konnect.GatewayPluginOpenidConnect
GatewayPluginOpenidConnect Resource
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.konnect.GatewayPluginOpenidConnect;
import com.pulumi.konnect.GatewayPluginOpenidConnectArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectConfigArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectConfigRedisArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectOrderingArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectOrderingAfterArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectOrderingBeforeArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectRouteArgs;
import com.pulumi.konnect.inputs.GatewayPluginOpenidConnectServiceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares a single {@code konnect:GatewayPluginOpenidConnect}
 * resource with placeholder ({@code "..."}) values for every input.
 *
 * NOTE(review): this listing is generated example output and does not compile as
 * written. The {@code client_jwk} and {@code cluster_cache_redis} arguments contain a
 * generator panic string ({@code %!v(PANIC=...)}) where Java should be; the YAML
 * example on this page shows the intended shape (a list of JWK objects and a redis
 * object). {@code GatewayPluginOpenidConnectConfigRedisClusterNodeArgs} and
 * {@code GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs} are used below without
 * being imported. The config builder is called with snake_case setter names while the
 * redis builder and the top-level args use camelCase; the schema property names in the
 * C# reference example further down this page are the ones to check the setter names
 * against before copying this program.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the OpenID Connect plugin resource.
     *
     * Every string below is a placeholder. The ones that are credentials
     * (client_secret, session_secret, cache_tokens_salt, the redis passwords, the
     * proxy authorization values) must not be committed as literals in a real
     * program; read them from Pulumi secret config so they stay encrypted in state.
     * Several boolean example values (cookie secure/http_only flags, verify_signature,
     * verify_nonce, tls_client_auth_ssl_verify) are not a recommended production
     * configuration; their names suggest they relax checks, so confirm each one
     * against the plugin reference rather than copying the example value.
     *
     * @param ctx the deployment context supplied by Pulumi
     */
    public static void stack(Context ctx) {
        var myGatewaypluginopenidconnect = new GatewayPluginOpenidConnect("myGatewaypluginopenidconnect", GatewayPluginOpenidConnectArgs.builder()
            .config(GatewayPluginOpenidConnectConfigArgs.builder()
                .anonymous("...my_anonymous...")
                .audience("...")
                .audience_claim("...")
                .audience_required("...")
                .auth_methods("userinfo")
                .authenticated_groups_claim("...")
                .authorization_cookie_domain("...my_authorization_cookie_domain...")
                // Example values only: the names suggest these set the Set-Cookie
                // attributes of the authorization cookie — revisit before deploying.
                .authorization_cookie_http_only(false)
                .authorization_cookie_name("...my_authorization_cookie_name...")
                .authorization_cookie_path("...my_authorization_cookie_path...")
                .authorization_cookie_same_site("Strict")
                .authorization_cookie_secure(false)
                .authorization_endpoint("...my_authorization_endpoint...")
                .authorization_query_args_client("...")
                .authorization_query_args_names("...")
                .authorization_query_args_values("...")
                .authorization_rolling_timeout(1.26)
                .bearer_token_cookie_name("...my_bearer_token_cookie_name...")
                .bearer_token_param_type("body")
                .by_username_ignore_case(false)
                .cache_introspection(true)
                .cache_token_exchange(false)
                .cache_tokens(false)
                // Secret material placeholder: source from secret config, not a literal.
                .cache_tokens_salt("...my_cache_tokens_salt...")
                .cache_ttl(4.51)
                .cache_ttl_max(8.18)
                .cache_ttl_min(0.48)
                .cache_ttl_neg(5.85)
                .cache_ttl_resurrect(0.5)
                .cache_user_info(false)
                .claims_forbidden("...")
                .client_alg("HS384")
                .client_arg("...my_client_arg...")
                .client_auth("client_secret_post")
                .client_credentials_param_type("query")
                .client_id("...")
                // NOTE(review): generator panic output, not Java. The YAML example on
                // this page shows this as a list of JWK objects; a JWK that carries
                // d/p/q/dp/dq/qi/k holds private-key material and is itself a secret.
                .client_jwk(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                // Credential placeholder: source from secret config, never a literal.
                .client_secret("...")
                // NOTE(review): generator panic output, not Java. The YAML example on
                // this page shows this as a redis connection object (same fields as
                // the .redis(...) builder below, minus prefix/socket).
                .cluster_cache_redis(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                .cluster_cache_strategy("off")
                .consumer_by("id")
                .consumer_claim("...")
                .consumer_optional(true)
                .credential_claim("...")
                .disable_session("bearer")
                .discovery_headers_names("...")
                .discovery_headers_values("...")
                .display_errors(false)
                .domains("...")
                .downstream_access_token_header("...my_downstream_access_token_header...")
                .downstream_access_token_jwk_header("...my_downstream_access_token_jwk_header...")
                .downstream_headers_claims("...")
                .downstream_headers_names("...")
                .downstream_id_token_header("...my_downstream_id_token_header...")
                .downstream_id_token_jwk_header("...my_downstream_id_token_jwk_header...")
                .downstream_introspection_header("...my_downstream_introspection_header...")
                .downstream_introspection_jwt_header("...my_downstream_introspection_jwt_header...")
                .downstream_refresh_token_header("...my_downstream_refresh_token_header...")
                .downstream_session_id_header("...my_downstream_session_id_header...")
                .downstream_user_info_header("...my_downstream_user_info_header...")
                .downstream_user_info_jwt_header("...my_downstream_user_info_jwt_header...")
                .dpop_proof_lifetime(9.34)
                .dpop_use_nonce(true)
                .enable_hs_signatures(true)
                .end_session_endpoint("...my_end_session_endpoint...")
                .expose_error_code(false)
                .extra_jwks_uris("...")
                .forbidden_destroy_session(false)
                .forbidden_error_message("...my_forbidden_error_message...")
                .forbidden_redirect_uri("...")
                .groups_claim("...")
                .groups_required("...")
                .hide_credentials(true)
                .http_proxy("...my_http_proxy...")
                // Proxy credential placeholders (http and https): secret config, not literals.
                .http_proxy_authorization("...my_http_proxy_authorization...")
                .http_version(2.54)
                .https_proxy("...my_https_proxy...")
                .https_proxy_authorization("...my_https_proxy_authorization...")
                .id_token_param_name("...my_id_token_param_name...")
                .id_token_param_type("query")
                // Example value; the name suggests signature checks are skipped for the
                // listed token type — confirm against the plugin reference.
                .ignore_signature("refresh_token")
                .introspect_jwt_tokens(true)
                .introspection_accept("application/json")
                .introspection_check_active(false)
                .introspection_endpoint("...my_introspection_endpoint...")
                .introspection_endpoint_auth_method("client_secret_basic")
                .introspection_headers_client("...")
                .introspection_headers_names("...")
                .introspection_headers_values("...")
                .introspection_hint("...my_introspection_hint...")
                .introspection_post_args_client("...")
                .introspection_post_args_client_headers("...")
                .introspection_post_args_names("...")
                .introspection_post_args_values("...")
                .introspection_token_param_name("...my_introspection_token_param_name...")
                .issuer("...my_issuer...")
                .issuers_allowed("...")
                .jwt_session_claim("...my_jwt_session_claim...")
                .jwt_session_cookie("...my_jwt_session_cookie...")
                .keepalive(true)
                .leeway(4.43)
                .login_action("redirect")
                .login_methods("authorization_code")
                .login_redirect_mode("query")
                .login_redirect_uri("...")
                .login_tokens("refresh_token")
                .logout_methods("GET")
                .logout_post_arg("...my_logout_post_arg...")
                .logout_query_arg("...my_logout_query_arg...")
                .logout_redirect_uri("...")
                .logout_revoke(true)
                .logout_revoke_access_token(false)
                .logout_revoke_refresh_token(false)
                .logout_uri_suffix("...my_logout_uri_suffix...")
                .max_age(0.81)
                .mtls_introspection_endpoint("...my_mtls_introspection_endpoint...")
                .mtls_revocation_endpoint("...my_mtls_revocation_endpoint...")
                .mtls_token_endpoint("...my_mtls_token_endpoint...")
                .no_proxy("...my_no_proxy...")
                .password_param_type("body")
                .preserve_query_args(true)
                .proof_of_possession_auth_methods_validation(true)
                .proof_of_possession_dpop("optional")
                .proof_of_possession_mtls("off")
                .pushed_authorization_request_endpoint("...my_pushed_authorization_request_endpoint...")
                .pushed_authorization_request_endpoint_auth_method("tls_client_auth")
                .redirect_uri("...")
                // Redis connection for the plugin; the two nested *NodeArgs builders
                // below are not imported at the top of this file.
                .redis(GatewayPluginOpenidConnectConfigRedisArgs.builder()
                    .clusterMaxRedirections(9)
                    .clusterNodes(GatewayPluginOpenidConnectConfigRedisClusterNodeArgs.builder()
                        .ip("...my_ip...")
                        .port(55819)
                        .build())
                    .connectTimeout(829309575)
                    .connectionIsProxied(true)
                    .database(2)
                    .host("...my_host...")
                    .keepaliveBacklog(1420640006)
                    .keepalivePoolSize(147781497)
                    // Credential placeholder: secret config, not a literal.
                    .password("...my_password...")
                    .port(20220)
                    .prefix("...my_prefix...")
                    .readTimeout(2120279470)
                    .sendTimeout(523577252)
                    .sentinelMaster("...my_sentinel_master...")
                    .sentinelNodes(GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs.builder()
                        .host("...my_host...")
                        .port(58352)
                        .build())
                    // Credential placeholder: secret config, not a literal.
                    .sentinelPassword("...my_sentinel_password...")
                    .sentinelRole("slave")
                    .sentinelUsername("...my_sentinel_username...")
                    .serverName("...my_server_name...")
                    .socket("...my_socket...")
                    .ssl(true)
                    .sslVerify(true)
                    .username("...my_username...")
                    .build())
                .rediscovery_lifetime(0.82)
                .refresh_token_param_name("...my_refresh_token_param_name...")
                .refresh_token_param_type("header")
                .refresh_tokens(true)
                .require_proof_key_for_code_exchange(true)
                .require_pushed_authorization_requests(true)
                .require_signed_request_object(false)
                .resolve_distributed_claims(true)
                .response_mode("fragment.jwt")
                .response_type("...")
                .reverify(false)
                .revocation_endpoint("...my_revocation_endpoint...")
                .revocation_endpoint_auth_method("tls_client_auth")
                .revocation_token_param_name("...my_revocation_token_param_name...")
                .roles_claim("...")
                .roles_required("...")
                .run_on_preflight(true)
                .scopes("...")
                .scopes_claim("...")
                .scopes_required("...")
                .search_user_info(false)
                .session_absolute_timeout(6.27)
                .session_audience("...my_session_audience...")
                .session_cookie_domain("...my_session_cookie_domain...")
                // Example values only for the session cookie attributes; see the
                // authorization cookie note above.
                .session_cookie_http_only(false)
                .session_cookie_name("...my_session_cookie_name...")
                .session_cookie_path("...my_session_cookie_path...")
                .session_cookie_same_site("Default")
                .session_cookie_secure(true)
                .session_enforce_same_subject(false)
                .session_hash_storage_key(false)
                .session_hash_subject(false)
                .session_idling_timeout(9.33)
                .session_memcached_host("...my_session_memcached_host...")
                .session_memcached_port(10230)
                .session_memcached_prefix("...my_session_memcached_prefix...")
                .session_memcached_socket("...my_session_memcached_socket...")
                .session_remember(false)
                .session_remember_absolute_timeout(6.89)
                .session_remember_cookie_name("...my_session_remember_cookie_name...")
                .session_remember_rolling_timeout(2.91)
                .session_request_headers("audience")
                .session_response_headers("absolute-timeout")
                .session_rolling_timeout(5.68)
                // Credential placeholder: secret config, not a literal.
                .session_secret("...my_session_secret...")
                .session_storage("memcache")
                .session_store_metadata(true)
                .ssl_verify(true)
                .timeout(0.75)
                .tls_client_auth_cert_id("...my_tls_client_auth_cert_id...")
                .tls_client_auth_ssl_verify(false)
                .token_cache_key_include_scope(true)
                .token_endpoint("...my_token_endpoint...")
                .token_endpoint_auth_method("client_secret_post")
                .token_exchange_endpoint("...my_token_exchange_endpoint...")
                .token_headers_client("...")
                .token_headers_grants("client_credentials")
                .token_headers_names("...")
                .token_headers_prefix("...my_token_headers_prefix...")
                .token_headers_replay("...")
                .token_headers_values("...")
                .token_post_args_client("...")
                .token_post_args_names("...")
                .token_post_args_values("...")
                .unauthorized_destroy_session(false)
                .unauthorized_error_message("...my_unauthorized_error_message...")
                .unauthorized_redirect_uri("...")
                .unexpected_redirect_uri("...")
                .upstream_access_token_header("...my_upstream_access_token_header...")
                .upstream_access_token_jwk_header("...my_upstream_access_token_jwk_header...")
                .upstream_headers_claims("...")
                .upstream_headers_names("...")
                .upstream_id_token_header("...my_upstream_id_token_header...")
                .upstream_id_token_jwk_header("...my_upstream_id_token_jwk_header...")
                .upstream_introspection_header("...my_upstream_introspection_header...")
                .upstream_introspection_jwt_header("...my_upstream_introspection_jwt_header...")
                .upstream_refresh_token_header("...my_upstream_refresh_token_header...")
                .upstream_session_id_header("...my_upstream_session_id_header...")
                .upstream_user_info_header("...my_upstream_user_info_header...")
                .upstream_user_info_jwt_header("...my_upstream_user_info_jwt_header...")
                .userinfo_accept("application/json")
                .userinfo_endpoint("...my_userinfo_endpoint...")
                .userinfo_headers_client("...")
                .userinfo_headers_names("...")
                .userinfo_headers_values("...")
                .userinfo_query_args_client("...")
                .userinfo_query_args_names("...")
                .userinfo_query_args_values("...")
                .using_pseudo_issuer(true)
                .verify_claims(true)
                // Example values only: the names suggest nonce and token-signature
                // verification are switched off here — confirm against the plugin
                // reference; this is not a configuration to copy as-is.
                .verify_nonce(false)
                .verify_parameters(true)
                .verify_signature(false)
                .build())
            .controlPlaneId("9524ec7d-36d9-465d-a8c5-83a3c9390458")
            .enabled(true)
            .gatewayPluginOpenidConnectId("...my_id...")
            .instanceName("...my_instance_name...")
            .ordering(GatewayPluginOpenidConnectOrderingArgs.builder()
                .after(GatewayPluginOpenidConnectOrderingAfterArgs.builder()
                    .access("...")
                    .build())
                .before(GatewayPluginOpenidConnectOrderingBeforeArgs.builder()
                    .access("...")
                    .build())
                .build())
            .protocols("http")
            .route(GatewayPluginOpenidConnectRouteArgs.builder()
                .id("...my_id...")
                .build())
            .service(GatewayPluginOpenidConnectServiceArgs.builder()
                .id("...my_id...")
                .build())
            .tags("...")
            .build());
    }
}
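# Pulumi YAML form of the same example: one konnect:GatewayPluginOpenidConnect
# resource with placeholder values. The rendered page had flattened all
# indentation (which makes the document invalid YAML); it is restored here.
# Keys under `config` are snake_case as elsewhere on this page while the nested
# redis/JWK keys are camelCase; check them against the schema property names in
# the C# reference example further down before using this.
# Credential placeholders (client_secret, session_secret, cache_tokens_salt, the
# redis passwords, the proxy authorization values) should come from secret
# config (`pulumi config set --secret ...` / `fn::secret`), not literals.
# Bare `off`, `y` and `n` are booleans to YAML 1.1 parsers; they are quoted
# below so they stay strings, as the Java example on this page intends.
resources:
  myGatewaypluginopenidconnect:
    type: konnect:GatewayPluginOpenidConnect
    properties:
      config:
        anonymous: '...my_anonymous...'
        audience:
          - '...'
        audience_claim:
          - '...'
        audience_required:
          - '...'
        auth_methods:
          - userinfo
        authenticated_groups_claim:
          - '...'
        authorization_cookie_domain: '...my_authorization_cookie_domain...'
        # Example cookie attributes; revisit http_only/secure/same_site before
        # deploying.
        authorization_cookie_http_only: false
        authorization_cookie_name: '...my_authorization_cookie_name...'
        authorization_cookie_path: '...my_authorization_cookie_path...'
        authorization_cookie_same_site: Strict
        authorization_cookie_secure: false
        authorization_endpoint: '...my_authorization_endpoint...'
        authorization_query_args_client:
          - '...'
        authorization_query_args_names:
          - '...'
        authorization_query_args_values:
          - '...'
        authorization_rolling_timeout: 1.26
        bearer_token_cookie_name: '...my_bearer_token_cookie_name...'
        bearer_token_param_type:
          - body
        by_username_ignore_case: false
        cache_introspection: true
        cache_token_exchange: false
        cache_tokens: false
        # Secret material placeholder.
        cache_tokens_salt: '...my_cache_tokens_salt...'
        cache_ttl: 4.51
        cache_ttl_max: 8.18
        cache_ttl_min: 0.48
        cache_ttl_neg: 5.85
        cache_ttl_resurrect: 0.5
        cache_user_info: false
        claims_forbidden:
          - '...'
        client_alg:
          - HS384
        client_arg: '...my_client_arg...'
        client_auth:
          - client_secret_post
        client_credentials_param_type:
          - query
        client_id:
          - '...'
        # A JWK per client. d/p/q/dp/dq/qi/k are private-key parameters, so the
        # whole object is secret material.
        client_jwk:
          - alg: '...my_alg...'
            crv: '...my_crv...'
            d: '...my_d...'
            dp: '...my_dp...'
            dq: '...my_dq...'
            e: '...my_e...'
            issuer: '...my_issuer...'
            k: '...my_k...'
            keyOps:
              - '...'
            kid: '...my_kid...'
            kty: '...my_kty...'
            'n': '...my_n...'
            oth: '...my_oth...'
            p: '...my_p...'
            q: '...my_q...'
            qi: '...my_qi...'
            r: '...my_r...'
            t: '...my_t...'
            use: '...my_use...'
            x: '...my_x...'
            x5c:
              - '...'
            x5t: '...my_x5t...'
            x5tNumberS256: '...my_x5t_number_s256...'
            x5u: '...my_x5u...'
            'y': '...my_y...'
        # Credential placeholder.
        client_secret:
          - '...'
        # Timeouts and pool sizes are rendered in scientific notation here; the
        # Java example on this page passes them as plain integers.
        cluster_cache_redis:
          clusterMaxRedirections: 5
          clusterNodes:
            - ip: '...my_ip...'
              port: 39126
          connectTimeout: 1.007376275e+09
          connectionIsProxied: false
          database: 6
          host: '...my_host...'
          keepaliveBacklog: 5.13691764e+08
          keepalivePoolSize: 7.42855137e+08
          # Credential placeholder.
          password: '...my_password...'
          port: 25288
          readTimeout: 1.652724306e+09
          sendTimeout: 2.4704322e+07
          sentinelMaster: '...my_sentinel_master...'
          sentinelNodes:
            - host: '...my_host...'
              port: 5690
          # Credential placeholder.
          sentinelPassword: '...my_sentinel_password...'
          sentinelRole: any
          sentinelUsername: '...my_sentinel_username...'
          serverName: '...my_server_name...'
          ssl: true
          sslVerify: true
          username: '...my_username...'
        cluster_cache_strategy: 'off'
        consumer_by:
          - id
        consumer_claim:
          - '...'
        consumer_optional: true
        credential_claim:
          - '...'
        disable_session:
          - bearer
        discovery_headers_names:
          - '...'
        discovery_headers_values:
          - '...'
        display_errors: false
        domains:
          - '...'
        downstream_access_token_header: '...my_downstream_access_token_header...'
        downstream_access_token_jwk_header: '...my_downstream_access_token_jwk_header...'
        downstream_headers_claims:
          - '...'
        downstream_headers_names:
          - '...'
        downstream_id_token_header: '...my_downstream_id_token_header...'
        downstream_id_token_jwk_header: '...my_downstream_id_token_jwk_header...'
        downstream_introspection_header: '...my_downstream_introspection_header...'
        downstream_introspection_jwt_header: '...my_downstream_introspection_jwt_header...'
        downstream_refresh_token_header: '...my_downstream_refresh_token_header...'
        downstream_session_id_header: '...my_downstream_session_id_header...'
        downstream_user_info_header: '...my_downstream_user_info_header...'
        downstream_user_info_jwt_header: '...my_downstream_user_info_jwt_header...'
        dpop_proof_lifetime: 9.34
        dpop_use_nonce: true
        enable_hs_signatures: true
        end_session_endpoint: '...my_end_session_endpoint...'
        expose_error_code: false
        extra_jwks_uris:
          - '...'
        forbidden_destroy_session: false
        forbidden_error_message: '...my_forbidden_error_message...'
        forbidden_redirect_uri:
          - '...'
        groups_claim:
          - '...'
        groups_required:
          - '...'
        hide_credentials: true
        http_proxy: '...my_http_proxy...'
        # Proxy credential placeholders (http and https).
        http_proxy_authorization: '...my_http_proxy_authorization...'
        http_version: 2.54
        https_proxy: '...my_https_proxy...'
        https_proxy_authorization: '...my_https_proxy_authorization...'
        id_token_param_name: '...my_id_token_param_name...'
        id_token_param_type:
          - query
        # Example value; the name suggests signature checks are skipped for the
        # listed token type — confirm against the plugin reference.
        ignore_signature:
          - refresh_token
        introspect_jwt_tokens: true
        introspection_accept: application/json
        introspection_check_active: false
        introspection_endpoint: '...my_introspection_endpoint...'
        introspection_endpoint_auth_method: client_secret_basic
        introspection_headers_client:
          - '...'
        introspection_headers_names:
          - '...'
        introspection_headers_values:
          - '...'
        introspection_hint: '...my_introspection_hint...'
        introspection_post_args_client:
          - '...'
        introspection_post_args_client_headers:
          - '...'
        introspection_post_args_names:
          - '...'
        introspection_post_args_values:
          - '...'
        introspection_token_param_name: '...my_introspection_token_param_name...'
        issuer: '...my_issuer...'
        issuers_allowed:
          - '...'
        jwt_session_claim: '...my_jwt_session_claim...'
        jwt_session_cookie: '...my_jwt_session_cookie...'
        keepalive: true
        leeway: 4.43
        login_action: redirect
        login_methods:
          - authorization_code
        login_redirect_mode: query
        login_redirect_uri:
          - '...'
        login_tokens:
          - refresh_token
        logout_methods:
          - GET
        logout_post_arg: '...my_logout_post_arg...'
        logout_query_arg: '...my_logout_query_arg...'
        logout_redirect_uri:
          - '...'
        logout_revoke: true
        logout_revoke_access_token: false
        logout_revoke_refresh_token: false
        logout_uri_suffix: '...my_logout_uri_suffix...'
        max_age: 0.81
        mtls_introspection_endpoint: '...my_mtls_introspection_endpoint...'
        mtls_revocation_endpoint: '...my_mtls_revocation_endpoint...'
        mtls_token_endpoint: '...my_mtls_token_endpoint...'
        no_proxy: '...my_no_proxy...'
        password_param_type:
          - body
        preserve_query_args: true
        proof_of_possession_auth_methods_validation: true
        proof_of_possession_dpop: optional
        proof_of_possession_mtls: 'off'
        pushed_authorization_request_endpoint: '...my_pushed_authorization_request_endpoint...'
        pushed_authorization_request_endpoint_auth_method: tls_client_auth
        redirect_uri:
          - '...'
        redis:
          clusterMaxRedirections: 9
          clusterNodes:
            - ip: '...my_ip...'
              port: 55819
          connectTimeout: 8.29309575e+08
          connectionIsProxied: true
          database: 2
          host: '...my_host...'
          keepaliveBacklog: 1.420640006e+09
          keepalivePoolSize: 1.47781497e+08
          # Credential placeholder.
          password: '...my_password...'
          port: 20220
          prefix: '...my_prefix...'
          readTimeout: 2.12027947e+09
          sendTimeout: 5.23577252e+08
          sentinelMaster: '...my_sentinel_master...'
          sentinelNodes:
            - host: '...my_host...'
              port: 58352
          # Credential placeholder.
          sentinelPassword: '...my_sentinel_password...'
          sentinelRole: slave
          sentinelUsername: '...my_sentinel_username...'
          serverName: '...my_server_name...'
          socket: '...my_socket...'
          ssl: true
          sslVerify: true
          username: '...my_username...'
        rediscovery_lifetime: 0.82
        refresh_token_param_name: '...my_refresh_token_param_name...'
        refresh_token_param_type:
          - header
        refresh_tokens: true
        require_proof_key_for_code_exchange: true
        require_pushed_authorization_requests: true
        require_signed_request_object: false
        resolve_distributed_claims: true
        response_mode: fragment.jwt
        response_type:
          - '...'
        reverify: false
        revocation_endpoint: '...my_revocation_endpoint...'
        revocation_endpoint_auth_method: tls_client_auth
        revocation_token_param_name: '...my_revocation_token_param_name...'
        roles_claim:
          - '...'
        roles_required:
          - '...'
        run_on_preflight: true
        scopes:
          - '...'
        scopes_claim:
          - '...'
        scopes_required:
          - '...'
        search_user_info: false
        session_absolute_timeout: 6.27
        session_audience: '...my_session_audience...'
        session_cookie_domain: '...my_session_cookie_domain...'
        # Example session-cookie attributes; see the authorization cookie note.
        session_cookie_http_only: false
        session_cookie_name: '...my_session_cookie_name...'
        session_cookie_path: '...my_session_cookie_path...'
        session_cookie_same_site: Default
        session_cookie_secure: true
        session_enforce_same_subject: false
        session_hash_storage_key: false
        session_hash_subject: false
        session_idling_timeout: 9.33
        session_memcached_host: '...my_session_memcached_host...'
        session_memcached_port: 10230
        session_memcached_prefix: '...my_session_memcached_prefix...'
        session_memcached_socket: '...my_session_memcached_socket...'
        session_remember: false
        session_remember_absolute_timeout: 6.89
        session_remember_cookie_name: '...my_session_remember_cookie_name...'
        session_remember_rolling_timeout: 2.91
        session_request_headers:
          - audience
        session_response_headers:
          - absolute-timeout
        session_rolling_timeout: 5.68
        # Credential placeholder.
        session_secret: '...my_session_secret...'
        session_storage: memcache
        session_store_metadata: true
        ssl_verify: true
        timeout: 0.75
        tls_client_auth_cert_id: '...my_tls_client_auth_cert_id...'
        tls_client_auth_ssl_verify: false
        token_cache_key_include_scope: true
        token_endpoint: '...my_token_endpoint...'
        token_endpoint_auth_method: client_secret_post
        token_exchange_endpoint: '...my_token_exchange_endpoint...'
        token_headers_client:
          - '...'
        token_headers_grants:
          - client_credentials
        token_headers_names:
          - '...'
        token_headers_prefix: '...my_token_headers_prefix...'
        token_headers_replay:
          - '...'
        token_headers_values:
          - '...'
        token_post_args_client:
          - '...'
        token_post_args_names:
          - '...'
        token_post_args_values:
          - '...'
        unauthorized_destroy_session: false
        unauthorized_error_message: '...my_unauthorized_error_message...'
        unauthorized_redirect_uri:
          - '...'
        unexpected_redirect_uri:
          - '...'
        upstream_access_token_header: '...my_upstream_access_token_header...'
        upstream_access_token_jwk_header: '...my_upstream_access_token_jwk_header...'
        upstream_headers_claims:
          - '...'
        upstream_headers_names:
          - '...'
        upstream_id_token_header: '...my_upstream_id_token_header...'
        upstream_id_token_jwk_header: '...my_upstream_id_token_jwk_header...'
        upstream_introspection_header: '...my_upstream_introspection_header...'
        upstream_introspection_jwt_header: '...my_upstream_introspection_jwt_header...'
        upstream_refresh_token_header: '...my_upstream_refresh_token_header...'
        upstream_session_id_header: '...my_upstream_session_id_header...'
        upstream_user_info_header: '...my_upstream_user_info_header...'
        upstream_user_info_jwt_header: '...my_upstream_user_info_jwt_header...'
        userinfo_accept: application/json
        userinfo_endpoint: '...my_userinfo_endpoint...'
        userinfo_headers_client:
          - '...'
        userinfo_headers_names:
          - '...'
        userinfo_headers_values:
          - '...'
        userinfo_query_args_client:
          - '...'
        userinfo_query_args_names:
          - '...'
        userinfo_query_args_values:
          - '...'
        using_pseudo_issuer: true
        verify_claims: true
        # Example values only: the names suggest nonce and token-signature
        # verification are switched off — confirm against the plugin reference;
        # not a configuration to copy as-is.
        verify_nonce: false
        verify_parameters: true
        verify_signature: false
      controlPlaneId: 9524ec7d-36d9-465d-a8c5-83a3c9390458
      enabled: true
      gatewayPluginOpenidConnectId: '...my_id...'
      instanceName: '...my_instance_name...'
      ordering:
        after:
          access:
            - '...'
        before:
          access:
            - '...'
      protocols:
        - http
      route:
        id: '...my_id...'
      service:
        id: '...my_id...'
      tags:
        - '...'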
Create GatewayPluginOpenidConnect Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GatewayPluginOpenidConnect(name: string, args: GatewayPluginOpenidConnectArgs, opts?: CustomResourceOptions);
@overload
def GatewayPluginOpenidConnect(resource_name: str,
args: GatewayPluginOpenidConnectArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GatewayPluginOpenidConnect(resource_name: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginOpenidConnectConfigArgs] = None,
control_plane_id: Optional[str] = None,
enabled: Optional[bool] = None,
gateway_plugin_openid_connect_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginOpenidConnectOrderingArgs] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginOpenidConnectRouteArgs] = None,
service: Optional[GatewayPluginOpenidConnectServiceArgs] = None,
tags: Optional[Sequence[str]] = None)
func NewGatewayPluginOpenidConnect(ctx *Context, name string, args GatewayPluginOpenidConnectArgs, opts ...ResourceOption) (*GatewayPluginOpenidConnect, error)
public GatewayPluginOpenidConnect(string name, GatewayPluginOpenidConnectArgs args, CustomResourceOptions? opts = null)
public GatewayPluginOpenidConnect(String name, GatewayPluginOpenidConnectArgs args)
public GatewayPluginOpenidConnect(String name, GatewayPluginOpenidConnectArgs args, CustomResourceOptions options)
type: konnect:GatewayPluginOpenidConnect
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GatewayPluginOpenidConnectArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GatewayPluginOpenidConnectArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GatewayPluginOpenidConnectArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GatewayPluginOpenidConnectArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GatewayPluginOpenidConnectArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var gatewayPluginOpenidConnectResource = new Konnect.GatewayPluginOpenidConnect("gatewayPluginOpenidConnectResource", new()
{
Config = new Konnect.Inputs.GatewayPluginOpenidConnectConfigArgs
{
Scopes = new[]
{
"string",
},
Anonymous = "string",
AudienceClaims = new[]
{
"string",
},
AudienceRequireds = new[]
{
"string",
},
Audiences = new[]
{
"string",
},
AuthMethods = new[]
{
"string",
},
AuthenticatedGroupsClaims = new[]
{
"string",
},
AuthorizationCookieDomain = "string",
AuthorizationCookieHttpOnly = false,
AuthorizationCookieName = "string",
AuthorizationCookiePath = "string",
AuthorizationCookieSameSite = "string",
AuthorizationCookieSecure = false,
AuthorizationEndpoint = "string",
AuthorizationQueryArgsClients = new[]
{
"string",
},
AuthorizationQueryArgsNames = new[]
{
"string",
},
AuthorizationQueryArgsValues = new[]
{
"string",
},
AuthorizationRollingTimeout = 0,
BearerTokenCookieName = "string",
BearerTokenParamTypes = new[]
{
"string",
},
ByUsernameIgnoreCase = false,
CacheIntrospection = false,
CacheTokenExchange = false,
CacheTokens = false,
CacheTokensSalt = "string",
CacheTtl = 0,
CacheTtlMax = 0,
CacheTtlMin = 0,
CacheTtlNeg = 0,
CacheTtlResurrect = 0,
CacheUserInfo = false,
ClaimsForbiddens = new[]
{
"string",
},
ClientAlgs = new[]
{
"string",
},
ClientArg = "string",
ClientAuths = new[]
{
"string",
},
ClientCredentialsParamTypes = new[]
{
"string",
},
ClientIds = new[]
{
"string",
},
ClientJwks = new[]
{
new Konnect.Inputs.GatewayPluginOpenidConnectConfigClientJwkArgs
{
Alg = "string",
Crv = "string",
D = "string",
Dp = "string",
Dq = "string",
E = "string",
Issuer = "string",
K = "string",
KeyOps = new[]
{
"string",
},
Kid = "string",
Kty = "string",
N = "string",
Oth = "string",
P = "string",
Q = "string",
Qi = "string",
R = "string",
T = "string",
Use = "string",
X = "string",
X5cs = new[]
{
"string",
},
X5t = "string",
X5tNumberS256 = "string",
X5u = "string",
Y = "string",
},
},
ClientSecrets = new[]
{
"string",
},
ClusterCacheRedis = new Konnect.Inputs.GatewayPluginOpenidConnectConfigClusterCacheRedisArgs
{
ClusterMaxRedirections = 0,
ClusterNodes = new[]
{
new Konnect.Inputs.GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNodeArgs
{
Ip = "string",
Port = 0,
},
},
ConnectTimeout = 0,
ConnectionIsProxied = false,
Database = 0,
Host = "string",
KeepaliveBacklog = 0,
KeepalivePoolSize = 0,
Password = "string",
Port = 0,
ReadTimeout = 0,
SendTimeout = 0,
SentinelMaster = "string",
SentinelNodes = new[]
{
new Konnect.Inputs.GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNodeArgs
{
Host = "string",
Port = 0,
},
},
SentinelPassword = "string",
SentinelRole = "string",
SentinelUsername = "string",
ServerName = "string",
Ssl = false,
SslVerify = false,
Username = "string",
},
ClusterCacheStrategy = "string",
ConsumerBies = new[]
{
"string",
},
ConsumerClaims = new[]
{
"string",
},
ConsumerOptional = false,
CredentialClaims = new[]
{
"string",
},
DisableSessions = new[]
{
"string",
},
DiscoveryHeadersNames = new[]
{
"string",
},
DiscoveryHeadersValues = new[]
{
"string",
},
DisplayErrors = false,
Domains = new[]
{
"string",
},
DownstreamAccessTokenHeader = "string",
DownstreamAccessTokenJwkHeader = "string",
DownstreamHeadersClaims = new[]
{
"string",
},
DownstreamHeadersNames = new[]
{
"string",
},
DownstreamIdTokenHeader = "string",
DownstreamIdTokenJwkHeader = "string",
DownstreamIntrospectionHeader = "string",
DownstreamIntrospectionJwtHeader = "string",
DownstreamRefreshTokenHeader = "string",
DownstreamSessionIdHeader = "string",
DownstreamUserInfoHeader = "string",
DownstreamUserInfoJwtHeader = "string",
DpopProofLifetime = 0,
DpopUseNonce = false,
EnableHsSignatures = false,
EndSessionEndpoint = "string",
ExposeErrorCode = false,
ExtraJwksUris = new[]
{
"string",
},
ForbiddenDestroySession = false,
ForbiddenErrorMessage = "string",
ForbiddenRedirectUris = new[]
{
"string",
},
GroupsClaims = new[]
{
"string",
},
GroupsRequireds = new[]
{
"string",
},
HideCredentials = false,
HttpProxy = "string",
HttpProxyAuthorization = "string",
HttpVersion = 0,
HttpsProxy = "string",
HttpsProxyAuthorization = "string",
IdTokenParamName = "string",
IdTokenParamTypes = new[]
{
"string",
},
IgnoreSignatures = new[]
{
"string",
},
IntrospectJwtTokens = false,
IntrospectionAccept = "string",
IntrospectionCheckActive = false,
IntrospectionEndpoint = "string",
IntrospectionEndpointAuthMethod = "string",
IntrospectionHeadersClients = new[]
{
"string",
},
IntrospectionHeadersNames = new[]
{
"string",
},
IntrospectionHeadersValues = new[]
{
"string",
},
IntrospectionHint = "string",
IntrospectionPostArgsClientHeaders = new[]
{
"string",
},
IntrospectionPostArgsClients = new[]
{
"string",
},
IntrospectionPostArgsNames = new[]
{
"string",
},
IntrospectionPostArgsValues = new[]
{
"string",
},
IntrospectionTokenParamName = "string",
Issuer = "string",
IssuersAlloweds = new[]
{
"string",
},
JwtSessionClaim = "string",
JwtSessionCookie = "string",
Keepalive = false,
Leeway = 0,
LoginAction = "string",
LoginMethods = new[]
{
"string",
},
LoginRedirectMode = "string",
LoginRedirectUris = new[]
{
"string",
},
LoginTokens = new[]
{
"string",
},
LogoutMethods = new[]
{
"string",
},
LogoutPostArg = "string",
LogoutQueryArg = "string",
LogoutRedirectUris = new[]
{
"string",
},
LogoutRevoke = false,
LogoutRevokeAccessToken = false,
LogoutRevokeRefreshToken = false,
LogoutUriSuffix = "string",
MaxAge = 0,
MtlsIntrospectionEndpoint = "string",
MtlsRevocationEndpoint = "string",
MtlsTokenEndpoint = "string",
NoProxy = "string",
PasswordParamTypes = new[]
{
"string",
},
PreserveQueryArgs = false,
ProofOfPossessionAuthMethodsValidation = false,
ProofOfPossessionDpop = "string",
ProofOfPossessionMtls = "string",
PushedAuthorizationRequestEndpoint = "string",
PushedAuthorizationRequestEndpointAuthMethod = "string",
RedirectUris = new[]
{
"string",
},
Redis = new Konnect.Inputs.GatewayPluginOpenidConnectConfigRedisArgs
{
ClusterMaxRedirections = 0,
ClusterNodes = new[]
{
new Konnect.Inputs.GatewayPluginOpenidConnectConfigRedisClusterNodeArgs
{
Ip = "string",
Port = 0,
},
},
ConnectTimeout = 0,
ConnectionIsProxied = false,
Database = 0,
Host = "string",
KeepaliveBacklog = 0,
KeepalivePoolSize = 0,
Password = "string",
Port = 0,
Prefix = "string",
ReadTimeout = 0,
SendTimeout = 0,
SentinelMaster = "string",
SentinelNodes = new[]
{
new Konnect.Inputs.GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs
{
Host = "string",
Port = 0,
},
},
SentinelPassword = "string",
SentinelRole = "string",
SentinelUsername = "string",
ServerName = "string",
Socket = "string",
Ssl = false,
SslVerify = false,
Username = "string",
},
RediscoveryLifetime = 0,
RefreshTokenParamName = "string",
RefreshTokenParamTypes = new[]
{
"string",
},
RefreshTokens = false,
RequireProofKeyForCodeExchange = false,
RequirePushedAuthorizationRequests = false,
RequireSignedRequestObject = false,
ResolveDistributedClaims = false,
ResponseMode = "string",
ResponseTypes = new[]
{
"string",
},
Reverify = false,
RevocationEndpoint = "string",
RevocationEndpointAuthMethod = "string",
RevocationTokenParamName = "string",
RolesClaims = new[]
{
"string",
},
RolesRequireds = new[]
{
"string",
},
RunOnPreflight = false,
ScopesClaims = new[]
{
"string",
},
ScopesRequireds = new[]
{
"string",
},
SearchUserInfo = false,
SessionAbsoluteTimeout = 0,
SessionAudience = "string",
SessionCookieDomain = "string",
SessionCookieHttpOnly = false,
SessionCookieName = "string",
SessionCookiePath = "string",
SessionCookieSameSite = "string",
SessionCookieSecure = false,
SessionEnforceSameSubject = false,
SessionHashStorageKey = false,
SessionHashSubject = false,
SessionIdlingTimeout = 0,
SessionMemcachedHost = "string",
SessionMemcachedPort = 0,
SessionMemcachedPrefix = "string",
SessionMemcachedSocket = "string",
SessionRemember = false,
SessionRememberAbsoluteTimeout = 0,
SessionRememberCookieName = "string",
SessionRememberRollingTimeout = 0,
SessionRequestHeaders = new[]
{
"string",
},
SessionResponseHeaders = new[]
{
"string",
},
SessionRollingTimeout = 0,
SessionSecret = "string",
SessionStorage = "string",
SessionStoreMetadata = false,
SslVerify = false,
Timeout = 0,
TlsClientAuthCertId = "string",
TlsClientAuthSslVerify = false,
TokenCacheKeyIncludeScope = false,
TokenEndpoint = "string",
TokenEndpointAuthMethod = "string",
TokenExchangeEndpoint = "string",
TokenHeadersClients = new[]
{
"string",
},
TokenHeadersGrants = new[]
{
"string",
},
TokenHeadersNames = new[]
{
"string",
},
TokenHeadersPrefix = "string",
TokenHeadersReplays = new[]
{
"string",
},
TokenHeadersValues = new[]
{
"string",
},
TokenPostArgsClients = new[]
{
"string",
},
TokenPostArgsNames = new[]
{
"string",
},
TokenPostArgsValues = new[]
{
"string",
},
UnauthorizedDestroySession = false,
UnauthorizedErrorMessage = "string",
UnauthorizedRedirectUris = new[]
{
"string",
},
UnexpectedRedirectUris = new[]
{
"string",
},
UpstreamAccessTokenHeader = "string",
UpstreamAccessTokenJwkHeader = "string",
UpstreamHeadersClaims = new[]
{
"string",
},
UpstreamHeadersNames = new[]
{
"string",
},
UpstreamIdTokenHeader = "string",
UpstreamIdTokenJwkHeader = "string",
UpstreamIntrospectionHeader = "string",
UpstreamIntrospectionJwtHeader = "string",
UpstreamRefreshTokenHeader = "string",
UpstreamSessionIdHeader = "string",
UpstreamUserInfoHeader = "string",
UpstreamUserInfoJwtHeader = "string",
UserinfoAccept = "string",
UserinfoEndpoint = "string",
UserinfoHeadersClients = new[]
{
"string",
},
UserinfoHeadersNames = new[]
{
"string",
},
UserinfoHeadersValues = new[]
{
"string",
},
UserinfoQueryArgsClients = new[]
{
"string",
},
UserinfoQueryArgsNames = new[]
{
"string",
},
UserinfoQueryArgsValues = new[]
{
"string",
},
UsingPseudoIssuer = false,
VerifyClaims = false,
VerifyNonce = false,
VerifyParameters = false,
VerifySignature = false,
},
ControlPlaneId = "string",
Enabled = false,
GatewayPluginOpenidConnectId = "string",
InstanceName = "string",
Ordering = new Konnect.Inputs.GatewayPluginOpenidConnectOrderingArgs
{
After = new Konnect.Inputs.GatewayPluginOpenidConnectOrderingAfterArgs
{
Accesses = new[]
{
"string",
},
},
Before = new Konnect.Inputs.GatewayPluginOpenidConnectOrderingBeforeArgs
{
Accesses = new[]
{
"string",
},
},
},
Protocols = new[]
{
"string",
},
Route = new Konnect.Inputs.GatewayPluginOpenidConnectRouteArgs
{
Id = "string",
},
Service = new Konnect.Inputs.GatewayPluginOpenidConnectServiceArgs
{
Id = "string",
},
Tags = new[]
{
"string",
},
});
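// Constructor-syntax reference for the Konnect OpenID Connect gateway plugin: every
// argument appears once with a placeholder value (pulumi.String("string"),
// pulumi.Float64(0), pulumi.Bool(false)). It documents the argument shape only and is
// not a working configuration; `example` and `err` are left unhandled in this excerpt.
// Nested input types live in the same `konnect` package as the resource constructor;
// the rendered snippet had dropped the package qualifier, leaving `&.Type{`.
example, err := konnect.NewGatewayPluginOpenidConnect(ctx, "gatewayPluginOpenidConnectResource", &konnect.GatewayPluginOpenidConnectArgs{
	Config: &konnect.GatewayPluginOpenidConnectConfigArgs{
		Scopes: pulumi.StringArray{
			pulumi.String("string"),
		},
		Anonymous: pulumi.String("string"),
		AudienceClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AudienceRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		Audiences: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthMethods: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthenticatedGroupsClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthorizationCookieDomain: pulumi.String("string"),
		// Placeholder cookie flags: a real deployment sets HttpOnly and Secure to true.
		AuthorizationCookieHttpOnly: pulumi.Bool(false),
		AuthorizationCookieName:     pulumi.String("string"),
		AuthorizationCookiePath:     pulumi.String("string"),
		AuthorizationCookieSameSite: pulumi.String("string"),
		AuthorizationCookieSecure:   pulumi.Bool(false),
		AuthorizationEndpoint:       pulumi.String("string"),
		AuthorizationQueryArgsClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthorizationQueryArgsNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthorizationQueryArgsValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuthorizationRollingTimeout: pulumi.Float64(0),
		BearerTokenCookieName:       pulumi.String("string"),
		BearerTokenParamTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		ByUsernameIgnoreCase: pulumi.Bool(false),
		CacheIntrospection:   pulumi.Bool(false),
		CacheTokenExchange:   pulumi.Bool(false),
		CacheTokens:          pulumi.Bool(false),
		CacheTokensSalt:      pulumi.String("string"),
		CacheTtl:             pulumi.Float64(0),
		CacheTtlMax:          pulumi.Float64(0),
		CacheTtlMin:          pulumi.Float64(0),
		CacheTtlNeg:          pulumi.Float64(0),
		CacheTtlResurrect:    pulumi.Float64(0),
		CacheUserInfo:        pulumi.Bool(false),
		ClaimsForbiddens: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClientAlgs: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClientArg: pulumi.String("string"),
		ClientAuths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClientCredentialsParamTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClientIds: pulumi.StringArray{
			pulumi.String("string"),
		},
		// JWK members D, P, Q, Dp, Dq, Qi (and K for symmetric keys) are private-key
		// material; in a real program they come from secret config, never from literals.
		ClientJwks: konnect.GatewayPluginOpenidConnectConfigClientJwkArray{
			&konnect.GatewayPluginOpenidConnectConfigClientJwkArgs{
				Alg:    pulumi.String("string"),
				Crv:    pulumi.String("string"),
				D:      pulumi.String("string"),
				Dp:     pulumi.String("string"),
				Dq:     pulumi.String("string"),
				E:      pulumi.String("string"),
				Issuer: pulumi.String("string"),
				K:      pulumi.String("string"),
				KeyOps: pulumi.StringArray{
					pulumi.String("string"),
				},
				Kid: pulumi.String("string"),
				Kty: pulumi.String("string"),
				N:   pulumi.String("string"),
				Oth: pulumi.String("string"),
				P:   pulumi.String("string"),
				Q:   pulumi.String("string"),
				Qi:  pulumi.String("string"),
				R:   pulumi.String("string"),
				T:   pulumi.String("string"),
				Use: pulumi.String("string"),
				X:   pulumi.String("string"),
				X5cs: pulumi.StringArray{
					pulumi.String("string"),
				},
				X5t:           pulumi.String("string"),
				X5tNumberS256: pulumi.String("string"),
				X5u:           pulumi.String("string"),
				Y:             pulumi.String("string"),
			},
		},
		// Client secrets are credentials; load them from secret config, not source.
		ClientSecrets: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClusterCacheRedis: &konnect.GatewayPluginOpenidConnectConfigClusterCacheRedisArgs{
			ClusterMaxRedirections: pulumi.Float64(0),
			ClusterNodes: konnect.GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNodeArray{
				&konnect.GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNodeArgs{
					Ip:   pulumi.String("string"),
					Port: pulumi.Float64(0),
				},
			},
			ConnectTimeout:      pulumi.Float64(0),
			ConnectionIsProxied: pulumi.Bool(false),
			Database:            pulumi.Float64(0),
			Host:                pulumi.String("string"),
			KeepaliveBacklog:    pulumi.Float64(0),
			KeepalivePoolSize:   pulumi.Float64(0),
			// Redis credentials are secret material.
			Password:       pulumi.String("string"),
			Port:           pulumi.Float64(0),
			ReadTimeout:    pulumi.Float64(0),
			SendTimeout:    pulumi.Float64(0),
			SentinelMaster: pulumi.String("string"),
			SentinelNodes: konnect.GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNodeArray{
				&konnect.GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNodeArgs{
					Host: pulumi.String("string"),
					Port: pulumi.Float64(0),
				},
			},
			SentinelPassword: pulumi.String("string"),
			SentinelRole:     pulumi.String("string"),
			SentinelUsername: pulumi.String("string"),
			ServerName:       pulumi.String("string"),
			// Placeholders; for a cache that holds tokens, enable TLS and verification.
			Ssl:       pulumi.Bool(false),
			SslVerify: pulumi.Bool(false),
			Username:  pulumi.String("string"),
		},
		ClusterCacheStrategy: pulumi.String("string"),
		ConsumerBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		ConsumerClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ConsumerOptional: pulumi.Bool(false),
		CredentialClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		DisableSessions: pulumi.StringArray{
			pulumi.String("string"),
		},
		DiscoveryHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		DiscoveryHeadersValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		// Placeholder; error details shown to clients can leak IdP internals — keep off in production.
		DisplayErrors: pulumi.Bool(false),
		Domains: pulumi.StringArray{
			pulumi.String("string"),
		},
		DownstreamAccessTokenHeader:    pulumi.String("string"),
		DownstreamAccessTokenJwkHeader: pulumi.String("string"),
		DownstreamHeadersClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		DownstreamHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		DownstreamIdTokenHeader:          pulumi.String("string"),
		DownstreamIdTokenJwkHeader:       pulumi.String("string"),
		DownstreamIntrospectionHeader:    pulumi.String("string"),
		DownstreamIntrospectionJwtHeader: pulumi.String("string"),
		DownstreamRefreshTokenHeader:     pulumi.String("string"),
		DownstreamSessionIdHeader:        pulumi.String("string"),
		DownstreamUserInfoHeader:         pulumi.String("string"),
		DownstreamUserInfoJwtHeader:      pulumi.String("string"),
		DpopProofLifetime:                pulumi.Float64(0),
		DpopUseNonce:                     pulumi.Bool(false),
		// Placeholder; HS* (shared-secret) signatures are presumably off unless this is set — confirm in the provider schema.
		EnableHsSignatures: pulumi.Bool(false),
		EndSessionEndpoint: pulumi.String("string"),
		ExposeErrorCode:    pulumi.Bool(false),
		ExtraJwksUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		ForbiddenDestroySession: pulumi.Bool(false),
		ForbiddenErrorMessage:   pulumi.String("string"),
		ForbiddenRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		GroupsClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		GroupsRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		HideCredentials: pulumi.Bool(false),
		HttpProxy:       pulumi.String("string"),
		// Proxy authorization values are credentials; treat as secrets.
		HttpProxyAuthorization:  pulumi.String("string"),
		HttpVersion:             pulumi.Float64(0),
		HttpsProxy:              pulumi.String("string"),
		HttpsProxyAuthorization: pulumi.String("string"),
		IdTokenParamName:        pulumi.String("string"),
		IdTokenParamTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		// Placeholder; presumably lists token kinds whose signature check is skipped — leave empty unless deliberately required.
		IgnoreSignatures: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectJwtTokens:             pulumi.Bool(false),
		IntrospectionAccept:             pulumi.String("string"),
		IntrospectionCheckActive:        pulumi.Bool(false),
		IntrospectionEndpoint:           pulumi.String("string"),
		IntrospectionEndpointAuthMethod: pulumi.String("string"),
		IntrospectionHeadersClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionHeadersValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionHint: pulumi.String("string"),
		IntrospectionPostArgsClientHeaders: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionPostArgsClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionPostArgsNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionPostArgsValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		IntrospectionTokenParamName: pulumi.String("string"),
		Issuer:                      pulumi.String("string"),
		IssuersAlloweds: pulumi.StringArray{
			pulumi.String("string"),
		},
		JwtSessionClaim:  pulumi.String("string"),
		JwtSessionCookie: pulumi.String("string"),
		Keepalive:        pulumi.Bool(false),
		Leeway:           pulumi.Float64(0),
		LoginAction:      pulumi.String("string"),
		LoginMethods: pulumi.StringArray{
			pulumi.String("string"),
		},
		LoginRedirectMode: pulumi.String("string"),
		LoginRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		LoginTokens: pulumi.StringArray{
			pulumi.String("string"),
		},
		LogoutMethods: pulumi.StringArray{
			pulumi.String("string"),
		},
		LogoutPostArg:  pulumi.String("string"),
		LogoutQueryArg: pulumi.String("string"),
		LogoutRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		LogoutRevoke:             pulumi.Bool(false),
		LogoutRevokeAccessToken:  pulumi.Bool(false),
		LogoutRevokeRefreshToken: pulumi.Bool(false),
		LogoutUriSuffix:          pulumi.String("string"),
		MaxAge:                   pulumi.Float64(0),
		MtlsIntrospectionEndpoint: pulumi.String("string"),
		MtlsRevocationEndpoint:    pulumi.String("string"),
		MtlsTokenEndpoint:         pulumi.String("string"),
		NoProxy:                   pulumi.String("string"),
		PasswordParamTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		PreserveQueryArgs:                            pulumi.Bool(false),
		ProofOfPossessionAuthMethodsValidation:       pulumi.Bool(false),
		ProofOfPossessionDpop:                        pulumi.String("string"),
		ProofOfPossessionMtls:                        pulumi.String("string"),
		PushedAuthorizationRequestEndpoint:           pulumi.String("string"),
		PushedAuthorizationRequestEndpointAuthMethod: pulumi.String("string"),
		// Redirect URIs should be exact, pre-registered values.
		RedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		Redis: &konnect.GatewayPluginOpenidConnectConfigRedisArgs{
			ClusterMaxRedirections: pulumi.Float64(0),
			ClusterNodes: konnect.GatewayPluginOpenidConnectConfigRedisClusterNodeArray{
				&konnect.GatewayPluginOpenidConnectConfigRedisClusterNodeArgs{
					Ip:   pulumi.String("string"),
					Port: pulumi.Float64(0),
				},
			},
			ConnectTimeout:      pulumi.Float64(0),
			ConnectionIsProxied: pulumi.Bool(false),
			Database:            pulumi.Float64(0),
			Host:                pulumi.String("string"),
			KeepaliveBacklog:    pulumi.Float64(0),
			KeepalivePoolSize:   pulumi.Float64(0),
			// Redis credentials are secret material.
			Password:       pulumi.String("string"),
			Port:           pulumi.Float64(0),
			Prefix:         pulumi.String("string"),
			ReadTimeout:    pulumi.Float64(0),
			SendTimeout:    pulumi.Float64(0),
			SentinelMaster: pulumi.String("string"),
			SentinelNodes: konnect.GatewayPluginOpenidConnectConfigRedisSentinelNodeArray{
				&konnect.GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs{
					Host: pulumi.String("string"),
					Port: pulumi.Float64(0),
				},
			},
			SentinelPassword: pulumi.String("string"),
			SentinelRole:     pulumi.String("string"),
			SentinelUsername: pulumi.String("string"),
			ServerName:       pulumi.String("string"),
			Socket:           pulumi.String("string"),
			// Placeholders; session storage in Redis should use TLS with verification.
			Ssl:       pulumi.Bool(false),
			SslVerify: pulumi.Bool(false),
			Username:  pulumi.String("string"),
		},
		RediscoveryLifetime:   pulumi.Float64(0),
		RefreshTokenParamName: pulumi.String("string"),
		RefreshTokenParamTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		RefreshTokens:                      pulumi.Bool(false),
		RequireProofKeyForCodeExchange:     pulumi.Bool(false),
		RequirePushedAuthorizationRequests: pulumi.Bool(false),
		RequireSignedRequestObject:         pulumi.Bool(false),
		ResolveDistributedClaims:           pulumi.Bool(false),
		ResponseMode:                       pulumi.String("string"),
		ResponseTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		Reverify:                     pulumi.Bool(false),
		RevocationEndpoint:           pulumi.String("string"),
		RevocationEndpointAuthMethod: pulumi.String("string"),
		RevocationTokenParamName:     pulumi.String("string"),
		RolesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		RolesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		RunOnPreflight: pulumi.Bool(false),
		ScopesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ScopesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		SearchUserInfo:         pulumi.Bool(false),
		SessionAbsoluteTimeout: pulumi.Float64(0),
		SessionAudience:        pulumi.String("string"),
		SessionCookieDomain:    pulumi.String("string"),
		// Placeholder cookie flags: a real deployment sets HttpOnly and Secure to true.
		SessionCookieHttpOnly:     pulumi.Bool(false),
		SessionCookieName:         pulumi.String("string"),
		SessionCookiePath:         pulumi.String("string"),
		SessionCookieSameSite:     pulumi.String("string"),
		SessionCookieSecure:       pulumi.Bool(false),
		SessionEnforceSameSubject: pulumi.Bool(false),
		SessionHashStorageKey:     pulumi.Bool(false),
		SessionHashSubject:        pulumi.Bool(false),
		SessionIdlingTimeout:      pulumi.Float64(0),
		SessionMemcachedHost:      pulumi.String("string"),
		SessionMemcachedPort:      pulumi.Float64(0),
		SessionMemcachedPrefix:    pulumi.String("string"),
		SessionMemcachedSocket:    pulumi.String("string"),
		SessionRemember:           pulumi.Bool(false),
		SessionRememberAbsoluteTimeout: pulumi.Float64(0),
		SessionRememberCookieName:      pulumi.String("string"),
		SessionRememberRollingTimeout:  pulumi.Float64(0),
		SessionRequestHeaders: pulumi.StringArray{
			pulumi.String("string"),
		},
		SessionResponseHeaders: pulumi.StringArray{
			pulumi.String("string"),
		},
		SessionRollingTimeout: pulumi.Float64(0),
		// The session secret is key material; load it from secret config.
		SessionSecret:        pulumi.String("string"),
		SessionStorage:       pulumi.String("string"),
		SessionStoreMetadata: pulumi.Bool(false),
		// Placeholder; presumably TLS verification toward the IdP endpoints — confirm scope and keep enabled.
		SslVerify:                  pulumi.Bool(false),
		Timeout:                    pulumi.Float64(0),
		TlsClientAuthCertId:        pulumi.String("string"),
		TlsClientAuthSslVerify:     pulumi.Bool(false),
		TokenCacheKeyIncludeScope:  pulumi.Bool(false),
		TokenEndpoint:              pulumi.String("string"),
		TokenEndpointAuthMethod:    pulumi.String("string"),
		TokenExchangeEndpoint:      pulumi.String("string"),
		TokenHeadersClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenHeadersGrants: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenHeadersPrefix: pulumi.String("string"),
		TokenHeadersReplays: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenHeadersValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenPostArgsClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenPostArgsNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenPostArgsValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		UnauthorizedDestroySession: pulumi.Bool(false),
		UnauthorizedErrorMessage:   pulumi.String("string"),
		UnauthorizedRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		UnexpectedRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		UpstreamAccessTokenHeader:    pulumi.String("string"),
		UpstreamAccessTokenJwkHeader: pulumi.String("string"),
		UpstreamHeadersClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		UpstreamHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		UpstreamIdTokenHeader:          pulumi.String("string"),
		UpstreamIdTokenJwkHeader:       pulumi.String("string"),
		UpstreamIntrospectionHeader:    pulumi.String("string"),
		UpstreamIntrospectionJwtHeader: pulumi.String("string"),
		UpstreamRefreshTokenHeader:     pulumi.String("string"),
		UpstreamSessionIdHeader:        pulumi.String("string"),
		UpstreamUserInfoHeader:         pulumi.String("string"),
		UpstreamUserInfoJwtHeader:      pulumi.String("string"),
		UserinfoAccept:                 pulumi.String("string"),
		UserinfoEndpoint:               pulumi.String("string"),
		UserinfoHeadersClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserinfoHeadersNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserinfoHeadersValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserinfoQueryArgsClients: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserinfoQueryArgsNames: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserinfoQueryArgsValues: pulumi.StringArray{
			pulumi.String("string"),
		},
		UsingPseudoIssuer: pulumi.Bool(false),
		// Placeholder values: these verification switches stay enabled in a real deployment.
		VerifyClaims:     pulumi.Bool(false),
		VerifyNonce:      pulumi.Bool(false),
		VerifyParameters: pulumi.Bool(false),
		VerifySignature:  pulumi.Bool(false),
	},
	ControlPlaneId:               pulumi.String("string"),
	Enabled:                      pulumi.Bool(false),
	GatewayPluginOpenidConnectId: pulumi.String("string"),
	InstanceName:                 pulumi.String("string"),
	Ordering: &konnect.GatewayPluginOpenidConnectOrderingArgs{
		After: &konnect.GatewayPluginOpenidConnectOrderingAfterArgs{
			Accesses: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Before: &konnect.GatewayPluginOpenidConnectOrderingBeforeArgs{
			Accesses: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	Protocols: pulumi.StringArray{
		pulumi.String("string"),
	},
	Route: &konnect.GatewayPluginOpenidConnectRouteArgs{
		Id: pulumi.String("string"),
	},
	Service: &konnect.GatewayPluginOpenidConnectServiceArgs{
		Id: pulumi.String("string"),
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
})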
// Constructor-syntax reference for the Konnect OpenID Connect gateway plugin: every
// argument is listed once with a placeholder value ("string", 0, false). It shows the
// builder shape only and is not a working configuration.
var gatewayPluginOpenidConnectResource = new GatewayPluginOpenidConnect("gatewayPluginOpenidConnectResource", GatewayPluginOpenidConnectArgs.builder()
.config(GatewayPluginOpenidConnectConfigArgs.builder()
.scopes("string")
.anonymous("string")
.audienceClaims("string")
.audienceRequireds("string")
.audiences("string")
.authMethods("string")
.authenticatedGroupsClaims("string")
.authorizationCookieDomain("string")
// Placeholder cookie flags: a real deployment sets HttpOnly and Secure to true.
.authorizationCookieHttpOnly(false)
.authorizationCookieName("string")
.authorizationCookiePath("string")
.authorizationCookieSameSite("string")
.authorizationCookieSecure(false)
.authorizationEndpoint("string")
.authorizationQueryArgsClients("string")
.authorizationQueryArgsNames("string")
.authorizationQueryArgsValues("string")
.authorizationRollingTimeout(0)
.bearerTokenCookieName("string")
.bearerTokenParamTypes("string")
.byUsernameIgnoreCase(false)
.cacheIntrospection(false)
.cacheTokenExchange(false)
.cacheTokens(false)
.cacheTokensSalt("string")
.cacheTtl(0)
.cacheTtlMax(0)
.cacheTtlMin(0)
.cacheTtlNeg(0)
.cacheTtlResurrect(0)
.cacheUserInfo(false)
.claimsForbiddens("string")
.clientAlgs("string")
.clientArg("string")
.clientAuths("string")
.clientCredentialsParamTypes("string")
.clientIds("string")
// JWK members d, p, q, dp, dq, qi (and k for symmetric keys) are private-key
// material; in a real program they come from secret config, never from literals.
.clientJwks(GatewayPluginOpenidConnectConfigClientJwkArgs.builder()
.alg("string")
.crv("string")
.d("string")
.dp("string")
.dq("string")
.e("string")
.issuer("string")
.k("string")
.keyOps("string")
.kid("string")
.kty("string")
.n("string")
.oth("string")
.p("string")
.q("string")
.qi("string")
.r("string")
.t("string")
.use("string")
.x("string")
.x5cs("string")
.x5t("string")
.x5tNumberS256("string")
.x5u("string")
.y("string")
.build())
// Client secrets are credentials; load them from secret config, not source.
.clientSecrets("string")
.clusterCacheRedis(GatewayPluginOpenidConnectConfigClusterCacheRedisArgs.builder()
.clusterMaxRedirections(0)
.clusterNodes(GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNodeArgs.builder()
.ip("string")
.port(0)
.build())
.connectTimeout(0)
.connectionIsProxied(false)
.database(0)
.host("string")
.keepaliveBacklog(0)
.keepalivePoolSize(0)
// Redis credentials are secret material.
.password("string")
.port(0)
.readTimeout(0)
.sendTimeout(0)
.sentinelMaster("string")
.sentinelNodes(GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNodeArgs.builder()
.host("string")
.port(0)
.build())
.sentinelPassword("string")
.sentinelRole("string")
.sentinelUsername("string")
.serverName("string")
// Placeholders; for a cache that holds tokens, enable TLS and verification.
.ssl(false)
.sslVerify(false)
.username("string")
.build())
.clusterCacheStrategy("string")
.consumerBies("string")
.consumerClaims("string")
.consumerOptional(false)
.credentialClaims("string")
.disableSessions("string")
.discoveryHeadersNames("string")
.discoveryHeadersValues("string")
// Placeholder; error details shown to clients can leak IdP internals — keep off in production.
.displayErrors(false)
.domains("string")
.downstreamAccessTokenHeader("string")
.downstreamAccessTokenJwkHeader("string")
.downstreamHeadersClaims("string")
.downstreamHeadersNames("string")
.downstreamIdTokenHeader("string")
.downstreamIdTokenJwkHeader("string")
.downstreamIntrospectionHeader("string")
.downstreamIntrospectionJwtHeader("string")
.downstreamRefreshTokenHeader("string")
.downstreamSessionIdHeader("string")
.downstreamUserInfoHeader("string")
.downstreamUserInfoJwtHeader("string")
.dpopProofLifetime(0)
.dpopUseNonce(false)
// Placeholder; HS* (shared-secret) signatures are presumably off unless this is set — confirm in the provider schema.
.enableHsSignatures(false)
.endSessionEndpoint("string")
.exposeErrorCode(false)
.extraJwksUris("string")
.forbiddenDestroySession(false)
.forbiddenErrorMessage("string")
.forbiddenRedirectUris("string")
.groupsClaims("string")
.groupsRequireds("string")
.hideCredentials(false)
.httpProxy("string")
// Proxy authorization values are credentials; treat as secrets.
.httpProxyAuthorization("string")
.httpVersion(0)
.httpsProxy("string")
.httpsProxyAuthorization("string")
.idTokenParamName("string")
.idTokenParamTypes("string")
// Placeholder; presumably lists token kinds whose signature check is skipped — leave empty unless deliberately required.
.ignoreSignatures("string")
.introspectJwtTokens(false)
.introspectionAccept("string")
.introspectionCheckActive(false)
.introspectionEndpoint("string")
.introspectionEndpointAuthMethod("string")
.introspectionHeadersClients("string")
.introspectionHeadersNames("string")
.introspectionHeadersValues("string")
.introspectionHint("string")
.introspectionPostArgsClientHeaders("string")
.introspectionPostArgsClients("string")
.introspectionPostArgsNames("string")
.introspectionPostArgsValues("string")
.introspectionTokenParamName("string")
.issuer("string")
.issuersAlloweds("string")
.jwtSessionClaim("string")
.jwtSessionCookie("string")
.keepalive(false)
.leeway(0)
.loginAction("string")
.loginMethods("string")
.loginRedirectMode("string")
.loginRedirectUris("string")
.loginTokens("string")
.logoutMethods("string")
.logoutPostArg("string")
.logoutQueryArg("string")
.logoutRedirectUris("string")
.logoutRevoke(false)
.logoutRevokeAccessToken(false)
.logoutRevokeRefreshToken(false)
.logoutUriSuffix("string")
.maxAge(0)
.mtlsIntrospectionEndpoint("string")
.mtlsRevocationEndpoint("string")
.mtlsTokenEndpoint("string")
.noProxy("string")
.passwordParamTypes("string")
.preserveQueryArgs(false)
.proofOfPossessionAuthMethodsValidation(false)
.proofOfPossessionDpop("string")
.proofOfPossessionMtls("string")
.pushedAuthorizationRequestEndpoint("string")
.pushedAuthorizationRequestEndpointAuthMethod("string")
// Redirect URIs should be exact, pre-registered values.
.redirectUris("string")
.redis(GatewayPluginOpenidConnectConfigRedisArgs.builder()
.clusterMaxRedirections(0)
.clusterNodes(GatewayPluginOpenidConnectConfigRedisClusterNodeArgs.builder()
.ip("string")
.port(0)
.build())
.connectTimeout(0)
.connectionIsProxied(false)
.database(0)
.host("string")
.keepaliveBacklog(0)
.keepalivePoolSize(0)
// Redis credentials are secret material.
.password("string")
.port(0)
.prefix("string")
.readTimeout(0)
.sendTimeout(0)
.sentinelMaster("string")
.sentinelNodes(GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs.builder()
.host("string")
.port(0)
.build())
.sentinelPassword("string")
.sentinelRole("string")
.sentinelUsername("string")
.serverName("string")
.socket("string")
// Placeholders; session storage in Redis should use TLS with verification.
.ssl(false)
.sslVerify(false)
.username("string")
.build())
.rediscoveryLifetime(0)
.refreshTokenParamName("string")
.refreshTokenParamTypes("string")
.refreshTokens(false)
.requireProofKeyForCodeExchange(false)
.requirePushedAuthorizationRequests(false)
.requireSignedRequestObject(false)
.resolveDistributedClaims(false)
.responseMode("string")
.responseTypes("string")
.reverify(false)
.revocationEndpoint("string")
.revocationEndpointAuthMethod("string")
.revocationTokenParamName("string")
.rolesClaims("string")
.rolesRequireds("string")
.runOnPreflight(false)
.scopesClaims("string")
.scopesRequireds("string")
.searchUserInfo(false)
.sessionAbsoluteTimeout(0)
.sessionAudience("string")
.sessionCookieDomain("string")
// Placeholder cookie flags: a real deployment sets HttpOnly and Secure to true.
.sessionCookieHttpOnly(false)
.sessionCookieName("string")
.sessionCookiePath("string")
.sessionCookieSameSite("string")
.sessionCookieSecure(false)
.sessionEnforceSameSubject(false)
.sessionHashStorageKey(false)
.sessionHashSubject(false)
.sessionIdlingTimeout(0)
.sessionMemcachedHost("string")
.sessionMemcachedPort(0)
.sessionMemcachedPrefix("string")
.sessionMemcachedSocket("string")
.sessionRemember(false)
.sessionRememberAbsoluteTimeout(0)
.sessionRememberCookieName("string")
.sessionRememberRollingTimeout(0)
.sessionRequestHeaders("string")
.sessionResponseHeaders("string")
.sessionRollingTimeout(0)
// The session secret is key material; load it from secret config.
.sessionSecret("string")
.sessionStorage("string")
.sessionStoreMetadata(false)
// Placeholder; presumably TLS verification toward the IdP endpoints — confirm scope and keep enabled.
.sslVerify(false)
.timeout(0)
.tlsClientAuthCertId("string")
.tlsClientAuthSslVerify(false)
.tokenCacheKeyIncludeScope(false)
.tokenEndpoint("string")
.tokenEndpointAuthMethod("string")
.tokenExchangeEndpoint("string")
.tokenHeadersClients("string")
.tokenHeadersGrants("string")
.tokenHeadersNames("string")
.tokenHeadersPrefix("string")
.tokenHeadersReplays("string")
.tokenHeadersValues("string")
.tokenPostArgsClients("string")
.tokenPostArgsNames("string")
.tokenPostArgsValues("string")
.unauthorizedDestroySession(false)
.unauthorizedErrorMessage("string")
.unauthorizedRedirectUris("string")
.unexpectedRedirectUris("string")
.upstreamAccessTokenHeader("string")
.upstreamAccessTokenJwkHeader("string")
.upstreamHeadersClaims("string")
.upstreamHeadersNames("string")
.upstreamIdTokenHeader("string")
.upstreamIdTokenJwkHeader("string")
.upstreamIntrospectionHeader("string")
.upstreamIntrospectionJwtHeader("string")
.upstreamRefreshTokenHeader("string")
.upstreamSessionIdHeader("string")
.upstreamUserInfoHeader("string")
.upstreamUserInfoJwtHeader("string")
.userinfoAccept("string")
.userinfoEndpoint("string")
.userinfoHeadersClients("string")
.userinfoHeadersNames("string")
.userinfoHeadersValues("string")
.userinfoQueryArgsClients("string")
.userinfoQueryArgsNames("string")
.userinfoQueryArgsValues("string")
.usingPseudoIssuer(false)
// Placeholder values: these verification switches stay enabled in a real deployment.
.verifyClaims(false)
.verifyNonce(false)
.verifyParameters(false)
.verifySignature(false)
.build())
.controlPlaneId("string")
.enabled(false)
.gatewayPluginOpenidConnectId("string")
.instanceName("string")
.ordering(GatewayPluginOpenidConnectOrderingArgs.builder()
.after(GatewayPluginOpenidConnectOrderingAfterArgs.builder()
.accesses("string")
.build())
.before(GatewayPluginOpenidConnectOrderingBeforeArgs.builder()
.accesses("string")
.build())
.build())
.protocols("string")
.route(GatewayPluginOpenidConnectRouteArgs.builder()
.id("string")
.build())
.service(GatewayPluginOpenidConnectServiceArgs.builder()
.id("string")
.build())
.tags("string")
.build());
gateway_plugin_openid_connect_resource = konnect.GatewayPluginOpenidConnect("gatewayPluginOpenidConnectResource",
config={
"scopes": ["string"],
"anonymous": "string",
"audience_claims": ["string"],
"audience_requireds": ["string"],
"audiences": ["string"],
"auth_methods": ["string"],
"authenticated_groups_claims": ["string"],
"authorization_cookie_domain": "string",
"authorization_cookie_http_only": False,
"authorization_cookie_name": "string",
"authorization_cookie_path": "string",
"authorization_cookie_same_site": "string",
"authorization_cookie_secure": False,
"authorization_endpoint": "string",
"authorization_query_args_clients": ["string"],
"authorization_query_args_names": ["string"],
"authorization_query_args_values": ["string"],
"authorization_rolling_timeout": 0,
"bearer_token_cookie_name": "string",
"bearer_token_param_types": ["string"],
"by_username_ignore_case": False,
"cache_introspection": False,
"cache_token_exchange": False,
"cache_tokens": False,
"cache_tokens_salt": "string",
"cache_ttl": 0,
"cache_ttl_max": 0,
"cache_ttl_min": 0,
"cache_ttl_neg": 0,
"cache_ttl_resurrect": 0,
"cache_user_info": False,
"claims_forbiddens": ["string"],
"client_algs": ["string"],
"client_arg": "string",
"client_auths": ["string"],
"client_credentials_param_types": ["string"],
"client_ids": ["string"],
"client_jwks": [{
"alg": "string",
"crv": "string",
"d": "string",
"dp": "string",
"dq": "string",
"e": "string",
"issuer": "string",
"k": "string",
"key_ops": ["string"],
"kid": "string",
"kty": "string",
"n": "string",
"oth": "string",
"p": "string",
"q": "string",
"qi": "string",
"r": "string",
"t": "string",
"use": "string",
"x": "string",
"x5cs": ["string"],
"x5t": "string",
"x5t_number_s256": "string",
"x5u": "string",
"y": "string",
}],
"client_secrets": ["string"],
"cluster_cache_redis": {
"cluster_max_redirections": 0,
"cluster_nodes": [{
"ip": "string",
"port": 0,
}],
"connect_timeout": 0,
"connection_is_proxied": False,
"database": 0,
"host": "string",
"keepalive_backlog": 0,
"keepalive_pool_size": 0,
"password": "string",
"port": 0,
"read_timeout": 0,
"send_timeout": 0,
"sentinel_master": "string",
"sentinel_nodes": [{
"host": "string",
"port": 0,
}],
"sentinel_password": "string",
"sentinel_role": "string",
"sentinel_username": "string",
"server_name": "string",
"ssl": False,
"ssl_verify": False,
"username": "string",
},
"cluster_cache_strategy": "string",
"consumer_bies": ["string"],
"consumer_claims": ["string"],
"consumer_optional": False,
"credential_claims": ["string"],
"disable_sessions": ["string"],
"discovery_headers_names": ["string"],
"discovery_headers_values": ["string"],
"display_errors": False,
"domains": ["string"],
"downstream_access_token_header": "string",
"downstream_access_token_jwk_header": "string",
"downstream_headers_claims": ["string"],
"downstream_headers_names": ["string"],
"downstream_id_token_header": "string",
"downstream_id_token_jwk_header": "string",
"downstream_introspection_header": "string",
"downstream_introspection_jwt_header": "string",
"downstream_refresh_token_header": "string",
"downstream_session_id_header": "string",
"downstream_user_info_header": "string",
"downstream_user_info_jwt_header": "string",
"dpop_proof_lifetime": 0,
"dpop_use_nonce": False,
"enable_hs_signatures": False,
"end_session_endpoint": "string",
"expose_error_code": False,
"extra_jwks_uris": ["string"],
"forbidden_destroy_session": False,
"forbidden_error_message": "string",
"forbidden_redirect_uris": ["string"],
"groups_claims": ["string"],
"groups_requireds": ["string"],
"hide_credentials": False,
"http_proxy": "string",
"http_proxy_authorization": "string",
"http_version": 0,
"https_proxy": "string",
"https_proxy_authorization": "string",
"id_token_param_name": "string",
"id_token_param_types": ["string"],
"ignore_signatures": ["string"],
"introspect_jwt_tokens": False,
"introspection_accept": "string",
"introspection_check_active": False,
"introspection_endpoint": "string",
"introspection_endpoint_auth_method": "string",
"introspection_headers_clients": ["string"],
"introspection_headers_names": ["string"],
"introspection_headers_values": ["string"],
"introspection_hint": "string",
"introspection_post_args_client_headers": ["string"],
"introspection_post_args_clients": ["string"],
"introspection_post_args_names": ["string"],
"introspection_post_args_values": ["string"],
"introspection_token_param_name": "string",
"issuer": "string",
"issuers_alloweds": ["string"],
"jwt_session_claim": "string",
"jwt_session_cookie": "string",
"keepalive": False,
"leeway": 0,
"login_action": "string",
"login_methods": ["string"],
"login_redirect_mode": "string",
"login_redirect_uris": ["string"],
"login_tokens": ["string"],
"logout_methods": ["string"],
"logout_post_arg": "string",
"logout_query_arg": "string",
"logout_redirect_uris": ["string"],
"logout_revoke": False,
"logout_revoke_access_token": False,
"logout_revoke_refresh_token": False,
"logout_uri_suffix": "string",
"max_age": 0,
"mtls_introspection_endpoint": "string",
"mtls_revocation_endpoint": "string",
"mtls_token_endpoint": "string",
"no_proxy": "string",
"password_param_types": ["string"],
"preserve_query_args": False,
"proof_of_possession_auth_methods_validation": False,
"proof_of_possession_dpop": "string",
"proof_of_possession_mtls": "string",
"pushed_authorization_request_endpoint": "string",
"pushed_authorization_request_endpoint_auth_method": "string",
"redirect_uris": ["string"],
"redis": {
"cluster_max_redirections": 0,
"cluster_nodes": [{
"ip": "string",
"port": 0,
}],
"connect_timeout": 0,
"connection_is_proxied": False,
"database": 0,
"host": "string",
"keepalive_backlog": 0,
"keepalive_pool_size": 0,
"password": "string",
"port": 0,
"prefix": "string",
"read_timeout": 0,
"send_timeout": 0,
"sentinel_master": "string",
"sentinel_nodes": [{
"host": "string",
"port": 0,
}],
"sentinel_password": "string",
"sentinel_role": "string",
"sentinel_username": "string",
"server_name": "string",
"socket": "string",
"ssl": False,
"ssl_verify": False,
"username": "string",
},
"rediscovery_lifetime": 0,
"refresh_token_param_name": "string",
"refresh_token_param_types": ["string"],
"refresh_tokens": False,
"require_proof_key_for_code_exchange": False,
"require_pushed_authorization_requests": False,
"require_signed_request_object": False,
"resolve_distributed_claims": False,
"response_mode": "string",
"response_types": ["string"],
"reverify": False,
"revocation_endpoint": "string",
"revocation_endpoint_auth_method": "string",
"revocation_token_param_name": "string",
"roles_claims": ["string"],
"roles_requireds": ["string"],
"run_on_preflight": False,
"scopes_claims": ["string"],
"scopes_requireds": ["string"],
"search_user_info": False,
"session_absolute_timeout": 0,
"session_audience": "string",
"session_cookie_domain": "string",
"session_cookie_http_only": False,
"session_cookie_name": "string",
"session_cookie_path": "string",
"session_cookie_same_site": "string",
"session_cookie_secure": False,
"session_enforce_same_subject": False,
"session_hash_storage_key": False,
"session_hash_subject": False,
"session_idling_timeout": 0,
"session_memcached_host": "string",
"session_memcached_port": 0,
"session_memcached_prefix": "string",
"session_memcached_socket": "string",
"session_remember": False,
"session_remember_absolute_timeout": 0,
"session_remember_cookie_name": "string",
"session_remember_rolling_timeout": 0,
"session_request_headers": ["string"],
"session_response_headers": ["string"],
"session_rolling_timeout": 0,
"session_secret": "string",
"session_storage": "string",
"session_store_metadata": False,
"ssl_verify": False,
"timeout": 0,
"tls_client_auth_cert_id": "string",
"tls_client_auth_ssl_verify": False,
"token_cache_key_include_scope": False,
"token_endpoint": "string",
"token_endpoint_auth_method": "string",
"token_exchange_endpoint": "string",
"token_headers_clients": ["string"],
"token_headers_grants": ["string"],
"token_headers_names": ["string"],
"token_headers_prefix": "string",
"token_headers_replays": ["string"],
"token_headers_values": ["string"],
"token_post_args_clients": ["string"],
"token_post_args_names": ["string"],
"token_post_args_values": ["string"],
"unauthorized_destroy_session": False,
"unauthorized_error_message": "string",
"unauthorized_redirect_uris": ["string"],
"unexpected_redirect_uris": ["string"],
"upstream_access_token_header": "string",
"upstream_access_token_jwk_header": "string",
"upstream_headers_claims": ["string"],
"upstream_headers_names": ["string"],
"upstream_id_token_header": "string",
"upstream_id_token_jwk_header": "string",
"upstream_introspection_header": "string",
"upstream_introspection_jwt_header": "string",
"upstream_refresh_token_header": "string",
"upstream_session_id_header": "string",
"upstream_user_info_header": "string",
"upstream_user_info_jwt_header": "string",
"userinfo_accept": "string",
"userinfo_endpoint": "string",
"userinfo_headers_clients": ["string"],
"userinfo_headers_names": ["string"],
"userinfo_headers_values": ["string"],
"userinfo_query_args_clients": ["string"],
"userinfo_query_args_names": ["string"],
"userinfo_query_args_values": ["string"],
"using_pseudo_issuer": False,
"verify_claims": False,
"verify_nonce": False,
"verify_parameters": False,
"verify_signature": False,
},
control_plane_id="string",
enabled=False,
gateway_plugin_openid_connect_id="string",
instance_name="string",
ordering={
"after": {
"accesses": ["string"],
},
"before": {
"accesses": ["string"],
},
},
protocols=["string"],
route={
"id": "string",
},
service={
"id": "string",
},
tags=["string"])
// Placeholder listing of every input the resource accepts. Each value is a type
// stand-in ("string", 0, false, ["string"]) that shows the shape only; none of them
// is a recommended setting. NOTE(review): the inline notes flag the fields that
// carry credentials or switch verification on and off. Treat the `false`
// placeholders on those fields as unsafe to copy, and check the Kong OpenID
// Connect plugin reference for the real defaults before deploying.
const gatewayPluginOpenidConnectResource = new konnect.GatewayPluginOpenidConnect("gatewayPluginOpenidConnectResource", {
    config: {
        scopes: ["string"],
        // NOTE(review): by its name, a consumer to fall back to when authentication
        // fails; leave unset unless unauthenticated access to the matched route is
        // intended — confirm against the plugin reference.
        anonymous: "string",
        audienceClaims: ["string"],
        // NOTE(review): audience restrictions — presumably the token's aud must match
        // one of these; set them so tokens minted for other clients are rejected.
        audienceRequireds: ["string"],
        audiences: ["string"],
        authMethods: ["string"],
        authenticatedGroupsClaims: ["string"],
        authorizationCookieDomain: "string",
        // NOTE(review): placeholder — set true so the cookie is unreadable from script.
        authorizationCookieHttpOnly: false,
        authorizationCookieName: "string",
        authorizationCookiePath: "string",
        // NOTE(review): use "Strict" or "Lax"; "None" only together with Secure and a
        // genuine cross-site need.
        authorizationCookieSameSite: "string",
        // NOTE(review): placeholder — set true so the cookie is never sent over plain HTTP.
        authorizationCookieSecure: false,
        authorizationEndpoint: "string",
        authorizationQueryArgsClients: ["string"],
        authorizationQueryArgsNames: ["string"],
        authorizationQueryArgsValues: ["string"],
        authorizationRollingTimeout: 0,
        bearerTokenCookieName: "string",
        bearerTokenParamTypes: ["string"],
        byUsernameIgnoreCase: false,
        cacheIntrospection: false,
        cacheTokenExchange: false,
        cacheTokens: false,
        // NOTE(review): secret-like by name (presumably salts the token cache keys);
        // use a random value and keep it out of plaintext config.
        cacheTokensSalt: "string",
        cacheTtl: 0,
        cacheTtlMax: 0,
        cacheTtlMin: 0,
        cacheTtlNeg: 0,
        cacheTtlResurrect: 0,
        cacheUserInfo: false,
        claimsForbiddens: ["string"],
        clientAlgs: ["string"],
        clientArg: "string",
        clientAuths: ["string"],
        clientCredentialsParamTypes: ["string"],
        clientIds: ["string"],
        // NOTE(review): the JWK private members below (d, dp, dq, p, q, qi for RSA/EC,
        // k for symmetric keys) are signing/decryption secrets — supply them as Pulumi
        // secrets and never commit them in clear. x5u is, by definition, a URL to a
        // certificate chain: keep it HTTPS on a host you trust.
        clientJwks: [{
            alg: "string",
            crv: "string",
            d: "string",
            dp: "string",
            dq: "string",
            e: "string",
            issuer: "string",
            k: "string",
            keyOps: ["string"],
            kid: "string",
            kty: "string",
            n: "string",
            oth: "string",
            p: "string",
            q: "string",
            qi: "string",
            r: "string",
            t: "string",
            use: "string",
            x: "string",
            x5cs: ["string"],
            x5t: "string",
            x5tNumberS256: "string",
            x5u: "string",
            y: "string",
        }],
        // NOTE(review): credential — wrap in pulumi.secret(); every input is recorded
        // in Pulumi state and echoed back as an output.
        clientSecrets: ["string"],
        clusterCacheRedis: {
            clusterMaxRedirections: 0,
            clusterNodes: [{
                ip: "string",
                port: 0,
            }],
            connectTimeout: 0,
            connectionIsProxied: false,
            database: 0,
            host: "string",
            keepaliveBacklog: 0,
            keepalivePoolSize: 0,
            // NOTE(review): credential — pulumi.secret().
            password: "string",
            port: 0,
            readTimeout: 0,
            sendTimeout: 0,
            sentinelMaster: "string",
            sentinelNodes: [{
                host: "string",
                port: 0,
            }],
            // NOTE(review): credential — pulumi.secret().
            sentinelPassword: "string",
            sentinelRole: "string",
            sentinelUsername: "string",
            serverName: "string",
            // NOTE(review): placeholders — with ssl false the cache traffic (and the
            // passwords above) crosses the network in clear; enable both ssl and
            // sslVerify for any Redis that is not on localhost.
            ssl: false,
            sslVerify: false,
            username: "string",
        },
        clusterCacheStrategy: "string",
        consumerBies: ["string"],
        consumerClaims: ["string"],
        // NOTE(review): by its name, true would let a token that maps to no Kong
        // consumer through anyway — keep false unless that is intended; confirm.
        consumerOptional: false,
        credentialClaims: ["string"],
        disableSessions: ["string"],
        discoveryHeadersNames: ["string"],
        discoveryHeadersValues: ["string"],
        // NOTE(review): keep false in production; by their names displayErrors and
        // exposeErrorCode surface internal error detail to clients.
        displayErrors: false,
        domains: ["string"],
        // NOTE(review): the downstream*Header settings presumably echo tokens and
        // userinfo back to the client in response headers. A refresh token returned
        // this way is a long-lived credential — set only the headers a client needs.
        downstreamAccessTokenHeader: "string",
        downstreamAccessTokenJwkHeader: "string",
        downstreamHeadersClaims: ["string"],
        downstreamHeadersNames: ["string"],
        downstreamIdTokenHeader: "string",
        downstreamIdTokenJwkHeader: "string",
        downstreamIntrospectionHeader: "string",
        downstreamIntrospectionJwtHeader: "string",
        downstreamRefreshTokenHeader: "string",
        downstreamSessionIdHeader: "string",
        downstreamUserInfoHeader: "string",
        downstreamUserInfoJwtHeader: "string",
        dpopProofLifetime: 0,
        dpopUseNonce: false,
        // NOTE(review): HS* (HMAC) JWTs are verified with a shared secret, so anyone
        // holding that secret can mint tokens; leave false unless the IdP only
        // issues HMAC-signed tokens.
        enableHsSignatures: false,
        endSessionEndpoint: "string",
        exposeErrorCode: false,
        // NOTE(review): by its name, each URI is an additional trusted signing-key
        // source — HTTPS only, and only endpoints you control or trust.
        extraJwksUris: ["string"],
        forbiddenDestroySession: false,
        forbiddenErrorMessage: "string",
        // NOTE(review): redirect targets (this and the login/logout/unauthorized/
        // unexpected variants, plus redirectUris) should be absolute URIs on domains
        // you own; open targets enable open-redirect and code interception.
        forbiddenRedirectUris: ["string"],
        groupsClaims: ["string"],
        // NOTE(review): groupsRequireds / rolesRequireds / scopesRequireds are the
        // authorization gates — populate them so a merely valid token is not
        // sufficient to reach the upstream.
        groupsRequireds: ["string"],
        // NOTE(review): false presumably forwards the inbound credential (bearer
        // token or cookie) to the upstream; set true unless the upstream needs it.
        hideCredentials: false,
        httpProxy: "string",
        // NOTE(review): proxy credential — pulumi.secret().
        httpProxyAuthorization: "string",
        httpVersion: 0,
        httpsProxy: "string",
        // NOTE(review): proxy credential — pulumi.secret().
        httpsProxyAuthorization: "string",
        idTokenParamName: "string",
        idTokenParamTypes: ["string"],
        // NOTE(review): by its name, each entry switches signature verification off
        // for a token or flow type; leave it empty — an unverified token is an
        // authentication bypass.
        ignoreSignatures: ["string"],
        introspectJwtTokens: false,
        introspectionAccept: "string",
        // NOTE(review): if this governs honoring the RFC 7662 "active" flag it must be
        // true, otherwise revoked tokens pass introspection — confirm.
        introspectionCheckActive: false,
        introspectionEndpoint: "string",
        introspectionEndpointAuthMethod: "string",
        introspectionHeadersClients: ["string"],
        introspectionHeadersNames: ["string"],
        introspectionHeadersValues: ["string"],
        introspectionHint: "string",
        introspectionPostArgsClientHeaders: ["string"],
        introspectionPostArgsClients: ["string"],
        introspectionPostArgsNames: ["string"],
        introspectionPostArgsValues: ["string"],
        introspectionTokenParamName: "string",
        issuer: "string",
        // NOTE(review): pin to the exact issuer value(s) you expect.
        issuersAlloweds: ["string"],
        jwtSessionClaim: "string",
        jwtSessionCookie: "string",
        keepalive: false,
        // NOTE(review): clock-skew allowance (presumably seconds); keep it small —
        // a large leeway extends the life of expired tokens.
        leeway: 0,
        loginAction: "string",
        loginMethods: ["string"],
        loginRedirectMode: "string",
        loginRedirectUris: ["string"],
        loginTokens: ["string"],
        logoutMethods: ["string"],
        logoutPostArg: "string",
        logoutQueryArg: "string",
        logoutRedirectUris: ["string"],
        logoutRevoke: false,
        logoutRevokeAccessToken: false,
        logoutRevokeRefreshToken: false,
        logoutUriSuffix: "string",
        maxAge: 0,
        mtlsIntrospectionEndpoint: "string",
        mtlsRevocationEndpoint: "string",
        mtlsTokenEndpoint: "string",
        noProxy: "string",
        passwordParamTypes: ["string"],
        preserveQueryArgs: false,
        proofOfPossessionAuthMethodsValidation: false,
        proofOfPossessionDpop: "string",
        proofOfPossessionMtls: "string",
        pushedAuthorizationRequestEndpoint: "string",
        pushedAuthorizationRequestEndpointAuthMethod: "string",
        redirectUris: ["string"],
        redis: {
            clusterMaxRedirections: 0,
            clusterNodes: [{
                ip: "string",
                port: 0,
            }],
            connectTimeout: 0,
            connectionIsProxied: false,
            database: 0,
            host: "string",
            keepaliveBacklog: 0,
            keepalivePoolSize: 0,
            // NOTE(review): credential — pulumi.secret().
            password: "string",
            port: 0,
            prefix: "string",
            readTimeout: 0,
            sendTimeout: 0,
            sentinelMaster: "string",
            sentinelNodes: [{
                host: "string",
                port: 0,
            }],
            // NOTE(review): credential — pulumi.secret().
            sentinelPassword: "string",
            sentinelRole: "string",
            sentinelUsername: "string",
            serverName: "string",
            socket: "string",
            // NOTE(review): placeholders — session data and the passwords above cross
            // the network in clear with ssl false; enable ssl and sslVerify for any
            // Redis that is not on localhost.
            ssl: false,
            sslVerify: false,
            username: "string",
        },
        rediscoveryLifetime: 0,
        refreshTokenParamName: "string",
        refreshTokenParamTypes: ["string"],
        refreshTokens: false,
        // NOTE(review): placeholder — enable PKCE (RFC 7636) for the
        // authorization-code flow.
        requireProofKeyForCodeExchange: false,
        // NOTE(review): enable these when the IdP supports PAR (RFC 9126) and signed
        // request objects (RFC 9101); both harden the authorization request.
        requirePushedAuthorizationRequests: false,
        requireSignedRequestObject: false,
        resolveDistributedClaims: false,
        responseMode: "string",
        responseTypes: ["string"],
        reverify: false,
        revocationEndpoint: "string",
        revocationEndpointAuthMethod: "string",
        revocationTokenParamName: "string",
        rolesClaims: ["string"],
        rolesRequireds: ["string"],
        runOnPreflight: false,
        scopesClaims: ["string"],
        scopesRequireds: ["string"],
        searchUserInfo: false,
        sessionAbsoluteTimeout: 0,
        sessionAudience: "string",
        sessionCookieDomain: "string",
        // NOTE(review): placeholder — set true; the session cookie is the login itself.
        sessionCookieHttpOnly: false,
        sessionCookieName: "string",
        sessionCookiePath: "string",
        // NOTE(review): use "Strict" or "Lax".
        sessionCookieSameSite: "string",
        // NOTE(review): placeholder — set true so the session cookie never travels
        // over plain HTTP.
        sessionCookieSecure: false,
        sessionEnforceSameSubject: false,
        sessionHashStorageKey: false,
        sessionHashSubject: false,
        sessionIdlingTimeout: 0,
        // NOTE(review): memcached has no authentication or TLS of its own; if it is
        // used as session storage it must be network-isolated.
        sessionMemcachedHost: "string",
        sessionMemcachedPort: 0,
        sessionMemcachedPrefix: "string",
        sessionMemcachedSocket: "string",
        sessionRemember: false,
        sessionRememberAbsoluteTimeout: 0,
        sessionRememberCookieName: "string",
        sessionRememberRollingTimeout: 0,
        sessionRequestHeaders: ["string"],
        sessionResponseHeaders: ["string"],
        sessionRollingTimeout: 0,
        // NOTE(review): key material for session cookies — generate a long random
        // value, supply it via pulumi.secret(), and rotate it on compromise.
        sessionSecret: "string",
        sessionStorage: "string",
        sessionStoreMetadata: false,
        // NOTE(review): placeholder — false presumably disables TLS certificate
        // verification toward the IdP (discovery, token, introspection endpoints);
        // an on-path attacker could then serve its own keys. Set true.
        sslVerify: false,
        timeout: 0,
        tlsClientAuthCertId: "string",
        // NOTE(review): same concern for the mTLS client-auth connection — set true.
        tlsClientAuthSslVerify: false,
        tokenCacheKeyIncludeScope: false,
        tokenEndpoint: "string",
        tokenEndpointAuthMethod: "string",
        tokenExchangeEndpoint: "string",
        tokenHeadersClients: ["string"],
        tokenHeadersGrants: ["string"],
        tokenHeadersNames: ["string"],
        tokenHeadersPrefix: "string",
        tokenHeadersReplays: ["string"],
        tokenHeadersValues: ["string"],
        tokenPostArgsClients: ["string"],
        tokenPostArgsNames: ["string"],
        tokenPostArgsValues: ["string"],
        unauthorizedDestroySession: false,
        unauthorizedErrorMessage: "string",
        unauthorizedRedirectUris: ["string"],
        unexpectedRedirectUris: ["string"],
        // NOTE(review): the upstream*Header settings presumably forward tokens and
        // userinfo to the backend; forward only what the backend actually consumes
        // (a refresh token rarely belongs there).
        upstreamAccessTokenHeader: "string",
        upstreamAccessTokenJwkHeader: "string",
        upstreamHeadersClaims: ["string"],
        upstreamHeadersNames: ["string"],
        upstreamIdTokenHeader: "string",
        upstreamIdTokenJwkHeader: "string",
        upstreamIntrospectionHeader: "string",
        upstreamIntrospectionJwtHeader: "string",
        upstreamRefreshTokenHeader: "string",
        upstreamSessionIdHeader: "string",
        upstreamUserInfoHeader: "string",
        upstreamUserInfoJwtHeader: "string",
        userinfoAccept: "string",
        userinfoEndpoint: "string",
        userinfoHeadersClients: ["string"],
        userinfoHeadersNames: ["string"],
        userinfoHeadersValues: ["string"],
        userinfoQueryArgsClients: ["string"],
        userinfoQueryArgsNames: ["string"],
        userinfoQueryArgsValues: ["string"],
        usingPseudoIssuer: false,
        // NOTE(review): placeholders — all four verification switches must be true in
        // production. By their names: verifySignature false accepts tokens regardless
        // of signature, verifyNonce false drops the replay/CSRF check on the code
        // flow, verifyClaims false skips claim (exp/iss/aud) validation — confirm the
        // exact semantics in the plugin reference.
        verifyClaims: false,
        verifyNonce: false,
        verifyParameters: false,
        verifySignature: false,
    },
    controlPlaneId: "string",
    // Placeholder: false means the plugin is not applied (see the property docs),
    // i.e. the matched route/service is served without this plugin's checks.
    enabled: false,
    gatewayPluginOpenidConnectId: "string",
    instanceName: "string",
    ordering: {
        after: {
            accesses: ["string"],
        },
        before: {
            accesses: ["string"],
        },
    },
    // NOTE(review): restrict to TLS protocols (e.g. "https") so bearer tokens and
    // cookies are never accepted over cleartext.
    protocols: ["string"],
    route: {
        id: "string",
    },
    service: {
        id: "string",
    },
    tags: ["string"],
});
# Placeholder listing of every input the resource accepts. Each value is a type
# stand-in (string, 0, false) that shows the shape only; none is a recommended
# setting. NOTE(review): the inline notes flag the fields that carry credentials
# or switch verification on and off — do not copy their `false` placeholders into
# a real deployment; check the Kong OpenID Connect plugin reference for defaults.
type: konnect:GatewayPluginOpenidConnect
properties:
  config:
    # NOTE(review): by its name, a fallback consumer used when authentication fails;
    # leave unset unless unauthenticated access to the route is intended — confirm.
    anonymous: string
    audienceClaims:
      - string
    # NOTE(review): audience restrictions — presumably the token's aud must match;
    # set them so tokens minted for other clients are rejected.
    audienceRequireds:
      - string
    audiences:
      - string
    authMethods:
      - string
    authenticatedGroupsClaims:
      - string
    authorizationCookieDomain: string
    # NOTE(review): placeholder — set true so the cookie is unreadable from script.
    authorizationCookieHttpOnly: false
    authorizationCookieName: string
    authorizationCookiePath: string
    # NOTE(review): use Strict or Lax; None only together with Secure and a real
    # cross-site need.
    authorizationCookieSameSite: string
    # NOTE(review): placeholder — set true so the cookie never travels over plain HTTP.
    authorizationCookieSecure: false
    authorizationEndpoint: string
    authorizationQueryArgsClients:
      - string
    authorizationQueryArgsNames:
      - string
    authorizationQueryArgsValues:
      - string
    authorizationRollingTimeout: 0
    bearerTokenCookieName: string
    bearerTokenParamTypes:
      - string
    byUsernameIgnoreCase: false
    cacheIntrospection: false
    cacheTokenExchange: false
    cacheTokens: false
    # NOTE(review): secret-like by name; use a random value, keep it out of plaintext.
    cacheTokensSalt: string
    cacheTtl: 0
    cacheTtlMax: 0
    cacheTtlMin: 0
    cacheTtlNeg: 0
    cacheTtlResurrect: 0
    cacheUserInfo: false
    claimsForbiddens:
      - string
    clientAlgs:
      - string
    clientArg: string
    clientAuths:
      - string
    clientCredentialsParamTypes:
      - string
    clientIds:
      - string
    # NOTE(review): the JWK private members below (d, dp, dq, p, q, qi for RSA/EC,
    # k for symmetric keys) are signing/decryption secrets — supply them as Pulumi
    # secrets, never in clear. x5u is by definition a URL to a certificate chain:
    # keep it HTTPS on a host you trust.
    clientJwks:
      - alg: string
        crv: string
        d: string
        dp: string
        dq: string
        e: string
        issuer: string
        k: string
        keyOps:
          - string
        kid: string
        kty: string
        # quoted: a bare n/y is a YAML 1.1 boolean
        "n": string
        oth: string
        p: string
        q: string
        qi: string
        r: string
        t: string
        use: string
        x: string
        x5cs:
          - string
        x5t: string
        x5tNumberS256: string
        x5u: string
        "y": string
    # NOTE(review): credential — pass as a Pulumi secret; inputs are recorded in
    # state and echoed back as outputs.
    clientSecrets:
      - string
    clusterCacheRedis:
      clusterMaxRedirections: 0
      clusterNodes:
        - ip: string
          port: 0
      connectTimeout: 0
      connectionIsProxied: false
      database: 0
      host: string
      keepaliveBacklog: 0
      keepalivePoolSize: 0
      # NOTE(review): credential — Pulumi secret.
      password: string
      port: 0
      readTimeout: 0
      sendTimeout: 0
      sentinelMaster: string
      sentinelNodes:
        - host: string
          port: 0
      # NOTE(review): credential — Pulumi secret.
      sentinelPassword: string
      sentinelRole: string
      sentinelUsername: string
      serverName: string
      # NOTE(review): placeholders — with ssl false the cache traffic (and the
      # passwords above) crosses the network in clear; enable ssl and sslVerify
      # for any Redis that is not on localhost.
      ssl: false
      sslVerify: false
      username: string
    clusterCacheStrategy: string
    consumerBies:
      - string
    consumerClaims:
      - string
    # NOTE(review): by its name, true would let a token that maps to no consumer
    # through anyway — keep false unless intended; confirm.
    consumerOptional: false
    credentialClaims:
      - string
    disableSessions:
      - string
    discoveryHeadersNames:
      - string
    discoveryHeadersValues:
      - string
    # NOTE(review): keep false in production; displayErrors and exposeErrorCode
    # by their names surface internal error detail to clients.
    displayErrors: false
    domains:
      - string
    # NOTE(review): the downstream*Header settings presumably echo tokens and
    # userinfo to the client in response headers; a refresh token returned this
    # way is a long-lived credential — set only the headers a client needs.
    downstreamAccessTokenHeader: string
    downstreamAccessTokenJwkHeader: string
    downstreamHeadersClaims:
      - string
    downstreamHeadersNames:
      - string
    downstreamIdTokenHeader: string
    downstreamIdTokenJwkHeader: string
    downstreamIntrospectionHeader: string
    downstreamIntrospectionJwtHeader: string
    downstreamRefreshTokenHeader: string
    downstreamSessionIdHeader: string
    downstreamUserInfoHeader: string
    downstreamUserInfoJwtHeader: string
    dpopProofLifetime: 0
    dpopUseNonce: false
    # NOTE(review): HS* (HMAC) JWTs are verified with a shared secret, so anyone
    # holding it can mint tokens; leave false unless the IdP only issues HMAC tokens.
    enableHsSignatures: false
    endSessionEndpoint: string
    exposeErrorCode: false
    # NOTE(review): by its name, each URI is an additional trusted signing-key
    # source — HTTPS only, and only endpoints you control or trust.
    extraJwksUris:
      - string
    forbiddenDestroySession: false
    forbiddenErrorMessage: string
    # NOTE(review): redirect targets (this and the login/logout/unauthorized/
    # unexpected variants, plus redirectUris) should be absolute URIs on domains
    # you own; open targets enable open-redirect and code interception.
    forbiddenRedirectUris:
      - string
    groupsClaims:
      - string
    # NOTE(review): groupsRequireds / rolesRequireds / scopesRequireds are the
    # authorization gates — populate them so a merely valid token is not enough.
    groupsRequireds:
      - string
    # NOTE(review): false presumably forwards the inbound credential to the
    # upstream; set true unless the upstream needs it.
    hideCredentials: false
    httpProxy: string
    # NOTE(review): proxy credential — Pulumi secret.
    httpProxyAuthorization: string
    httpVersion: 0
    httpsProxy: string
    # NOTE(review): proxy credential — Pulumi secret.
    httpsProxyAuthorization: string
    idTokenParamName: string
    idTokenParamTypes:
      - string
    # NOTE(review): by its name, each entry switches signature verification off
    # for a token or flow type; leave empty — an unverified token is an auth bypass.
    ignoreSignatures:
      - string
    introspectJwtTokens: false
    introspectionAccept: string
    # NOTE(review): if this governs honoring the RFC 7662 "active" flag it must be
    # true, otherwise revoked tokens pass introspection — confirm.
    introspectionCheckActive: false
    introspectionEndpoint: string
    introspectionEndpointAuthMethod: string
    introspectionHeadersClients:
      - string
    introspectionHeadersNames:
      - string
    introspectionHeadersValues:
      - string
    introspectionHint: string
    introspectionPostArgsClientHeaders:
      - string
    introspectionPostArgsClients:
      - string
    introspectionPostArgsNames:
      - string
    introspectionPostArgsValues:
      - string
    introspectionTokenParamName: string
    issuer: string
    # NOTE(review): pin to the exact issuer value(s) you expect.
    issuersAlloweds:
      - string
    jwtSessionClaim: string
    jwtSessionCookie: string
    keepalive: false
    # NOTE(review): clock-skew allowance (presumably seconds); keep it small.
    leeway: 0
    loginAction: string
    loginMethods:
      - string
    loginRedirectMode: string
    loginRedirectUris:
      - string
    loginTokens:
      - string
    logoutMethods:
      - string
    logoutPostArg: string
    logoutQueryArg: string
    logoutRedirectUris:
      - string
    logoutRevoke: false
    logoutRevokeAccessToken: false
    logoutRevokeRefreshToken: false
    logoutUriSuffix: string
    maxAge: 0
    mtlsIntrospectionEndpoint: string
    mtlsRevocationEndpoint: string
    mtlsTokenEndpoint: string
    noProxy: string
    passwordParamTypes:
      - string
    preserveQueryArgs: false
    proofOfPossessionAuthMethodsValidation: false
    proofOfPossessionDpop: string
    proofOfPossessionMtls: string
    pushedAuthorizationRequestEndpoint: string
    pushedAuthorizationRequestEndpointAuthMethod: string
    redirectUris:
      - string
    redis:
      clusterMaxRedirections: 0
      clusterNodes:
        - ip: string
          port: 0
      connectTimeout: 0
      connectionIsProxied: false
      database: 0
      host: string
      keepaliveBacklog: 0
      keepalivePoolSize: 0
      # NOTE(review): credential — Pulumi secret.
      password: string
      port: 0
      prefix: string
      readTimeout: 0
      sendTimeout: 0
      sentinelMaster: string
      sentinelNodes:
        - host: string
          port: 0
      # NOTE(review): credential — Pulumi secret.
      sentinelPassword: string
      sentinelRole: string
      sentinelUsername: string
      serverName: string
      socket: string
      # NOTE(review): placeholders — session data and the passwords above cross the
      # network in clear with ssl false; enable ssl and sslVerify for non-local Redis.
      ssl: false
      sslVerify: false
      username: string
    rediscoveryLifetime: 0
    refreshTokenParamName: string
    refreshTokenParamTypes:
      - string
    refreshTokens: false
    # NOTE(review): placeholder — enable PKCE (RFC 7636) for the authorization-code flow.
    requireProofKeyForCodeExchange: false
    # NOTE(review): enable when the IdP supports PAR (RFC 9126) / signed request
    # objects (RFC 9101); both harden the authorization request.
    requirePushedAuthorizationRequests: false
    requireSignedRequestObject: false
    resolveDistributedClaims: false
    responseMode: string
    responseTypes:
      - string
    reverify: false
    revocationEndpoint: string
    revocationEndpointAuthMethod: string
    revocationTokenParamName: string
    rolesClaims:
      - string
    rolesRequireds:
      - string
    runOnPreflight: false
    scopes:
      - string
    scopesClaims:
      - string
    scopesRequireds:
      - string
    searchUserInfo: false
    sessionAbsoluteTimeout: 0
    sessionAudience: string
    sessionCookieDomain: string
    # NOTE(review): placeholder — set true; the session cookie is the login itself.
    sessionCookieHttpOnly: false
    sessionCookieName: string
    sessionCookiePath: string
    # NOTE(review): use Strict or Lax.
    sessionCookieSameSite: string
    # NOTE(review): placeholder — set true so the session cookie never travels over
    # plain HTTP.
    sessionCookieSecure: false
    sessionEnforceSameSubject: false
    sessionHashStorageKey: false
    sessionHashSubject: false
    sessionIdlingTimeout: 0
    # NOTE(review): memcached has no authentication or TLS of its own; if used as
    # session storage it must be network-isolated.
    sessionMemcachedHost: string
    sessionMemcachedPort: 0
    sessionMemcachedPrefix: string
    sessionMemcachedSocket: string
    sessionRemember: false
    sessionRememberAbsoluteTimeout: 0
    sessionRememberCookieName: string
    sessionRememberRollingTimeout: 0
    sessionRequestHeaders:
      - string
    sessionResponseHeaders:
      - string
    sessionRollingTimeout: 0
    # NOTE(review): key material for session cookies — long random value, supplied
    # as a Pulumi secret, rotated on compromise.
    sessionSecret: string
    sessionStorage: string
    sessionStoreMetadata: false
    # NOTE(review): placeholder — false presumably disables TLS certificate
    # verification toward the IdP (discovery/token/introspection); an on-path
    # attacker could then serve its own keys. Set true.
    sslVerify: false
    timeout: 0
    tlsClientAuthCertId: string
    # NOTE(review): same concern for the mTLS client-auth connection — set true.
    tlsClientAuthSslVerify: false
    tokenCacheKeyIncludeScope: false
    tokenEndpoint: string
    tokenEndpointAuthMethod: string
    tokenExchangeEndpoint: string
    tokenHeadersClients:
      - string
    tokenHeadersGrants:
      - string
    tokenHeadersNames:
      - string
    tokenHeadersPrefix: string
    tokenHeadersReplays:
      - string
    tokenHeadersValues:
      - string
    tokenPostArgsClients:
      - string
    tokenPostArgsNames:
      - string
    tokenPostArgsValues:
      - string
    unauthorizedDestroySession: false
    unauthorizedErrorMessage: string
    unauthorizedRedirectUris:
      - string
    unexpectedRedirectUris:
      - string
    # NOTE(review): the upstream*Header settings presumably forward tokens and
    # userinfo to the backend; forward only what the backend actually consumes.
    upstreamAccessTokenHeader: string
    upstreamAccessTokenJwkHeader: string
    upstreamHeadersClaims:
      - string
    upstreamHeadersNames:
      - string
    upstreamIdTokenHeader: string
    upstreamIdTokenJwkHeader: string
    upstreamIntrospectionHeader: string
    upstreamIntrospectionJwtHeader: string
    upstreamRefreshTokenHeader: string
    upstreamSessionIdHeader: string
    upstreamUserInfoHeader: string
    upstreamUserInfoJwtHeader: string
    userinfoAccept: string
    userinfoEndpoint: string
    userinfoHeadersClients:
      - string
    userinfoHeadersNames:
      - string
    userinfoHeadersValues:
      - string
    userinfoQueryArgsClients:
      - string
    userinfoQueryArgsNames:
      - string
    userinfoQueryArgsValues:
      - string
    usingPseudoIssuer: false
    # NOTE(review): placeholders — all four verification switches must be true in
    # production. By their names: verifySignature false accepts tokens regardless of
    # signature, verifyNonce false drops the replay/CSRF check on the code flow,
    # verifyClaims false skips claim (exp/iss/aud) validation — confirm in the
    # plugin reference.
    verifyClaims: false
    verifyNonce: false
    verifyParameters: false
    verifySignature: false
  controlPlaneId: string
  # Placeholder: false means the plugin is not applied (see the property docs),
  # i.e. the matched route/service is served without this plugin's checks.
  enabled: false
  gatewayPluginOpenidConnectId: string
  instanceName: string
  ordering:
    after:
      accesses:
        - string
    before:
      accesses:
        - string
  # NOTE(review): restrict to TLS protocols (e.g. https) so bearer tokens and
  # cookies are never accepted over cleartext.
  protocols:
    - string
  route:
    id: string
  service:
    id: string
  tags:
    - string
GatewayPluginOpenidConnect Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GatewayPluginOpenidConnect resource accepts the following input properties. Note that the config object carries credentials (clientSecrets, sessionSecret, the Redis password and sentinelPassword fields, the proxy *Authorization values, and any private JWK members such as d, p, q or k); because every input is recorded in Pulumi state and surfaced as an output (see Outputs below), pass these as Pulumi secrets rather than plain strings.
- Config GatewayPluginOpenidConnectConfig
- ControlPlaneId string
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Enabled bool
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- GatewayPluginOpenidConnectId string
- The ID of this resource.
- InstanceName string
- Ordering GatewayPluginOpenidConnectOrdering
- Protocols List<string>
- A set of strings representing HTTP protocols.
- Route GatewayPluginOpenidConnectRoute
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service GatewayPluginOpenidConnectService
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Config GatewayPluginOpenidConnectConfigArgs
- ControlPlaneId string
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Enabled bool
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- GatewayPluginOpenidConnectId string
- The ID of this resource.
- InstanceName string
- Ordering GatewayPluginOpenidConnectOrderingArgs
- Protocols []string
- A set of strings representing HTTP protocols.
- Route GatewayPluginOpenidConnectRouteArgs
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service GatewayPluginOpenidConnectServiceArgs
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- config GatewayPluginOpenidConnectConfig
- controlPlaneId String
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled Boolean
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- gatewayPluginOpenidConnectId String
- The ID of this resource.
- instanceName String
- ordering GatewayPluginOpenidConnectOrdering
- protocols List<String>
- A set of strings representing HTTP protocols.
- route GatewayPluginOpenidConnectRoute
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginOpenidConnectService
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- config GatewayPluginOpenidConnectConfig
- controlPlaneId string
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled boolean
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- gatewayPluginOpenidConnectId string
- The ID of this resource.
- instanceName string
- ordering GatewayPluginOpenidConnectOrdering
- protocols string[]
- A set of strings representing HTTP protocols.
- route GatewayPluginOpenidConnectRoute
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginOpenidConnectService
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- config GatewayPluginOpenidConnectConfigArgs
- control_plane_id str
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled bool
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- gateway_plugin_openid_connect_id str
- The ID of this resource.
- instance_name str
- ordering GatewayPluginOpenidConnectOrderingArgs
- protocols Sequence[str]
- A set of strings representing HTTP protocols.
- route GatewayPluginOpenidConnectRouteArgs
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginOpenidConnectServiceArgs
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- config Property Map
- controlPlaneId String
- The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- enabled Boolean
- Whether the plugin is applied. When false, the matched route or service is served without this plugin's checks.
- gatewayPluginOpenidConnectId String
- The ID of this resource.
- instanceName String
- ordering Property Map
- protocols List<String>
- A set of strings representing HTTP protocols.
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
Outputs
All input properties are implicitly available as output properties. Additionally, the GatewayPluginOpenidConnect resource produces the following output properties:
- created_at float
- Unix epoch when the resource was created.
- id str
- The provider-assigned unique ID for this managed resource.
- updated_at float
- Unix epoch when the resource was last updated.
Look up Existing GatewayPluginOpenidConnect Resource
Get an existing GatewayPluginOpenidConnect resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GatewayPluginOpenidConnectState, opts?: CustomResourceOptions): GatewayPluginOpenidConnect
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginOpenidConnectConfigArgs] = None,
control_plane_id: Optional[str] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_openid_connect_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginOpenidConnectOrderingArgs] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginOpenidConnectRouteArgs] = None,
service: Optional[GatewayPluginOpenidConnectServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None) -> GatewayPluginOpenidConnect
func GetGatewayPluginOpenidConnect(ctx *Context, name string, id IDInput, state *GatewayPluginOpenidConnectState, opts ...ResourceOption) (*GatewayPluginOpenidConnect, error)
public static GatewayPluginOpenidConnect Get(string name, Input<string> id, GatewayPluginOpenidConnectState? state, CustomResourceOptions? opts = null)
public static GatewayPluginOpenidConnect get(String name, Output<String> id, GatewayPluginOpenidConnectState state, CustomResourceOptions options)
resources: _: type: konnect:GatewayPluginOpenidConnect get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Config
Gateway
Plugin Openid Connect Config - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringOpenid Connect Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Openid Connect Ordering - Protocols List<string>
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Openid Connect Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Openid Connect Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Config
Gateway
Plugin Openid Connect Config Args - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin stringOpenid Connect Id - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Openid Connect Ordering Args - Protocols []string
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Openid Connect Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Openid Connect Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Openid Connect Config - control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringOpenid Connect Id - The ID of this resource.
- instance
Name String - ordering
Gateway
Plugin Openid Connect Ordering - protocols List<String>
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Openid Connect Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Openid Connect Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Openid Connect Config - control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied.
- gateway
Plugin stringOpenid Connect Id - The ID of this resource.
- instance
Name string - ordering
Gateway
Plugin Openid Connect Ordering - protocols string[]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Openid Connect Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Openid Connect Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Openid Connect Config Args - control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied.
- gateway_
plugin_ stropenid_ connect_ id - The ID of this resource.
- instance_
name str - ordering
Gateway
Plugin Openid Connect Ordering Args - protocols Sequence[str]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Openid Connect Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Openid Connect Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- config Property Map
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin StringOpenid Connect Id - The ID of this resource.
- instance
Name String - ordering Property Map
- protocols List<String>
- A set of strings representing HTTP protocols.
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Supporting Types
GatewayPluginOpenidConnectConfig, GatewayPluginOpenidConnectConfigArgs
- Scopes List<string>
- The scopes passed to the authorization and token endpoints.
- Anonymous string
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer's `id` or `username` attribute, not its `custom_id`. Note that once an anonymous consumer is set, requests that fail authentication are no longer rejected by this plugin but proceed as that consumer, so any access control must be enforced by a later plugin (for example an ACL plugin) or by the upstream. - Audience
Claims List<string> - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Audience
Requireds List<string> - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Audiences List<string>
- The audience passed to the authorization endpoint.
- Auth
Methods List<string> - Types of credentials/grants to enable.
- Authenticated
Groups List<string>Claims - The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- string
- The authorization cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property. - string
- The authorization cookie name.
- string
- The authorization cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks. Leave this enabled wherever the gateway is reached over HTTPS; modern browsers also reject a `SameSite=None` cookie that is not marked Secure.
- string
- The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint. - List<string>
- Extra query arguments passed from the client to the authorization endpoint.
- List<string>
- Extra query argument names passed to the authorization endpoint.
- List<string>
- Extra query argument values passed to the authorization endpoint.
- double
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- string
- The name of the cookie in which the bearer token is passed.
- Bearer
Token List<string>Param Types - Where to look for the bearer token: `header` (the `Authorization`, `access-token` and `x-access-token` HTTP headers), `query` (the URL's query string), `body` (the HTTP request body) or `cookie` (the request cookie named by `config.bearer_token_cookie_name`). Prefer `header` or `cookie`: a token carried in the query string is likely to be recorded in access logs and browser history and to leak through `Referer` headers (RFC 6750 §2.3 discourages this method). - By
Username boolIgnore Case - If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively. - Cache
Introspection bool - Cache the introspection endpoint requests.
- Cache
Token boolExchange - Cache the token exchange endpoint requests.
- Cache
Tokens bool - Cache the token endpoint requests.
- Cache
Tokens stringSalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- Cache
Ttl double - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- Cache
Ttl doubleMax - The maximum cache ttl in seconds (enforced).
- Cache
Ttl doubleMin - The minimum cache ttl in seconds (enforced).
- Cache
Ttl doubleNeg - The negative cache ttl in seconds.
- Cache
Ttl doubleResurrect - The resurrection ttl in seconds.
- Cache
User boolInfo - Cache the user info requests.
- Claims
Forbiddens List<string> - If given, these claims are forbidden in the token payload.
- Client
Algs List<string> - The algorithm(s) to use for `client_secret_jwt` (HS* only) or `private_key_jwt` client authentication.
- Client
Arg string - The client to use for this request (the selection is made with a request parameter with the same name).
- Client
Auths List<string> - The OpenID Connect client authentication method. The default is `client_secret_basic` (credentials in an `Authorization: Basic` header); the other options are `client_secret_post` (credentials in the body), `client_secret_jwt` (signed client assertion in the body), `private_key_jwt` (private-key-signed assertion), `tls_client_auth` (client certificate), `self_signed_tls_client_auth` (self-signed client certificate) and `none` (no authentication).
- Client
Credentials List<string>Param Types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - Client
Ids List<string> - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- Client
Jwks List<GatewayPlugin Openid Connect Config Client Jwk> - The JWK used for `private_key_jwt` authentication.
- Client
Secrets List<string> - The client secret(s). This is a credential: supply it from Pulumi secret config (or wrap it with `Output.secret`) rather than a plain literal, so it is encrypted in state instead of being stored in plaintext.
- Cluster
Cache GatewayRedis Plugin Openid Connect Config Cluster Cache Redis - Cluster
Cache stringStrategy - The strategy to use for the cluster cache. If set, the plugin will share its cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- Consumer
Bies List<string> - Consumer fields used for mapping: `id` (find the matching Consumer by `id`), `username` (find it by `username`) or `custom_id` (find it by `custom_id`). - Consumer
Claims List<string> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Optional bool - Do not terminate the request if consumer mapping fails.
- Credential
Claims List<string> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Disable
Sessions List<string> - Disable issuing the session cookie with the specified grants.
- Discovery
Headers List<string>Names - Extra header names passed to the discovery endpoint.
- Discovery
Headers List<string>Values - Extra header values passed to the discovery endpoint.
- Display
Errors bool - Display errors on failure responses.
- Domains List<string>
- The allowed values for the
hd
claim. - Downstream
Access stringToken Header - The downstream access token header.
- Downstream
Access stringToken Jwk Header - The downstream access token JWK header.
- Downstream
Headers List<string>Claims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Downstream
Headers List<string>Names - The downstream header names for the claim values.
- Downstream
Id stringToken Header - The downstream id token header.
- Downstream
Id stringToken Jwk Header - The downstream id token JWK header.
- Downstream
Introspection stringHeader - The downstream introspection header.
- Downstream
Introspection stringJwt Header - The downstream introspection JWT header.
- Downstream
Refresh stringToken Header - The downstream refresh token header.
- Downstream
Session stringId Header - The downstream session id header.
- Downstream
User stringInfo Header - The downstream user info header.
- Downstream
User stringInfo Jwt Header - The downstream user info JWT header (in case the user info returns a JWT response).
- Dpop
Proof doubleLifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- Dpop
Use boolNonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- Enable
Hs boolSignatures - Enable shared-secret (HMAC, e.g. HS256) signatures; when disabled, HS*-signed tokens are not accepted. Because an HMAC signature is verified with the same shared secret the client holds, leave this disabled unless your identity provider actually issues HMAC-signed tokens.
- End
Session stringEndpoint - The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint. - Expose
Error boolCode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable. - Extra
Jwks List<string>Uris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery). Any key published at these URIs can validate a token, so list only URIs you control or fully trust, and fetch them over HTTPS with `ssl_verify` enabled.
- Forbidden
Destroy boolSession - Destroy any active session for the forbidden requests.
- Forbidden
Error stringMessage - The error message for the forbidden requests (when not using the redirection).
- Forbidden
Redirect List<string>Uris - Where to redirect the client on forbidden requests.
- Groups
Claims List<string> - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Groups
Requireds List<string> - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Hide
Credentials bool - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- Http
Proxy string - The HTTP proxy.
- string
- The HTTP proxy authorization.
- Http
Version double - The HTTP version used for the requests made by this plugin: `1.1` (HTTP/1.1, the default) or `1.0` (HTTP/1.0). - Https
Proxy string - The HTTPS proxy.
- string
- The HTTPS proxy authorization.
- Id
Token stringParam Name - The name of the parameter used to pass the id token.
- Id
Token List<string>Param Types - Where to look for the id token: `header` (the HTTP headers), `query` (the URL's query string) or `body` (the HTTP request body). - Ignore
Signatures List<string> - Skip the token signature verification on certain grants: `password` (OAuth password grant), `client_credentials` (OAuth client credentials grant), `authorization_code` (authorization code flow), `refresh_token` (OAuth refresh token grant), `session` (session cookie authentication), `introspection` (OAuth introspection) or `userinfo` (OpenID Connect user info endpoint authentication). A grant listed here accepts tokens without any signature check, so leave this empty unless you have a specific, documented reason to trust tokens arriving through that grant. - Introspect
Jwt boolTokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- Introspection
Accept string - The value of the `Accept` header for introspection requests: `application/json` (introspection response as JSON), `application/token-introspection+jwt` (introspection response as a JWT, per the current IETF draft) or `application/jwt` (introspection response as a JWT, per the obsolete IETF draft). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - Introspection
Check boolActive - Check that the introspection response has an `active` claim with a value of `true`. Keep this enabled: an introspection response for a revoked or expired token is typically still a successful HTTP response that carries `active: false`, so without this check such tokens would be accepted. - Introspection
Endpoint string - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - Introspection
Endpoint stringAuth Method - The introspection endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none` (do not authenticate). must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Introspection
Headers List<string>Clients - Extra headers passed from the client to the introspection endpoint.
- Introspection
Headers List<string>Names - Extra header names passed to the introspection endpoint.
- Introspection
Headers List<string>Values - Extra header values passed to the introspection endpoint.
- Introspection
Hint string - Introspection hint parameter value passed to the introspection endpoint.
- Introspection
Post List<string>Args Client Headers - Extra post arguments passed from the client headers to the introspection endpoint.
- Introspection
Post List<string>Args Clients - Extra post arguments passed from the client to the introspection endpoint.
- Introspection
Post List<string>Args Names - Extra post argument names passed to the introspection endpoint.
- Introspection
Post List<string>Args Values - Extra post argument values passed to the introspection endpoint.
- Introspection
Token stringParam Name - Designate token's parameter name for introspection.
- Issuer string
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, also configure `config.using_pseudo_issuer=true`. - Issuers
Alloweds List<string> - The issuers allowed to be present in the tokens (`iss` claim). - Jwt
Session stringClaim - The claim to match against the JWT session cookie.
- string
- The name of the JWT session cookie.
- Keepalive bool
- Use keepalive with the HTTP client.
- Leeway double
- Defines leeway time (in seconds) for the `auth_time`, `exp`, `iat`, and `nbf` claims. - Login
Action string - What to do after a successful login: `upstream` (proxy the request to the upstream service), `response` (terminate the request with a response) or `redirect` (redirect to a different location). must be one of ["redirect", "response", "upstream"] - Login
Methods List<string> - Enable login functionality with specified grants.
- Login
Redirect stringMode - Where to place `login_tokens` when using the `redirect` `login_action`: `query` (place tokens in the query string) or `fragment` (place tokens in the URL fragment, which is not sent to servers). Prefer `fragment`: tokens placed in the query string are sent to the redirect target's server, where they can be recorded in access logs and leaked through `Referer` headers. must be one of ["fragment", "query"] - Login
Redirect List<string>Uris - Where to redirect the client when `login_action` is set to `redirect`. - Login
Tokens List<string> - What tokens to include in the `response` body or the `redirect` query string or fragment: `id_token` (the id token), `access_token` (the access token), `refresh_token` (the refresh token), `tokens` (the full token endpoint response) or `introspection` (the introspection response). - Logout
Methods List<string> - The request methods that can activate the logout: `POST`, `GET` or `DELETE`. - Logout
Post stringArg - The request body argument that activates the logout.
- Logout
Query stringArg - The request query argument that activates the logout.
- Logout
Redirect List<string>Uris - Where to redirect the client after the logout.
- Logout
Revoke bool - Revoke tokens as part of the logout.
- Logout
Revoke boolAccess Token - Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`. - Logout
Revoke boolRefresh Token - Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`. - Logout
Uri stringSuffix - The request URI suffix that activates the logout.
- Max
Age double - The maximum age (in seconds) compared to the `auth_time` claim. - Mtls
Introspection stringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint. - Mtls
Revocation stringEndpoint - Alias for the revocation endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint. - Mtls
Token stringEndpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint. - No
Proxy string - Do not use proxy with these hosts.
- Password
Param List<string>Types - Where to look for the username and password: `header` (the HTTP headers), `query` (the URL's query string) or `body` (the HTTP request body). - Preserve
Query boolArgs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- Proof
Of boolPossession Auth Methods Validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- Proof
Of stringPossession Dpop - Enable Demonstrating Proof-of-Possession (DPoP). If set to `strict`, all requests are verified regardless of whether the token carries the DPoP key claim (`cnf.jkt`). If set to `optional`, only tokens bound to a DPoP key are verified against the proof. must be one of ["off", "optional", "strict"]
- Proof
Of stringPossession Mtls - Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- string
- The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint. - string
- The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none` (do not authenticate). must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Redirect
Uris List<string> - The redirect URI passed to the authorization and token endpoints.
- Redis
Gateway
Plugin Openid Connect Config Redis - Rediscovery
Lifetime double - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- Refresh
Token stringParam Name - The name of the parameter used to pass the refresh token.
- Refresh
Token List<string>Param Types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - Refresh
Tokens bool - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - Require
Proof boolKey For Code Exchange - Forcibly enable or disable Proof Key for Code Exchange (PKCE). When not set, the value is determined through discovery from `code_challenge_methods_supported` and PKCE is enabled automatically; if `code_challenge_methods_supported` is missing from the discovery document, PKCE will not be enabled. Set this to `true` explicitly if you rely on PKCE for the authorization code flow, so it does not silently stay off against a provider that omits that field. - bool
- Forcibly enable or disable pushed authorization requests. When not set, the value is determined through discovery from `require_pushed_authorization_requests` (which defaults to `false`). - Require
Signed boolRequest Object - Forcibly enable or disable the use of a signed request object on the authorization or pushed authorization endpoint. When not set, the value is determined through discovery from `require_signed_request_object` and enabled automatically; if `require_signed_request_object` is missing, the feature will not be enabled. - Resolve
Distributed boolClaims - Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims. - Response
Mode string - Response mode passed to the authorization endpoint: `query` (parameters in the query string), `form_post` (parameters in the request body), `fragment` (parameters in the URI fragment; rarely useful as the plugin itself cannot read it), `query.jwt`, `form_post.jwt` and `fragment.jwt` (like `query`, `form_post` and `fragment`, but with the parameters encoded in a JWT) or `jwt` (a shortcut for the default encoding of the requested response type). must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - Response
Types List<string> - The response type passed to the authorization endpoint.
- Reverify bool
- Specifies whether to always verify tokens stored in the session.
- Revocation
Endpoint string - The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint. - Revocation
Endpoint stringAuth Method - The revocation endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none` (do not authenticate). must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Revocation
Token stringParam Name - Designate token's parameter name for revocation.
- Roles
Claims List<string> - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Roles
Requireds List<string> - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Run
On boolPreflight - Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests. - Scopes
Claims List<string> - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Scopes
Requireds List<string> - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Search
User boolInfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- Session
Absolute doubleTimeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- Session
Audience string - The session audience, which is the intended target application. For example `"my-application"`. - string
- The session cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property. - string
- The session cookie name.
- string
- The session cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks. Leave this enabled wherever the gateway is reached over HTTPS; modern browsers also reject a `SameSite=None` cookie that is not marked Secure.
- Session
Enforce boolSame Subject - When set to `true`, audiences are forced to share the same subject. - Session
Hash boolStorage Key - When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without the cookie. - Session
Hash boolSubject - When set to `true`, the value of the subject is hashed before being stored. Only applies when `session_store_metadata` is enabled. - Session
Idling doubleTimeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- Session
Memcached stringHost - The memcached host.
- Session
Memcached doublePort - The memcached port.
- Session
Memcached stringPrefix - The memcached session key prefix.
- Session
Memcached stringSocket - The memcached unix socket path.
- Session
Remember bool - Enables or disables persistent sessions.
- Session
Remember doubleAbsolute Timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- string
- Persistent session cookie name. Use with the
remember
configuration parameter. - Session
Remember doubleRolling Timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- Session
Request List<string>Headers - Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - Session
Response List<string>Headers - Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - Session
Rolling doubleTimeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- Session
Secret string - The session secret.
- Session
Storage string - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - Session
Store boolMetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- Ssl
Verify bool - Verify identity provider server certificate. If set to
true
, the plugin uses the CA certificate set in the kong.conf
config parameter lua_ssl_trusted_certificate
. - Timeout double
- Network IO timeout in milliseconds.
- Tls
Client stringAuth Cert Id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- Tls
Client boolAuth Ssl Verify - Verify identity provider server certificate during mTLS client authentication.
- Token
Cache boolKey Include Scope - Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- Token
Endpoint string - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - Token
Endpoint stringAuth Method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, or none
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Token
Exchange stringEndpoint - The token exchange endpoint.
- Token
Headers List<string>Clients - Extra headers passed from the client to the token endpoint.
- Token
Headers List<string>Grants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
: with refresh token grant. - Token
Headers List<string>Names - Extra header names passed to the token endpoint.
- Token
Headers stringPrefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- Token
Headers List<string>Replays - The names of token endpoint response headers to forward to the downstream client.
- Token
Headers List<string>Values - Extra header values passed to the token endpoint.
- Token
Post List<string>Args Clients - Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with
scope
values, like this: config.token_post_args_client=scope
In this case, the token would take the scope
value from the query parameter or from the request body or from the header and send it to the token endpoint. - Token
Post List<string>Args Names - Extra post argument names passed to the token endpoint.
- Token
Post List<string>Args Values - Extra post argument values passed to the token endpoint.
- bool
- Destroy any active session for the unauthorized requests.
- string
- The error message for the unauthorized requests (when not using the redirection).
- List<string>
- Where to redirect the client on unauthorized requests.
- Unexpected
Redirect List<string>Uris - Where to redirect the client when unexpected errors happen with the requests.
- Upstream
Access stringToken Header - The upstream access token header.
- Upstream
Access stringToken Jwk Header - The upstream access token JWK header.
- Upstream
Headers List<string>Claims - The upstream header claims. Only top level claims are supported.
- Upstream
Headers List<string>Names - The upstream header names for the claim values.
- Upstream
Id stringToken Header - The upstream id token header.
- Upstream
Id stringToken Jwk Header - The upstream id token JWK header.
- Upstream
Introspection stringHeader - The upstream introspection header.
- Upstream
Introspection stringJwt Header - The upstream introspection JWT header.
- Upstream
Refresh stringToken Header - The upstream refresh token header.
- Upstream
Session stringId Header - The upstream session id header.
- Upstream
User stringInfo Header - The upstream user info header.
- Upstream
User stringInfo Jwt Header - The upstream user info JWT header (in case the user info returns a JWT response).
- Userinfo
Accept string - The value of
Accept
header for user info requests: -application/json
: user info response as JSON -application/jwt
: user info response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt"] - Userinfo
Endpoint string - The user info endpoint. If set it overrides the value in
userinfo_endpoint
returned by the discovery endpoint. - Userinfo
Headers List<string>Clients - Extra headers passed from the client to the user info endpoint.
- Userinfo
Headers List<string>Names - Extra header names passed to the user info endpoint.
- Userinfo
Headers List<string>Values - Extra header values passed to the user info endpoint.
- Userinfo
Query List<string>Args Clients - Extra query arguments passed from the client to the user info endpoint.
- Userinfo
Query List<string>Args Names - Extra query argument names passed to the user info endpoint.
- Userinfo
Query List<string>Args Values - Extra query argument values passed to the user info endpoint.
- Using
Pseudo boolIssuer - If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with
config.issuer
. - Verify
Claims bool - Verify tokens for standard claims.
- Verify
Nonce bool - Verify nonce on authorization code flow.
- Verify
Parameters bool - Verify plugin configuration against discovery.
- Verify
Signature bool - Verify signature of tokens.
- Scopes []string
- The scopes passed to the authorization and token endpoints.
- Anonymous string
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a
4xx
HTTP status code. This value must refer to the consumer id
or username
attribute, and not its custom_id
. - Audience
Claims []string - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Audience
Requireds []string - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Audiences []string
- The audience passed to the authorization endpoint.
- Auth
Methods []string - Types of credentials/grants to enable.
- Authenticated
Groups []stringClaims - The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- string
- The authorization cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - string
- The authorization cookie name.
- string
- The authorization cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- string
- The authorization endpoint. If set it overrides the value in
authorization_endpoint
returned by the discovery endpoint. - []string
- Extra query arguments passed from the client to the authorization endpoint.
- []string
- Extra query argument names passed to the authorization endpoint.
- []string
- Extra query argument values passed to the authorization endpoint.
- float64
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- string
- The name of the cookie in which the bearer token is passed.
- Bearer
Token []stringParam Types - Where to look for the bearer token: -
header
: search theAuthorization
,access-token
, andx-access-token
HTTP headers -query
: search the URL's query string -body
: search the HTTP request body -cookie
: search the HTTP request cookies specified withconfig.bearer_token_cookie_name
. - By
Username boolIgnore Case - If
consumer_by
is set to username
, specify whether username
can match consumers case-insensitively. - Cache
Introspection bool - Cache the introspection endpoint requests.
- Cache
Token boolExchange - Cache the token exchange endpoint requests.
- Cache
Tokens bool - Cache the token endpoint requests.
- Cache
Tokens stringSalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- Cache
Ttl float64 - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- Cache
Ttl float64Max - The maximum cache ttl in seconds (enforced).
- Cache
Ttl float64Min - The minimum cache ttl in seconds (enforced).
- Cache
Ttl float64Neg - The negative cache ttl in seconds.
- Cache
Ttl float64Resurrect - The resurrection ttl in seconds.
- Cache
User boolInfo - Cache the user info requests.
- Claims
Forbiddens []string - If given, these claims are forbidden in the token payload.
- Client
Algs []string - The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
- Client
Arg string - The client to use for this request (the selection is made with a request parameter with the same name).
- Client
Auths []string - The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
- Client
Credentials []stringParam Types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - Client
Ids []string - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- Client
Jwks []GatewayPlugin Openid Connect Config Client Jwk - The JWK used for the privatekeyjwt authentication.
- Client
Secrets []string - The client secret.
- Cluster
Cache GatewayRedis Plugin Openid Connect Config Cluster Cache Redis - Cluster
Cache stringStrategy - The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- Consumer
Bies []string - Consumer fields used for mapping: -
id
: try to find the matching Consumer byid
-username
: try to find the matching Consumer byusername
-custom_id
: try to find the matching Consumer bycustom_id
. - Consumer
Claims []string - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Consumer
Optional bool - Do not terminate the request if consumer mapping fails.
- Credential
Claims []string - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Disable
Sessions []string - Disable issuing the session cookie with the specified grants.
- Discovery
Headers []stringNames - Extra header names passed to the discovery endpoint.
- Discovery
Headers []stringValues - Extra header values passed to the discovery endpoint.
- Display
Errors bool - Display errors on failure responses.
- Domains []string
- The allowed values for the
hd
claim. - Downstream
Access stringToken Header - The downstream access token header.
- Downstream
Access stringToken Jwk Header - The downstream access token JWK header.
- Downstream
Headers []stringClaims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Downstream
Headers []stringNames - The downstream header names for the claim values.
- Downstream
Id stringToken Header - The downstream id token header.
- Downstream
Id stringToken Jwk Header - The downstream id token JWK header.
- Downstream
Introspection stringHeader - The downstream introspection header.
- Downstream
Introspection stringJwt Header - The downstream introspection JWT header.
- Downstream
Refresh stringToken Header - The downstream refresh token header.
- Downstream
Session stringId Header - The downstream session id header.
- Downstream
User stringInfo Header - The downstream user info header.
- Downstream
User stringInfo Jwt Header - The downstream user info JWT header (in case the user info returns a JWT response).
- Dpop
Proof float64Lifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- Dpop
Use boolNonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- Enable
Hs boolSignatures - Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
- End
Session stringEndpoint - The end session endpoint. If set it overrides the value in
end_session_endpoint
returned by the discovery endpoint. - Expose
Error boolCode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to
false
to disable. - Extra
Jwks []stringUris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- Forbidden
Destroy boolSession - Destroy any active session for the forbidden requests.
- Forbidden
Error stringMessage - The error message for the forbidden requests (when not using the redirection).
- Forbidden
Redirect []stringUris - Where to redirect the client on forbidden requests.
- Groups
Claims []string - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Groups
Requireds []string - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Hide
Credentials bool - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- Http
Proxy string - The HTTP proxy.
- string
- The HTTP proxy authorization.
- Http
Version float64 - The HTTP version used for the requests by this plugin: -
1.1
: HTTP 1.1 (the default) -1.0
: HTTP 1.0. - Https
Proxy string - The HTTPS proxy.
- string
- The HTTPS proxy authorization.
- Id
Token stringParam Name - The name of the parameter used to pass the id token.
- Id
Token []stringParam Types - Where to look for the id token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - Ignore
Signatures []string - Skip the token signature verification on certain grants: -
password
: OAuth password grant -client_credentials
: OAuth client credentials grant -authorization_code
: authorization code flow -refresh_token
: OAuth refresh token grant -session
: session cookie authentication -introspection
: OAuth introspection -userinfo
: OpenID Connect user info endpoint authentication. - Introspect
Jwt boolTokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- Introspection
Accept string - The value of
Accept
header for introspection requests: -application/json
: introspection response as JSON -application/token-introspection+jwt
: introspection response as JWT (from the current IETF draft document) -application/jwt
: introspection response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - Introspection
Check boolActive - Check that the introspection response has an
active
claim with a value of true
. - Introspection
Endpoint string - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - Introspection
Endpoint stringAuth Method - The introspection endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, or none
: do not authenticate. must be one of ["clientsecretbasic", "clientsecretjwt", "clientsecretpost", "none", "privatekeyjwt", "selfsignedtlsclientauth", "tlsclientauth"] - Introspection
Headers []stringClients - Extra headers passed from the client to the introspection endpoint.
- Introspection
Headers []stringNames - Extra header names passed to the introspection endpoint.
- Introspection
Headers []stringValues - Extra header values passed to the introspection endpoint.
- Introspection
Hint string - Introspection hint parameter value passed to the introspection endpoint.
- Introspection
Post []stringArgs Client Headers - Extra post arguments passed from the client headers to the introspection endpoint.
- Introspection
Post []stringArgs Clients - Extra post arguments passed from the client to the introspection endpoint.
- Introspection
Post []stringArgs Names - Extra post argument names passed to the introspection endpoint.
- Introspection
Post []stringArgs Values - Extra post argument values passed to the introspection endpoint.
- Introspection
Token stringParam Name - Designate token's parameter name for introspection.
- Issuer string
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure
config.using_pseudo_issuer=true
. - Issuers
Alloweds []string - The issuers allowed to be present in the tokens (
iss
claim). - Jwt
Session stringClaim - The claim to match against the JWT session cookie.
- string
- The name of the JWT session cookie.
- Keepalive bool
- Use keepalive with the HTTP client.
- Leeway float64
- Defines leeway time (in seconds) for
auth_time
,exp
,iat
, andnbf
claims - Login
Action string - What to do after successful login: -
upstream
: proxy request to upstream service -response
: terminate request with a response -redirect
: redirect to a different location. must be one of ["redirect", "response", "upstream"] - Login
Methods []string - Enable login functionality with specified grants.
- Login
Redirect stringMode - Where to place
login_tokens
when using redirect
login_action
: -query
: place tokens in query string -fragment
: place tokens in url fragment (not readable by servers). must be one of ["fragment", "query"] - Login
Redirect []stringUris - Where to redirect the client when
login_action
is set toredirect
. - Login
Tokens []string - What tokens to include in
response
body orredirect
query string or fragment: -id_token
: include id token -access_token
: include access token -refresh_token
: include refresh token -tokens
: include the full token endpoint response -introspection
: include introspection response. - Logout
Methods []string - The request methods that can activate the logout: -
POST
: HTTP POST method -GET
: HTTP GET method -DELETE
: HTTP DELETE method. - Logout
Post stringArg - The request body argument that activates the logout.
- Logout
Query stringArg - The request query argument that activates the logout.
- Logout
Redirect []stringUris - Where to redirect the client after the logout.
- Logout
Revoke bool - Revoke tokens as part of the logout.
- Logout
Revoke boolAccess Token - Revoke the access token as part of the logout. Requires
logout_revoke
to be set to true
. - Logout
Revoke boolRefresh Token - Revoke the refresh token as part of the logout. Requires
logout_revoke
to be set to true
. - Logout
Uri stringSuffix - The request URI suffix that activates the logout.
- Max
Age float64 - The maximum age (in seconds) compared to the
auth_time
claim. - Mtls
Introspection stringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - Mtls
Revocation stringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - Mtls
Token stringEndpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - No
Proxy string - Do not use proxy with these hosts.
- Password
Param []stringTypes - Where to look for the username and password: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - Preserve
Query boolArgs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- Proof
Of boolPossession Auth Methods Validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- Proof
Of stringPossession Dpop - Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all requests are verified regardless of the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof. must be one of ["off", "optional", "strict"]
- Proof
Of stringPossession Mtls - Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- string
- The pushed authorization endpoint. If set it overrides the value in
pushed_authorization_request_endpoint
returned by the discovery endpoint. - string
- The pushed authorization request endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, or none
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Redirect
Uris []string - The redirect URI passed to the authorization and token endpoints.
- Redis
Gateway
Plugin Openid Connect Config Redis - Rediscovery
Lifetime float64 - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- Refresh
Token stringParam Name - The name of the parameter used to pass the refresh token.
- Refresh
Token []stringParam Types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - Refresh
Tokens bool - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - Require
Proof boolKey For Code Exchange - Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of
code_challenge_methods_supported
, and enabled automatically (in case the code_challenge_methods_supported
is missing, the PKCE will not be enabled). - bool
- Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of
require_pushed_authorization_requests
(which defaults to false
). - Require
Signed boolRequest Object - Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of
require_signed_request_object
, and enabled automatically (in case the require_signed_request_object
is missing, the feature will not be enabled). - Resolve
Distributed boolClaims - Distributed claims are represented by the
_claim_names
and_claim_sources
members of the JSON object containing the claims. If this parameter is set to true
, the plugin explicitly resolves these distributed claims. - Response
Mode string - Response mode passed to the authorization endpoint: -
query
: for parameters in query string -form_post
: for parameters in request body -fragment
: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) -query.jwt
,form_post.jwt
,fragment.jwt
: similar to query
, form_post
and fragment
but the parameters are encoded in a JWT -jwt
: shortcut that indicates the default encoding for the requested response type. must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - Response
Types []string - The response type passed to the authorization endpoint.
- Reverify bool
- Specifies whether to always verify tokens stored in the session.
- Revocation
Endpoint string - The revocation endpoint. If set it overrides the value in
revocation_endpoint
returned by the discovery endpoint. - Revocation
Endpoint stringAuth Method - The revocation endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, or none
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Revocation
Token stringParam Name - Designate token's parameter name for revocation.
- Roles
Claims []string - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Roles
Requireds []string - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Run
On boolPreflight - Specifies whether to run this plugin on pre-flight (
OPTIONS
) requests. - Scopes
Claims []string - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- Scopes
Requireds []string - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - Search
User boolInfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- Session
Absolute float64Timeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- Session
Audience string - The session audience, which is the intended target application. For example
"my-application"
. - string
- The session cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - string
- The session cookie name.
- string
- The session cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- Session
Enforce boolSame Subject - When set to
true
, audiences are forced to share the same subject. - Session
Hash boolStorage Key - When set to
true
, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie. - Session
Hash boolSubject - When set to
true
, the value of subject is hashed before being stored. Only applies when session_store_metadata
is enabled. - Session
Idling float64Timeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- Session
Memcached stringHost - The memcached host.
- Session
Memcached float64Port - The memcached port.
- Session
Memcached stringPrefix - The memcached session key prefix.
- Session
Memcached stringSocket - The memcached unix socket path.
- Session
Remember bool - Enables or disables persistent sessions.
- Session
Remember float64Absolute Timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- string
- Persistent session cookie name. Use with the
remember
configuration parameter. - Session
Remember float64Rolling Timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- Session
Request []stringHeaders - Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - Session
Response []stringHeaders - Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - Session
Rolling float64Timeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- Session
Secret string - The session secret.
- Session
Storage string - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - Session
Store boolMetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- Ssl
Verify bool - Verify identity provider server certificate. If set to
true
, the plugin uses the CA certificate set in the `kong.conf`
config parameter `lua_ssl_trusted_certificate`
. - Timeout float64
- Network IO timeout in milliseconds.
- Tls
Client stringAuth Cert Id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- Tls
Client boolAuth Ssl Verify - Verify identity provider server certificate during mTLS client authentication.
- Token
Cache boolKey Include Scope - Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- Token
Endpoint string - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - Token
Endpoint stringAuth Method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - Token
Exchange stringEndpoint - The token exchange endpoint.
- Token
Headers []stringClients - Extra headers passed from the client to the token endpoint.
- Token
Headers []stringGrants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
with refresh token grant. - Token
Headers []stringNames - Extra header names passed to the token endpoint.
- Token
Headers stringPrefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- Token
Headers []stringReplays - The names of token endpoint response headers to forward to the downstream client.
- Token
Headers []stringValues - Extra header values passed to the token endpoint.
- Token
Post []stringArgs Clients - Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with
scope
values, like this: `config.token_post_args_client=scope`
In this case, the token would take the `scope`
value from the query parameter or from the request body or from the header and send it to the token endpoint. - Token
Post []stringArgs Names - Extra post argument names passed to the token endpoint.
- Token
Post []stringArgs Values - Extra post argument values passed to the token endpoint.
- bool
- Destroy any active session for the unauthorized requests.
- string
- The error message for the unauthorized requests (when not using the redirection).
- []string
- Where to redirect the client on unauthorized requests.
- Unexpected
Redirect []stringUris - Where to redirect the client when unexpected errors happen with the requests.
- Upstream
Access stringToken Header - The upstream access token header.
- Upstream
Access stringToken Jwk Header - The upstream access token JWK header.
- Upstream
Headers []stringClaims - The upstream header claims. Only top level claims are supported.
- Upstream
Headers []stringNames - The upstream header names for the claim values.
- Upstream
Id stringToken Header - The upstream id token header.
- Upstream
Id stringToken Jwk Header - The upstream id token JWK header.
- Upstream
Introspection stringHeader - The upstream introspection header.
- Upstream
Introspection stringJwt Header - The upstream introspection JWT header.
- Upstream
Refresh stringToken Header - The upstream refresh token header.
- Upstream
Session stringId Header - The upstream session id header.
- Upstream
User stringInfo Header - The upstream user info header.
- Upstream
User stringInfo Jwt Header - The upstream user info JWT header (in case the user info returns a JWT response).
- Userinfo
Accept string - The value of
Accept
header for user info requests: -application/json
: user info response as JSON -application/jwt
: user info response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt"] - Userinfo
Endpoint string - The user info endpoint. If set it overrides the value in
userinfo_endpoint
returned by the discovery endpoint. - Userinfo
Headers []stringClients - Extra headers passed from the client to the user info endpoint.
- Userinfo
Headers []stringNames - Extra header names passed to the user info endpoint.
- Userinfo
Headers []stringValues - Extra header values passed to the user info endpoint.
- Userinfo
Query []stringArgs Clients - Extra query arguments passed from the client to the user info endpoint.
- Userinfo
Query []stringArgs Names - Extra query argument names passed to the user info endpoint.
- Userinfo
Query []stringArgs Values - Extra query argument values passed to the user info endpoint.
- Using
Pseudo boolIssuer - If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with
config.issuer
. - Verify
Claims bool - Verify tokens for standard claims.
- Verify
Nonce bool - Verify nonce on authorization code flow.
- Verify
Parameters bool - Verify plugin configuration against discovery.
- Verify
Signature bool - Verify signature of tokens.
- scopes List<String>
- The scopes passed to the authorization and token endpoints.
- anonymous String
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a
4xx
HTTP status code. This value must refer to the consumer `id`
or `username`
attribute, and not its `custom_id`
. - audience
Claims List<String> - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- audience
Requireds List<String> - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - audiences List<String>
- The audience passed to the authorization endpoint.
- auth
Methods List<String> - Types of credentials/grants to enable.
- authenticated
Groups List<String>Claims - The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- String
- The authorization cookie Domain flag.
- Boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - String
- The authorization cookie name.
- String
- The authorization cookie Path flag.
- String
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- Boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- String
- The authorization endpoint. If set it overrides the value in
authorization_endpoint
returned by the discovery endpoint. - List<String>
- Extra query arguments passed from the client to the authorization endpoint.
- List<String>
- Extra query argument names passed to the authorization endpoint.
- List<String>
- Extra query argument values passed to the authorization endpoint.
- Double
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- String
- The name of the cookie in which the bearer token is passed.
- bearer
Token List<String>Param Types - Where to look for the bearer token: -
header
: search the `Authorization`
,access-token
, and `x-access-token`
HTTP headers -query
: search the URL's query string -body
: search the HTTP request body -cookie
: search the HTTP request cookies specified with `config.bearer_token_cookie_name`
. - by
Username BooleanIgnore Case - If
consumer_by
is set to `username`
, specify whether `username`
can match consumers case-insensitively. - cache
Introspection Boolean - Cache the introspection endpoint requests.
- cache
Token BooleanExchange - Cache the token exchange endpoint requests.
- cache
Tokens Boolean - Cache the token endpoint requests.
- cache
Tokens StringSalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- cache
Ttl Double - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- cache
Ttl DoubleMax - The maximum cache ttl in seconds (enforced).
- cache
Ttl DoubleMin - The minimum cache ttl in seconds (enforced).
- cache
Ttl DoubleNeg - The negative cache ttl in seconds.
- cache
Ttl DoubleResurrect - The resurrection ttl in seconds.
- cache
User BooleanInfo - Cache the user info requests.
- claims
Forbiddens List<String> - If given, these claims are forbidden in the token payload.
- client
Algs List<String> - The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
- client
Arg String - The client to use for this request (the selection is made with a request parameter with the same name).
- client
Auths List<String> - The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
- client
Credentials List<String>Param Types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - client
Ids List<String> - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- client
Jwks List<GatewayPlugin Openid Connect Config Client Jwk> - The JWK used for the private_key_jwt authentication.
- client
Secrets List<String> - The client secret.
- cluster
Cache GatewayRedis Plugin Openid Connect Config Cluster Cache Redis - cluster
Cache StringStrategy - The strategy to use for the cluster cache. If set, the plugin will share its cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- consumer
Bies List<String> - Consumer fields used for mapping: -
id
: try to find the matching Consumer by `id`
-username
: try to find the matching Consumer by `username`
-custom_id
: try to find the matching Consumer by `custom_id`
. - consumer
Claims List<String> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Optional Boolean - Do not terminate the request if consumer mapping fails.
- credential
Claims List<String> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- disable
Sessions List<String> - Disable issuing the session cookie with the specified grants.
- discovery
Headers List<String>Names - Extra header names passed to the discovery endpoint.
- discovery
Headers List<String>Values - Extra header values passed to the discovery endpoint.
- display
Errors Boolean - Display errors on failure responses.
- domains List<String>
- The allowed values for the
hd
claim. - downstream
Access StringToken Header - The downstream access token header.
- downstream
Access StringToken Jwk Header - The downstream access token JWK header.
- downstream
Headers List<String>Claims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- downstream
Headers List<String>Names - The downstream header names for the claim values.
- downstream
Id StringToken Header - The downstream id token header.
- downstream
Id StringToken Jwk Header - The downstream id token JWK header.
- downstream
Introspection StringHeader - The downstream introspection header.
- downstream
Introspection StringJwt Header - The downstream introspection JWT header.
- downstream
Refresh StringToken Header - The downstream refresh token header.
- downstream
Session StringId Header - The downstream session id header.
- downstream
User StringInfo Header - The downstream user info header.
- downstream
User StringInfo Jwt Header - The downstream user info JWT header (in case the user info returns a JWT response).
- dpop
Proof DoubleLifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- dpop
Use BooleanNonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- enable
Hs BooleanSignatures - Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
- end
Session StringEndpoint - The end session endpoint. If set it overrides the value in
end_session_endpoint
returned by the discovery endpoint. - expose
Error BooleanCode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to
false
to disable. - extra
Jwks List<String>Uris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- forbidden
Destroy BooleanSession - Destroy any active session for the forbidden requests.
- forbidden
Error StringMessage - The error message for the forbidden requests (when not using the redirection).
- forbidden
Redirect List<String>Uris - Where to redirect the client on forbidden requests.
- groups
Claims List<String> - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- groups
Requireds List<String> - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - hide
Credentials Boolean - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- http
Proxy String - The HTTP proxy.
- String
- The HTTP proxy authorization.
- http
Version Double - The HTTP version used for the requests by this plugin: -
1.1
: HTTP 1.1 (the default) -1.0
: HTTP 1.0. - https
Proxy String - The HTTPS proxy.
- String
- The HTTPS proxy authorization.
- id
Token StringParam Name - The name of the parameter used to pass the id token.
- id
Token List<String>Param Types - Where to look for the id token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - ignore
Signatures List<String> - Skip the token signature verification on certain grants: -
password
: OAuth password grant -client_credentials
: OAuth client credentials grant -authorization_code
: authorization code flow -refresh_token
: OAuth refresh token grant -session
: session cookie authentication -introspection
: OAuth introspection -userinfo
: OpenID Connect user info endpoint authentication. - introspect
Jwt BooleanTokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- introspection
Accept String - The value of
Accept
header for introspection requests: -application/json
: introspection response as JSON -application/token-introspection+jwt
: introspection response as JWT (from the current IETF draft document) -application/jwt
: introspection response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - introspection
Check BooleanActive - Check that the introspection response has an
active
claim with a value of `true`
. - introspection
Endpoint String - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - introspection
Endpoint StringAuth Method - The introspection endpoint authentication method: :
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - introspection
Headers List<String>Clients - Extra headers passed from the client to the introspection endpoint.
- introspection
Headers List<String>Names - Extra header names passed to the introspection endpoint.
- introspection
Headers List<String>Values - Extra header values passed to the introspection endpoint.
- introspection
Hint String - Introspection hint parameter value passed to the introspection endpoint.
- introspection
Post List<String>Args Client Headers - Extra post arguments passed from the client headers to the introspection endpoint.
- introspection
Post List<String>Args Clients - Extra post arguments passed from the client to the introspection endpoint.
- introspection
Post List<String>Args Names - Extra post argument names passed to the introspection endpoint.
- introspection
Post List<String>Args Values - Extra post argument values passed to the introspection endpoint.
- introspection
Token StringParam Name - Designate token's parameter name for introspection.
- issuer String
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure
config.using_pseudo_issuer=true
. - issuers
Alloweds List<String> - The issuers allowed to be present in the tokens (
iss
claim). - jwt
Session StringClaim - The claim to match against the JWT session cookie.
- String
- The name of the JWT session cookie.
- keepalive Boolean
- Use keepalive with the HTTP client.
- leeway Double
- Defines leeway time (in seconds) for
auth_time
,exp
,iat
, andnbf
claims - login
Action String - What to do after successful login: -
upstream
: proxy request to upstream service -response
: terminate request with a response -redirect
: redirect to a different location. must be one of ["redirect", "response", "upstream"] - login
Methods List<String> - Enable login functionality with specified grants.
- login
Redirect StringMode - Where to place
login_tokens
when using `redirect`
login_action
: -query
: place tokens in query string -fragment
: place tokens in url fragment (not readable by servers). must be one of ["fragment", "query"] - login
Redirect List<String>Uris - Where to redirect the client when
login_action
is set to `redirect`
. - login
Tokens List<String> - What tokens to include in
response
body or `redirect`
query string or fragment: -id_token
: include id token -access_token
: include access token -refresh_token
: include refresh token -tokens
: include the full token endpoint response -introspection
: include introspection response. - logout
Methods List<String> - The request methods that can activate the logout: -
POST
: HTTP POST method -GET
: HTTP GET method -DELETE
: HTTP DELETE method. - logout
Post StringArg - The request body argument that activates the logout.
- logout
Query StringArg - The request query argument that activates the logout.
- logout
Redirect List<String>Uris - Where to redirect the client after the logout.
- logout
Revoke Boolean - Revoke tokens as part of the logout.
- logout
Revoke BooleanAccess Token - Revoke the access token as part of the logout. Requires
logout_revoke
to be set to `true`
. - logout
Revoke BooleanRefresh Token - Revoke the refresh token as part of the logout. Requires
logout_revoke
to be set to `true`
. - logout
Uri StringSuffix - The request URI suffix that activates the logout.
- max
Age Double - The maximum age (in seconds) compared to the
auth_time
claim. - mtls
Introspection StringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Revocation StringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Token StringEndpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - no
Proxy String - Do not use proxy with these hosts.
- password
Param List<String>Types - Where to look for the username and password: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - preserve
Query BooleanArgs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- proof
Of BooleanPossession Auth Methods Validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- proof
Of StringPossession Dpop - Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof. must be one of ["off", "optional", "strict"]
- proof
Of StringPossession Mtls - Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- String
- The pushed authorization endpoint. If set it overrides the value in
pushed_authorization_request_endpoint
returned by the discovery endpoint. - String
- The pushed authorization request endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - redirect
Uris List<String> - The redirect URI passed to the authorization and token endpoints.
- redis
Gateway
Plugin Openid Connect Config Redis - rediscovery
Lifetime Double - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- refresh
Token StringParam Name - The name of the parameter used to pass the refresh token.
- refresh
Token List<String>Param Types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - refresh
Tokens Boolean - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - require
Proof BooleanKey For Code Exchange - Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of
code_challenge_methods_supported
, and enabled automatically (in case the `code_challenge_methods_supported`
is missing, the PKCE will not be enabled). - Boolean
- Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of
require_pushed_authorization_requests
(which defaults to `false`
). - require
Signed BooleanRequest Object - Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of
require_signed_request_object
, and enabled automatically (in case the `require_signed_request_object`
is missing, the feature will not be enabled). - resolve
Distributed BooleanClaims - Distributed claims are represented by the
_claim_names
and `_claim_sources`
members of the JSON object containing the claims. If this parameter is set to `true`
, the plugin explicitly resolves these distributed claims. - response
Mode String - Response mode passed to the authorization endpoint: -
query
: for parameters in query string -form_post
: for parameters in request body -fragment
: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) -query.jwt
,form_post.jwt
,fragment.jwt
: similar to `query`
,form_post
and `fragment`
but the parameters are encoded in a JWT -jwt
: shortcut that indicates the default encoding for the requested response type. must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - response
Types List<String> - The response type passed to the authorization endpoint.
- reverify Boolean
- Specifies whether to always verify tokens stored in the session.
- revocation
Endpoint String - The revocation endpoint. If set it overrides the value in
revocation_endpoint
returned by the discovery endpoint. - revocation
Endpoint StringAuth Method - The revocation endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - revocation
Token StringParam Name - Designate token's parameter name for revocation.
- roles
Claims List<String> - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- roles
Requireds List<String> - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - run
On BooleanPreflight - Specifies whether to run this plugin on pre-flight (
OPTIONS
) requests. - scopes
Claims List<String> - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- scopes
Requireds List<String> - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - search
User BooleanInfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- session
Absolute DoubleTimeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- session
Audience String - The session audience, which is the intended target application. For example
"my-application"
. - String
- The session cookie Domain flag.
- Boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - String
- The session cookie name.
- String
- The session cookie Path flag.
- String
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- Boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- session
Enforce BooleanSame Subject - When set to
true
, audiences are forced to share the same subject. - session
Hash BooleanStorage Key - When set to
true
, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie. - session
Hash BooleanSubject - When set to
true
, the value of subject is hashed before being stored. Only applies when `session_store_metadata`
is enabled. - session
Idling DoubleTimeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- session
Memcached StringHost - The memcached host.
- session
Memcached DoublePort - The memcached port.
- session
Memcached StringPrefix - The memcached session key prefix.
- session
Memcached StringSocket - The memcached unix socket path.
- session
Remember Boolean - Enables or disables persistent sessions.
- session
Remember DoubleAbsolute Timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- String
- Persistent session cookie name. Use with the
remember
configuration parameter. - session
Remember DoubleRolling Timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- session
Request List<String>Headers - Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - session
Response List<String>Headers - Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - session
Rolling DoubleTimeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- session
Secret String - The session secret.
- session
Storage String - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - session
Store BooleanMetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- ssl
Verify Boolean - Verify identity provider server certificate. If set to
true
, the plugin uses the CA certificate set in the `kong.conf`
config parameter `lua_ssl_trusted_certificate`
. - timeout Double
- Network IO timeout in milliseconds.
- tls
Client StringAuth Cert Id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- tls
Client BooleanAuth Ssl Verify - Verify identity provider server certificate during mTLS client authentication.
- token
Cache BooleanKey Include Scope - Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- token
Endpoint String - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - token
Endpoint StringAuth Method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - token
Exchange StringEndpoint - The token exchange endpoint.
- token
Headers List<String>Clients - Extra headers passed from the client to the token endpoint.
- token
Headers List<String>Grants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
: with refresh token grant. - token
Headers List<String>Names - Extra header names passed to the token endpoint.
- token
Headers StringPrefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- token
Headers List<String>Replays - The names of token endpoint response headers to forward to the downstream client.
- token
Headers List<String>Values - Extra header values passed to the token endpoint.
- token
Post List<String>Args Clients - Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with
scope
values, like this:config.token_post_args_client=scope
In this case, the token would take thescope
value from the query parameter or from the request body or from the header and send it to the token endpoint. - token
Post List<String>Args Names - Extra post argument names passed to the token endpoint.
- token
Post List<String>Args Values - Extra post argument values passed to the token endpoint.
- Boolean
- Destroy any active session for the unauthorized requests.
- String
- The error message for the unauthorized requests (when not using the redirection).
- List<String>
- Where to redirect the client on unauthorized requests.
- unexpected
Redirect List<String>Uris - Where to redirect the client when unexpected errors happen with the requests.
- upstream
Access StringToken Header - The upstream access token header.
- upstream
Access StringToken Jwk Header - The upstream access token JWK header.
- upstream
Headers List<String>Claims - The upstream header claims. Only top level claims are supported.
- upstream
Headers List<String>Names - The upstream header names for the claim values.
- upstream
Id StringToken Header - The upstream id token header.
- upstream
Id StringToken Jwk Header - The upstream id token JWK header.
- upstream
Introspection StringHeader - The upstream introspection header.
- upstream
Introspection StringJwt Header - The upstream introspection JWT header.
- upstream
Refresh StringToken Header - The upstream refresh token header.
- upstream
Session StringId Header - The upstream session id header.
- upstream
User StringInfo Header - The upstream user info header.
- upstream
User StringInfo Jwt Header - The upstream user info JWT header (in case the user info returns a JWT response).
- userinfo
Accept String - The value of
Accept
header for user info requests: -application/json
: user info response as JSON -application/jwt
: user info response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt"] - userinfo
Endpoint String - The user info endpoint. If set it overrides the value in
userinfo_endpoint
returned by the discovery endpoint. - userinfo
Headers List<String>Clients - Extra headers passed from the client to the user info endpoint.
- userinfo
Headers List<String>Names - Extra header names passed to the user info endpoint.
- userinfo
Headers List<String>Values - Extra header values passed to the user info endpoint.
- userinfo
Query List<String>Args Clients - Extra query arguments passed from the client to the user info endpoint.
- userinfo
Query List<String>Args Names - Extra query argument names passed to the user info endpoint.
- userinfo
Query List<String>Args Values - Extra query argument values passed to the user info endpoint.
- using
Pseudo BooleanIssuer - If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with
config.issuer
. - verify
Claims Boolean - Verify tokens for standard claims.
- verify
Nonce Boolean - Verify nonce on authorization code flow.
- verify
Parameters Boolean - Verify plugin configuration against discovery.
- verify
Signature Boolean - Verify signature of tokens.
- scopes string[]
- The scopes passed to the authorization and token endpoints.
- anonymous string
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a
4xx
HTTP status code. This value must refer to the consumerid
orusername
attribute, and not itscustom_id
. - audience
Claims string[] - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- audience
Requireds string[] - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - audiences string[]
- The audience passed to the authorization endpoint.
- auth
Methods string[] - Types of credentials/grants to enable.
- authenticated
Groups string[]Claims - The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- string
- The authorization cookie Domain flag.
- boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - string
- The authorization cookie name.
- string
- The authorization cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- string
- The authorization endpoint. If set it overrides the value in
authorization_endpoint
returned by the discovery endpoint. - string[]
- Extra query arguments passed from the client to the authorization endpoint.
- string[]
- Extra query argument names passed to the authorization endpoint.
- string[]
- Extra query argument values passed to the authorization endpoint.
- number
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- string
- The name of the cookie in which the bearer token is passed.
- bearer
Token string[]Param Types - Where to look for the bearer token: -
header
: search theAuthorization
,access-token
, andx-access-token
HTTP headers -query
: search the URL's query string -body
: search the HTTP request body -cookie
: search the HTTP request cookies specified withconfig.bearer_token_cookie_name
. - by
Username booleanIgnore Case - If
consumer_by
is set tousername
, specify whetherusername
can match consumers case-insensitively. - cache
Introspection boolean - Cache the introspection endpoint requests.
- cache
Token booleanExchange - Cache the token exchange endpoint requests.
- cache
Tokens boolean - Cache the token endpoint requests.
- cache
Tokens stringSalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- cache
Ttl number - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- cache
Ttl numberMax - The maximum cache ttl in seconds (enforced).
- cache
Ttl numberMin - The minimum cache ttl in seconds (enforced).
- cache
Ttl numberNeg - The negative cache ttl in seconds.
- cache
Ttl numberResurrect - The resurrection ttl in seconds.
- cache
User booleanInfo - Cache the user info requests.
- claims
Forbiddens string[] - If given, these claims are forbidden in the token payload.
- client
Algs string[] - The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
- client
Arg string - The client to use for this request (the selection is made with a request parameter with the same name).
- client
Auths string[] - The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
- client
Credentials string[]Param Types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - client
Ids string[] - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- client
Jwks GatewayPlugin Openid Connect Config Client Jwk[] - The JWK used for the private_key_jwt authentication.
- client
Secrets string[] - The client secret.
- cluster
Cache GatewayRedis Plugin Openid Connect Config Cluster Cache Redis - cluster
Cache stringStrategy - The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- consumer
Bies string[] - Consumer fields used for mapping: -
id
: try to find the matching Consumer byid
-username
: try to find the matching Consumer byusername
-custom_id
: try to find the matching Consumer bycustom_id
. - consumer
Claims string[] - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Optional boolean - Do not terminate the request if consumer mapping fails.
- credential
Claims string[] - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- disable
Sessions string[] - Disable issuing the session cookie with the specified grants.
- discovery
Headers string[]Names - Extra header names passed to the discovery endpoint.
- discovery
Headers string[]Values - Extra header values passed to the discovery endpoint.
- display
Errors boolean - Display errors on failure responses.
- domains string[]
- The allowed values for the
hd
claim. - downstream
Access stringToken Header - The downstream access token header.
- downstream
Access stringToken Jwk Header - The downstream access token JWK header.
- downstream
Headers string[]Claims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- downstream
Headers string[]Names - The downstream header names for the claim values.
- downstream
Id stringToken Header - The downstream id token header.
- downstream
Id stringToken Jwk Header - The downstream id token JWK header.
- downstream
Introspection stringHeader - The downstream introspection header.
- downstream
Introspection stringJwt Header - The downstream introspection JWT header.
- downstream
Refresh stringToken Header - The downstream refresh token header.
- downstream
Session stringId Header - The downstream session id header.
- downstream
User stringInfo Header - The downstream user info header.
- downstream
User stringInfo Jwt Header - The downstream user info JWT header (in case the user info returns a JWT response).
- dpop
Proof numberLifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- dpop
Use booleanNonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- enable
Hs booleanSignatures - Enable shared-secret (for example, HS256) signatures; when disabled, such signatures will not be accepted.
- end
Session stringEndpoint - The end session endpoint. If set it overrides the value in
end_session_endpoint
returned by the discovery endpoint. - expose
Error booleanCode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to
false
to disable. - extra
Jwks string[]Uris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- forbidden
Destroy booleanSession - Destroy any active session for the forbidden requests.
- forbidden
Error stringMessage - The error message for the forbidden requests (when not using the redirection).
- forbidden
Redirect string[]Uris - Where to redirect the client on forbidden requests.
- groups
Claims string[] - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- groups
Requireds string[] - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - hide
Credentials boolean - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- http
Proxy string - The HTTP proxy.
- string
- The HTTP proxy authorization.
- http
Version number - The HTTP version used for the requests by this plugin: -
1.1
: HTTP 1.1 (the default) -1.0
: HTTP 1.0. - https
Proxy string - The HTTPS proxy.
- string
- The HTTPS proxy authorization.
- id
Token stringParam Name - The name of the parameter used to pass the id token.
- id
Token string[]Param Types - Where to look for the id token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - ignore
Signatures string[] - Skip the token signature verification on certain grants: -
password
: OAuth password grant -client_credentials
: OAuth client credentials grant -authorization_code
: authorization code flow -refresh_token
: OAuth refresh token grant -session
: session cookie authentication -introspection
: OAuth introspection -userinfo
: OpenID Connect user info endpoint authentication. - introspect
Jwt booleanTokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- introspection
Accept string - The value of
Accept
header for introspection requests: -application/json
: introspection response as JSON -application/token-introspection+jwt
: introspection response as JWT (from the current IETF draft document) -application/jwt
: introspection response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - introspection
Check booleanActive - Check that the introspection response has an
active
claim with a value oftrue
. - introspection
Endpoint string - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - introspection
Endpoint stringAuth Method - The introspection endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - introspection
Headers string[]Clients - Extra headers passed from the client to the introspection endpoint.
- introspection
Headers string[]Names - Extra header names passed to the introspection endpoint.
- introspection
Headers string[]Values - Extra header values passed to the introspection endpoint.
- introspection
Hint string - Introspection hint parameter value passed to the introspection endpoint.
- introspection
Post string[]Args Client Headers - Extra post arguments passed from the client headers to the introspection endpoint.
- introspection
Post string[]Args Clients - Extra post arguments passed from the client to the introspection endpoint.
- introspection
Post string[]Args Names - Extra post argument names passed to the introspection endpoint.
- introspection
Post string[]Args Values - Extra post argument values passed to the introspection endpoint.
- introspection
Token stringParam Name - Designate token's parameter name for introspection.
- issuer string
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure
config.using_pseudo_issuer=true
. - issuers
Alloweds string[] - The issuers allowed to be present in the tokens (
iss
claim). - jwt
Session stringClaim - The claim to match against the JWT session cookie.
- string
- The name of the JWT session cookie.
- keepalive boolean
- Use keepalive with the HTTP client.
- leeway number
- Defines leeway time (in seconds) for
auth_time
,exp
,iat
, andnbf
claims - login
Action string - What to do after successful login: -
upstream
: proxy request to upstream service -response
: terminate request with a response -redirect
: redirect to a different location. must be one of ["redirect", "response", "upstream"] - login
Methods string[] - Enable login functionality with specified grants.
- login
Redirect stringMode - Where to place
login_tokens
when usingredirect
login_action
: -query
: place tokens in query string -fragment
: place tokens in url fragment (not readable by servers). must be one of ["fragment", "query"] - login
Redirect string[]Uris - Where to redirect the client when
login_action
is set toredirect
. - login
Tokens string[] - What tokens to include in
response
body orredirect
query string or fragment: -id_token
: include id token -access_token
: include access token -refresh_token
: include refresh token -tokens
: include the full token endpoint response -introspection
: include introspection response. - logout
Methods string[] - The request methods that can activate the logout: -
POST
: HTTP POST method -GET
: HTTP GET method -DELETE
: HTTP DELETE method. - logout
Post stringArg - The request body argument that activates the logout.
- logout
Query stringArg - The request query argument that activates the logout.
- logout
Redirect string[]Uris - Where to redirect the client after the logout.
- logout
Revoke boolean - Revoke tokens as part of the logout.
- logout
Revoke booleanAccess Token - Revoke the access token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout
Revoke booleanRefresh Token - Revoke the refresh token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout
Uri stringSuffix - The request URI suffix that activates the logout.
- max
Age number - The maximum age (in seconds) compared to the
auth_time
claim. - mtls
Introspection stringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Revocation stringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Token stringEndpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - no
Proxy string - Do not use proxy with these hosts.
- password
Param string[]Types - Where to look for the username and password: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - preserve
Query booleanArgs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- proof
Of booleanPossession Auth Methods Validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- proof
Of stringPossession Dpop - Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all requests are verified regardless of the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound to a DPoP key are verified with the proof. must be one of ["off", "optional", "strict"]
- proof
Of stringPossession Mtls - Enable mTLS proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified. If set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- string
- The pushed authorization endpoint. If set it overrides the value in
pushed_authorization_request_endpoint
returned by the discovery endpoint. - string
- The pushed authorization request endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - redirect
Uris string[] - The redirect URI passed to the authorization and token endpoints.
- redis
Gateway
Plugin Openid Connect Config Redis - rediscovery
Lifetime number - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- refresh
Token stringParam Name - The name of the parameter used to pass the refresh token.
- refresh
Token string[]Param Types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - refresh
Tokens boolean - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - require
Proof booleanKey For Code Exchange - Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of
code_challenge_methods_supported
, and enabled automatically (in case thecode_challenge_methods_supported
is missing, the PKCE will not be enabled). - boolean
- Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of
require_pushed_authorization_requests
(which defaults tofalse
). - require
Signed booleanRequest Object - Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of
require_signed_request_object
, and enabled automatically (in case therequire_signed_request_object
is missing, the feature will not be enabled). - resolve
Distributed booleanClaims - Distributed claims are represented by the
_claim_names
and_claim_sources
members of the JSON object containing the claims. If this parameter is set totrue
, the plugin explicitly resolves these distributed claims. - response
Mode string - Response mode passed to the authorization endpoint: -
query
: for parameters in query string -form_post
: for parameters in request body -fragment
: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) -query.jwt
,form_post.jwt
,fragment.jwt
: similar toquery
,form_post
andfragment
but the parameters are encoded in a JWT -jwt
: shortcut that indicates the default encoding for the requested response type. must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - response
Types string[] - The response type passed to the authorization endpoint.
- reverify boolean
- Specifies whether to always verify tokens stored in the session.
- revocation
Endpoint string - The revocation endpoint. If set it overrides the value in
revocation_endpoint
returned by the discovery endpoint. - revocation
Endpoint stringAuth Method - The revocation endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - revocation
Token stringParam Name - Designate token's parameter name for revocation.
- roles
Claims string[] - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- roles
Requireds string[] - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - run
On booleanPreflight - Specifies whether to run this plugin on pre-flight (
OPTIONS
) requests. - scopes
Claims string[] - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- scopes
Requireds string[] - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - search
User booleanInfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- session
Absolute numberTimeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- session
Audience string - The session audience, which is the intended target application. For example
"my-application"
. - string
- The session cookie Domain flag.
- boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - string
- The session cookie name.
- string
- The session cookie Path flag.
- string
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- session
Enforce booleanSame Subject - When set to
true
, audiences are forced to share the same subject. - session
Hash booleanStorage Key - When set to
true
, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie. - session
Hash booleanSubject - When set to
true
, the value of subject is hashed before being stored. Only applies whensession_store_metadata
is enabled. - session
Idling numberTimeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- session
Memcached stringHost - The memcached host.
- session
Memcached numberPort - The memcached port.
- session
Memcached stringPrefix - The memcached session key prefix.
- session
Memcached stringSocket - The memcached unix socket path.
- session
Remember boolean - Enables or disables persistent sessions.
- session
Remember numberAbsolute Timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- string
- Persistent session cookie name. Use with the
remember
configuration parameter. - session
Remember numberRolling Timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- session
Request string[]Headers - Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - session
Response string[]Headers - Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - session
Rolling numberTimeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- session
Secret string - The session secret.
- session
Storage string - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing the session secret, but it is stateless and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - session
Store booleanMetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- ssl
Verify boolean - Verify identity provider server certificate. If set to
true
, the plugin uses the CA certificate set in the kong.conf
config parameter lua_ssl_trusted_certificate
. - timeout number
- Network IO timeout in milliseconds.
- tls
Client stringAuth Cert Id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- tls
Client booleanAuth Ssl Verify - Verify identity provider server certificate during mTLS client authentication.
- token
Cache booleanKey Include Scope - Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- token
Endpoint string - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - token
Endpoint stringAuth Method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - token
Exchange stringEndpoint - The token exchange endpoint.
- token
Headers string[]Clients - Extra headers passed from the client to the token endpoint.
- token
Headers string[]Grants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
: with refresh token grant. - token
Headers string[]Names - Extra header names passed to the token endpoint.
- token
Headers stringPrefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- token
Headers string[]Replays - The names of token endpoint response headers to forward to the downstream client.
- token
Headers string[]Values - Extra header values passed to the token endpoint.
- token
Post string[]Args Clients - Pass extra arguments from the client to the OpenID Connect plugin. If arguments exist, the client can pass them using query parameters, the request body, or a request header. This parameter can be used with scope values, like this: config.token_post_args_client=scope. In this case, the plugin takes the scope value from the query parameter, the request body, or the header and sends it to the token endpoint. - token
Post string[]Args Names - Extra post argument names passed to the token endpoint.
- token
Post string[]Args Values - Extra post argument values passed to the token endpoint.
- boolean
- Destroy any active session for the unauthorized requests.
- string
- The error message for the unauthorized requests (when not using the redirection).
- string[]
- Where to redirect the client on unauthorized requests.
- unexpected
Redirect string[]Uris - Where to redirect the client when unexpected errors happen with the requests.
- upstream
Access stringToken Header - The upstream access token header.
- upstream
Access stringToken Jwk Header - The upstream access token JWK header.
- upstream
Headers string[]Claims - The upstream header claims. Only top level claims are supported.
- upstream
Headers string[]Names - The upstream header names for the claim values.
- upstream
Id stringToken Header - The upstream id token header.
- upstream
Id stringToken Jwk Header - The upstream id token JWK header.
- upstream
Introspection stringHeader - The upstream introspection header.
- upstream
Introspection stringJwt Header - The upstream introspection JWT header.
- upstream
Refresh stringToken Header - The upstream refresh token header.
- upstream
Session stringId Header - The upstream session id header.
- upstream
User stringInfo Header - The upstream user info header.
- upstream
User stringInfo Jwt Header - The upstream user info JWT header (in case the user info returns a JWT response).
- userinfo
Accept string - The value of
Accept
header for user info requests: -application/json
: user info response as JSON -application/jwt
: user info response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt"] - userinfo
Endpoint string - The user info endpoint. If set it overrides the value in
userinfo_endpoint
returned by the discovery endpoint. - userinfo
Headers string[]Clients - Extra headers passed from the client to the user info endpoint.
- userinfo
Headers string[]Names - Extra header names passed to the user info endpoint.
- userinfo
Headers string[]Values - Extra header values passed to the user info endpoint.
- userinfo
Query string[]Args Clients - Extra query arguments passed from the client to the user info endpoint.
- userinfo
Query string[]Args Names - Extra query argument names passed to the user info endpoint.
- userinfo
Query string[]Args Values - Extra query argument values passed to the user info endpoint.
- using_pseudo_issuer bool - Whether the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer. - verify
Claims boolean - Verify tokens for standard claims.
- verify
Nonce boolean - Verify nonce on authorization code flow.
- verify
Parameters boolean - Verify plugin configuration against discovery.
- verify
Signature boolean - Verify signature of tokens.
- scopes Sequence[str]
- The scopes passed to the authorization and token endpoints.
- anonymous str
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer's id or username attribute, and not its custom_id. - audience_
claims Sequence[str] - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- audience_
requireds Sequence[str] - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - audiences Sequence[str]
- The audience passed to the authorization endpoint.
- auth_
methods Sequence[str] - Types of credentials/grants to enable.
- authenticated_groups_claims Sequence[str] - The claim that contains authenticated groups. This setting can be used together with the ACL plugin, but it also enables IdP-managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- str
- The authorization cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - str
- The authorization cookie name.
- str
- The authorization cookie Path flag.
- str
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- str
- The authorization endpoint. If set it overrides the value in
authorization_endpoint
returned by the discovery endpoint. - Sequence[str]
- Extra query arguments passed from the client to the authorization endpoint.
- Sequence[str]
- Extra query argument names passed to the authorization endpoint.
- Sequence[str]
- Extra query argument values passed to the authorization endpoint.
- float
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- str
- The name of the cookie in which the bearer token is passed.
- bearer_
token_ Sequence[str]param_ types - Where to look for the bearer token: -
header
: search theAuthorization
,access-token
, andx-access-token
HTTP headers -query
: search the URL's query string -body
: search the HTTP request body -cookie
: search the HTTP request cookies specified withconfig.bearer_token_cookie_name
. - by_
username_ boolignore_ case - If
consumer_by
is set tousername
, specify whetherusername
can match consumers case-insensitively. - cache_
introspection bool - Cache the introspection endpoint requests.
- cache_
token_ boolexchange - Cache the token exchange endpoint requests.
- cache_
tokens bool - Cache the token endpoint requests.
- cache_
tokens_ strsalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- cache_
ttl float - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- cache_
ttl_ floatmax - The maximum cache ttl in seconds (enforced).
- cache_
ttl_ floatmin - The minimum cache ttl in seconds (enforced).
- cache_
ttl_ floatneg - The negative cache ttl in seconds.
- cache_
ttl_ floatresurrect - The resurrection ttl in seconds.
- cache_
user_ boolinfo - Cache the user info requests.
- claims_
forbiddens Sequence[str] - If given, these claims are forbidden in the token payload.
- client_algs Sequence[str] - The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
- client_
arg str - The client to use for this request (the selection is made with a request parameter with the same name).
- client_auths Sequence[str] - The OpenID Connect client authentication method. The default is 'client_secret_basic' (using the 'Authorization: Basic' header); the other options are 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
- client_
credentials_ Sequence[str]param_ types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - client_
ids Sequence[str] - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- client_jwks Sequence[GatewayPlugin Openid Connect Config Client Jwk] - The JWK used for the private_key_jwt authentication.
- client_
secrets Sequence[str] - The client secret.
- cluster_cache_redis Gateway Plugin Openid Connect Config Cluster Cache Redis
- cluster_cache_strategy str - The strategy to use for the cluster cache. If set, the plugin will share its cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- consumer_
bies Sequence[str] - Consumer fields used for mapping: -
id
: try to find the matching Consumer byid
-username
: try to find the matching Consumer byusername
-custom_id
: try to find the matching Consumer bycustom_id
. - consumer_
claims Sequence[str] - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer_
optional bool - Do not terminate the request if consumer mapping fails.
- credential_
claims Sequence[str] - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- disable_
sessions Sequence[str] - Disable issuing the session cookie with the specified grants.
- discovery_
headers_ Sequence[str]names - Extra header names passed to the discovery endpoint.
- discovery_
headers_ Sequence[str]values - Extra header values passed to the discovery endpoint.
- display_
errors bool - Display errors on failure responses.
- domains Sequence[str]
- The allowed values for the
hd
claim. - downstream_
access_ strtoken_ header - The downstream access token header.
- downstream_
access_ strtoken_ jwk_ header - The downstream access token JWK header.
- downstream_
headers_ Sequence[str]claims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- downstream_
headers_ Sequence[str]names - The downstream header names for the claim values.
- downstream_
id_ strtoken_ header - The downstream id token header.
- downstream_
id_ strtoken_ jwk_ header - The downstream id token JWK header.
- downstream_
introspection_ strheader - The downstream introspection header.
- downstream_
introspection_ strjwt_ header - The downstream introspection JWT header.
- downstream_
refresh_ strtoken_ header - The downstream refresh token header.
- downstream_
session_ strid_ header - The downstream session id header.
- downstream_
user_ strinfo_ header - The downstream user info header.
- downstream_
user_ strinfo_ jwt_ header - The downstream user info JWT header (in case the user info returns a JWT response).
- dpop_
proof_ floatlifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- dpop_
use_ boolnonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- enable_hs_signatures bool - Enable shared-secret signatures (for example, HS256). When disabled, such signatures are not accepted.
- end_
session_ strendpoint - The end session endpoint. If set it overrides the value in
end_session_endpoint
returned by the discovery endpoint. - expose_
error_ boolcode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to
false
to disable. - extra_
jwks_ Sequence[str]uris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- forbidden_
destroy_ boolsession - Destroy any active session for the forbidden requests.
- forbidden_
error_ strmessage - The error message for the forbidden requests (when not using the redirection).
- forbidden_
redirect_ Sequence[str]uris - Where to redirect the client on forbidden requests.
- groups_
claims Sequence[str] - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- groups_
requireds Sequence[str] - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - hide_
credentials bool - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- http_
proxy str - The HTTP proxy.
- str
- The HTTP proxy authorization.
- http_
version float - The HTTP version used for the requests by this plugin: -
1.1
: HTTP 1.1 (the default) -1.0
: HTTP 1.0. - https_
proxy str - The HTTPS proxy.
- str
- The HTTPS proxy authorization.
- id_
token_ strparam_ name - The name of the parameter used to pass the id token.
- id_
token_ Sequence[str]param_ types - Where to look for the id token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - ignore_
signatures Sequence[str] - Skip the token signature verification on certain grants: -
password
: OAuth password grant -client_credentials
: OAuth client credentials grant -authorization_code
: authorization code flow -refresh_token
: OAuth refresh token grant -session
: session cookie authentication -introspection
: OAuth introspection -userinfo
: OpenID Connect user info endpoint authentication. - introspect_
jwt_ booltokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- introspection_
accept str - The value of
Accept
header for introspection requests: -application/json
: introspection response as JSON -application/token-introspection+jwt
: introspection response as JWT (from the current IETF draft document) -application/jwt
: introspection response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - introspection_
check_ boolactive - Check that the introspection response has an
active
claim with a value oftrue
. - introspection_
endpoint str - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - introspection_endpoint_auth_method str - The introspection endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - introspection_
headers_ Sequence[str]clients - Extra headers passed from the client to the introspection endpoint.
- introspection_
headers_ Sequence[str]names - Extra header names passed to the introspection endpoint.
- introspection_
headers_ Sequence[str]values - Extra header values passed to the introspection endpoint.
- introspection_
hint str - Introspection hint parameter value passed to the introspection endpoint.
- introspection_
post_ Sequence[str]args_ client_ headers - Extra post arguments passed from the client headers to the introspection endpoint.
- introspection_
post_ Sequence[str]args_ clients - Extra post arguments passed from the client to the introspection endpoint.
- introspection_
post_ Sequence[str]args_ names - Extra post argument names passed to the introspection endpoint.
- introspection_
post_ Sequence[str]args_ values - Extra post argument values passed to the introspection endpoint.
- introspection_
token_ strparam_ name - Designate token's parameter name for introspection.
- issuer str
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure
config.using_pseudo_issuer=true
. - issuers_
alloweds Sequence[str] - The issuers allowed to be present in the tokens (
iss
claim). - jwt_
session_ strclaim - The claim to match against the JWT session cookie.
- str
- The name of the JWT session cookie.
- keepalive bool
- Use keepalive with the HTTP client.
- leeway float
- Defines leeway time (in seconds) for
auth_time
,exp
,iat
, andnbf
claims - login_
action str - What to do after successful login: -
upstream
: proxy request to upstream service -response
: terminate request with a response -redirect
: redirect to a different location. must be one of ["redirect", "response", "upstream"] - login_
methods Sequence[str] - Enable login functionality with specified grants.
- login_
redirect_ strmode - Where to place
login_tokens
when usingredirect
login_action
: -query
: place tokens in query string -fragment
: place tokens in url fragment (not readable by servers). must be one of ["fragment", "query"] - login_
redirect_ Sequence[str]uris - Where to redirect the client when
login_action
is set toredirect
. - login_
tokens Sequence[str] - What tokens to include in
response
body orredirect
query string or fragment: -id_token
: include id token -access_token
: include access token -refresh_token
: include refresh token -tokens
: include the full token endpoint response -introspection
: include introspection response. - logout_
methods Sequence[str] - The request methods that can activate the logout: -
POST
: HTTP POST method -GET
: HTTP GET method -DELETE
: HTTP DELETE method. - logout_
post_ strarg - The request body argument that activates the logout.
- logout_
query_ strarg - The request query argument that activates the logout.
- logout_
redirect_ Sequence[str]uris - Where to redirect the client after the logout.
- logout_
revoke bool - Revoke tokens as part of the logout.
- logout_
revoke_ boolaccess_ token - Revoke the access token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout_
revoke_ boolrefresh_ token - Revoke the refresh token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout_
uri_ strsuffix - The request URI suffix that activates the logout.
- max_
age float - The maximum age (in seconds) compared to the
auth_time
claim. - mtls_
introspection_ strendpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls_
revocation_ strendpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls_
token_ strendpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - no_
proxy str - Do not use proxy with these hosts.
- password_
param_ Sequence[str]types - Where to look for the username and password: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - preserve_
query_ boolargs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- proof_
of_ boolpossession_ auth_ methods_ validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- proof_of_possession_dpop str - Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all requests are verified regardless of the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound to a DPoP key are verified with the proof. must be one of ["off", "optional", "strict"]
- proof_
of_ strpossession_ mtls - Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- str
- The pushed authorization endpoint. If set it overrides the value in
pushed_authorization_request_endpoint
returned by the discovery endpoint. - str
- The pushed authorization request endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - redirect_
uris Sequence[str] - The redirect URI passed to the authorization and token endpoints.
- redis
Gateway
Plugin Openid Connect Config Redis - rediscovery_
lifetime float - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- refresh_
token_ strparam_ name - The name of the parameter used to pass the refresh token.
- refresh_
token_ Sequence[str]param_ types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - refresh_
tokens bool - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - require_proof_key_for_code_exchange bool - Forcibly enable or disable the proof key for code exchange. When not set, the value is determined through discovery using the value of code_challenge_methods_supported, and enabled automatically (if code_challenge_methods_supported is missing, PKCE will not be enabled). - bool
- Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of
require_pushed_authorization_requests
(which defaults tofalse
). - require_
signed_ boolrequest_ object - Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of
require_signed_request_object
, and enabled automatically (in case therequire_signed_request_object
is missing, the feature will not be enabled). - resolve_
distributed_ boolclaims - Distributed claims are represented by the
_claim_names
and_claim_sources
members of the JSON object containing the claims. If this parameter is set totrue
, the plugin explicitly resolves these distributed claims. - response_
mode str - Response mode passed to the authorization endpoint: -
query
: for parameters in query string -form_post
: for parameters in request body -fragment
: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) -query.jwt
,form_post.jwt
,fragment.jwt
: similar toquery
,form_post
andfragment
but the parameters are encoded in a JWT -jwt
: shortcut that indicates the default encoding for the requested response type. must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - response_
types Sequence[str] - The response type passed to the authorization endpoint.
- reverify bool
- Specifies whether to always verify tokens stored in the session.
- revocation_
endpoint str - The revocation endpoint. If set it overrides the value in
revocation_endpoint
returned by the discovery endpoint. - revocation_endpoint_auth_method str - The revocation endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - revocation_
token_ strparam_ name - Designate token's parameter name for revocation.
- roles_
claims Sequence[str] - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- roles_
requireds Sequence[str] - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - run_
on_ boolpreflight - Specifies whether to run this plugin on pre-flight (
OPTIONS
) requests. - scopes_
claims Sequence[str] - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- scopes_
requireds Sequence[str] - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - search_
user_ boolinfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- session_
absolute_ floattimeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- session_
audience str - The session audience, which is the intended target application. For example
"my-application"
. - str
- The session cookie Domain flag.
- bool
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - str
- The session cookie name.
- str
- The session cookie Path flag.
- str
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- bool
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- session_
enforce_ boolsame_ subject - When set to
true
, audiences are forced to share the same subject. - session_hash_storage_key bool - When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means the data in the storage cannot be decrypted without the cookie. - session_
hash_ boolsubject - When set to
true
, the value of subject is hashed before being stored. Only applies whensession_store_metadata
is enabled. - session_
idling_ floattimeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- session_
memcached_ strhost - The memcached host.
- session_
memcached_ floatport - The memcached port.
- session_
memcached_ strprefix - The memcached session key prefix.
- session_
memcached_ strsocket - The memcached unix socket path.
- session_
remember bool - Enables or disables persistent sessions.
- session_
remember_ floatabsolute_ timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- str
- Persistent session cookie name. Use with the
remember
configuration parameter. - session_
remember_ floatrolling_ timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- session_
request_ Sequence[str]headers - Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - session_
response_ Sequence[str]headers - Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - session_
rolling_ floattimeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- session_
secret str - The session secret.
- session_
storage str - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - session_
store_ boolmetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- ssl_verify bool - Verify the identity provider's server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate. - timeout float
- Network IO timeout in milliseconds.
- tls_
client_ strauth_ cert_ id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- tls_
client_ boolauth_ ssl_ verify - Verify identity provider server certificate during mTLS client authentication.
- token_cache_key_include_scope bool - Include the scope in the token cache key, so tokens with different scopes are considered different tokens.
- token_
endpoint str - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - token_
endpoint_ strauth_ method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - token_
exchange_ strendpoint - The token exchange endpoint.
- token_
headers_ Sequence[str]clients - Extra headers passed from the client to the token endpoint.
- token_
headers_ Sequence[str]grants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
: with refresh token grant. - token_
headers_ Sequence[str]names - Extra header names passed to the token endpoint.
- token_
headers_ strprefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- token_
headers_ Sequence[str]replays - The names of token endpoint response headers to forward to the downstream client.
- token_
headers_ Sequence[str]values - Extra header values passed to the token endpoint.
- token_
post_args_clients Sequence[str] - Pass extra arguments from the client to the OpenID Connect plugin. If arguments exist, the client can pass them using query parameters, the request body, or a request header. This parameter can be used with scope values, like this: config.token_post_args_client=scope. In this case, the plugin takes the scope value from the query parameter, the request body, or the header and sends it to the token endpoint. - token_
post_ Sequence[str]args_ names - Extra post argument names passed to the token endpoint.
- token_
post_ Sequence[str]args_ values - Extra post argument values passed to the token endpoint.
- bool
- Destroy any active session for the unauthorized requests.
- str
- The error message for the unauthorized requests (when not using the redirection).
- Sequence[str]
- Where to redirect the client on unauthorized requests.
- unexpected_
redirect_ Sequence[str]uris - Where to redirect the client when unexpected errors happen with the requests.
- upstream_
access_ strtoken_ header - The upstream access token header.
- upstream_
access_ strtoken_ jwk_ header - The upstream access token JWK header.
- upstream_
headers_ Sequence[str]claims - The upstream header claims. Only top level claims are supported.
- upstream_
headers_ Sequence[str]names - The upstream header names for the claim values.
- upstream_
id_ strtoken_ header - The upstream id token header.
- upstream_
id_ strtoken_ jwk_ header - The upstream id token JWK header.
- upstream_
introspection_ strheader - The upstream introspection header.
- upstream_
introspection_ strjwt_ header - The upstream introspection JWT header.
- upstream_
refresh_ strtoken_ header - The upstream refresh token header.
- upstream_
session_ strid_ header - The upstream session id header.
- upstream_
user_ strinfo_ header - The upstream user info header.
- upstream_
user_ strinfo_ jwt_ header - The upstream user info JWT header (in case the user info returns a JWT response).
- userinfo_
accept str - The value of
Accept
header for user info requests: -application/json
: user info response as JSON -application/jwt
: user info response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt"] - userinfo_
endpoint str - The user info endpoint. If set it overrides the value in
userinfo_endpoint
returned by the discovery endpoint. - userinfo_
headers_ Sequence[str]clients - Extra headers passed from the client to the user info endpoint.
- userinfo_
headers_ Sequence[str]names - Extra header names passed to the user info endpoint.
- userinfo_
headers_ Sequence[str]values - Extra header values passed to the user info endpoint.
- userinfo_
query_ Sequence[str]args_ clients - Extra query arguments passed from the client to the user info endpoint.
- userinfo_
query_ Sequence[str]args_ names - Extra query argument names passed to the user info endpoint.
- userinfo_
query_ Sequence[str]args_ values - Extra query argument values passed to the user info endpoint.
- using_
pseudo_ boolissuer - If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with
config.issuer
. - verify_
claims bool - Verify tokens for standard claims.
- verify_
nonce bool - Verify nonce on authorization code flow.
- verify_
parameters bool - Verify plugin configuration against discovery.
- verify_
signature bool - Verify signature of tokens.
- scopes List<String>
- The scopes passed to the authorization and token endpoints.
- anonymous String
- An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a
4xx
HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
- audience
Claims List<String> - The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
- audience
Requireds List<String> - The audiences (
audience_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - audiences List<String>
- The audience passed to the authorization endpoint.
- auth
Methods List<String> - Types of credentials/grants to enable.
- authenticated
Groups List<String>Claims - The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
- String
- The authorization cookie Domain flag.
- Boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - String
- The authorization cookie name.
- String
- The authorization cookie Path flag.
- String
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- Boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- String
- The authorization endpoint. If set it overrides the value in
authorization_endpoint
returned by the discovery endpoint. - List<String>
- Extra query arguments passed from the client to the authorization endpoint.
- List<String>
- Extra query argument names passed to the authorization endpoint.
- List<String>
- Extra query argument values passed to the authorization endpoint.
- Number
- Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- String
- The name of the cookie in which the bearer token is passed.
- bearer
Token List<String>Param Types - Where to look for the bearer token: -
header
: search theAuthorization
,access-token
, andx-access-token
HTTP headers -query
: search the URL's query string -body
: search the HTTP request body -cookie
: search the HTTP request cookies specified withconfig.bearer_token_cookie_name
. - by
Username BooleanIgnore Case - If
consumer_by
is set tousername
, specify whetherusername
can match consumers case-insensitively. - cache
Introspection Boolean - Cache the introspection endpoint requests.
- cache
Token BooleanExchange - Cache the token exchange endpoint requests.
- cache
Tokens Boolean - Cache the token endpoint requests.
- cache
Tokens StringSalt - Salt used for generating the cache key that is used for caching the token endpoint requests.
- cache
Ttl Number - The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- cache
Ttl NumberMax - The maximum cache ttl in seconds (enforced).
- cache
Ttl NumberMin - The minimum cache ttl in seconds (enforced).
- cache
Ttl NumberNeg - The negative cache ttl in seconds.
- cache
Ttl NumberResurrect - The resurrection ttl in seconds.
- cache
User BooleanInfo - Cache the user info requests.
- claims
Forbiddens List<String> - If given, these claims are forbidden in the token payload.
- client
Algs List<String> - The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
- client
Arg String - The client to use for this request (the selection is made with a request parameter with the same name).
- client
Auths List<String> - The default OpenID Connect client authentication method is 'client_secret_basic' (using the 'Authorization: Basic' header); the other methods are 'client_secret_post' (credentials in the body), 'client_secret_jwt' (signed client assertion in the body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
- client
Credentials List<String>Param Types - Where to look for the client credentials: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search from the HTTP request body. - client
Ids List<String> - The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
- client
Jwks List<Property Map> - The JWK used for the private_key_jwt authentication.
- client
Secrets List<String> - The client secret.
- cluster
Cache Property MapRedis - cluster
Cache StringStrategy - The strategy to use for the cluster cache. If set, the plugin will share its cache with nodes configured with the same strategy backend. Currently only the introspection cache is shared. must be one of ["off", "redis"]
- consumer
Bies List<String> - Consumer fields used for mapping: -
id
: try to find the matching Consumer byid
-username
: try to find the matching Consumer byusername
-custom_id
: try to find the matching Consumer bycustom_id
. - consumer
Claims List<String> - The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
- consumer
Optional Boolean - Do not terminate the request if consumer mapping fails.
- credential
Claims List<String> - The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
- disable
Sessions List<String> - Disable issuing the session cookie with the specified grants.
- discovery
Headers List<String>Names - Extra header names passed to the discovery endpoint.
- discovery
Headers List<String>Values - Extra header values passed to the discovery endpoint.
- display
Errors Boolean - Display errors on failure responses.
- domains List<String>
- The allowed values for the
hd
claim. - downstream
Access StringToken Header - The downstream access token header.
- downstream
Access StringToken Jwk Header - The downstream access token JWK header.
- downstream
Headers List<String>Claims - The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
- downstream
Headers List<String>Names - The downstream header names for the claim values.
- downstream
Id StringToken Header - The downstream id token header.
- downstream
Id StringToken Jwk Header - The downstream id token JWK header.
- downstream
Introspection StringHeader - The downstream introspection header.
- downstream
Introspection StringJwt Header - The downstream introspection JWT header.
- downstream
Refresh StringToken Header - The downstream refresh token header.
- downstream
Session StringId Header - The downstream session id header.
- downstream
User StringInfo Header - The downstream user info header.
- downstream
User StringInfo Jwt Header - The downstream user info JWT header (in case the user info returns a JWT response).
- dpop
Proof NumberLifetime - Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
- dpop
Use BooleanNonce - Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
- enable
Hs BooleanSignatures - Enable shared-secret signatures, for example HS256 (when disabled, such signatures will not be accepted).
- end
Session StringEndpoint - The end session endpoint. If set it overrides the value in
end_session_endpoint
returned by the discovery endpoint. - expose
Error BooleanCode - Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to
false
to disable. - extra
Jwks List<String>Uris - JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- forbidden
Destroy BooleanSession - Destroy any active session for the forbidden requests.
- forbidden
Error StringMessage - The error message for the forbidden requests (when not using the redirection).
- forbidden
Redirect List<String>Uris - Where to redirect the client on forbidden requests.
- groups
Claims List<String> - The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
- groups
Requireds List<String> - The groups (
groups_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - hide
Credentials Boolean - Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- http
Proxy String - The HTTP proxy.
- String
- The HTTP proxy authorization.
- http
Version Number - The HTTP version used for the requests by this plugin: -
1.1
: HTTP 1.1 (the default) -1.0
: HTTP 1.0. - https
Proxy String - The HTTPS proxy.
- String
- The HTTPS proxy authorization.
- id
Token StringParam Name - The name of the parameter used to pass the id token.
- id
Token List<String>Param Types - Where to look for the id token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - ignore
Signatures List<String> - Skip the token signature verification on certain grants: -
password
: OAuth password grant -client_credentials
: OAuth client credentials grant -authorization_code
: authorization code flow -refresh_token
: OAuth refresh token grant -session
: session cookie authentication -introspection
: OAuth introspection -userinfo
: OpenID Connect user info endpoint authentication. - introspect
Jwt BooleanTokens - Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- introspection
Accept String - The value of
Accept
header for introspection requests: -application/json
: introspection response as JSON -application/token-introspection+jwt
: introspection response as JWT (from the current IETF draft document) -application/jwt
: introspection response as JWT (from the obsolete IETF draft document). must be one of ["application/json", "application/jwt", "application/token-introspection+jwt"] - introspection
Check BooleanActive - Check that the introspection response has an
active
claim with a value oftrue
. - introspection
Endpoint String - The introspection endpoint. If set it overrides the value in
introspection_endpoint
returned by the discovery endpoint. - introspection
Endpoint StringAuth Method - The introspection endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - introspection
Headers List<String>Clients - Extra headers passed from the client to the introspection endpoint.
- introspection
Headers List<String>Names - Extra header names passed to the introspection endpoint.
- introspection
Headers List<String>Values - Extra header values passed to the introspection endpoint.
- introspection
Hint String - Introspection hint parameter value passed to the introspection endpoint.
- introspection
Post List<String>Args Client Headers - Extra post arguments passed from the client headers to the introspection endpoint.
- introspection
Post List<String>Args Clients - Extra post arguments passed from the client to the introspection endpoint.
- introspection
Post List<String>Args Names - Extra post argument names passed to the introspection endpoint.
- introspection
Post List<String>Args Values - Extra post argument values passed to the introspection endpoint.
- introspection
Token StringParam Name - Designate token's parameter name for introspection.
- issuer String
- The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure
config.using_pseudo_issuer=true
. - issuers
Alloweds List<String> - The issuers allowed to be present in the tokens (
iss
claim). - jwt
Session StringClaim - The claim to match against the JWT session cookie.
- String
- The name of the JWT session cookie.
- keepalive Boolean
- Use keepalive with the HTTP client.
- leeway Number
- Defines leeway time (in seconds) for
auth_time
,exp
,iat
, andnbf
claims - login
Action String - What to do after successful login: -
upstream
: proxy request to upstream service -response
: terminate request with a response -redirect
: redirect to a different location. must be one of ["redirect", "response", "upstream"] - login
Methods List<String> - Enable login functionality with specified grants.
- login
Redirect StringMode - Where to place
login_tokens
when usingredirect
login_action
: -query
: place tokens in query string -fragment
: place tokens in url fragment (not readable by servers). must be one of ["fragment", "query"] - login
Redirect List<String>Uris - Where to redirect the client when
login_action
is set toredirect
. - login
Tokens List<String> - What tokens to include in
response
body orredirect
query string or fragment: -id_token
: include id token -access_token
: include access token -refresh_token
: include refresh token -tokens
: include the full token endpoint response -introspection
: include introspection response. - logout
Methods List<String> - The request methods that can activate the logout: -
POST
: HTTP POST method -GET
: HTTP GET method -DELETE
: HTTP DELETE method. - logout
Post StringArg - The request body argument that activates the logout.
- logout
Query StringArg - The request query argument that activates the logout.
- logout
Redirect List<String>Uris - Where to redirect the client after the logout.
- logout
Revoke Boolean - Revoke tokens as part of the logout.
- logout
Revoke BooleanAccess Token - Revoke the access token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout
Revoke BooleanRefresh Token - Revoke the refresh token as part of the logout. Requires
logout_revoke
to be set totrue
. - logout
Uri StringSuffix - The request URI suffix that activates the logout.
- max
Age Number - The maximum age (in seconds) compared to the
auth_time
claim. - mtls
Introspection StringEndpoint - Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Revocation StringEndpoint - Alias for the revocation endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - mtls
Token StringEndpoint - Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in
mtls_endpoint_aliases
returned by the discovery endpoint. - no
Proxy String - Do not use proxy with these hosts.
- password
Param List<String>Types - Where to look for the username and password: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - preserve
Query BooleanArgs - With this parameter, you can preserve request query arguments even when doing authorization code flow.
- proof
Of BooleanPossession Auth Methods Validation - If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
- proof
Of StringPossession Dpop - Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all requests are verified regardless of whether the token carries the DPoP key claim (cnf.jkt). If set to optional, only tokens bound to a DPoP key are verified against the proof. must be one of ["off", "optional", "strict"]
- proof
Of StringPossession Mtls - Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401. must be one of ["off", "optional", "strict"]
- String
- The pushed authorization endpoint. If set it overrides the value in
pushed_authorization_request_endpoint
returned by the discovery endpoint. - String
- The pushed authorization request endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - redirect
Uris List<String> - The redirect URI passed to the authorization and token endpoints.
- redis Property Map
- rediscovery
Lifetime Number - Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
- refresh
Token StringParam Name - The name of the parameter used to pass the refresh token.
- refresh
Token List<String>Param Types - Where to look for the refresh token: -
header
: search the HTTP headers -query
: search the URL's query string -body
: search the HTTP request body. - refresh
Tokens Boolean - Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a
refresh_token
available. - require
Proof BooleanKey For Code Exchange - Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of
code_challenge_methods_supported
, and enabled automatically (in case thecode_challenge_methods_supported
is missing, the PKCE will not be enabled). - Boolean
- Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of
require_pushed_authorization_requests
(which defaults tofalse
). - require
Signed BooleanRequest Object - Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of
require_signed_request_object
, and enabled automatically (in case therequire_signed_request_object
is missing, the feature will not be enabled). - resolve
Distributed BooleanClaims - Distributed claims are represented by the
_claim_names
and_claim_sources
members of the JSON object containing the claims. If this parameter is set totrue
, the plugin explicitly resolves these distributed claims. - response
Mode String - Response mode passed to the authorization endpoint: -
query
: for parameters in query string -form_post
: for parameters in request body -fragment
: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) -query.jwt
,form_post.jwt
,fragment.jwt
: similar toquery
,form_post
andfragment
but the parameters are encoded in a JWT -jwt
: shortcut that indicates the default encoding for the requested response type. must be one of ["form_post", "form_post.jwt", "fragment", "fragment.jwt", "jwt", "query", "query.jwt"] - response
Types List<String> - The response type passed to the authorization endpoint.
- reverify Boolean
- Specifies whether to always verify tokens stored in the session.
- revocation
Endpoint String - The revocation endpoint. If set it overrides the value in
revocation_endpoint
returned by the discovery endpoint. - revocation
Endpoint StringAuth Method - The revocation endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - revocation
Token StringParam Name - Designate token's parameter name for revocation.
- roles
Claims List<String> - The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
- roles
Requireds List<String> - The roles (
roles_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - run
On BooleanPreflight - Specifies whether to run this plugin on pre-flight (
OPTIONS
) requests. - scopes
Claims List<String> - The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
- scopes
Requireds List<String> - The scopes (
scopes_claim
claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases. - search
User BooleanInfo - Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
- session
Absolute NumberTimeout - Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- session
Audience String - The session audience, which is the intended target application. For example
"my-application"
. - String
- The session cookie Domain flag.
- Boolean
- Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property. - String
- The session cookie name.
- String
- The session cookie Path flag.
- String
- Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. must be one of ["Default", "Lax", "None", "Strict"]
- Boolean
- Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
- session
Enforce BooleanSame Subject - When set to
true
, audiences are forced to share the same subject. - session
Hash BooleanStorage Key - When set to
true
, the storage key (session ID) is hashed for extra security. Hashing the storage key means that data in the storage cannot be decrypted without the corresponding cookie. - session
Hash BooleanSubject - When set to
true
, the value of subject is hashed before being stored. Only applies whensession_store_metadata
is enabled. - session
Idling NumberTimeout - Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
- session
Memcached StringHost - The memcached host.
- session
Memcached NumberPort - The memcached port.
- session
Memcached StringPrefix - The memcached session key prefix.
- session
Memcached StringSocket - The memcached unix socket path.
- session
Remember Boolean - Enables or disables persistent sessions.
- session
Remember NumberAbsolute Timeout - Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
- String
- Persistent session cookie name. Use with the
remember
configuration parameter. - session
Remember NumberRolling Timeout - Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
- session
Request List<String>Headers - Set of headers to send to the upstream; allowed values are id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout request headers. - session
Response List<String>Headers - Set of headers to send to the downstream; allowed values are id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g.
[ "id", "timeout" ]
will set Session-Id and Session-Timeout response headers. - session
Rolling NumberTimeout - Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
- session
Secret String - The session secret.
- session
Storage String - The session storage for session data: -
cookie
: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) -memcache
: stores session data in memcached -redis
: stores session data in Redis. must be one of ["cookie", "memcache", "memcached", "redis"] - session
Store BooleanMetadata - Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
- ssl
Verify Boolean - Verify identity provider server certificate. If set to
true
, the plugin uses the CA certificate set in thekong.conf
config parameterlua_ssl_trusted_certificate
. - timeout Number
- Network IO timeout in milliseconds.
- tls
Client StringAuth Cert Id - ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
- tls
Client BooleanAuth Ssl Verify - Verify identity provider server certificate during mTLS client authentication.
- token
Cache BooleanKey Include Scope - Include the scope in the token cache key, so that tokens with different scopes are treated as different tokens.
- token
Endpoint String - The token endpoint. If set it overrides the value in
token_endpoint
returned by the discovery endpoint. - token
Endpoint StringAuth Method - The token endpoint authentication method:
client_secret_basic
,client_secret_post
,client_secret_jwt
,private_key_jwt
,tls_client_auth
,self_signed_tls_client_auth
, ornone
: do not authenticate. must be one of ["client_secret_basic", "client_secret_jwt", "client_secret_post", "none", "private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"] - token
Exchange StringEndpoint - The token exchange endpoint.
- token
Headers List<String>Clients - Extra headers passed from the client to the token endpoint.
- token
Headers List<String>Grants - Enable the sending of the token endpoint response headers only with certain grants: -
password
: with OAuth password grant -client_credentials
: with OAuth client credentials grant -authorization_code
: with authorization code flow -refresh_token
with refresh token grant. - token
Headers List<String>Names - Extra header names passed to the token endpoint.
- token
Headers StringPrefix - Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- token
Headers List<String>Replays - The names of token endpoint response headers to forward to the downstream client.
- token
Headers List<String>Values - Extra header values passed to the token endpoint.
- token
Post List<String>Args Clients - Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with
scope
values, like this:config.token_post_args_client=scope
In this case, the token would take thescope
value from the query parameter or from the request body or from the header and send it to the token endpoint. - token
Post List<String>Args Names - Extra post argument names passed to the token endpoint.
- token
Post List<String>Args Values - Extra post argument values passed to the token endpoint.
- Boolean
- Destroy any active session for the unauthorized requests.
- String
- The error message for the unauthorized requests (when not using the redirection).
- List<String>
- Where to redirect the client on unauthorized requests.
- unexpected
Redirect List<String>Uris - Where to redirect the client when unexpected errors happen with the requests.
- upstream
Access StringToken Header - The upstream access token header.
- upstream
Access StringToken Jwk Header - The upstream access token JWK header.
- upstream
Headers List<String>Claims - The upstream header claims. Only top level claims are supported.
- upstream
Headers List<String>Names - The upstream header names for the claim values.
- upstream
Id StringToken Header - The upstream id token header.
- upstream
Id StringToken Jwk Header - The upstream id token JWK header.
- upstream
Introspection StringHeader - The upstream introspection header.
- upstream
Introspection StringJwt Header - The upstream introspection JWT header.
- upstream
Refresh StringToken Header - The upstream refresh token header.
- upstream
Session StringId Header - The upstream session id header.
- upstream
User StringInfo Header - The upstream user info header.
- upstream
User StringInfo Jwt Header - The upstream user info JWT header (in case the user info returns a JWT response).
- userinfo
Accept String - The value of the `Accept` header for user info requests: `application/json` returns the user info response as JSON; `application/jwt` returns it as a JWT (from the obsolete IETF draft document). Must be one of ["application/json", "application/jwt"]. - userinfo
Endpoint String - The user info endpoint. If set, it overrides the `userinfo_endpoint` value returned by the discovery endpoint. - userinfo
Headers List<String>Clients - Extra headers passed from the client to the user info endpoint.
- userinfo
Headers List<String>Names - Extra header names passed to the user info endpoint.
- userinfo
Headers List<String>Values - Extra header values passed to the user info endpoint.
- userinfo
Query List<String>Args Clients - Extra query arguments passed from the client to the user info endpoint.
- userinfo
Query List<String>Args Names - Extra query argument names passed to the user info endpoint.
- userinfo
Query List<String>Args Values - Extra query argument values passed to the user info endpoint.
- using
Pseudo BooleanIssuer - Whether the plugin uses a pseudo issuer. When set to true, the plugin does not discover the configuration from the issuer URL specified with `config.issuer`. - verify
Claims Boolean - Verify tokens for standard claims.
- verify
Nonce Boolean - Verify nonce on authorization code flow.
- verify
Parameters Boolean - Verify plugin configuration against discovery.
- verify
Signature Boolean - Verify signature of tokens.
GatewayPluginOpenidConnectConfigClientJwk, GatewayPluginOpenidConnectConfigClientJwkArgs
GatewayPluginOpenidConnectConfigClusterCacheRedis, GatewayPluginOpenidConnectConfigClusterCacheRedisArgs
- Cluster
Max doubleRedirections - Maximum retry attempts for redirection.
- Cluster
Nodes List<GatewayPlugin Openid Connect Config Cluster Cache Redis Cluster Node> - Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - Connect
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Connection
Is boolProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - Database double
- Database to use for the Redis connection when using the `redis` strategy. - Host string
- A string representing a host name, such as example.com.
- Keepalive
Backlog double - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - Keepalive
Pool doubleSize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - Password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- Port double
- An integer representing a port number between 0 and 65535, inclusive.
- Read
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Send
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- Sentinel
Nodes List<GatewayPlugin Openid Connect Config Cluster Cache Redis Sentinel Node> - Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using Redis Sentinel. The minimum length of the array is 1 element. - Sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- Sentinel
Role string - Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Must be one of ["any", "master", "slave"]. - Sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- Server
Name string - A string representing an SNI (server name indication) value for TLS.
- Ssl bool
- If set to true, uses SSL to connect to Redis.
- Ssl
Verify bool - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - Username string
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- Cluster
Max float64Redirections - Maximum retry attempts for redirection.
- Cluster
Nodes []GatewayPlugin Openid Connect Config Cluster Cache Redis Cluster Node - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - Connect
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Connection
Is boolProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - Database float64
- Database to use for the Redis connection when using the
redis
strategy - Host string
- A string representing a host name, such as example.com.
- Keepalive
Backlog float64 - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - Keepalive
Pool float64Size - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - Password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- Port float64
- An integer representing a port number between 0 and 65535, inclusive.
- Read
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Send
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- Sentinel
Nodes []GatewayPlugin Openid Connect Config Cluster Cache Redis Sentinel Node - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - Sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- Sentinel
Role string - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - Sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- Server
Name string - A string representing an SNI (server name indication) value for TLS.
- Ssl bool
- If set to true, uses SSL to connect to Redis.
- Ssl
Verify bool - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - Username string
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster
Max DoubleRedirections - Maximum retry attempts for redirection.
- cluster
Nodes List<GatewayPlugin Openid Connect Config Cluster Cache Redis Cluster Node> - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection
Is BooleanProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - database Double
- Database to use for the Redis connection when using the
redis
strategy - host String
- A string representing a host name, such as example.com.
- keepalive
Backlog Double - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - keepalive
Pool DoubleSize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - password String
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port Double
- An integer representing a port number between 0 and 65535, inclusive.
- read
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master String - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes List<GatewayPlugin Openid Connect Config Cluster Cache Redis Sentinel Node> - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password String - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role String - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username String - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name String - A string representing an SNI (server name indication) value for TLS.
- ssl Boolean
- If set to true, uses SSL to connect to Redis.
- ssl
Verify Boolean - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - username String
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster
Max numberRedirections - Maximum retry attempts for redirection.
- cluster
Nodes GatewayPlugin Openid Connect Config Cluster Cache Redis Cluster Node[] - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection
Is booleanProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - database number
- Database to use for the Redis connection when using the
redis
strategy - host string
- A string representing a host name, such as example.com.
- keepalive
Backlog number - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - keepalive
Pool numberSize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port number
- An integer representing a port number between 0 and 65535, inclusive.
- read
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes GatewayPlugin Openid Connect Config Cluster Cache Redis Sentinel Node[] - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role string - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name string - A string representing an SNI (server name indication) value for TLS.
- ssl boolean
- If set to true, uses SSL to connect to Redis.
- ssl
Verify boolean - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - username string
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster_
max_ floatredirections - Maximum retry attempts for redirection.
- cluster_
nodes Sequence[GatewayPlugin Openid Connect Config Cluster Cache Redis Cluster Node] - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection_
is_ boolproxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - database float
- Database to use for the Redis connection when using the
redis
strategy - host str
- A string representing a host name, such as example.com.
- keepalive_
backlog float - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - keepalive_
pool_ floatsize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - password str
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port float
- An integer representing a port number between 0 and 65535, inclusive.
- read_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel_
master str - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel_
nodes Sequence[GatewayPlugin Openid Connect Config Cluster Cache Redis Sentinel Node] - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel_
password str - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel_
role str - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel_
username str - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server_
name str - A string representing an SNI (server name indication) value for TLS.
- ssl bool
- If set to true, uses SSL to connect to Redis.
- ssl_
verify bool - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - username str
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster
Max NumberRedirections - Maximum retry attempts for redirection.
- cluster
Nodes List<Property Map> - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection
Is BooleanProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - database Number
- Database to use for the Redis connection when using the
redis
strategy - host String
- A string representing a host name, such as example.com.
- keepalive
Backlog Number - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - keepalive
Pool NumberSize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - password String
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port Number
- An integer representing a port number between 0 and 65535, inclusive.
- read
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master String - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes List<Property Map> - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password String - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role String - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username String - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name String - A string representing an SNI (server name indication) value for TLS.
- ssl Boolean
- If set to true, uses SSL to connect to Redis.
- ssl
Verify Boolean - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - username String
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode, GatewayPluginOpenidConnectConfigClusterCacheRedisClusterNodeArgs
GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode, GatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNodeArgs
GatewayPluginOpenidConnectConfigRedis, GatewayPluginOpenidConnectConfigRedisArgs
- Cluster
Max doubleRedirections - Maximum retry attempts for redirection.
- Cluster
Nodes List<GatewayPlugin Openid Connect Config Redis Cluster Node> - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - Connect
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Connection
Is boolProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - Database double
- Database to use for the Redis connection when using the
redis
strategy - Host string
- A string representing a host name, such as example.com.
- Keepalive
Backlog double - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - Keepalive
Pool doubleSize - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - Password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- Port double
- An integer representing a port number between 0 and 65535, inclusive.
- Prefix string
- The Redis session key prefix.
- Read
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Send
Timeout double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- Sentinel
Nodes List<GatewayPlugin Openid Connect Config Redis Sentinel Node> - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - Sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- Sentinel
Role string - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - Sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- Server
Name string - A string representing an SNI (server name indication) value for TLS.
- Socket string
- The Redis unix socket path.
- Ssl bool
- If set to true, uses SSL to connect to Redis.
- Ssl
Verify bool - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - Username string
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- Cluster
Max float64Redirections - Maximum retry attempts for redirection.
- Cluster
Nodes []GatewayPlugin Openid Connect Config Redis Cluster Node - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - Connect
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Connection
Is boolProxied - If the connection to Redis is proxied (e.g. through Envoy), set this to `true` and point `host` and `port` at the proxy address. - Database float64
- Database to use for the Redis connection when using the
redis
strategy - Host string
- A string representing a host name, such as example.com.
- Keepalive
Backlog float64 - Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is also full, subsequent connect operations fail and return `nil`. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool drops below `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`. - Keepalive
Pool float64Size - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is, the pool uses the default size. Try increasing this value (e.g. to 512) if latency is high or throughput is low. - Password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- Port float64
- An integer representing a port number between 0 and 65535, inclusive.
- Prefix string
- The Redis session key prefix.
- Read
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Send
Timeout float64 - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- Sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- Sentinel
Nodes []GatewayPlugin Openid Connect Config Redis Sentinel Node - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - Sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- Sentinel
Role string - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - Sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- Server
Name string - A string representing an SNI (server name indication) value for TLS.
- Socket string
- The Redis unix socket path.
- Ssl bool
- If set to true, uses SSL to connect to Redis.
- Ssl
Verify bool - If set to true, verifies the validity of the Redis server's SSL certificate; when left false, `ssl` encrypts the connection but the server's identity is not checked. When enabling this, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server; you may also need to set `lua_ssl_verify_depth` accordingly. - Username string
- Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster
Max DoubleRedirections - Maximum retry attempts for redirection.
- cluster
Nodes List<GatewayPlugin Openid Connect Config Redis Cluster Node> - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection Is Proxied Boolean - If the connection to Redis is proxied (e.g. Envoy), set it to `true`. Set the `host` and `port` to point to the proxy address.
- database Double
- Database to use for the Redis connection when using the
redis
strategy - host String
- A string representing a host name, such as example.com.
- keepalive Backlog Double - Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.
- keepalive Pool Size Double - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
- password String
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port Double
- An integer representing a port number between 0 and 65535, inclusive.
- prefix String
- The Redis session key prefix.
- read
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout Double - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master String - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes List<GatewayPlugin Openid Connect Config Redis Sentinel Node> - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password String - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role String - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username String - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name String - A string representing an SNI (server name indication) value for TLS.
- socket String
- The Redis unix socket path.
- ssl Boolean
- If set to true, uses SSL to connect to Redis.
- ssl Verify Boolean - If set to true, verifies the validity of the server SSL certificate; if false, the certificate is not checked. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
- username String - Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster Max Redirections number - Maximum retry attempts for redirection.
- cluster
Nodes GatewayPlugin Openid Connect Config Redis Cluster Node[] - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection Is Proxied boolean - If the connection to Redis is proxied (e.g. Envoy), set it to `true`. Set the `host` and `port` to point to the proxy address.
- database number
- Database to use for the Redis connection when using the
redis
strategy - host string
- A string representing a host name, such as example.com.
- keepalive Backlog number - Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.
- keepalive Pool Size number - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
- password string
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port number
- An integer representing a port number between 0 and 65535, inclusive.
- prefix string
- The Redis session key prefix.
- read
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master string - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes GatewayPlugin Openid Connect Config Redis Sentinel Node[] - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password string - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role string - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username string - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name string - A string representing an SNI (server name indication) value for TLS.
- socket string
- The Redis unix socket path.
- ssl boolean
- If set to true, uses SSL to connect to Redis.
- ssl Verify boolean - If set to true, verifies the validity of the server SSL certificate; if false, the certificate is not checked. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
- username string - Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster_max_redirections float - Maximum retry attempts for redirection.
- cluster_
nodes Sequence[GatewayPlugin Openid Connect Config Redis Cluster Node] - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection_is_proxied bool - If the connection to Redis is proxied (e.g. Envoy), set it to `true`. Set the `host` and `port` to point to the proxy address.
- database float
- Database to use for the Redis connection when using the
redis
strategy - host str
- A string representing a host name, such as example.com.
- keepalive_backlog float - Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.
- keepalive_pool_size float - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
- password str
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port float
- An integer representing a port number between 0 and 65535, inclusive.
- prefix str
- The Redis session key prefix.
- read_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send_
timeout float - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel_
master str - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel_
nodes Sequence[GatewayPlugin Openid Connect Config Redis Sentinel Node] - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel_
password str - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel_
role str - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel_
username str - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server_
name str - A string representing an SNI (server name indication) value for TLS.
- socket str
- The Redis unix socket path.
- ssl bool
- If set to true, uses SSL to connect to Redis.
- ssl_verify bool - If set to true, verifies the validity of the server SSL certificate; if false, the certificate is not checked. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
- username str - Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
- cluster Max Redirections Number - Maximum retry attempts for redirection.
- cluster
Nodes List<Property Map> - Cluster addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element. - connect
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- connection Is Proxied Boolean - If the connection to Redis is proxied (e.g. Envoy), set it to `true`. Set the `host` and `port` to point to the proxy address.
- database Number
- Database to use for the Redis connection when using the
redis
strategy - host String
- A string representing a host name, such as example.com.
- keepalive Backlog Number - Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.
- keepalive Pool Size Number - The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
- password String
- Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
- port Number
- An integer representing a port number between 0 and 65535, inclusive.
- prefix String
- The Redis session key prefix.
- read
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- send
Timeout Number - An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
- sentinel
Master String - Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
- sentinel
Nodes List<Property Map> - Sentinel node addresses to use for Redis connections when the
redis
strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element. - sentinel
Password String - Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
- sentinel
Role String - Sentinel role to use for Redis connections when the
redis
strategy is defined. Defining this value implies using Redis Sentinel. must be one of ["any", "master", "slave"] - sentinel
Username String - Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
- server
Name String - A string representing an SNI (server name indication) value for TLS.
- socket String
- The Redis unix socket path.
- ssl Boolean
- If set to true, uses SSL to connect to Redis.
- ssl Verify Boolean - If set to true, verifies the validity of the server SSL certificate; if false, the certificate is not checked. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
- username String - Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.
GatewayPluginOpenidConnectConfigRedisClusterNode, GatewayPluginOpenidConnectConfigRedisClusterNodeArgs
GatewayPluginOpenidConnectConfigRedisSentinelNode, GatewayPluginOpenidConnectConfigRedisSentinelNodeArgs
GatewayPluginOpenidConnectOrdering, GatewayPluginOpenidConnectOrderingArgs
GatewayPluginOpenidConnectOrderingAfter, GatewayPluginOpenidConnectOrderingAfterArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginOpenidConnectOrderingBefore, GatewayPluginOpenidConnectOrderingBeforeArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginOpenidConnectRoute, GatewayPluginOpenidConnectRouteArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginOpenidConnectService, GatewayPluginOpenidConnectServiceArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
Import
$ pulumi import konnect:index/gatewayPluginOpenidConnect:GatewayPluginOpenidConnect my_konnect_gateway_plugin_openid_connect "{ \"control_plane_id\": \"9524ec7d-36d9-465d-a8c5-83a3c9390458\", \"plugin_id\": \"3473c251-5b6c-4f45-b1ff-7ede735a366d\"}"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- konnect kong/terraform-provider-konnect
- License
- Notes
- This Pulumi package is based on the `konnect` Terraform Provider.