Docs Home
konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong
konnect.GatewayPluginJwtSigner
Explore with Pulumi AI
GatewayPluginJwtSigner Resource
Example Usage
Coming soon!
Coming soon!
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.konnect.GatewayPluginJwtSigner;
import com.pulumi.konnect.GatewayPluginJwtSignerArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerConfigArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingAfterArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingBeforeArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerRouteArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerServiceArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myGatewaypluginjwtsigner = new GatewayPluginJwtSigner("myGatewaypluginjwtsigner", GatewayPluginJwtSignerArgs.builder()
.config(GatewayPluginJwtSignerConfigArgs.builder()
.access_token_consumer_by("custom_id")
.access_token_consumer_claim("...")
.access_token_introspection_authorization("...my_access_token_introspection_authorization...")
.access_token_introspection_body_args("...my_access_token_introspection_body_args...")
.access_token_introspection_consumer_by("custom_id")
.access_token_introspection_consumer_claim("...")
.access_token_introspection_endpoint("...my_access_token_introspection_endpoint...")
.access_token_introspection_hint("...my_access_token_introspection_hint...")
.access_token_introspection_jwt_claim("...")
.access_token_introspection_leeway(6.18)
.access_token_introspection_scopes_claim("...")
.access_token_introspection_scopes_required("...")
.access_token_introspection_timeout(4.24)
.access_token_issuer("...my_access_token_issuer...")
.access_token_jwks_uri("...my_access_token_jwks_uri...")
.access_token_jwks_uri_client_certificate("...my_access_token_jwks_uri_client_certificate...")
.access_token_jwks_uri_client_password("...my_access_token_jwks_uri_client_password...")
.access_token_jwks_uri_client_username("...my_access_token_jwks_uri_client_username...")
.access_token_jwks_uri_rotate_period(0.18)
.access_token_keyset("...my_access_token_keyset...")
.access_token_keyset_client_certificate("...my_access_token_keyset_client_certificate...")
.access_token_keyset_client_password("...my_access_token_keyset_client_password...")
.access_token_keyset_client_username("...my_access_token_keyset_client_username...")
.access_token_keyset_rotate_period(4.53)
.access_token_leeway(0.51)
.access_token_optional(false)
.access_token_request_header("...my_access_token_request_header...")
.access_token_scopes_claim("...")
.access_token_scopes_required("...")
.access_token_signing_algorithm("PS384")
.access_token_upstream_header("...my_access_token_upstream_header...")
.access_token_upstream_leeway(1.88)
.add_access_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.add_channel_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.add_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.cache_access_token_introspection(false)
.cache_channel_token_introspection(true)
.channel_token_consumer_by("id")
.channel_token_consumer_claim("...")
.channel_token_introspection_authorization("...my_channel_token_introspection_authorization...")
.channel_token_introspection_body_args("...my_channel_token_introspection_body_args...")
.channel_token_introspection_consumer_by("custom_id")
.channel_token_introspection_consumer_claim("...")
.channel_token_introspection_endpoint("...my_channel_token_introspection_endpoint...")
.channel_token_introspection_hint("...my_channel_token_introspection_hint...")
.channel_token_introspection_jwt_claim("...")
.channel_token_introspection_leeway(4.31)
.channel_token_introspection_scopes_claim("...")
.channel_token_introspection_scopes_required("...")
.channel_token_introspection_timeout(6.9)
.channel_token_issuer("...my_channel_token_issuer...")
.channel_token_jwks_uri("...my_channel_token_jwks_uri...")
.channel_token_jwks_uri_client_certificate("...my_channel_token_jwks_uri_client_certificate...")
.channel_token_jwks_uri_client_password("...my_channel_token_jwks_uri_client_password...")
.channel_token_jwks_uri_client_username("...my_channel_token_jwks_uri_client_username...")
.channel_token_jwks_uri_rotate_period(9.27)
.channel_token_keyset("...my_channel_token_keyset...")
.channel_token_keyset_client_certificate("...my_channel_token_keyset_client_certificate...")
.channel_token_keyset_client_password("...my_channel_token_keyset_client_password...")
.channel_token_keyset_client_username("...my_channel_token_keyset_client_username...")
.channel_token_keyset_rotate_period(0.98)
.channel_token_leeway(4.86)
.channel_token_optional(false)
.channel_token_request_header("...my_channel_token_request_header...")
.channel_token_scopes_claim("...")
.channel_token_scopes_required("...")
.channel_token_signing_algorithm("PS512")
.channel_token_upstream_header("...my_channel_token_upstream_header...")
.channel_token_upstream_leeway(5.01)
.enable_access_token_introspection(false)
.enable_channel_token_introspection(true)
.enable_hs_signatures(false)
.enable_instrumentation(true)
.original_access_token_upstream_header("...my_original_access_token_upstream_header...")
.original_channel_token_upstream_header("...my_original_channel_token_upstream_header...")
.realm("...my_realm...")
.remove_access_token_claims("...")
.remove_channel_token_claims("...")
.set_access_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.set_channel_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.set_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.trust_access_token_introspection(true)
.trust_channel_token_introspection(false)
.verify_access_token_expiry(true)
.verify_access_token_introspection_expiry(false)
.verify_access_token_introspection_scopes(false)
.verify_access_token_scopes(false)
.verify_access_token_signature(true)
.verify_channel_token_expiry(false)
.verify_channel_token_introspection_expiry(false)
.verify_channel_token_introspection_scopes(true)
.verify_channel_token_scopes(false)
.verify_channel_token_signature(false)
.build())
.controlPlaneId("9524ec7d-36d9-465d-a8c5-83a3c9390458")
.enabled(false)
.gatewayPluginJwtSignerId("...my_id...")
.instanceName("...my_instance_name...")
.ordering(GatewayPluginJwtSignerOrderingArgs.builder()
.after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
.access("...")
.build())
.before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
.access("...")
.build())
.build())
.protocols("https")
.route(GatewayPluginJwtSignerRouteArgs.builder()
.id("...my_id...")
.build())
.service(GatewayPluginJwtSignerServiceArgs.builder()
.id("...my_id...")
.build())
.tags("...")
.build());
}
}
resources:
myGatewaypluginjwtsigner:
type: konnect:GatewayPluginJwtSigner
properties:
config:
access_token_consumer_by:
- custom_id
access_token_consumer_claim:
- '...'
access_token_introspection_authorization: '...my_access_token_introspection_authorization...'
access_token_introspection_body_args: '...my_access_token_introspection_body_args...'
access_token_introspection_consumer_by:
- custom_id
access_token_introspection_consumer_claim:
- '...'
access_token_introspection_endpoint: '...my_access_token_introspection_endpoint...'
access_token_introspection_hint: '...my_access_token_introspection_hint...'
access_token_introspection_jwt_claim:
- '...'
access_token_introspection_leeway: 6.18
access_token_introspection_scopes_claim:
- '...'
access_token_introspection_scopes_required:
- '...'
access_token_introspection_timeout: 4.24
access_token_issuer: '...my_access_token_issuer...'
access_token_jwks_uri: '...my_access_token_jwks_uri...'
access_token_jwks_uri_client_certificate: '...my_access_token_jwks_uri_client_certificate...'
access_token_jwks_uri_client_password: '...my_access_token_jwks_uri_client_password...'
access_token_jwks_uri_client_username: '...my_access_token_jwks_uri_client_username...'
access_token_jwks_uri_rotate_period: 0.18
access_token_keyset: '...my_access_token_keyset...'
access_token_keyset_client_certificate: '...my_access_token_keyset_client_certificate...'
access_token_keyset_client_password: '...my_access_token_keyset_client_password...'
access_token_keyset_client_username: '...my_access_token_keyset_client_username...'
access_token_keyset_rotate_period: 4.53
access_token_leeway: 0.51
access_token_optional: false
access_token_request_header: '...my_access_token_request_header...'
access_token_scopes_claim:
- '...'
access_token_scopes_required:
- '...'
access_token_signing_algorithm: PS384
access_token_upstream_header: '...my_access_token_upstream_header...'
access_token_upstream_leeway: 1.88
add_access_token_claims:
key:
fn::toJSON: value
add_channel_token_claims:
key:
fn::toJSON: value
add_claims:
key:
fn::toJSON: value
cache_access_token_introspection: false
cache_channel_token_introspection: true
channel_token_consumer_by:
- id
channel_token_consumer_claim:
- '...'
channel_token_introspection_authorization: '...my_channel_token_introspection_authorization...'
channel_token_introspection_body_args: '...my_channel_token_introspection_body_args...'
channel_token_introspection_consumer_by:
- custom_id
channel_token_introspection_consumer_claim:
- '...'
channel_token_introspection_endpoint: '...my_channel_token_introspection_endpoint...'
channel_token_introspection_hint: '...my_channel_token_introspection_hint...'
channel_token_introspection_jwt_claim:
- '...'
channel_token_introspection_leeway: 4.31
channel_token_introspection_scopes_claim:
- '...'
channel_token_introspection_scopes_required:
- '...'
channel_token_introspection_timeout: 6.9
channel_token_issuer: '...my_channel_token_issuer...'
channel_token_jwks_uri: '...my_channel_token_jwks_uri...'
channel_token_jwks_uri_client_certificate: '...my_channel_token_jwks_uri_client_certificate...'
channel_token_jwks_uri_client_password: '...my_channel_token_jwks_uri_client_password...'
channel_token_jwks_uri_client_username: '...my_channel_token_jwks_uri_client_username...'
channel_token_jwks_uri_rotate_period: 9.27
channel_token_keyset: '...my_channel_token_keyset...'
channel_token_keyset_client_certificate: '...my_channel_token_keyset_client_certificate...'
channel_token_keyset_client_password: '...my_channel_token_keyset_client_password...'
channel_token_keyset_client_username: '...my_channel_token_keyset_client_username...'
channel_token_keyset_rotate_period: 0.98
channel_token_leeway: 4.86
channel_token_optional: false
channel_token_request_header: '...my_channel_token_request_header...'
channel_token_scopes_claim:
- '...'
channel_token_scopes_required:
- '...'
channel_token_signing_algorithm: PS512
channel_token_upstream_header: '...my_channel_token_upstream_header...'
channel_token_upstream_leeway: 5.01
enable_access_token_introspection: false
enable_channel_token_introspection: true
enable_hs_signatures: false
enable_instrumentation: true
original_access_token_upstream_header: '...my_original_access_token_upstream_header...'
original_channel_token_upstream_header: '...my_original_channel_token_upstream_header...'
realm: '...my_realm...'
remove_access_token_claims:
- '...'
remove_channel_token_claims:
- '...'
set_access_token_claims:
key:
fn::toJSON: value
set_channel_token_claims:
key:
fn::toJSON: value
set_claims:
key:
fn::toJSON: value
trust_access_token_introspection: true
trust_channel_token_introspection: false
verify_access_token_expiry: true
verify_access_token_introspection_expiry: false
verify_access_token_introspection_scopes: false
verify_access_token_scopes: false
verify_access_token_signature: true
verify_channel_token_expiry: false
verify_channel_token_introspection_expiry: false
verify_channel_token_introspection_scopes: true
verify_channel_token_scopes: false
verify_channel_token_signature: false
controlPlaneId: 9524ec7d-36d9-465d-a8c5-83a3c9390458
enabled: false
gatewayPluginJwtSignerId: '...my_id...'
instanceName: '...my_instance_name...'
ordering:
after:
access:
- '...'
before:
access:
- '...'
protocols:
- https
route:
id: '...my_id...'
service:
id: '...my_id...'
tags:
- '...'
Create GatewayPluginJwtSigner Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GatewayPluginJwtSigner(name: string, args: GatewayPluginJwtSignerArgs, opts?: CustomResourceOptions);@overload
def GatewayPluginJwtSigner(resource_name: str,
args: GatewayPluginJwtSignerArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GatewayPluginJwtSigner(resource_name: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
control_plane_id: Optional[str] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None)func NewGatewayPluginJwtSigner(ctx *Context, name string, args GatewayPluginJwtSignerArgs, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)public GatewayPluginJwtSigner(string name, GatewayPluginJwtSignerArgs args, CustomResourceOptions? opts = null)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args, CustomResourceOptions options)
type: konnect:GatewayPluginJwtSigner
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var gatewayPluginJwtSignerResource = new Konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", new()
{
Config = new Konnect.Inputs.GatewayPluginJwtSignerConfigArgs
{
AccessTokenConsumerBies = new[]
{
"string",
},
AccessTokenConsumerClaims = new[]
{
"string",
},
AccessTokenIntrospectionAuthorization = "string",
AccessTokenIntrospectionBodyArgs = "string",
AccessTokenIntrospectionConsumerBies = new[]
{
"string",
},
AccessTokenIntrospectionConsumerClaims = new[]
{
"string",
},
AccessTokenIntrospectionEndpoint = "string",
AccessTokenIntrospectionHint = "string",
AccessTokenIntrospectionJwtClaims = new[]
{
"string",
},
AccessTokenIntrospectionLeeway = 0,
AccessTokenIntrospectionScopesClaims = new[]
{
"string",
},
AccessTokenIntrospectionScopesRequireds = new[]
{
"string",
},
AccessTokenIntrospectionTimeout = 0,
AccessTokenIssuer = "string",
AccessTokenJwksUri = "string",
AccessTokenJwksUriClientCertificate = "string",
AccessTokenJwksUriClientPassword = "string",
AccessTokenJwksUriClientUsername = "string",
AccessTokenJwksUriRotatePeriod = 0,
AccessTokenKeyset = "string",
AccessTokenKeysetClientCertificate = "string",
AccessTokenKeysetClientPassword = "string",
AccessTokenKeysetClientUsername = "string",
AccessTokenKeysetRotatePeriod = 0,
AccessTokenLeeway = 0,
AccessTokenOptional = false,
AccessTokenRequestHeader = "string",
AccessTokenScopesClaims = new[]
{
"string",
},
AccessTokenScopesRequireds = new[]
{
"string",
},
AccessTokenSigningAlgorithm = "string",
AccessTokenUpstreamHeader = "string",
AccessTokenUpstreamLeeway = 0,
AddAccessTokenClaims =
{
{ "string", "string" },
},
AddChannelTokenClaims =
{
{ "string", "string" },
},
AddClaims =
{
{ "string", "string" },
},
CacheAccessTokenIntrospection = false,
CacheChannelTokenIntrospection = false,
ChannelTokenConsumerBies = new[]
{
"string",
},
ChannelTokenConsumerClaims = new[]
{
"string",
},
ChannelTokenIntrospectionAuthorization = "string",
ChannelTokenIntrospectionBodyArgs = "string",
ChannelTokenIntrospectionConsumerBies = new[]
{
"string",
},
ChannelTokenIntrospectionConsumerClaims = new[]
{
"string",
},
ChannelTokenIntrospectionEndpoint = "string",
ChannelTokenIntrospectionHint = "string",
ChannelTokenIntrospectionJwtClaims = new[]
{
"string",
},
ChannelTokenIntrospectionLeeway = 0,
ChannelTokenIntrospectionScopesClaims = new[]
{
"string",
},
ChannelTokenIntrospectionScopesRequireds = new[]
{
"string",
},
ChannelTokenIntrospectionTimeout = 0,
ChannelTokenIssuer = "string",
ChannelTokenJwksUri = "string",
ChannelTokenJwksUriClientCertificate = "string",
ChannelTokenJwksUriClientPassword = "string",
ChannelTokenJwksUriClientUsername = "string",
ChannelTokenJwksUriRotatePeriod = 0,
ChannelTokenKeyset = "string",
ChannelTokenKeysetClientCertificate = "string",
ChannelTokenKeysetClientPassword = "string",
ChannelTokenKeysetClientUsername = "string",
ChannelTokenKeysetRotatePeriod = 0,
ChannelTokenLeeway = 0,
ChannelTokenOptional = false,
ChannelTokenRequestHeader = "string",
ChannelTokenScopesClaims = new[]
{
"string",
},
ChannelTokenScopesRequireds = new[]
{
"string",
},
ChannelTokenSigningAlgorithm = "string",
ChannelTokenUpstreamHeader = "string",
ChannelTokenUpstreamLeeway = 0,
EnableAccessTokenIntrospection = false,
EnableChannelTokenIntrospection = false,
EnableHsSignatures = false,
EnableInstrumentation = false,
OriginalAccessTokenUpstreamHeader = "string",
OriginalChannelTokenUpstreamHeader = "string",
Realm = "string",
RemoveAccessTokenClaims = new[]
{
"string",
},
RemoveChannelTokenClaims = new[]
{
"string",
},
SetAccessTokenClaims =
{
{ "string", "string" },
},
SetChannelTokenClaims =
{
{ "string", "string" },
},
SetClaims =
{
{ "string", "string" },
},
TrustAccessTokenIntrospection = false,
TrustChannelTokenIntrospection = false,
VerifyAccessTokenExpiry = false,
VerifyAccessTokenIntrospectionExpiry = false,
VerifyAccessTokenIntrospectionScopes = false,
VerifyAccessTokenScopes = false,
VerifyAccessTokenSignature = false,
VerifyChannelTokenExpiry = false,
VerifyChannelTokenIntrospectionExpiry = false,
VerifyChannelTokenIntrospectionScopes = false,
VerifyChannelTokenScopes = false,
VerifyChannelTokenSignature = false,
},
ControlPlaneId = "string",
Enabled = false,
GatewayPluginJwtSignerId = "string",
InstanceName = "string",
Ordering = new Konnect.Inputs.GatewayPluginJwtSignerOrderingArgs
{
After = new Konnect.Inputs.GatewayPluginJwtSignerOrderingAfterArgs
{
Accesses = new[]
{
"string",
},
},
Before = new Konnect.Inputs.GatewayPluginJwtSignerOrderingBeforeArgs
{
Accesses = new[]
{
"string",
},
},
},
Protocols = new[]
{
"string",
},
Route = new Konnect.Inputs.GatewayPluginJwtSignerRouteArgs
{
Id = "string",
},
Service = new Konnect.Inputs.GatewayPluginJwtSignerServiceArgs
{
Id = "string",
},
Tags = new[]
{
"string",
},
});
example, err := konnect.NewGatewayPluginJwtSigner(ctx, "gatewayPluginJwtSignerResource", &konnect.GatewayPluginJwtSignerArgs{
Config: &.GatewayPluginJwtSignerConfigArgs{
AccessTokenConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionAuthorization: pulumi.String("string"),
AccessTokenIntrospectionBodyArgs: pulumi.String("string"),
AccessTokenIntrospectionConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionEndpoint: pulumi.String("string"),
AccessTokenIntrospectionHint: pulumi.String("string"),
AccessTokenIntrospectionJwtClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionLeeway: pulumi.Float64(0),
AccessTokenIntrospectionScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionTimeout: pulumi.Float64(0),
AccessTokenIssuer: pulumi.String("string"),
AccessTokenJwksUri: pulumi.String("string"),
AccessTokenJwksUriClientCertificate: pulumi.String("string"),
AccessTokenJwksUriClientPassword: pulumi.String("string"),
AccessTokenJwksUriClientUsername: pulumi.String("string"),
AccessTokenJwksUriRotatePeriod: pulumi.Float64(0),
AccessTokenKeyset: pulumi.String("string"),
AccessTokenKeysetClientCertificate: pulumi.String("string"),
AccessTokenKeysetClientPassword: pulumi.String("string"),
AccessTokenKeysetClientUsername: pulumi.String("string"),
AccessTokenKeysetRotatePeriod: pulumi.Float64(0),
AccessTokenLeeway: pulumi.Float64(0),
AccessTokenOptional: pulumi.Bool(false),
AccessTokenRequestHeader: pulumi.String("string"),
AccessTokenScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenSigningAlgorithm: pulumi.String("string"),
AccessTokenUpstreamHeader: pulumi.String("string"),
AccessTokenUpstreamLeeway: pulumi.Float64(0),
AddAccessTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
AddChannelTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
AddClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
CacheAccessTokenIntrospection: pulumi.Bool(false),
CacheChannelTokenIntrospection: pulumi.Bool(false),
ChannelTokenConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionAuthorization: pulumi.String("string"),
ChannelTokenIntrospectionBodyArgs: pulumi.String("string"),
ChannelTokenIntrospectionConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionEndpoint: pulumi.String("string"),
ChannelTokenIntrospectionHint: pulumi.String("string"),
ChannelTokenIntrospectionJwtClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionLeeway: pulumi.Float64(0),
ChannelTokenIntrospectionScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionTimeout: pulumi.Float64(0),
ChannelTokenIssuer: pulumi.String("string"),
ChannelTokenJwksUri: pulumi.String("string"),
ChannelTokenJwksUriClientCertificate: pulumi.String("string"),
ChannelTokenJwksUriClientPassword: pulumi.String("string"),
ChannelTokenJwksUriClientUsername: pulumi.String("string"),
ChannelTokenJwksUriRotatePeriod: pulumi.Float64(0),
ChannelTokenKeyset: pulumi.String("string"),
ChannelTokenKeysetClientCertificate: pulumi.String("string"),
ChannelTokenKeysetClientPassword: pulumi.String("string"),
ChannelTokenKeysetClientUsername: pulumi.String("string"),
ChannelTokenKeysetRotatePeriod: pulumi.Float64(0),
ChannelTokenLeeway: pulumi.Float64(0),
ChannelTokenOptional: pulumi.Bool(false),
ChannelTokenRequestHeader: pulumi.String("string"),
ChannelTokenScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenSigningAlgorithm: pulumi.String("string"),
ChannelTokenUpstreamHeader: pulumi.String("string"),
ChannelTokenUpstreamLeeway: pulumi.Float64(0),
EnableAccessTokenIntrospection: pulumi.Bool(false),
EnableChannelTokenIntrospection: pulumi.Bool(false),
EnableHsSignatures: pulumi.Bool(false),
EnableInstrumentation: pulumi.Bool(false),
OriginalAccessTokenUpstreamHeader: pulumi.String("string"),
OriginalChannelTokenUpstreamHeader: pulumi.String("string"),
Realm: pulumi.String("string"),
RemoveAccessTokenClaims: pulumi.StringArray{
pulumi.String("string"),
},
RemoveChannelTokenClaims: pulumi.StringArray{
pulumi.String("string"),
},
SetAccessTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
SetChannelTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
SetClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
TrustAccessTokenIntrospection: pulumi.Bool(false),
TrustChannelTokenIntrospection: pulumi.Bool(false),
VerifyAccessTokenExpiry: pulumi.Bool(false),
VerifyAccessTokenIntrospectionExpiry: pulumi.Bool(false),
VerifyAccessTokenIntrospectionScopes: pulumi.Bool(false),
VerifyAccessTokenScopes: pulumi.Bool(false),
VerifyAccessTokenSignature: pulumi.Bool(false),
VerifyChannelTokenExpiry: pulumi.Bool(false),
VerifyChannelTokenIntrospectionExpiry: pulumi.Bool(false),
VerifyChannelTokenIntrospectionScopes: pulumi.Bool(false),
VerifyChannelTokenScopes: pulumi.Bool(false),
VerifyChannelTokenSignature: pulumi.Bool(false),
},
ControlPlaneId: pulumi.String("string"),
Enabled: pulumi.Bool(false),
GatewayPluginJwtSignerId: pulumi.String("string"),
InstanceName: pulumi.String("string"),
Ordering: &.GatewayPluginJwtSignerOrderingArgs{
After: &.GatewayPluginJwtSignerOrderingAfterArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
Before: &.GatewayPluginJwtSignerOrderingBeforeArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Protocols: pulumi.StringArray{
pulumi.String("string"),
},
Route: &.GatewayPluginJwtSignerRouteArgs{
Id: pulumi.String("string"),
},
Service: &.GatewayPluginJwtSignerServiceArgs{
Id: pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
})
var gatewayPluginJwtSignerResource = new GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", GatewayPluginJwtSignerArgs.builder()
.config(GatewayPluginJwtSignerConfigArgs.builder()
.accessTokenConsumerBies("string")
.accessTokenConsumerClaims("string")
.accessTokenIntrospectionAuthorization("string")
.accessTokenIntrospectionBodyArgs("string")
.accessTokenIntrospectionConsumerBies("string")
.accessTokenIntrospectionConsumerClaims("string")
.accessTokenIntrospectionEndpoint("string")
.accessTokenIntrospectionHint("string")
.accessTokenIntrospectionJwtClaims("string")
.accessTokenIntrospectionLeeway(0)
.accessTokenIntrospectionScopesClaims("string")
.accessTokenIntrospectionScopesRequireds("string")
.accessTokenIntrospectionTimeout(0)
.accessTokenIssuer("string")
.accessTokenJwksUri("string")
.accessTokenJwksUriClientCertificate("string")
.accessTokenJwksUriClientPassword("string")
.accessTokenJwksUriClientUsername("string")
.accessTokenJwksUriRotatePeriod(0)
.accessTokenKeyset("string")
.accessTokenKeysetClientCertificate("string")
.accessTokenKeysetClientPassword("string")
.accessTokenKeysetClientUsername("string")
.accessTokenKeysetRotatePeriod(0)
.accessTokenLeeway(0)
.accessTokenOptional(false)
.accessTokenRequestHeader("string")
.accessTokenScopesClaims("string")
.accessTokenScopesRequireds("string")
.accessTokenSigningAlgorithm("string")
.accessTokenUpstreamHeader("string")
.accessTokenUpstreamLeeway(0)
.addAccessTokenClaims(Map.of("string", "string"))
.addChannelTokenClaims(Map.of("string", "string"))
.addClaims(Map.of("string", "string"))
.cacheAccessTokenIntrospection(false)
.cacheChannelTokenIntrospection(false)
.channelTokenConsumerBies("string")
.channelTokenConsumerClaims("string")
.channelTokenIntrospectionAuthorization("string")
.channelTokenIntrospectionBodyArgs("string")
.channelTokenIntrospectionConsumerBies("string")
.channelTokenIntrospectionConsumerClaims("string")
.channelTokenIntrospectionEndpoint("string")
.channelTokenIntrospectionHint("string")
.channelTokenIntrospectionJwtClaims("string")
.channelTokenIntrospectionLeeway(0)
.channelTokenIntrospectionScopesClaims("string")
.channelTokenIntrospectionScopesRequireds("string")
.channelTokenIntrospectionTimeout(0)
.channelTokenIssuer("string")
.channelTokenJwksUri("string")
.channelTokenJwksUriClientCertificate("string")
.channelTokenJwksUriClientPassword("string")
.channelTokenJwksUriClientUsername("string")
.channelTokenJwksUriRotatePeriod(0)
.channelTokenKeyset("string")
.channelTokenKeysetClientCertificate("string")
.channelTokenKeysetClientPassword("string")
.channelTokenKeysetClientUsername("string")
.channelTokenKeysetRotatePeriod(0)
.channelTokenLeeway(0)
.channelTokenOptional(false)
.channelTokenRequestHeader("string")
.channelTokenScopesClaims("string")
.channelTokenScopesRequireds("string")
.channelTokenSigningAlgorithm("string")
.channelTokenUpstreamHeader("string")
.channelTokenUpstreamLeeway(0)
.enableAccessTokenIntrospection(false)
.enableChannelTokenIntrospection(false)
.enableHsSignatures(false)
.enableInstrumentation(false)
.originalAccessTokenUpstreamHeader("string")
.originalChannelTokenUpstreamHeader("string")
.realm("string")
.removeAccessTokenClaims("string")
.removeChannelTokenClaims("string")
.setAccessTokenClaims(Map.of("string", "string"))
.setChannelTokenClaims(Map.of("string", "string"))
.setClaims(Map.of("string", "string"))
.trustAccessTokenIntrospection(false)
.trustChannelTokenIntrospection(false)
.verifyAccessTokenExpiry(false)
.verifyAccessTokenIntrospectionExpiry(false)
.verifyAccessTokenIntrospectionScopes(false)
.verifyAccessTokenScopes(false)
.verifyAccessTokenSignature(false)
.verifyChannelTokenExpiry(false)
.verifyChannelTokenIntrospectionExpiry(false)
.verifyChannelTokenIntrospectionScopes(false)
.verifyChannelTokenScopes(false)
.verifyChannelTokenSignature(false)
.build())
.controlPlaneId("string")
.enabled(false)
.gatewayPluginJwtSignerId("string")
.instanceName("string")
.ordering(GatewayPluginJwtSignerOrderingArgs.builder()
.after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
.accesses("string")
.build())
.before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
.accesses("string")
.build())
.build())
.protocols("string")
.route(GatewayPluginJwtSignerRouteArgs.builder()
.id("string")
.build())
.service(GatewayPluginJwtSignerServiceArgs.builder()
.id("string")
.build())
.tags("string")
.build());
gateway_plugin_jwt_signer_resource = konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource",
config={
"access_token_consumer_bies": ["string"],
"access_token_consumer_claims": ["string"],
"access_token_introspection_authorization": "string",
"access_token_introspection_body_args": "string",
"access_token_introspection_consumer_bies": ["string"],
"access_token_introspection_consumer_claims": ["string"],
"access_token_introspection_endpoint": "string",
"access_token_introspection_hint": "string",
"access_token_introspection_jwt_claims": ["string"],
"access_token_introspection_leeway": 0,
"access_token_introspection_scopes_claims": ["string"],
"access_token_introspection_scopes_requireds": ["string"],
"access_token_introspection_timeout": 0,
"access_token_issuer": "string",
"access_token_jwks_uri": "string",
"access_token_jwks_uri_client_certificate": "string",
"access_token_jwks_uri_client_password": "string",
"access_token_jwks_uri_client_username": "string",
"access_token_jwks_uri_rotate_period": 0,
"access_token_keyset": "string",
"access_token_keyset_client_certificate": "string",
"access_token_keyset_client_password": "string",
"access_token_keyset_client_username": "string",
"access_token_keyset_rotate_period": 0,
"access_token_leeway": 0,
"access_token_optional": False,
"access_token_request_header": "string",
"access_token_scopes_claims": ["string"],
"access_token_scopes_requireds": ["string"],
"access_token_signing_algorithm": "string",
"access_token_upstream_header": "string",
"access_token_upstream_leeway": 0,
"add_access_token_claims": {
"string": "string",
},
"add_channel_token_claims": {
"string": "string",
},
"add_claims": {
"string": "string",
},
"cache_access_token_introspection": False,
"cache_channel_token_introspection": False,
"channel_token_consumer_bies": ["string"],
"channel_token_consumer_claims": ["string"],
"channel_token_introspection_authorization": "string",
"channel_token_introspection_body_args": "string",
"channel_token_introspection_consumer_bies": ["string"],
"channel_token_introspection_consumer_claims": ["string"],
"channel_token_introspection_endpoint": "string",
"channel_token_introspection_hint": "string",
"channel_token_introspection_jwt_claims": ["string"],
"channel_token_introspection_leeway": 0,
"channel_token_introspection_scopes_claims": ["string"],
"channel_token_introspection_scopes_requireds": ["string"],
"channel_token_introspection_timeout": 0,
"channel_token_issuer": "string",
"channel_token_jwks_uri": "string",
"channel_token_jwks_uri_client_certificate": "string",
"channel_token_jwks_uri_client_password": "string",
"channel_token_jwks_uri_client_username": "string",
"channel_token_jwks_uri_rotate_period": 0,
"channel_token_keyset": "string",
"channel_token_keyset_client_certificate": "string",
"channel_token_keyset_client_password": "string",
"channel_token_keyset_client_username": "string",
"channel_token_keyset_rotate_period": 0,
"channel_token_leeway": 0,
"channel_token_optional": False,
"channel_token_request_header": "string",
"channel_token_scopes_claims": ["string"],
"channel_token_scopes_requireds": ["string"],
"channel_token_signing_algorithm": "string",
"channel_token_upstream_header": "string",
"channel_token_upstream_leeway": 0,
"enable_access_token_introspection": False,
"enable_channel_token_introspection": False,
"enable_hs_signatures": False,
"enable_instrumentation": False,
"original_access_token_upstream_header": "string",
"original_channel_token_upstream_header": "string",
"realm": "string",
"remove_access_token_claims": ["string"],
"remove_channel_token_claims": ["string"],
"set_access_token_claims": {
"string": "string",
},
"set_channel_token_claims": {
"string": "string",
},
"set_claims": {
"string": "string",
},
"trust_access_token_introspection": False,
"trust_channel_token_introspection": False,
"verify_access_token_expiry": False,
"verify_access_token_introspection_expiry": False,
"verify_access_token_introspection_scopes": False,
"verify_access_token_scopes": False,
"verify_access_token_signature": False,
"verify_channel_token_expiry": False,
"verify_channel_token_introspection_expiry": False,
"verify_channel_token_introspection_scopes": False,
"verify_channel_token_scopes": False,
"verify_channel_token_signature": False,
},
control_plane_id="string",
enabled=False,
gateway_plugin_jwt_signer_id="string",
instance_name="string",
ordering={
"after": {
"accesses": ["string"],
},
"before": {
"accesses": ["string"],
},
},
protocols=["string"],
route={
"id": "string",
},
service={
"id": "string",
},
tags=["string"])
const gatewayPluginJwtSignerResource = new konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", {
config: {
accessTokenConsumerBies: ["string"],
accessTokenConsumerClaims: ["string"],
accessTokenIntrospectionAuthorization: "string",
accessTokenIntrospectionBodyArgs: "string",
accessTokenIntrospectionConsumerBies: ["string"],
accessTokenIntrospectionConsumerClaims: ["string"],
accessTokenIntrospectionEndpoint: "string",
accessTokenIntrospectionHint: "string",
accessTokenIntrospectionJwtClaims: ["string"],
accessTokenIntrospectionLeeway: 0,
accessTokenIntrospectionScopesClaims: ["string"],
accessTokenIntrospectionScopesRequireds: ["string"],
accessTokenIntrospectionTimeout: 0,
accessTokenIssuer: "string",
accessTokenJwksUri: "string",
accessTokenJwksUriClientCertificate: "string",
accessTokenJwksUriClientPassword: "string",
accessTokenJwksUriClientUsername: "string",
accessTokenJwksUriRotatePeriod: 0,
accessTokenKeyset: "string",
accessTokenKeysetClientCertificate: "string",
accessTokenKeysetClientPassword: "string",
accessTokenKeysetClientUsername: "string",
accessTokenKeysetRotatePeriod: 0,
accessTokenLeeway: 0,
accessTokenOptional: false,
accessTokenRequestHeader: "string",
accessTokenScopesClaims: ["string"],
accessTokenScopesRequireds: ["string"],
accessTokenSigningAlgorithm: "string",
accessTokenUpstreamHeader: "string",
accessTokenUpstreamLeeway: 0,
addAccessTokenClaims: {
string: "string",
},
addChannelTokenClaims: {
string: "string",
},
addClaims: {
string: "string",
},
cacheAccessTokenIntrospection: false,
cacheChannelTokenIntrospection: false,
channelTokenConsumerBies: ["string"],
channelTokenConsumerClaims: ["string"],
channelTokenIntrospectionAuthorization: "string",
channelTokenIntrospectionBodyArgs: "string",
channelTokenIntrospectionConsumerBies: ["string"],
channelTokenIntrospectionConsumerClaims: ["string"],
channelTokenIntrospectionEndpoint: "string",
channelTokenIntrospectionHint: "string",
channelTokenIntrospectionJwtClaims: ["string"],
channelTokenIntrospectionLeeway: 0,
channelTokenIntrospectionScopesClaims: ["string"],
channelTokenIntrospectionScopesRequireds: ["string"],
channelTokenIntrospectionTimeout: 0,
channelTokenIssuer: "string",
channelTokenJwksUri: "string",
channelTokenJwksUriClientCertificate: "string",
channelTokenJwksUriClientPassword: "string",
channelTokenJwksUriClientUsername: "string",
channelTokenJwksUriRotatePeriod: 0,
channelTokenKeyset: "string",
channelTokenKeysetClientCertificate: "string",
channelTokenKeysetClientPassword: "string",
channelTokenKeysetClientUsername: "string",
channelTokenKeysetRotatePeriod: 0,
channelTokenLeeway: 0,
channelTokenOptional: false,
channelTokenRequestHeader: "string",
channelTokenScopesClaims: ["string"],
channelTokenScopesRequireds: ["string"],
channelTokenSigningAlgorithm: "string",
channelTokenUpstreamHeader: "string",
channelTokenUpstreamLeeway: 0,
enableAccessTokenIntrospection: false,
enableChannelTokenIntrospection: false,
enableHsSignatures: false,
enableInstrumentation: false,
originalAccessTokenUpstreamHeader: "string",
originalChannelTokenUpstreamHeader: "string",
realm: "string",
removeAccessTokenClaims: ["string"],
removeChannelTokenClaims: ["string"],
setAccessTokenClaims: {
string: "string",
},
setChannelTokenClaims: {
string: "string",
},
setClaims: {
string: "string",
},
trustAccessTokenIntrospection: false,
trustChannelTokenIntrospection: false,
verifyAccessTokenExpiry: false,
verifyAccessTokenIntrospectionExpiry: false,
verifyAccessTokenIntrospectionScopes: false,
verifyAccessTokenScopes: false,
verifyAccessTokenSignature: false,
verifyChannelTokenExpiry: false,
verifyChannelTokenIntrospectionExpiry: false,
verifyChannelTokenIntrospectionScopes: false,
verifyChannelTokenScopes: false,
verifyChannelTokenSignature: false,
},
controlPlaneId: "string",
enabled: false,
gatewayPluginJwtSignerId: "string",
instanceName: "string",
ordering: {
after: {
accesses: ["string"],
},
before: {
accesses: ["string"],
},
},
protocols: ["string"],
route: {
id: "string",
},
service: {
id: "string",
},
tags: ["string"],
});
type: konnect:GatewayPluginJwtSigner
properties:
config:
accessTokenConsumerBies:
- string
accessTokenConsumerClaims:
- string
accessTokenIntrospectionAuthorization: string
accessTokenIntrospectionBodyArgs: string
accessTokenIntrospectionConsumerBies:
- string
accessTokenIntrospectionConsumerClaims:
- string
accessTokenIntrospectionEndpoint: string
accessTokenIntrospectionHint: string
accessTokenIntrospectionJwtClaims:
- string
accessTokenIntrospectionLeeway: 0
accessTokenIntrospectionScopesClaims:
- string
accessTokenIntrospectionScopesRequireds:
- string
accessTokenIntrospectionTimeout: 0
accessTokenIssuer: string
accessTokenJwksUri: string
accessTokenJwksUriClientCertificate: string
accessTokenJwksUriClientPassword: string
accessTokenJwksUriClientUsername: string
accessTokenJwksUriRotatePeriod: 0
accessTokenKeyset: string
accessTokenKeysetClientCertificate: string
accessTokenKeysetClientPassword: string
accessTokenKeysetClientUsername: string
accessTokenKeysetRotatePeriod: 0
accessTokenLeeway: 0
accessTokenOptional: false
accessTokenRequestHeader: string
accessTokenScopesClaims:
- string
accessTokenScopesRequireds:
- string
accessTokenSigningAlgorithm: string
accessTokenUpstreamHeader: string
accessTokenUpstreamLeeway: 0
addAccessTokenClaims:
string: string
addChannelTokenClaims:
string: string
addClaims:
string: string
cacheAccessTokenIntrospection: false
cacheChannelTokenIntrospection: false
channelTokenConsumerBies:
- string
channelTokenConsumerClaims:
- string
channelTokenIntrospectionAuthorization: string
channelTokenIntrospectionBodyArgs: string
channelTokenIntrospectionConsumerBies:
- string
channelTokenIntrospectionConsumerClaims:
- string
channelTokenIntrospectionEndpoint: string
channelTokenIntrospectionHint: string
channelTokenIntrospectionJwtClaims:
- string
channelTokenIntrospectionLeeway: 0
channelTokenIntrospectionScopesClaims:
- string
channelTokenIntrospectionScopesRequireds:
- string
channelTokenIntrospectionTimeout: 0
channelTokenIssuer: string
channelTokenJwksUri: string
channelTokenJwksUriClientCertificate: string
channelTokenJwksUriClientPassword: string
channelTokenJwksUriClientUsername: string
channelTokenJwksUriRotatePeriod: 0
channelTokenKeyset: string
channelTokenKeysetClientCertificate: string
channelTokenKeysetClientPassword: string
channelTokenKeysetClientUsername: string
channelTokenKeysetRotatePeriod: 0
channelTokenLeeway: 0
channelTokenOptional: false
channelTokenRequestHeader: string
channelTokenScopesClaims:
- string
channelTokenScopesRequireds:
- string
channelTokenSigningAlgorithm: string
channelTokenUpstreamHeader: string
channelTokenUpstreamLeeway: 0
enableAccessTokenIntrospection: false
enableChannelTokenIntrospection: false
enableHsSignatures: false
enableInstrumentation: false
originalAccessTokenUpstreamHeader: string
originalChannelTokenUpstreamHeader: string
realm: string
removeAccessTokenClaims:
- string
removeChannelTokenClaims:
- string
setAccessTokenClaims:
string: string
setChannelTokenClaims:
string: string
setClaims:
string: string
trustAccessTokenIntrospection: false
trustChannelTokenIntrospection: false
verifyAccessTokenExpiry: false
verifyAccessTokenIntrospectionExpiry: false
verifyAccessTokenIntrospectionScopes: false
verifyAccessTokenScopes: false
verifyAccessTokenSignature: false
verifyChannelTokenExpiry: false
verifyChannelTokenIntrospectionExpiry: false
verifyChannelTokenIntrospectionScopes: false
verifyChannelTokenScopes: false
verifyChannelTokenSignature: false
controlPlaneId: string
enabled: false
gatewayPluginJwtSignerId: string
instanceName: string
ordering:
after:
accesses:
- string
before:
accesses:
- string
protocols:
- string
route:
id: string
service:
id: string
tags:
- string
GatewayPluginJwtSigner Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GatewayPluginJwtSigner resource accepts the following input properties:
- Config
Gateway
Plugin Jwt Signer Config - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringJwt Signer Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering - Protocols List<string>
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Config
Gateway
Plugin Jwt Signer Config Args - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringJwt Signer Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering Args - Protocols []string
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- config
Gateway
Plugin Jwt Signer Config - control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringJwt Signer Id - The ID of this resource.
- instance
Name String - ordering
Gateway
Plugin Jwt Signer Ordering - protocols List<String>
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- config
Gateway
Plugin Jwt Signer Config - control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled boolean
- Whether the plugin is applied.
- gateway
Plugin stringJwt Signer Id - The ID of this resource.
- instance
Name string - ordering
Gateway
Plugin Jwt Signer Ordering - protocols string[]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- config
Gateway
Plugin Jwt Signer Config Args - control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled bool
- Whether the plugin is applied.
- gateway_
plugin_ strjwt_ signer_ id - The ID of this resource.
- instance_
name str - ordering
Gateway
Plugin Jwt Signer Ordering Args - protocols Sequence[str]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- config Property Map
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringJwt Signer Id - The ID of this resource.
- instance
Name String - ordering Property Map
- protocols List<String>
- A set of strings representing HTTP protocols.
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
Outputs
All input properties are implicitly available as output properties. Additionally, the GatewayPluginJwtSigner resource produces the following output properties:
- created_
at float - Unix epoch when the resource was created.
- id str
- The provider-assigned unique ID for this managed resource.
- updated_
at float - Unix epoch when the resource was last updated.
Look up Existing GatewayPluginJwtSigner Resource
Get an existing GatewayPluginJwtSigner resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GatewayPluginJwtSignerState, opts?: CustomResourceOptions): GatewayPluginJwtSigner@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
control_plane_id: Optional[str] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None) -> GatewayPluginJwtSignerfunc GetGatewayPluginJwtSigner(ctx *Context, name string, id IDInput, state *GatewayPluginJwtSignerState, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)public static GatewayPluginJwtSigner Get(string name, Input<string> id, GatewayPluginJwtSignerState? state, CustomResourceOptions? opts = null)public static GatewayPluginJwtSigner get(String name, Output<String> id, GatewayPluginJwtSignerState state, CustomResourceOptions options)resources: _: type: konnect:GatewayPluginJwtSigner get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Config
Gateway
Plugin Jwt Signer Config - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringJwt Signer Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering - Protocols List<string>
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Config
Gateway
Plugin Jwt Signer Config Args - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringJwt Signer Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering Args - Protocols []string
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringJwt Signer Id - The ID of this resource.
- instance
Name String - ordering
Gateway
Plugin Jwt Signer Ordering - protocols List<String>
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied.
- gateway
Plugin stringJwt Signer Id - The ID of this resource.
- instance
Name string - ordering
Gateway
Plugin Jwt Signer Ordering - protocols string[]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config Args - control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied.
- gateway_
plugin_ strjwt_ signer_ id - The ID of this resource.
- instance_
name str - ordering
Gateway
Plugin Jwt Signer Ordering Args - protocols Sequence[str]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- config Property Map
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringJwt Signer Id - The ID of this resource.
- instance
Name String - ordering Property Map
- protocols List<String>
- A set of strings representing HTTP protocols.
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Supporting Types
GatewayPluginJwtSignerConfig, GatewayPluginJwtSignerConfigArgs
- Access
Token List<string>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - Access
Token List<string>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - Access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - Access
Token List<string>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- Access
Token List<string>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - Access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - Access
Token List<string>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - Access
Token doubleIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - Access
Token List<string>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - Access
Token List<string>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - Access
Token doubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - Access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - Access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - Access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - Access
Token doubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - Access
Token stringKeyset - The name of the keyset containing signing keys.
- Access
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - Access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - Access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - Access
Token doubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - Access
Token doubleLeeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - Access
Token boolOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - Access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token.
- Access
Token List<string>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - Access
Token List<string>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - Access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - Access
Token doubleUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - Add
Access Dictionary<string, string>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel Dictionary<string, string>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims Dictionary<string, string> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access boolToken Introspection - Whether to cache access token introspection results.
- Cache
Channel boolToken Introspection - Whether to cache channel token introspection results.
- Channel
Token List<string>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - Channel
Token List<string>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - Channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - Channel
Token List<string>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - Channel
Token List<string>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - Channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - Channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - Channel
Token List<string>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token doubleIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - Channel
Token List<string>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - Channel
Token List<string>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - Channel
Token doubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - Channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - Channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - Channel
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - Channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - Channel
Token doubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - Channel
Token stringKeyset - The name of the keyset containing signing keys.
- Channel
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - Channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - Channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - Channel
Token doubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - Channel
Token doubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - Channel
Token boolOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - Channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - Channel
Token List<string>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - Channel
Token List<string>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - Channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - Channel
Token doubleUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - Enable
Access boolToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - Enable
Channel boolToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - Enable
Hs boolSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - Original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- Original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - Remove
Access List<string>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- Remove
Channel List<string>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- Set
Access Dictionary<string, string>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel Dictionary<string, string>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims Dictionary<string, string> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access boolToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - Trust
Channel boolToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- Verify
Access boolToken Expiry - Quickly turn access token expiry verification off and on as needed.
- Verify
Access boolToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed.
- Verify
Access boolToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - Verify
Access boolToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - Verify
Access boolToken Signature - Quickly turn access token signature verification off and on as needed.
- Verify
Channel boolToken Expiry - Verify
Channel boolToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification.
- Verify
Channel boolToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - Verify
Channel boolToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - Verify
Channel boolToken Signature - Quickly turn on/off the channel token signature verification.
- Access
Token []stringConsumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - Access
Token []stringConsumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - Access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - Access
Token []stringIntrospection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- Access
Token []stringIntrospection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - Access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - Access
Token []stringIntrospection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - Access
Token float64Introspection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - Access
Token []stringIntrospection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - Access
Token []stringIntrospection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - Access
Token float64Introspection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - Access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - Access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - Access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - Access
Token float64Jwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - Access
Token stringKeyset - The name of the keyset containing signing keys.
- Access
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - Access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - Access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - Access
Token float64Keyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - Access
Token float64Leeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - Access
Token boolOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - Access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token.
- Access
Token []stringScopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - Access
Token []stringScopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - Access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - Access
Token float64Upstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - Add
Access map[string]stringToken Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel map[string]stringToken Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims map[string]string - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access boolToken Introspection - Whether to cache access token introspection results.
- Cache
Channel boolToken Introspection - Whether to cache channel token introspection results.
- Channel
Token []stringConsumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - Channel
Token []stringConsumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - Channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - Channel
Token []stringIntrospection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - Channel
Token []stringIntrospection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - Channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - Channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - Channel
Token []stringIntrospection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token float64Introspection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - Channel
Token []stringIntrospection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - Channel
Token []stringIntrospection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - Channel
Token float64Introspection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - Channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - Channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - Channel
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - Channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - Channel
Token float64Jwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - Channel
Token stringKeyset - The name of the keyset containing signing keys.
- Channel
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - Channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - Channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - Channel
Token float64Keyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - Channel
Token float64Leeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - Channel
Token boolOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - Channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - Channel
Token []stringScopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - Channel
Token []stringScopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - Channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - Channel
Token float64Upstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - Enable
Access boolToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - Enable
Channel boolToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - Enable
Hs boolSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - Original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- Original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - Remove
Access []stringToken Claims - remove claims. It should be an array, and each element is a claim key string.
- Remove
Channel []stringToken Claims - remove claims. It should be an array, and each element is a claim key string.
- Set
Access map[string]stringToken Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel map[string]stringToken Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims map[string]string - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access boolToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - Trust
Channel boolToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- Verify
Access boolToken Expiry - Quickly turn access token expiry verification off and on as needed.
- Verify
Access boolToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed.
- Verify
Access boolToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - Verify
Access boolToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - Verify
Access boolToken Signature - Quickly turn access token signature verification off and on as needed.
- Verify
Channel boolToken Expiry - Verify
Channel boolToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification.
- Verify
Channel boolToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - Verify
Channel boolToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - Verify
Channel boolToken Signature - Quickly turn on/off the channel token signature verification.
- access
Token List<String>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - access
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token StringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token List<String>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - access
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token DoubleIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - access
Token List<String>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - access
Token List<String>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token DoubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token StringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - access
Token StringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token StringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token DoubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - access
Token StringKeyset - The name of the keyset containing signing keys.
- access
Token StringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token DoubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - access
Token DoubleLeeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - access
Token BooleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - access
Token StringRequest Header - This parameter tells the name of the header where to look for the access token.
- access
Token List<String>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - access
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token StringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - access
Token DoubleUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - add
Access Map<String,String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Map<String,String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String,String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access BooleanToken Introspection - Whether to cache access token introspection results.
- cache
Channel BooleanToken Introspection - Whether to cache channel token introspection results.
- channel
Token List<String>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - channel
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - String
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token StringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token List<String>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - channel
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token DoubleIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - channel
Token List<String>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - channel
Token List<String>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token DoubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token StringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - channel
Token StringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token StringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token DoubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - channel
Token StringKeyset - The name of the keyset containing signing keys.
- channel
Token StringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token DoubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - channel
Token DoubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - channel
Token BooleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - channel
Token StringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token List<String>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - channel
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token StringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token DoubleUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - enable
Access BooleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - enable
Channel BooleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - enable
Hs BooleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - original
Access StringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel StringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- remove
Channel List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- set
Access Map<String,String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Map<String,String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String,String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access BooleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - trust
Channel BooleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- verify
Access BooleanToken Expiry - Quickly turn access token expiry verification off and on as needed.
- verify
Access BooleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access BooleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - verify
Access BooleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - verify
Access BooleanToken Signature - Quickly turn access token signature verification off and on as needed.
- verify
Channel BooleanToken Expiry - verify
Channel BooleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel BooleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - verify
Channel BooleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - verify
Channel BooleanToken Signature - Quickly turn on/off the channel token signature verification.
- access
Token string[]Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - access
Token string[]Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token string[]Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token string[]Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - access
Token string[]Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token numberIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - access
Token string[]Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - access
Token string[]Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token numberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token numberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - access
Token stringKeyset - The name of the keyset containing signing keys.
- access
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token numberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - access
Token numberLeeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - access
Token booleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token.
- access
Token string[]Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - access
Token string[]Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - access
Token numberUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - add
Access {[key: string]: string}Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel {[key: string]: string}Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims {[key: string]: string} - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access booleanToken Introspection - Whether to cache access token introspection results.
- cache
Channel booleanToken Introspection - Whether to cache channel token introspection results.
- channel
Token string[]Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - channel
Token string[]Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token string[]Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - channel
Token string[]Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token string[]Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token numberIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - channel
Token string[]Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - channel
Token string[]Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token numberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token stringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token numberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - channel
Token stringKeyset - The name of the keyset containing signing keys.
- channel
Token stringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token numberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - channel
Token numberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - channel
Token booleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token string[]Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - channel
Token string[]Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token numberUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - enable
Access booleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - enable
Channel booleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - enable
Hs booleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable
Instrumentation boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access string[]Token Claims - remove claims. It should be an array, and each element is a claim key string.
- remove
Channel string[]Token Claims - remove claims. It should be an array, and each element is a claim key string.
- set
Access {[key: string]: string}Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel {[key: string]: string}Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims {[key: string]: string} - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access booleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - trust
Channel booleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- verify
Access booleanToken Expiry - Quickly turn access token expiry verification off and on as needed.
- verify
Access booleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access booleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - verify
Access booleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - verify
Access booleanToken Signature - Quickly turn access token signature verification off and on as needed.
- verify
Channel booleanToken Expiry - verify
Channel booleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel booleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - verify
Channel booleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - verify
Channel booleanToken Signature - Quickly turn on/off the channel token signature verification.
- access_
token_ Sequence[str]consumer_ bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - access_
token_ Sequence[str]consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - str
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access_
token_ strintrospection_ body_ args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access_
token_ Sequence[str]introspection_ consumer_ bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access_
token_ Sequence[str]introspection_ consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access_
token_ strintrospection_ endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access_
token_ strintrospection_ hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - access_
token_ Sequence[str]introspection_ jwt_ claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access_
token_ floatintrospection_ leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - access_
token_ Sequence[str]introspection_ scopes_ claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - access_
token_ Sequence[str]introspection_ scopes_ requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access_
token_ floatintrospection_ timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access_
token_ strissuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - access_
token_ strjwks_ uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access_
token_ strjwks_ uri_ client_ certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access_
token_ strjwks_ uri_ client_ password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access_
token_ strjwks_ uri_ client_ username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access_
token_ floatjwks_ uri_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - access_
token_ strkeyset - The name of the keyset containing signing keys.
- access_
token_ strkeyset_ client_ certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access_
token_ strkeyset_ client_ password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access_
token_ strkeyset_ client_ username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access_
token_ floatkeyset_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - access_
token_ floatleeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - access_
token_ booloptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - access_
token_ strrequest_ header - This parameter tells the name of the header where to look for the access token.
- access_
token_ Sequence[str]scopes_ claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - access_
token_ Sequence[str]scopes_ requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access_
token_ strsigning_ algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access_
token_ strupstream_ header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - access_
token_ floatupstream_ leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - add_
access_ Mapping[str, str]token_ claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
channel_ Mapping[str, str]token_ claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
claims Mapping[str, str] - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache_
access_ booltoken_ introspection - Whether to cache access token introspection results.
- cache_
channel_ booltoken_ introspection - Whether to cache channel token introspection results.
- channel_
token_ Sequence[str]consumer_ bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - channel_
token_ Sequence[str]consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - str
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel_
token_ strintrospection_ body_ args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel_
token_ Sequence[str]introspection_ consumer_ bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - channel_
token_ Sequence[str]introspection_ consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel_
token_ strintrospection_ endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel_
token_ strintrospection_ hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel_
token_ Sequence[str]introspection_ jwt_ claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel_
token_ floatintrospection_ leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - channel_
token_ Sequence[str]introspection_ scopes_ claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - channel_
token_ Sequence[str]introspection_ scopes_ requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel_
token_ floatintrospection_ timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel_
token_ strissuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - channel_
token_ strjwks_ uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel_
token_ strjwks_ uri_ client_ certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel_
token_ strjwks_ uri_ client_ password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel_
token_ strjwks_ uri_ client_ username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel_
token_ floatjwks_ uri_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - channel_
token_ strkeyset - The name of the keyset containing signing keys.
- channel_
token_ strkeyset_ client_ certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel_
token_ strkeyset_ client_ password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel_
token_ strkeyset_ client_ username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel_
token_ floatkeyset_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - channel_
token_ floatleeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - channel_
token_ booloptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - channel_
token_ strrequest_ header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel_
token_ Sequence[str]scopes_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - channel_
token_ Sequence[str]scopes_ requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel_
token_ strsigning_ algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel_
token_ strupstream_ header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel_
token_ floatupstream_ leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - enable_
access_ booltoken_ introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - enable_
channel_ booltoken_ introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - enable_
hs_ boolsignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable_
instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - original_
access_ strtoken_ upstream_ header - The HTTP header name used to store the original access token.
- original_
channel_ strtoken_ upstream_ header - The HTTP header name used to store the original channel token.
- realm str
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove_
access_ Sequence[str]token_ claims - remove claims. It should be an array, and each element is a claim key string.
- remove_
channel_ Sequence[str]token_ claims - remove claims. It should be an array, and each element is a claim key string.
- set_
access_ Mapping[str, str]token_ claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
channel_ Mapping[str, str]token_ claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
claims Mapping[str, str] - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust_
access_ booltoken_ introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - trust_
channel_ booltoken_ introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- verify_
access_ booltoken_ expiry - Quickly turn access token expiry verification off and on as needed.
- verify_
access_ booltoken_ introspection_ expiry - Quickly turn access token introspection expiry verification off and on as needed.
- verify_
access_ booltoken_ introspection_ scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - verify_
access_ booltoken_ scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - verify_
access_ booltoken_ signature - Quickly turn access token signature verification off and on as needed.
- verify_
channel_ booltoken_ expiry - verify_
channel_ booltoken_ introspection_ expiry - Quickly turn on/off the channel token introspection expiry verification.
- verify_
channel_ booltoken_ introspection_ scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - verify_
channel_ booltoken_ scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - verify_
channel_ booltoken_ signature - Quickly turn on/off the channel token signature verification.
- access
Token List<String>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. - access
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token StringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token List<String>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. - access
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token NumberIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. - access
Token List<String>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. - access
Token List<String>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token NumberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token StringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. - access
Token StringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token StringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token NumberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. - access
Token StringKeyset - The name of the keyset containing signing keys.
- access
Token StringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token NumberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. - access
Token NumberLeeway - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. - access
Token BooleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect - access
Token StringRequest Header - This parameter tells the name of the header where to look for the access token.
- access
Token List<String>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. - access
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token StringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. - access
Token NumberUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. - add
Access Map<String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Map<String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access BooleanToken Introspection - Whether to cache access token introspection results.
- cache
Channel BooleanToken Introspection - Whether to cache channel token introspection results.
- channel
Token List<String>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. - channel
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - String
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token StringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token List<String>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. - channel
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token NumberIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. - channel
Token List<String>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. - channel
Token List<String>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token NumberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token StringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. - channel
Token StringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token StringJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token NumberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. - channel
Token StringKeyset - The name of the keyset containing signing keys.
- channel
Token StringKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token NumberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. - channel
Token NumberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. - channel
Token BooleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect - channel
Token StringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token List<String>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. - channel
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token StringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token NumberUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. - enable
Access BooleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. - enable
Channel BooleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. - enable
Hs BooleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. - original
Access StringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel StringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- remove
Channel List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string.
- set
Access Map<String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Map<String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access BooleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. - trust
Channel BooleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- verify
Access BooleanToken Expiry - Quickly turn access token expiry verification off and on as needed.
- verify
Access BooleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access BooleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. - verify
Access BooleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. - verify
Access BooleanToken Signature - Quickly turn access token signature verification off and on as needed.
- verify
Channel BooleanToken Expiry - verify
Channel BooleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel BooleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. - verify
Channel BooleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. - verify
Channel BooleanToken Signature - Quickly turn on/off the channel token signature verification.
GatewayPluginJwtSignerOrdering, GatewayPluginJwtSignerOrderingArgs
GatewayPluginJwtSignerOrderingAfter, GatewayPluginJwtSignerOrderingAfterArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginJwtSignerOrderingBefore, GatewayPluginJwtSignerOrderingBeforeArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginJwtSignerRoute, GatewayPluginJwtSignerRouteArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerService, GatewayPluginJwtSignerServiceArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
Import
$ pulumi import konnect:index/gatewayPluginJwtSigner:GatewayPluginJwtSigner my_konnect_gateway_plugin_jwt_signer "{ \"control_plane_id\": \"9524ec7d-36d9-465d-a8c5-83a3c9390458\", \"plugin_id\": \"3473c251-5b6c-4f45-b1ff-7ede735a366d\"}"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- konnect kong/terraform-provider-konnect
- License
- Notes
- This Pulumi package is based on the
konnectTerraform Provider.