コンテンツにスキップ
|
Plugin Hub
report-issue問題を報告する
header icon

Upstream OAuth Configuration

By Kong Inc.

このページは、まだ日本語ではご利用いただけません。翻訳中です。

構成

このプラグインはDBレスモードに対応しています。

互換性のあるプロトコル

Upstream OAuthプラグインは以下のプロトコルに対応しています:

grpc, grpcs, http, https

パラメータ

このプラグインの設定で使用できるすべてのパラメータのリストは次のとおりです。

  • name or plugin

    string required

    プラグイン名。この場合は upstream-oauth

    • Kong Admin API、Kong Konnect API、宣言型構成、または decK ファイルを使用する場合、フィールドはnameです。
    • Kubernetes で KongPlugin オブジェクトを使用する場合、フィールドはpluginです。

  • instance_name

    string

    プラグインのインスタンスを識別するための任意のカスタム名 (例: upstream-oauth_my-service

    インスタンス名はKong ManagerとKonnectに表示されるので、 例えば複数のサービスで同じプラグインを複数のコンテキストで実行する場合に便利です。また、Kong Admin API経由で特定のプラグインインスタンスに アクセスするためにも使用できます。

    インスタンス名は、次のコンテキスト内で一意である必要があります。

    • Kong Gateway Enterpriseのワークスペース内
    • Konnectのコントロールプレーン(CP)またはコントロールプレーン(CP)グループ内
    • Kong Gateway (OSS)の全世界

  • service.name or service.id

    string

    プラグインが対象とするサービス名または ID。最上位の /plugins エンドポイント. からプラグインをサービスに追加する場合は、これらのパラメータのいずれかを設定してください /services/{serviceName|Id}/plugins を使用する場合は必要ありません。

  • route.name or route.id

    string

    プラグインがターゲットとするルート名または ID。最上位の /plugins エンドポイント. を通るルートにプラグインを追加する場合は、これらのパラメータのいずれかを設定してください /routes/{routeName|Id}/plugins を使用する場合は必要ありません。

  • consumer.name or consumer.id

    string

    プラグインがターゲットとするコンシューマーの名前または ID。 最上位の /plugins エンドポイント. からコンシューマーにプラグインを追加する場合は、これらのパラメーターのいずれかを設定してください /consumers/{consumerName|Id}/pluginsを使用する場合は必要ありません。

  • consumer_group.name or consumer_group.id

    string

    プラグインが対象とするコンシューマグループの名前または ID。 設定されている場合、プラグインは指定されたグループが認証されているリクエストに対してのみアクティブになります/plugins エンドポイント. /consumer_groups/{consumerGroupName|Id}/pluginsを使用する場合は必要ありません。

  • enabled

    boolean default: true

    このプラグインが適用されるかどうか。

  • config

    record required

    • client

      record required

      • auth_method

        string required default: client_secret_post Must be one of: client_secret_post, client_secret_basic, client_secret_jwt, none

        The authentication method used in client requests to the IdP. Supported values are: client_secret_basic to send client_id and client_secret in the Authorization: Basic header, client_secret_post to send client_id and client_secret as part of the request body, or client_secret_jwt to send a JWT signed with the client_secret using the client assertion as part of the body.

      • client_secret_jwt_alg

        string required default: HS512 Must be one of: HS512, HS256

        The algorithm to use with JWT when using client_secret_jwt authentication.

      • http_version

        number default: 1.1

        The HTTP version used for requests made by this plugin. Supported values: 1.1 for HTTP 1.1 and 1.0 for HTTP 1.0.

      • http_proxy

        string

        The proxy to use when making HTTP requests to the IdP.

      • http_proxy_authorization

        string

        The Proxy-Authorization header value to be used with http_proxy.

      • https_proxy

        string

        The proxy to use when making HTTPS requests to the IdP.

      • https_proxy_authorization

        string

        The Proxy-Authorization header value to be used with https_proxy.

      • no_proxy

        string

        A comma-separated list of hosts that should not be proxied.

      • timeout

        integer required default: 10000 between: 0 2147483646

        Network I/O timeout for requests to the IdP in milliseconds.

      • keep_alive

        boolean required default: true

        Whether to use keepalive connections to the IdP.

      • ssl_verify

        boolean default: false

        Whether to verify the certificate presented by the IdP when using HTTPS.

    • oauth

      record required

      • token_endpoint

        string required

        The token endpoint URI.

      • token_headers

        map

        Extra headers to be passed in the token endpoint request.

      • token_post_args

        map

        Extra post arguments to be passed in the token endpoint request.

      • grant_type

        string required default: client_credentials Must be one of: client_credentials, password

        The OAuth grant type to be used.

      • client_id

        string referenceable encrypted

        The client ID for the application registration in the IdP.

      • client_secret

        string referenceable encrypted

        The client secret for the application registration in the IdP.

      • username

        string referenceable encrypted

        The username to use if config.oauth.grant_type is set to password.

      • password

        string referenceable encrypted

        The password to use if config.oauth.grant_type is set to password.

      • scopes

        array of type string default: openid

        List of scopes to request from the IdP when obtaining a new token.

      • audience

        array of type string

        List of audiences passed to the IdP when obtaining a new token.

    • cache

      record required

      • strategy

        string required default: memory Must be one of: memory, redis

        The method Kong should use to cache tokens issued by the IdP.

      • memory

        record required

        • dictionary_name

          string required default: kong_db_cache

          The shared dictionary used by the plugin to cache tokens if config.cache.strategy is set to memory.

      • redis

        record required

        • host

          string default: 127.0.0.1

          A string representing a host name, such as example.com.

        • port

          integer default: 6379 between: 0 65535

          An integer representing a port number between 0 and 65535, inclusive.

        • connect_timeout

          integer default: 2000 between: 0 2147483646

          An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

        • send_timeout

          integer default: 2000 between: 0 2147483646

          An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

        • read_timeout

          integer default: 2000 between: 0 2147483646

          An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

        • username

          string referenceable

          Username to use for Redis connections. If undefined, ACL authentication won’t be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.

        • password

          string referenceable encrypted

          Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.

        • sentinel_username

          string referenceable

          Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won’t be performed. This requires Redis v6.2.0+.

        • sentinel_password

          string referenceable encrypted

          Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.

        • database

          integer default: 0

          Database to use for the Redis connection when using the redis strategy

        • keepalive_pool_size

          integer default: 256 between: 1 2147483646

          The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn’t specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.

        • keepalive_backlog

          integer between: 0 2147483646

          Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.

        • sentinel_master

          string

          Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.

        • sentinel_role

          string Must be one of: master, slave, any

          Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.

        • sentinel_nodes

          array of type record len_min: 1

          Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.

          • host

            string required default: 127.0.0.1

            A string representing a host name, such as example.com.

          • port

            integer default: 6379 between: 0 65535

            An integer representing a port number between 0 and 65535, inclusive.

        • cluster_nodes

          array of type record len_min: 1

          Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.

          • ip

            string required default: 127.0.0.1

            A string representing a host name, such as example.com.

          • port

            integer default: 6379 between: 0 65535

            An integer representing a port number between 0 and 65535, inclusive.

        • ssl

          boolean default: false

          If set to true, uses SSL to connect to Redis.

        • ssl_verify

          boolean default: false

          If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.

        • server_name

          string

          A string representing an SNI (server name indication) value for TLS.

        • cluster_max_redirections

          integer default: 5

          Maximum retry attempts for redirection.

        • connection_is_proxied

          boolean default: false

          If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.

      • eagerly_expire

        integer required default: 5

        The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in expires_in.

      • default_ttl

        number default: 3600

        The lifetime of a token without an explicit expires_in value.

    • behavior

      record required

      • upstream_access_token_header_name

        string required default: Authorization len_min: 0

        The name of the header used to send the access token (obtained from the IdP) to the upstream service.

      • idp_error_response_status_code

        integer required default: 502 between: 500 599

        The response code to return to the consumer if Kong fails to obtain a token from the IdP.

      • idp_error_response_content_type

        string required default: application/json; charset=utf-8 len_min: 0

        The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.

      • idp_error_response_message

        string required default: Failed to authenticate request to upstream len_min: 0

        The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.

      • idp_error_response_body_template

        string required default: { "code": "{{status}}", "message": "{{message}}" } len_min: 0

        The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.

      • purge_token_on_upstream_status_codes

        array of type integer default: 401

        An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.