Configuration

config (object)

access_token_consumer_by (array[string])

When the plugin maps an access token to a Kong consumer, it looks for a matching consumer using the properties listed in this parameter. The parameter takes an array of values; valid values are id, username, and custom_id.

Allowed values: custom_id, id, username

Default: custom_id, username

access_token_consumer_claim (array[string])

When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with it (for example, sub or username) in the access token to a Kong consumer entity.

access_token_introspection_authorization (string)

If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header’s value with this configuration parameter.

access_token_introspection_body_args (string)

This parameter allows you to pass additional URL-encoded request body arguments to the introspection endpoint. For example: resource= or a=1&b=&c.

access_token_introspection_consumer_by (array[string])

When the plugin maps access token introspection results to a Kong consumer, it looks for a matching consumer using the properties listed in this parameter. The parameter takes an array of values.

Allowed values: custom_id, id, username

Default: custom_id, username

access_token_introspection_consumer_claim (array[string])

When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with it (such as sub or username) in the access token introspection results to a Kong consumer entity.

access_token_introspection_endpoint (string)

When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.

access_token_introspection_hint (string)

If you need to pass a hint parameter when introspecting an access token, use this parameter to specify its value. By default, the plugin sends hint=access_token.

Default: access_token

access_token_introspection_jwt_claim (array[string])

If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON), the plugin can use that value instead of the introspection results when verifying expiry and signing the new token issued by Kong. If the key cannot be found, the plugin responds with 401 Unauthorized. If the key is found but its value cannot be decoded as a JWT, the plugin also responds with 401 Unauthorized.

access_token_introspection_leeway (number)

Adjusts for clock skew between the token issuer's introspection results and Kong. The value (in seconds) is added to the exp claim/property of the introspection results (JSON) before token expiry is checked against the Kong server's current time. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.

Default: 0

access_token_introspection_scopes_claim (array[string])

Specify the claim/property in the access token introspection results (JSON) to verify against the values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], which can be given as realm_access,roles (form post). If the claim is not found in the introspection results and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.

Default: scope

access_token_introspection_scopes_required (array[string])

Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
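
The introspection-result checks described for the leeway and scopes parameters above, modelled in Python as an added example (this is not the plugin's code). It assumes that every value listed in scopes_required must be present, that a result with active set to false is rejected as in RFC 7662, and that the scopes claim is either an OAuth 2.0 space-separated string or an array such as Keycloak's realm_access.roles; the sample result and settings are constructed.

```python
import time
from typing import Any, Iterable, Mapping, Optional

# Constructed Keycloak-style introspection result (JSON already decoded).
SAMPLE_RESULTS = {
    "active": True,
    "sub": "alice",
    "exp": 1_700_000_000,
    "realm_access": {"roles": ["orders:read", "orders:write"]},
}

# Constructed plugin settings, using the parameter names from this page.
SAMPLE_CONFIG = {
    "access_token_introspection_leeway": 30,
    "access_token_introspection_scopes_claim": ["realm_access", "roles"],
    "access_token_introspection_scopes_required": ["orders:read"],
}


def lookup_claim(payload: Mapping[str, Any], path: Iterable[str]) -> Optional[Any]:
    """Walk a nested claim path such as ["realm_access", "roles"]; None if absent."""
    node: Any = payload
    for key in path:
        if not isinstance(node, Mapping) or key not in node:
            return None
        node = node[key]
    return node


def as_scope_set(value: Any) -> set:
    """Normalise a scope claim: space-separated string (OAuth 2.0) or array."""
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return set()


def check_introspection(results: Mapping[str, Any], config: Mapping[str, Any],
                        now: Optional[float] = None) -> int:
    """Return the HTTP status the checks on this page would produce: 200, 401 or 403."""
    now = time.time() if now is None else now
    if not results.get("active", False):
        return 401  # assumption: inactive token per RFC 7662 introspection response
    if config.get("verify_access_token_introspection_expiry", True):
        exp = results.get("exp")
        leeway = config.get("access_token_introspection_leeway", 0)
        # Leeway is added to exp before comparing against the server's clock.
        if exp is not None and exp + leeway < now:
            return 401
    required = config.get("access_token_introspection_scopes_required") or []
    if required and config.get("verify_access_token_introspection_scopes", True):
        path = config.get("access_token_introspection_scopes_claim", ["scope"])
        claim = lookup_claim(results, path)
        if claim is None:
            return 403  # claim missing while scopes are required
        if not set(required) <= as_scope_set(claim):
            return 403  # assumption: every required value must be present
    return 200
```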

access_token_introspection_timeout (number)

Timeout in milliseconds for an introspection request. The plugin retries once if the first request fails for some reason, so if both requests time out, access token introspection takes up to twice config.access_token_introspection_timeout.

access_token_issuer (string)

The iss claim of a signed or re-signed access token is set to this value. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed access token.

Default: kong

access_token_jwks_uri (string)

Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.

access_token_jwks_uri_client_certificate (string)

The client certificate used to authenticate Kong if access_token_jwks_uri is an https URI that requires mTLS authentication.

access_token_jwks_uri_client_password (string)

The client password used to authenticate Kong if access_token_jwks_uri is a URI that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username.
This field is encrypted.
This field is referenceable.

access_token_jwks_uri_client_username (string)

The client username used to authenticate Kong if access_token_jwks_uri is a URI that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password.
This field is referenceable.

access_token_jwks_uri_rotate_period (number)

Specify the period (in seconds) to auto-rotate the JWKS for access_token_jwks_uri. The default value 0 means no auto-rotation.

Default: 0

access_token_keyset (string)

The name of the keyset containing signing keys.

Default: kong

access_token_keyset_client_certificate (string)

The client certificate used to authenticate Kong if access_token_keyset is an https URI that requires mTLS authentication.

access_token_keyset_client_password (string)

The client password used to authenticate Kong if access_token_keyset is a URI that requires Basic Auth. Should be configured together with access_token_keyset_client_username.
This field is encrypted.
This field is referenceable.

access_token_keyset_client_username (string)

The client username used to authenticate Kong if access_token_keyset is a URI that requires Basic Auth. Should be configured together with access_token_keyset_client_password.
This field is referenceable.

access_token_keyset_rotate_period (number)

Specify the period (in seconds) to auto-rotate the JWKS for access_token_keyset. The default value 0 means no auto-rotation.

Default: 0

access_token_leeway (number)

Adjusts for clock skew between the token issuer and Kong. The value (in seconds) is added to the token's exp claim before token expiry is checked against the Kong server's current time. You can disable access token expiry verification altogether with config.verify_access_token_expiry.

Default: 0

access_token_optional (boolean)

If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (the client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If a token is provided, this parameter has no effect.

Default: false

access_token_request_header (string)

This parameter sets the name of the header in which the plugin looks for the access token.

Default: Authorization

access_token_scopes_claim (array[string])

Specify the claim in an access token to verify against the values of config.access_token_scopes_required.

Default: scope

access_token_scopes_required (array[string])

Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.

access_token_signing_algorithm (string)

When this plugin sets the upstream header specified with config.access_token_upstream_header, it re-signs the original access token using the private keys of the JWT Signer plugin. This parameter specifies the algorithm used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong with the specified signing algorithm.

Allowed values: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS512

Default: RS256

access_token_upstream_header (string)

The plugin removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you specify the upstream header to which the plugin adds the Kong-signed token. If you don't specify a value (null or "", the empty string), the plugin does not even try to sign or re-sign the token.

Default: Authorization:Bearer

access_token_upstream_leeway (number)

If you want to add to, or subtract from (using a negative value), the expiry time (in seconds) of the original access token, specify the value to add to the original access token's exp claim.

Default: 0

add_access_token_claims (object)

Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.

add_channel_token_claims (object)

Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.

add_claims (object)

Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.

cache_access_token_introspection (boolean)

Whether to cache access token introspection results.

Default: true

cache_channel_token_introspection (boolean)

Whether to cache channel token introspection results.

Default: true

channel_token_consumer_by (array[string])

When the plugin maps a channel token to a Kong consumer, it looks for a matching consumer using the properties listed in this parameter. The parameter takes an array of values; valid values are id, username, and custom_id.

Allowed values: custom_id, id, username

Default: custom_id, username

channel_token_consumer_claim (array[string])

When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there’s a non-existent Kong consumer, the plugin responds with 403 Forbidden.

channel_token_introspection_authorization (string)

When you use opaque channel tokens and want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin does not try introspection and instead returns 401 Unauthorized when opaque channel tokens are used.

channel_token_introspection_body_args (string)

If you need to pass additional body arguments to the introspection endpoint when the plugin introspects an opaque channel token, use this parameter to specify them. The value should be URL-encoded. For example: resource= or a=1&b=&c.

channel_token_introspection_consumer_by (array[string])

When the plugin maps channel token introspection results to a Kong consumer, it looks for a matching consumer using the properties listed in this parameter. The parameter takes an array of values; valid values are id, username, and custom_id.

Allowed values: custom_id, id, username

Default: custom_id, username

channel_token_introspection_consumer_claim (array[string])

When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with it (such as sub or username) in the channel token introspection results to a Kong consumer entity.

channel_token_introspection_endpoint (string)

When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.

channel_token_introspection_hint (string)

If you need to pass a hint parameter when introspecting a channel token, use this parameter to specify its value. By default, no hint is sent with channel token introspection.

channel_token_introspection_jwt_claim (array[string])

If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.

channel_token_introspection_leeway (number)

Use this parameter to adjust for clock skew between the token issuer's introspection results and Kong. The value (in seconds) is added to the exp claim/property of the introspection results (JSON) before token expiry is checked against the Kong server's current time. You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.

Default: 0

channel_token_introspection_scopes_claim (array[string])

Use this parameter to specify the claim/property in the channel token introspection results (JSON) to verify against the values of config.channel_token_introspection_scopes_required. This supports nested claims.

Default: scope

channel_token_introspection_scopes_required (array[string])

Use this parameter to specify the required values (or scopes) that are checked against the introspection claim/property specified by config.channel_token_introspection_scopes_claim.

channel_token_introspection_timeout (number)

Timeout in milliseconds for an introspection request. The plugin retries once if the first request fails for some reason, so if both requests time out, channel token introspection takes up to twice this timeout.

channel_token_issuer (string)

The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.

Default: kong

channel_token_jwks_uri (string)

If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don’t specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.

channel_token_jwks_uri_client_certificate (string)

The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.

channel_token_jwks_uri_client_password (string)

The client password used to authenticate Kong if channel_token_jwks_uri is a URI that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username.
This field is encrypted.
This field is referenceable.

channel_token_jwks_uri_client_username (string)

The client username used to authenticate Kong if channel_token_jwks_uri is a URI that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password.
This field is referenceable.

channel_token_jwks_uri_rotate_period (number)

Specify the period (in seconds) to auto-rotate the JWKS for channel_token_jwks_uri. The default value 0 means no auto-rotation.

Default: 0

channel_token_keyset (string)

The name of the keyset containing signing keys.

Default: kong

channel_token_keyset_client_certificate (string)

The client certificate used to authenticate Kong if channel_token_keyset is an https URI that requires mTLS authentication.

channel_token_keyset_client_password (string)

The client password used to authenticate Kong if channel_token_keyset is a URI that requires Basic Auth. Should be configured together with channel_token_keyset_client_username.
This field is encrypted.
This field is referenceable.

channel_token_keyset_client_username (string)

The client username used to authenticate Kong if channel_token_keyset is a URI that requires Basic Auth. Should be configured together with channel_token_keyset_client_password.
This field is referenceable.

channel_token_keyset_rotate_period (number)

Specify the period (in seconds) to auto-rotate the JWKS for channel_token_keyset. The default value 0 means no auto-rotation.

Default: 0

channel_token_leeway (number)

Adjusts for clock skew between the token issuer and Kong. The value (in seconds) is added to the token's exp claim before token expiry is checked against the Kong server's current time. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.

Default: 0

channel_token_optional (boolean)

If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (the client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If a channel token is provided, this parameter has no effect.

Default: false

channel_token_request_header (string)

This parameter sets the name of the header in which the plugin looks for the channel token. If you don't want to do anything with the channel token, set this to null or "" (the empty string).

channel_token_scopes_claim (array[string])

Specify the claim in a channel token to verify against the values of config.channel_token_scopes_required. This supports nested claims.

Default: scope

channel_token_scopes_required (array[string])

Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.

channel_token_signing_algorithm (string)

When this plugin sets the upstream header specified with config.channel_token_upstream_header, it also re-signs the original channel token using the private keys of this plugin. This parameter specifies the algorithm used to sign the token.

Allowed values: ES256, ES384, ES512, EdDSA, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS512

Default: RS256

channel_token_upstream_header (string)

The plugin removes the config.channel_token_request_header from the request after reading its value. With config.channel_token_upstream_header, you specify the upstream header to which the plugin adds the Kong-signed channel token.

channel_token_upstream_leeway (number)

If you want to add to, or subtract from (using a negative value), the expiry time of the original channel token, specify the value to add to the original channel token's exp claim.

Default: 0

enable_access_token_introspection (boolean)

If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.

Default: true

enable_channel_token_introspection (boolean)

If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.

Default: true

enable_hs_signatures (boolean)

Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.

Default: false

enable_instrumentation (boolean)

Writes log entries with additional information at the ngx.CRIT (CRITICAL) level.

Default: false

original_access_token_upstream_header (string)

The HTTP header name used to store the original access token.

original_channel_token_upstream_header (string)

The HTTP header name used to store the original channel token.

realm (string)

When authentication or authorization fails, or there is an unexpected error, the plugin sends a WWW-Authenticate header with this value as the realm attribute.

remove_access_token_claims (array[string])

Remove claims from the access token. The value should be an array in which each element is a claim key string.

Default: []

remove_channel_token_claims (array[string])

Remove claims from the channel token. The value should be an array in which each element is a claim key string.

Default: []

set_access_token_claims (object)

Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.

set_channel_token_claims (object)

Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.

set_claims (object)

Set customized claims on both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.

* Additional properties are allowed.
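
How the claim-editing parameters (remove_*, add_*, set_*), the issuer rewrite (access_token_issuer / original_iss) and access_token_upstream_leeway combine when the re-signed access token's payload is built, as an added example in Python (this is not the plugin's code). It assumes the order remove, then add (only if absent), then set (overwrite), that add_claims and set_claims merge with the token-specific maps, and that an upstream header value such as Authorization:Bearer means "header name:scheme prefix"; the token payload and settings are constructed and the signing step itself is left out.

```python
import json
from typing import Any, Dict, Mapping, Tuple

# Constructed incoming access token payload (already signature-verified).
ORIGINAL_CLAIMS = {
    "iss": "https://idp.example.test/realms/demo",  # constructed issuer
    "sub": "alice",
    "exp": 1_700_000_000,
    "scope": "openid orders:read",
    "email": "alice@example.test",
}

# Constructed plugin settings, using the parameter names from this page.
SAMPLE_CONFIG = {
    "access_token_issuer": "kong",
    "access_token_upstream_leeway": 60,
    "access_token_upstream_header": "Authorization:Bearer",
    "remove_access_token_claims": ["email"],
    "add_access_token_claims": {"aud": "orders-api", "sub": "ignored"},
    "add_claims": {"tenant": "{\"id\": 42, \"tier\": \"gold\"}"},
    "set_access_token_claims": {"scope": "orders:read"},
    "set_claims": {"client_id": "gateway"},
}


def decode_claim_value(value: str) -> Any:
    """A value that parses as JSON is used decoded; otherwise it stays a string.
    Under this rule a configured "42" becomes the number 42, not the text."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def build_upstream_claims(original: Mapping[str, Any], config: Mapping[str, Any]) -> Dict[str, Any]:
    """Return the payload that would be signed for the upstream; signing is omitted."""
    claims: Dict[str, Any] = dict(original)  # never mutate the incoming token
    # Issuer rewrite: iss becomes access_token_issuer, the original iss is kept.
    claims["original_iss"] = claims.get("iss")
    claims["iss"] = config.get("access_token_issuer", "kong")
    # Upstream leeway (possibly negative) is added to the original exp.
    if "exp" in claims:
        claims["exp"] = claims["exp"] + config.get("access_token_upstream_leeway", 0)
    # Assumed order: remove, then add (only if absent), then set (overwrite).
    for key in config.get("remove_access_token_claims", []):
        claims.pop(key, None)
    add_map = {**config.get("add_claims", {}), **config.get("add_access_token_claims", {})}
    for key, value in add_map.items():
        if key not in claims:
            claims[key] = decode_claim_value(value)
    set_map = {**config.get("set_claims", {}), **config.get("set_access_token_claims", {})}
    for key, value in set_map.items():
        claims[key] = decode_claim_value(value)
    return claims


def upstream_header(config: Mapping[str, Any], token: str) -> Tuple[str, str]:
    """Split "Authorization:Bearer" into (header name, "Bearer <token>") (assumed format)."""
    spec = config.get("access_token_upstream_header") or ""
    if not spec:
        # Per the page, null or "" means the plugin does not sign or re-sign at all.
        raise ValueError("no upstream header configured: token is not re-signed")
    name, _, prefix = spec.partition(":")
    value = f"{prefix} {token}" if prefix else token
    return name, value
```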

trust_access_token_introspection (boolean)

Use this parameter to enable or disable further checks on the payload before the new token is signed. If set to true, the payload's expiry and scopes are not checked.

Default: true

trust_channel_token_introspection (boolean)

When an opaque channel token is introspected by the plugin, and expiry and scopes are verified on the introspection results, further checks on the payload before the plugin signs a new token may be unnecessary. The same applies when a JWT is taken from the introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to control those additional payload checks before a new token is signed. With true (the default), the payload's expiry and scopes are not checked.

Default: true

verify_access_token_expiry (boolean)

Quickly turn access token expiry verification off and on as needed.

Default: true

verify_access_token_introspection_expiry (boolean)

Quickly turn access token introspection expiry verification off and on as needed.

Default: true

verify_access_token_introspection_scopes (boolean)

Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.

Default: true

verify_access_token_scopes (boolean)

Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.

Default: true

verify_access_token_signature (boolean)

Quickly turn access token signature verification off and on as needed.

Default: true

verify_channel_token_expiry (boolean)

Quickly turn channel token expiry verification off and on as needed.

Default: true

verify_channel_token_introspection_expiry (boolean)

Quickly turn on/off the channel token introspection expiry verification.

Default: true

verify_channel_token_introspection_scopes (boolean)

Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.

Default: true

verify_channel_token_scopes (boolean)

Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.

Default: true

verify_channel_token_signature (boolean)

Quickly turn on/off the channel token signature verification.

Default: true

protocols (array[string])

A set of strings representing HTTP protocols.

Allowed values: grpc, grpcs, http, https

Default: grpc, grpcs, http, https

route (object)

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.

Child parameters:

id (string)

service (object)

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.

Child parameters:

id (string)
