Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The Upstream OAuth plugin is compatible with the following protocols:

grpc, grpcs, http, https

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:
- `name` (string, required): The name of the plugin, in this case `upstream-oauth`. If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is `name`. If using a KongPlugin object in Kubernetes, the field is `plugin`.
- (string): An optional custom name to identify an instance of the plugin, for example `upstream-oauth_my-service`. The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example on multiple services. It can also be used to access a specific plugin instance via the Kong Admin API. An instance name must be unique within the following context:
  - within a workspace for Kong Gateway Enterprise
  - within a control plane (CP) or control plane (CP) group for Konnect
  - globally for Kong Gateway (OSS)
- (string): The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level `/plugins` endpoint. Not required if using `/services/{serviceName|Id}/plugins`.
- (string): The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level `/plugins` endpoint. Not required if using `/routes/{routeName|Id}/plugins`.
- (string): The name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level `/plugins` endpoint. Not required if using `/consumers/{consumerName|Id}/plugins`.
- (string): The name or ID of the consumer group the plugin targets. If set, the plugin will activate only for requests where the specified group has been authenticated. Set one of these parameters if adding the plugin to a consumer group through the top-level `/plugins` endpoint. Not required if using `/consumer_groups/{consumerGroupName|Id}/plugins`.
- (boolean, default `true`): Whether this plugin will be applied.
- `config` (record, required)
  - (record, required): Settings for the HTTP client the plugin uses to talk to the IdP.
    - (string, required, default `client_secret_post`; one of `client_secret_post`, `client_secret_basic`, `client_secret_jwt`, `none`): The authentication method used in client requests to the IdP. `client_secret_basic` sends `client_id` and `client_secret` in the `Authorization: Basic` header; `client_secret_post` sends `client_id` and `client_secret` as part of the request body; `client_secret_jwt` sends a JWT signed with the `client_secret`, using the client assertion as part of the body; `none` performs no client authentication.
    - (string, required, default `HS512`; one of `HS512`, `HS256`): The algorithm to use with JWT when using `client_secret_jwt` authentication.
    - (number, default `1.1`): The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.
    - `http_proxy` (string): The proxy to use when making HTTP requests to the IdP.
    - (string): The `Proxy-Authorization` header value to be used with `http_proxy`.
    - `https_proxy` (string): The proxy to use when making HTTPS requests to the IdP.
    - (string): The `Proxy-Authorization` header value to be used with `https_proxy`.
    - (string): A comma-separated list of hosts that should not be proxied.
    - (integer, required, default `10000`, between 0 and 2147483646): Network I/O timeout for requests to the IdP in milliseconds.
    - (boolean, required, default `true`): Whether to use keepalive connections to the IdP.
    - (boolean, default `false`): Whether to verify the certificate presented by the IdP when using HTTPS. With the default `false`, any certificate is accepted, so anyone who can redirect traffic to the token endpoint can capture the client credentials and hand back tokens of their choosing; set it to `true` outside of test setups and make sure the IdP's CA is trusted by Kong (`lua_ssl_trusted_certificate` in `kong.conf`).
  - `config.oauth` (record, required): The OAuth client registration and grant used to obtain tokens.
    - (string, required): The token endpoint URI.
    - (map): Extra headers to be passed in the token endpoint request.
    - (map): Extra post arguments to be passed in the token endpoint request.
    - `grant_type` (string, required, default `client_credentials`; one of `client_credentials`, `password`): The OAuth grant type to be used.
    - (string, referenceable, encrypted): The client ID for the application registration in the IdP.
    - (string, referenceable, encrypted): The client secret for the application registration in the IdP. Because the field is referenceable, the secret can be supplied as a vault reference rather than written into the configuration.
    - (string, referenceable, encrypted): The username to use if `config.oauth.grant_type` is set to `password`.
    - (string, referenceable, encrypted): The password to use if `config.oauth.grant_type` is set to `password`.
    - (array of string, default `openid`): List of scopes to request from the IdP when obtaining a new token.
    - (array of string): List of audiences passed to the IdP when obtaining a new token.
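As an added example (not Kong's code, and not from this page), the following Python models how the client authentication method and the `config.oauth` settings above map onto the token-endpoint request the plugin sends: the `Authorization: Basic` header for `client_secret_basic`, the form fields for `client_secret_post`, and the RFC 7523 client assertion for `client_secret_jwt`, together with the IdP-side verification of that assertion and a pre-flight check for the settings a reviewer would flag (a plain-HTTP token endpoint, or certificate verification left at its `false` default). Key names in the config dict are illustrative, chosen to match the field descriptions rather than copied from the plugin schema; the sample values are constructed, and sending each audience as a repeated `audience` parameter is an assumption.

```python
# Added example, not Kong's code: how config.client.auth_method and the config.oauth
# settings shape the token-endpoint request. Config key names are illustrative.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

_HMAC = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}
_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def client_secret_jwt(client_id, client_secret, token_endpoint, alg="HS512", now=None, ttl=60):
    """Client assertion per RFC 7523: iss/sub = client_id, aud = token endpoint,
    short exp and a unique jti so the IdP can reject replays."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": token_endpoint,
                                 "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)},
                                separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{claims}".encode(), _HMAC[alg]).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_client_secret_jwt(assertion, client_secret, token_endpoint, now=None):
    """IdP side: pin the algorithm family, constant-time signature check, then aud and exp."""
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    alg = json.loads(_unb64url(header_b64)).get("alg")
    if alg not in _HMAC:  # never let the token choose 'none' or another key type
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(), _HMAC[alg]).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != token_endpoint or claims.get("exp", 0) <= now:
        raise ValueError("assertion not valid for this endpoint or time")
    return claims

def build_token_request(config, now=None):
    """Return {'url', 'headers', 'body'} for the token request the plugin would send."""
    client, oauth = config["client"], config["oauth"]
    form = {"grant_type": oauth["grant_type"]}
    if oauth["grant_type"] == "password":  # resource-owner credentials go in the body
        form["username"], form["password"] = oauth["username"], oauth["password"]
    if oauth.get("scopes"):
        form["scope"] = " ".join(oauth["scopes"])  # RFC 6749: space-delimited scope string
    if oauth.get("audience"):
        form["audience"] = oauth["audience"]  # one repeated parameter per audience (assumption)
    form.update(oauth.get("token_post_args") or {})  # extra POST arguments
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    headers.update(oauth.get("token_headers") or {})  # extra headers
    method = client["auth_method"]
    if method == "client_secret_basic":
        cred = f"{oauth['client_id']}:{oauth['client_secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode("ascii")
    elif method == "client_secret_post":
        form["client_id"], form["client_secret"] = oauth["client_id"], oauth["client_secret"]
    elif method == "client_secret_jwt":
        form["client_id"] = oauth["client_id"]
        form["client_assertion_type"] = _ASSERTION_TYPE
        form["client_assertion"] = client_secret_jwt(
            oauth["client_id"], oauth["client_secret"], oauth["token_endpoint"],
            client.get("client_secret_jwt_alg", "HS512"), now)
    elif method != "none":  # 'none' sends no client credentials at all
        raise ValueError(f"unknown auth_method {method!r}")
    return {"url": oauth["token_endpoint"], "headers": headers, "body": urlencode(form, doseq=True)}

def check_client_config(config):
    """Pre-flight warnings a reviewer would raise before enabling the plugin."""
    client, oauth = config["client"], config["oauth"]
    warnings = []
    if oauth["token_endpoint"].startswith("http://"):
        warnings.append("token endpoint is plain HTTP: client credentials travel in cleartext")
    elif not client.get("ssl_verify", False):  # the plugin default is false
        warnings.append("ssl_verify is false: the IdP certificate is not checked, so the "
                        "token endpoint (and the secret sent to it) can be intercepted")
    return warnings

def decode_basic(header_value):  # inspection helper: credentials inside a Basic header
    return base64.b64decode(header_value.split(" ", 1)[1]).decode("ascii")

def parse_form(body):  # inspection helper: form body -> {name: [values]}
    return parse_qs(body)

def sample_config(auth_method="client_secret_basic"):
    """Constructed sample values, not a real deployment."""
    return {"client": {"auth_method": auth_method, "client_secret_jwt_alg": "HS256", "ssl_verify": False},
            "oauth": {"token_endpoint": "https://idp.example.com/oauth2/token",
                      "grant_type": "client_credentials", "client_id": "kong-upstream",
                      "client_secret": "s3cret", "scopes": ["openid", "orders:read"],
                      "audience": ["https://orders.internal"], "token_post_args": {"resource": "orders"}}}
```

Run `build_token_request(sample_config("client_secret_jwt"))` to see the assertion-based form, and `check_client_config(sample_config())` to see the warning the default `ssl_verify` produces. The verifier deliberately looks the algorithm up from its own allow-list before touching the signature, so a forged header cannot downgrade the check.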
  - (record, required): How tokens obtained from the IdP are cached.
    - (string, required, default `memory`; one of `memory`, `redis`): The method Kong should use to cache tokens issued by the IdP.
    - (record, required): Settings for the `memory` strategy.
    - (record, required): Redis connection settings, used with the `redis` strategy. Cached access tokens are bearer credentials, so anyone who can read this Redis instance can replay them against the upstream: authenticate the connection, enable SSL where the instance is reachable over a network, and don't share the instance with untrusted tenants.
      - (string, default `127.0.0.1`): A string representing a host name, such as example.com.
      - (integer, default `6379`, between 0 and 65535): An integer representing a port number between 0 and 65535, inclusive.
      - (integer, default `2000`, between 0 and 2147483646): An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
      - (integer, default `2000`, between 0 and 2147483646): An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
      - (integer, default `2000`, between 0 and 2147483646): An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
      - (string, referenceable): Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
      - (string, referenceable, encrypted): Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
      - (string, referenceable): Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
      - (string, referenceable, encrypted): Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
      - (integer, default `0`): Database to use for the Redis connection when using the `redis` strategy.
      - `keepalive_pool_size` (integer, default `256`, between 1 and 2147483646): The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
      - `keepalive_backlog` (integer, between 0 and 2147483646): Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.
      - (string): Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
      - (string; one of `master`, `slave`, `any`): Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.
      - (array of record, minimum length 1): Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel.
      - (array of record, minimum length 1): Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster.
      - (boolean, default `false`): If set to true, uses SSL to connect to Redis.
      - (boolean, default `false`): If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
      - (string): A string representing an SNI (server name indication) value for TLS.
      - (integer, default `5`): Maximum retry attempts for redirection.
      - (boolean, default `false`): If the connection to Redis is proxied (e.g. Envoy), set it to `true`. Set the host and port to point to the proxy address.
    - (integer, required, default `5`): The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.
    - (number, default `3600`): The lifetime, in seconds, of a token without an explicit `expires_in` value.
  - (record, required): How the token is forwarded to the upstream and what is returned to the consumer when no token can be obtained.
    - (string, required, default `Authorization`): The name of the header used to send the access token (obtained from the IdP) to the upstream service.
    - (integer, required, default `502`, between 500 and 599): The response code to return to the consumer if Kong fails to obtain a token from the IdP.
    - (string, required, default `application/json; charset=utf-8`): The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.
    - (string, required, default `Failed to authenticate request to upstream`): The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.
    - (string, required, default `{ "code": "{{status}}", "message": "{{message}}" }`): The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP. `{{status}}` and `{{message}}` are replaced with the configured status code and message.
    - (array of integer, default `401`): An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality. Purging makes the next request fetch a new token, so an upstream that returns a listed status for reasons unrelated to the token will drive one token request to the IdP per client request.
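As an added example (not Kong's code, and not from this page), the following Python models the caching and failure handling described under `config.cache` and `config.behavior`: a token's cache lifetime is `expires_in` (or the default TTL when the IdP omits it) minus the eager-expiry margin; an upstream status in the purge list drops the cached token so the next request fetches a fresh one; and a failed token fetch is answered with the configured status code, content type and rendered body template. The IdP, upstream and clock are constructed stand-ins, the settings keys are illustrative names, and the `Bearer` prefix on the forwarded header is an assumption.

```python
# Added example, not Kong's code: the token caching and failure handling described
# under config.cache and config.behavior, as an in-memory model. Settings keys are
# illustrative names; the IdP, upstream and clock are constructed stand-ins.
import time

class IdpError(Exception):
    """Raised by the token fetch when the IdP cannot issue a token."""

class TokenCache:
    """One cached access token per key, honouring the eager-expiry margin."""

    def __init__(self, settings, now=time.time):
        self.settings = settings  # {"eagerly_expire": seconds, "default_ttl": seconds}
        self.now = now            # clock, injectable so the scenario below is deterministic
        self._entries = {}        # key -> (access_token, expires_at)

    def ttl_for(self, token_response):
        # lifetime comes from expires_in, or default_ttl when the IdP omits it; subtracting
        # eagerly_expire keeps a token that is about to die from being handed to the upstream
        lifetime = token_response.get("expires_in", self.settings["default_ttl"])
        return max(0, lifetime - self.settings["eagerly_expire"])

    def get(self, key):
        entry = self._entries.get(key)
        if entry and entry[1] > self.now():
            return entry[0]
        self._entries.pop(key, None)  # expired: drop it so the caller fetches a new one
        return None

    def put(self, key, token_response):
        self._entries[key] = (token_response["access_token"], self.now() + self.ttl_for(token_response))

    def purge(self, key):
        self._entries.pop(key, None)

def render_idp_error(behavior):
    """Response sent to the consumer when the token fetch fails."""
    status = behavior["idp_error_response_status_code"]
    body = (behavior["idp_error_response_body_template"]
            .replace("{{status}}", str(status))
            .replace("{{message}}", behavior["idp_error_response_message"]))
    return status, {"Content-Type": behavior["idp_error_response_content_type"]}, body

def proxy(request, cache, fetch_token, call_upstream, behavior, key="svc"):
    """Attach a cached or fresh token, forward the request, react to the upstream status."""
    token = cache.get(key)
    if token is None:
        try:
            response = fetch_token()
        except IdpError:
            return render_idp_error(behavior)
        cache.put(key, response)
        token = response["access_token"]
    headers = dict(request.get("headers", {}))
    headers[behavior["upstream_access_token_header_name"]] = f"Bearer {token}"  # Bearer prefix assumed
    status, body = call_upstream({**request, "headers": headers})
    if status in behavior["purge_token_on_upstream_status_codes"]:
        cache.purge(key)  # next request fetches a new token instead of replaying a rejected one
    return status, headers, body

BEHAVIOR = {  # the defaults listed above
    "upstream_access_token_header_name": "Authorization",
    "idp_error_response_status_code": 502,
    "idp_error_response_content_type": "application/json; charset=utf-8",
    "idp_error_response_message": "Failed to authenticate request to upstream",
    "idp_error_response_body_template": '{ "code": "{{status}}", "message": "{{message}}" }',
    "purge_token_on_upstream_status_codes": [401],
}

def run_scenario():
    """Deterministic walk-through: cache hit, eager expiry, purge on 401, IdP outage."""
    clock, idp, upstream = {"t": 1000.0}, {"calls": 0, "down": False}, {"status": 200, "seen": []}

    def fetch_token():  # stand-in IdP: numbered tokens, 60 s lifetime
        idp["calls"] += 1
        if idp["down"]:
            raise IdpError("idp unreachable")
        return {"access_token": f"tok{idp['calls']}", "expires_in": 60}

    def call_upstream(req):  # stand-in upstream: records the token it received
        upstream["seen"].append(req["headers"]["Authorization"])
        return upstream["status"], "ok"

    cache = TokenCache({"eagerly_expire": 5, "default_ttl": 3600}, now=lambda: clock["t"])

    def step():
        return proxy({"headers": {}}, cache, fetch_token, call_upstream, BEHAVIOR)

    responses = [step(), step()]  # first call fetches tok1, second reuses it from cache
    clock["t"] += 56              # 60 s lifetime minus the 5 s margin has passed
    responses.append(step())      # cache miss: tok2 fetched
    upstream["status"] = 401
    responses.append(step())      # tok2 rejected upstream, so it is purged
    upstream["status"] = 200
    responses.append(step())      # cache miss: tok3 fetched
    idp["down"] = True
    cache.purge("svc")
    responses.append(step())      # no token obtainable: 502 with the rendered body
    return {"idp_calls": idp["calls"], "tokens_sent": upstream["seen"], "responses": responses}
```

`run_scenario()` returns the IdP call count, the sequence of tokens the upstream saw, and each consumer-facing response; the walk-through shows why `eagerly_expire` matters (the second fetch happens 55 s after the first, not 60 s) and why a permissive purge list can turn upstream errors into IdP load.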