required (array of string): The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
- roles_claim (array of string, default: roles): The claim that contains the roles.
- domains (array of string): The allowed values for the hd claim.
- max_age (number): The maximum age (in seconds) compared to the auth_time claim.
- authenticated_groups_claim (array of string): The claim that contains authenticated groups. This setting can be used together with the ACL plugin, but it also enables IdP-managed groups with other applications and integrations.
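The following is an added example of the claim-based authorization that the issuers_allowed, domains and *_required / *_claim parameters describe; it is not the plugin's code and not from this page. It assumes three things, each labelled in the code: that an array-valued *_claim is a path into nested claims (for example realm_access then roles), that a scope claim may arrive either as a space-separated string or as a list, and that "works in both AND / OR cases" means a single entry containing spaces is an AND group while separate entries are OR alternatives. The token claims and configs are constructed for the example.

```python
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed access-token claims for the example (shape modelled on a realm-style IdP token).
TOKEN_CLAIMS: Dict[str, Any] = {
    "iss": "https://idp.example.test/realms/demo",
    "aud": ["orders-api", "account"],
    "scope": "openid profile orders:read",   # space-separated string, as introspection usually returns it
    "realm_access": {"roles": ["viewer"]},   # nested claim, reached through a claim path
    "groups": ["/staff"],
    "hd": "example.test",
}


def claim_values(claims: Dict[str, Any], path: List[str]) -> Set[str]:
    """Follow a claim path such as ["realm_access", "roles"] (assumption: array = path)
    and normalise the leaf to a set of strings, splitting space-separated strings."""
    node: Any = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return set()
        node = node[key]
    if isinstance(node, str):
        return set(node.split())
    if isinstance(node, (list, tuple, set)):
        return {str(v) for v in node}
    return {str(node)}


def satisfies(required: Optional[List[str]], present: Set[str]) -> bool:
    """Nothing required: pass. Otherwise pass if any OR alternative has all of its
    space-separated AND members present (assumed reading of "AND / OR cases")."""
    if not required:
        return True
    return any(set(alternative.split()) <= present for alternative in required)


def authorize(claims: Dict[str, Any], config: Dict[str, Any]) -> Tuple[bool, str]:
    """Apply issuers_allowed, domains and the four *_required checks; first failure wins."""
    allowed_issuers = config.get("issuers_allowed")
    if allowed_issuers and claims.get("iss") not in allowed_issuers:
        return False, f"iss {claims.get('iss')!r} not in issuers_allowed"
    domains = config.get("domains")
    if domains and claims.get("hd") not in domains:
        return False, f"hd {claims.get('hd')!r} not in domains"
    checks = [
        ("scopes", "scopes_required", "scopes_claim", ["scope"]),
        ("audience", "audience_required", "audience_claim", ["aud"]),
        ("groups", "groups_required", "groups_claim", ["groups"]),
        ("roles", "roles_required", "roles_claim", ["roles"]),
    ]
    for name, required_key, claim_key, default_path in checks:
        required = config.get(required_key)
        present = claim_values(claims, config.get(claim_key, default_path))
        if not satisfies(required, present):
            return False, f"{name}: required {required}, present {sorted(present)}"
    return True, "ok"


# Two constructed plugin configs: one that should admit the token above, one that should not.
CONFIG_ALLOW = {
    "issuers_allowed": ["https://idp.example.test/realms/demo"],
    "scopes_required": ["orders:read orders:write", "openid profile"],  # (read AND write) OR (openid AND profile)
    "audience_required": ["orders-api"],
    "roles_claim": ["realm_access", "roles"],
    "roles_required": ["admin", "viewer"],                               # admin OR viewer
}
CONFIG_DENY = dict(CONFIG_ALLOW, roles_required=["admin"])
```

The order of the checks is the part worth copying: issuer first, because every later claim is meaningless if the token came from the wrong issuer, and a single failing requirement is enough to deny.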
- authorization_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search. Overrides the authorization endpoint found by discovery.
- authorization_query_args_names (array of string): Extra query argument names passed to the authorization endpoint.
- authorization_query_args_values (array of string): Extra query argument values passed to the authorization endpoint.
- authorization_query_args_client (array of string): Extra query arguments passed from the client to the authorization endpoint.
- authorization_rolling_timeout (number, default: 600): Authorization cookie rolling timeout in seconds: how long the state kept in the authorization cookie during the authorization code flow stays valid. This is a lifetime in seconds, not a network timeout.
- authorization_cookie_name (string, default: authorization): The authorization cookie name.
- authorization_cookie_path (string, default: /, must start with /): A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).
- authorization_cookie_domain (string): The authorization cookie Domain flag.
- authorization_cookie_same_site (string, default: Default): Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Must be one of: Strict, Lax, None, Default. With Default no SameSite attribute is written and the browser's own default applies.
- authorization_cookie_http_only (boolean, default: true): Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
- authorization_cookie_secure (boolean): Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks. No default is listed; set it explicitly to true on any deployment reached over HTTPS.
- preserve_query_args (boolean, default: false): With this parameter, you can preserve request query arguments even when doing the authorization code flow.
- token_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search. Overrides the token endpoint found by discovery.
- token_endpoint_auth_method (string): The token endpoint authentication method. Must be one of:
  - client_secret_basic: send client_id and client_secret in the Authorization: Basic header
  - client_secret_post: send client_id and client_secret as part of the body
  - client_secret_jwt: send a client assertion signed with the client_secret as part of the body
  - private_key_jwt: send a client assertion signed with the private key as part of the body
  - none: do not authenticate
- token_headers_names (array of string): Extra header names passed to the token endpoint.
- token_headers_values (array of string): Extra header values passed to the token endpoint.
- token_headers_client (array of string): Extra headers passed from the client to the token endpoint.
- token_headers_replay (array of string): The names of token endpoint response headers to forward to the downstream client.
- token_headers_prefix (string): Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- token_headers_grants (array of string): Enable the sending of the token endpoint response headers only with certain grants. Must be one of:
  - password: with the OAuth password grant
  - client_credentials: with the OAuth client credentials grant
  - authorization_code: with the authorization code flow
  - refresh_token: with the refresh token grant
- token_post_args_names (array of string): Extra post argument names passed to the token endpoint.
- token_post_args_values (array of string): Extra post argument values passed to the token endpoint.
- token_post_args_client (array of string): Pass extra arguments from the client to the OpenID Connect plugin. If the arguments exist, the client can pass them using query parameters, the request body, or a request header. This parameter can be used with scope values, like this: config.token_post_args_client=scope. In this case, the plugin takes the scope value from the query parameter, the request body, or the header and sends it to the token endpoint. Anything listed here is client-controlled input that reaches your identity provider, so keep the list to arguments the token endpoint is meant to receive from callers.
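To make the token_endpoint_auth_method choices concrete, here is an added example (not the plugin's code, not from this page) that builds the token request the gateway would send for each method, plus the verification an identity provider performs on a client_secret_jwt assertion. The endpoint, client id and secret are constructed placeholders. The assertion follows RFC 7523 and OpenID Connect Core section 9 (iss and sub equal to the client id, aud equal to the token endpoint, jti, iat, exp), signed HS256 with the client secret as the key; private_key_jwt has the same shape signed with the client_jwk private key and is only described, because signing it needs a crypto library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode

# Constructed values for the example; none of them come from the page.
TOKEN_ENDPOINT = "https://idp.example.test/oauth2/token"
CLIENT_ID = "kong-gateway"
CLIENT_SECRET = "constructed-secret-do-not-reuse"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt_assertion(client_id, client_secret, token_endpoint, now=None, ttl=60, jti=None):
    """RFC 7523 client assertion, HS256 keyed with the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,                        # the client vouches for itself ...
        "sub": client_id,
        "aud": token_endpoint,                   # ... to this endpoint only, so it cannot be replayed elsewhere
        "jti": jti or secrets.token_urlsafe(16),  # one-time id; the IdP should reject reuse
        "iat": now,
        "exp": now + ttl,                        # short-lived: the assertion serves a single call
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_client_secret_jwt(assertion, client_secret, token_endpoint, now=None):
    """The identity provider's side: constant-time MAC check first, then aud and exp."""
    head, body, sig = assertion.split(".")
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("client assertion: bad signature")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != token_endpoint:
        raise ValueError("client assertion: wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("client assertion: expired")
    return claims


def token_request(method, grant_params, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                  token_endpoint=TOKEN_ENDPOINT, now=None):
    """Return (headers, form body) of a token request for the given auth method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(grant_params)
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: percent-encode id and secret before joining and Base64-encoding.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret    # the secret itself travels in the body
    elif method == "client_secret_jwt":
        body["client_assertion_type"] = JWT_BEARER
        body["client_assertion"] = client_secret_jwt_assertion(client_id, client_secret, token_endpoint, now)
    elif method == "private_key_jwt":
        # Same claims, signed with the client_jwk private key (RS256/ES256/...), so no
        # shared secret is ever transmitted or stored at the IdP. Needs a crypto library.
        raise NotImplementedError("private_key_jwt: sign the assertion with the client_jwk private key")
    elif method == "none":
        body["client_id"] = client_id            # public client: identity, no proof
    else:
        raise ValueError(f"unknown method {method}")
    return headers, urlencode(body)


def form_fields(body: str) -> dict:
    return dict(parse_qsl(body))


def basic_credentials(headers: dict) -> tuple:
    """Decode what the IdP sees in an Authorization: Basic header."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    return tuple(raw.split(":", 1))
```

The difference between the first two methods and the JWT ones is what a captured request is worth: with client_secret_basic or client_secret_post the request carries the secret itself, with client_secret_jwt it carries a short-lived, audience-bound assertion that proves possession, and with private_key_jwt the identity provider never holds anything that could be used to impersonate the gateway.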
- introspection_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search. Overrides the introspection endpoint found by discovery.
- introspection_endpoint_auth_method (string): The introspection endpoint authentication method. Must be one of: client_secret_basic (send client_id and client_secret in the Authorization: Basic header), client_secret_post (send client_id and client_secret as part of the body), client_secret_jwt (send a client assertion signed with the client_secret as part of the body), private_key_jwt (send a client assertion signed with the private key as part of the body), none (do not authenticate).
- introspection_hint (string, default: access_token): Introspection hint parameter value passed to the introspection endpoint.
- introspection_check_active (boolean, default: true): Check that the introspection response has an active claim with a value of true. Leave this enabled: a revoked or expired token still produces a well-formed introspection response, and active is the field that says it is no longer valid.
- introspection_accept (string, default: application/json): The value of the Accept header for introspection requests. Must be one of:
  - application/json: introspection response as JSON
  - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document)
  - application/jwt: introspection response as JWT (from the obsolete IETF draft document)
- introspection_headers_names (array of string): Extra header names passed to the introspection endpoint.
- introspection_headers_values (array of string, referenceable, encrypted): Extra header values passed to the introspection endpoint.
- introspection_headers_client (array of string): Extra headers passed from the client to the introspection endpoint.
- introspection_post_args_names (array of string): Extra post argument names passed to the introspection endpoint.
- introspection_post_args_values (array of string): Extra post argument values passed to the introspection endpoint.
- introspection_post_args_client (array of string): Extra post arguments passed from the client to the introspection endpoint.
- introspect_jwt_tokens (boolean, default: false): Specifies whether to introspect the JWT access tokens (can be used to check for revocations). A locally verified JWT is accepted until its exp claim; only introspection (or a short cache_ttl_max on the introspection cache) makes a revocation visible before that.
- revocation_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search.
- revocation_endpoint_auth_method (string): The revocation endpoint authentication method. Must be one of: client_secret_basic (send client_id and client_secret in the Authorization: Basic header), client_secret_post (send client_id and client_secret as part of the body), client_secret_jwt (send a client assertion signed with the client_secret as part of the body), private_key_jwt (send a client assertion signed with the private key as part of the body), none (do not authenticate).
- end_session_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search.
- userinfo_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search.
- userinfo_accept (string, default: application/json): The value of the Accept header for user info requests. Must be one of:
  - application/json: user info response as JSON
  - application/jwt: user info response as JWT (from the obsolete IETF draft document)
- userinfo_headers_names (array of string): Extra header names passed to the user info endpoint.
- userinfo_headers_values (array of string): Extra header values passed to the user info endpoint.
- userinfo_headers_client (array of string): Extra headers passed from the client to the user info endpoint.
- userinfo_query_args_names (array of string): Extra query argument names passed to the user info endpoint.
- userinfo_query_args_values (array of string): Extra query argument values passed to the user info endpoint.
- userinfo_query_args_client (array of string): Extra query arguments passed from the client to the user info endpoint.
- token_exchange_endpoint (string): A string representing a URL, such as https://example.com/path/to/resource?q=search.
- session_secret (string, referenceable, encrypted): The session secret. It protects the session cookie, so keep it out of plain configuration files (use a vault reference) and treat rotating it as a "log everyone out" operation; with cookie session storage, rotation is the only way to invalidate existing sessions.
- session_audience (string, default: default): The session audience, which is the intended target application. For example "my-application".
- session_cookie_name (string, default: session): The session cookie name.
- session_remember (boolean, default: false): Enables or disables persistent sessions.
- session_remember_cookie_name (string, default: remember): Persistent session cookie name. Use with the session_remember configuration parameter.
- session_remember_rolling_timeout (number, default: 604800): Persistent session rolling timeout in seconds (the default is 7 days).
- session_remember_absolute_timeout (number, default: 2592000): Persistent session absolute timeout in seconds (the default is 30 days).
- session_idling_timeout (number, default: 900): Session idling timeout in seconds (the default is 15 minutes): a session that receives no request for this long ends.
- session_rolling_timeout (number, default: 3600): Session rolling timeout in seconds (the default is 1 hour): the session must be renewed within this window or it ends.
- session_absolute_timeout (number, default: 86400): Session absolute timeout in seconds (the default is 24 hours): the session ends after this long regardless of activity.
- session_cookie_path (string, default: /, must start with /): A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).
- session_cookie_domain (string): The session cookie Domain flag.
- session_cookie_same_site (string, default: Lax): Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Must be one of: Strict, Lax, None, Default.
- session_cookie_http_only (boolean, default: true): Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
- session_cookie_secure (boolean): Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks. No default is listed; set it explicitly to true on any deployment reached over HTTPS.
- session_request_headers (set of string): Session attributes to add as headers to the request sent upstream. Each entry must be one of: id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout.
- session_response_headers (set of string): Session attributes to add as headers to the response sent downstream. Each entry must be one of: id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout.
- session_storage (string, default: cookie): The session storage for session data. Must be one of:
  - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing the session secret, but it is stateless and doesn't require a database)
  - memcache or memcached: stores session data in memcached
  - redis: stores session data in Redis
- session_store_metadata (boolean, default: false): Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- session_enforce_same_subject (boolean, default: false): When set to true, audiences are forced to share the same subject.
- session_hash_subject (boolean, default: false): When set to true, the value of the subject is hashed before being stored. Only applies when session_store_metadata is enabled.
- session_hash_storage_key (boolean, default: false): When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
- session_memcached_prefix (string): The memcached session key prefix.
- session_memcached_socket (string): The memcached unix socket path.
- session_memcached_host (string, default: 127.0.0.1): The memcached host.
- session_memcached_port (integer, default: 11211, between 0 and 65535): The memcached port.
- session_redis_prefix (string): The Redis session key prefix.
- session_redis_socket (string): The Redis unix socket path.
- session_redis_host (string, default: 127.0.0.1): The Redis host.
- session_redis_port (integer, default: 6379, between 0 and 65535): The Redis port.
- session_redis_username (string, referenceable): Username to use for the Redis connection when the redis session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username cannot be set to default.
- session_redis_password (string, referenceable, encrypted): Password to use for the Redis connection when the redis session storage is defined. If undefined, no AUTH commands are sent to Redis.
- session_redis_connect_timeout (integer): Network IO timeout in milliseconds.
- session_redis_read_timeout (integer): Network IO timeout in milliseconds.
- session_redis_send_timeout (integer): Network IO timeout in milliseconds.
- session_redis_ssl (boolean, default: false): Use SSL/TLS for the Redis connection.
- session_redis_ssl_verify (boolean, default: false): Verify the Redis server certificate when session_redis_ssl is enabled. Without it, TLS to Redis only hides the traffic from passive observers; it does not stop an impersonated server from receiving the session data.
- session_redis_server_name (string): The SNI used for connecting to the Redis server.
- session_redis_cluster_nodes (array of record): The Redis cluster nodes. Takes an array of host records, each with an ip (or host) and a port value:
  - ip (string, required, default: 127.0.0.1): A string representing a host name, such as example.com.
  - port (integer, default: 6379, between 0 and 65535): An integer representing a port number between 0 and 65535, inclusive.
- session_redis_cluster_max_redirections (integer): The Redis cluster maximum redirects.
- reverify (boolean, default: false): Specifies whether to always verify tokens stored in the session.
- jwt_session_claim (string, default: sid): The claim to match against the JWT session cookie.
- jwt_session_cookie (string): The name of the JWT session cookie.
- bearer_token_param_type (array of string, default: header, query, body): Where to look for the bearer token. Must be one of:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
  - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name
  Tokens passed in the query string end up in access logs, browser history and Referer headers, so restrict this to header unless a client genuinely cannot send an Authorization header.
- bearer_token_cookie_name (string): The name of the cookie in which the bearer token is passed.
- client_credentials_param_type (array of string, default: header, query, body): Where to look for the client credentials. Must be one of: header (search the HTTP headers), query (search the URL's query string), body (search the HTTP request body).
- password_param_type (array of string, default: header, query, body): Where to look for the username and password. Must be one of: header (search the HTTP headers), query (search the URL's query string), body (search the HTTP request body).
- id_token_param_type (array of string, default: header, query, body): Where to look for the id token. Must be one of: header (search the HTTP headers), query (search the URL's query string), body (search the HTTP request body).
- id_token_param_name (string): The name of the parameter used to pass the id token.
- refresh_token_param_type (array of string, default: header, query, body): Where to look for the refresh token. Must be one of: header (search the HTTP headers), query (search the URL's query string), body (search the HTTP request body).
- refresh_token_param_name (string): The name of the parameter used to pass the refresh token.
- refresh_tokens (boolean, default: true): Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
- upstream_headers_claims (array of string): The upstream header claims.
- upstream_headers_names (array of string): The upstream header names for the claim values.
- upstream_access_token_header (string, default: authorization:bearer): The upstream access token header.
- upstream_access_token_jwk_header (string): The upstream access token JWK header.
- upstream_id_token_header (string): The upstream id token header.
- upstream_id_token_jwk_header (string): The upstream id token JWK header.
- upstream_refresh_token_header (string): The upstream refresh token header.
- upstream_user_info_header (string): The upstream user info header.
- upstream_user_info_jwt_header (string): The upstream user info JWT header (in case the user info returns a JWT response).
- upstream_introspection_header (string): The upstream introspection header.
- upstream_introspection_jwt_header (string): The upstream introspection JWT header (in case the introspection endpoint returns a JWT response).
- upstream_session_id_header (string): The upstream session id header.
- downstream_headers_claims (array of string): The downstream header claims.
- downstream_headers_names (array of string): The downstream header names for the claim values.
- downstream_access_token_header (string): The downstream access token header.
- downstream_access_token_jwk_header (string): The downstream access token JWK header.
- downstream_id_token_header (string): The downstream id token header.
- downstream_id_token_jwk_header (string): The downstream id token JWK header.
- downstream_refresh_token_header (string): The downstream refresh token header.
- downstream_user_info_header (string): The downstream user info header.
- downstream_user_info_jwt_header (string): The downstream user info JWT header (in case the user info returns a JWT response).
- downstream_introspection_header (string): The downstream introspection header.
- downstream_introspection_jwt_header (string): The downstream introspection JWT header (in case the introspection endpoint returns a JWT response).
- downstream_session_id_header (string): The downstream session id header.
Every upstream_* or downstream_* header you enable is another place a credential lands (upstream logs, browser-visible response headers); forward the refresh token and the full introspection body only to consumers that need them.
- login_methods (array of string, default: authorization_code): Enable login functionality with the specified grants. Each entry must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session.
- login_action (string, default: upstream): What to do after a successful login. Must be one of:
  - upstream: proxy the request to the upstream service
  - response: terminate the request with a response
  - redirect: redirect to a different location
- login_tokens (array of string, default: id_token): What tokens to include in the response body, or in the redirect query string or fragment. Must be one of:
  - id_token: include the id token
  - access_token: include the access token
  - refresh_token: include the refresh token
  - tokens: include the full token endpoint response
  - introspection: include the introspection response
- login_redirect_mode (string, default: fragment): Where to place login_tokens when using the redirect login_action. Must be one of:
  - query: place tokens in the query string
  - fragment: place tokens in the URL fragment (not readable by servers)
- logout_query_arg (string): The request query argument that activates the logout.
- logout_post_arg (string): The request body argument that activates the logout.
- logout_uri_suffix (string): The request URI suffix that activates the logout.
- logout_methods (array of string, default: POST, DELETE): The request methods that can activate the logout. Must be one of: POST (HTTP POST method), GET (HTTP GET method), DELETE (HTTP DELETE method). Allowing GET lets any third-party page log a user out by embedding the logout URL in an image or link, so keep the default unless the identity provider's logout flow requires GET.
- logout_revoke (boolean, default: false): Revoke tokens as part of the logout.
- logout_revoke_access_token (boolean, default: true): Revoke the access token as part of the logout (takes effect only when logout_revoke is true).
- logout_revoke_refresh_token (boolean, default: true): Revoke the refresh token as part of the logout (takes effect only when logout_revoke is true).
- consumer_claim (array of string): The claim used for consumer mapping.
- consumer_by (array of string, default: username, custom_id): Consumer fields used for mapping. Must be one of:
  - id: try to find the matching Consumer by id
  - username: try to find the matching Consumer by username
  - custom_id: try to find the matching Consumer by custom_id
- consumer_optional (boolean, default: false): Do not terminate the request if consumer mapping fails.
- credential_claim (array of string, default: sub): The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.
- anonymous (string): An optional string (consumer UUID or username) value that functions as an "anonymous" consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
- run_on_preflight (boolean, default: true): Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
- leeway (number, default: 0): Allow some leeway (in seconds) on the ttl / expiry verification.
- verify_parameters (boolean, default: false): Verify the plugin configuration against discovery.
- verify_nonce (boolean, default: true): Verify the nonce on the authorization code flow.
- verify_claims (boolean, default: true): Verify tokens for standard claims.
- verify_signature (boolean, default: true): Verify the signature of tokens.
- ignore_signature (array of string): Skip the token signature verification on certain grants. Must be one of:
  - password: OAuth password grant
  - client_credentials: OAuth client credentials grant
  - authorization_code: authorization code flow
  - refresh_token: OAuth refresh token grant
  - session: session cookie authentication
  - introspection: OAuth introspection
  - userinfo: OpenID Connect user info endpoint authentication
  Skipping is only defensible for tokens the plugin itself just received from the token endpoint over a verified TLS connection; a token presented by a caller must always be verified.
- enable_hs_signatures (boolean, default: false): Enable shared secret (for example, HS256) signatures; when disabled they will not be accepted. With HS* signatures every party that holds the shared secret can mint tokens the plugin accepts, which is why asymmetric signatures are the default.
- disable_session (array of string): Disable issuing the session cookie with the specified grants. Each entry must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session.
- cache_ttl (number, default: 3600): The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- cache_ttl_max (number): The maximum cache ttl in seconds (enforced).
- cache_ttl_min (number): The minimum cache ttl in seconds (enforced).
- cache_ttl_neg (number): The negative cache ttl in seconds.
- cache_ttl_resurrect (number): The resurrection ttl in seconds.
- cache_tokens (boolean, default: true): Cache the token endpoint requests.
- cache_tokens_salt (string): Salt used for generating the cache key that is used for caching the token endpoint requests.
- cache_introspection (boolean, default: true): Cache the introspection endpoint requests. A revocation becomes visible only once the cached result expires, so bound the cache with cache_ttl_max if revocation latency matters.
- cache_token_exchange (boolean, default: true): Cache the token exchange endpoint requests.
- cache_user_info (boolean, default: true): Cache the user info requests.
- search_user_info (boolean, default: false): Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- hide_credentials (boolean, default: false): Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- http_version (number, default: 1.1): The HTTP version used for the requests by this plugin: 1.1 (HTTP 1.1, the default) or 1.0 (HTTP 1.0).
- http_proxy (string): A string representing a URL, such as https://example.com/path/to/resource?q=search. The HTTP proxy for the plugin's outbound requests.
- http_proxy_authorization (string): The HTTP proxy authorization.
- https_proxy (string): A string representing a URL, such as https://example.com/path/to/resource?q=search. The HTTPS proxy for the plugin's outbound requests.
- https_proxy_authorization (string): The HTTPS proxy authorization.
- no_proxy (string): Do not use the proxy with these hosts.
- keepalive (boolean, default: true): Use keepalive with the HTTP client.
- ssl_verify (boolean, default: false): Verify the identity provider server certificate. The default is off, which leaves discovery, JWKS, token, introspection and userinfo calls open to an on-path impersonator; enable it anywhere outside a lab and make sure the issuing CA is in Kong's lua_ssl_trusted_certificate.
- timeout (number, default: 10000): Network IO timeout in milliseconds.
- display_errors (boolean, default: false): Display errors on failure responses.
- by_username_ignore_case (boolean, default: false): If consumer_by is set to username, specify whether username can match consumers case-insensitively.
- resolve_distributed_claims (boolean, default: false): Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
- expose_error_code (boolean, default: true)
- token_cache_key_include_scope (boolean, default: false): Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- using_pseudo_issuer (boolean, default: false): If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.
The following parameters are deprecated (each carries a deprecation notice in the schema); their replacements are the similarly named parameters listed above (for example authorization_cookie_same_site, session_cookie_same_site, session_memcached_host and session_redis_cluster_max_redirections):
- authorization_cookie_lifetime (number)
- authorization_cookie_samesite (string)
- authorization_cookie_httponly (boolean)
- session_cookie_lifetime (number)
- session_cookie_idletime (number)
- session_cookie_samesite (string)
- session_cookie_httponly (boolean)
- session_memcache_prefix (string)
- session_memcache_socket (string)
- session_memcache_host (string)
- session_memcache_port (integer)
- session_redis_cluster_maxredirections (integer)
- session_cookie_renew (number)
- session_cookie_maxsize (integer)
- session_strategy (string)
- session_compressor (string)
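Because the documented defaults favour compatibility over strictness (ssl_verify off, every grant enabled, bearer tokens accepted from the query string, no Secure flag on the cookies), here is an added example, written for this page rather than taken from Kong, of a small lint that walks a plugin config dict against the parameters above and reports the settings a reviewer would flag. The defaults table mirrors the reference; the leeway threshold, the hardened sample config and its vault reference are this example's own assumptions.

```python
from typing import Any, Dict, List

# Documented defaults for the fields this lint inspects (taken from the reference above).
DEFAULTS: Dict[str, Any] = {
    "auth_methods": ["password", "client_credentials", "authorization_code", "bearer",
                     "introspection", "userinfo", "kong_oauth2", "refresh_token", "session"],
    "bearer_token_param_type": ["header", "query", "body"],
    "ssl_verify": False,
    "session_storage": "cookie",
    "session_redis_ssl": False,
    "session_redis_ssl_verify": False,
    "session_cookie_secure": None,            # no default listed
    "authorization_cookie_secure": None,      # no default listed
    "session_cookie_http_only": True,
    "authorization_cookie_http_only": True,
    "session_cookie_same_site": "Lax",
    "verify_signature": True,
    "verify_claims": True,
    "verify_nonce": True,
    "ignore_signature": [],
    "enable_hs_signatures": False,
    "leeway": 0,
    "client_auth": [],
    "token_endpoint_auth_method": None,
    "display_errors": False,
}
MAX_LEEWAY_SECONDS = 300   # this example's threshold, not a Kong limit


def lint(config: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means the checklist passed."""
    c = {**DEFAULTS, **config}
    findings: List[str] = []
    if not c["ssl_verify"]:
        findings.append("ssl_verify=false: IdP TLS certificate is not verified; discovery, JWKS, "
                        "token and introspection responses can be spoofed on-path")
    if c["session_storage"] == "redis" and c["session_redis_ssl"] and not c["session_redis_ssl_verify"]:
        findings.append("session_redis_ssl_verify=false: TLS to the session store does not "
                        "authenticate the Redis server")
    if c["session_storage"] == "cookie":
        findings.append("session_storage=cookie: sessions cannot be revoked server-side except by "
                        "rotating session_secret (stateless by design)")
    for flag in ("verify_signature", "verify_claims", "verify_nonce"):
        if not c[flag]:
            findings.append(f"{flag}=false: token validation is partially disabled")
    if c["ignore_signature"]:
        findings.append(f"ignore_signature={c['ignore_signature']}: signatures skipped for these grants")
    if c["enable_hs_signatures"]:
        findings.append("enable_hs_signatures=true: anyone holding the shared secret can mint accepted tokens")
    if c["leeway"] > MAX_LEEWAY_SECONDS:
        findings.append(f"leeway={c['leeway']}s: expired tokens accepted for longer than {MAX_LEEWAY_SECONDS}s")
    for cookie in ("session_cookie", "authorization_cookie"):
        if c[f"{cookie}_secure"] is not True:
            findings.append(f"{cookie}_secure is not true: cookie may be sent over plain HTTP")
        if not c[f"{cookie}_http_only"]:
            findings.append(f"{cookie}_http_only=false: cookie readable from JavaScript")
    if c["session_cookie_same_site"] == "None":
        findings.append("session_cookie_same_site=None: session cookie sent on cross-site requests (CSRF surface)")
    if "query" in c["bearer_token_param_type"]:
        findings.append("bearer_token_param_type includes query: tokens in URLs land in access logs and Referer headers")
    if "password" in c["auth_methods"]:
        findings.append("auth_methods includes password: the resource owner password grant exposes user "
                        "passwords to the gateway and is deprecated by the OAuth 2.0 Security BCP")
    if "none" in c["client_auth"] or c["token_endpoint_auth_method"] == "none":
        findings.append("client authentication 'none': the gateway calls the IdP as a public client")
    if c["display_errors"]:
        findings.append("display_errors=true: failure details are returned to the caller")
    return findings


# Constructed hardened config that the checklist accepts; issuer and the vault path are placeholders.
HARDENED: Dict[str, Any] = {
    "issuer": "https://idp.example.test/realms/demo",
    "ssl_verify": True,
    "auth_methods": ["authorization_code", "session", "bearer"],
    "bearer_token_param_type": ["header"],
    "session_storage": "redis",
    "session_redis_ssl": True,
    "session_redis_ssl_verify": True,
    "session_secret": "{vault://env/OIDC_SESSION_SECRET}",
    "session_cookie_secure": True,
    "authorization_cookie_secure": True,
    "client_auth": ["client_secret_jwt"],
}
```

Running lint on an empty dict shows what a deployment that only sets issuer and client credentials actually gets; running it on the config you are about to apply (the config block of the decK entry or Admin API payload) is a cheap pre-deploy check.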