Configuration

config (object, required)

anonymous (string)

An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure 4xx. Note that this value must refer to the consumer id or username attribute, and not its custom_id.

Default:

>= 0 characters

authorization_value (string, required)

The value to set as the Authorization header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the client_id and client_secret as a Base64-encoded Basic Auth string (Basic MG9hNWl...).
This field is encrypted.
This field is referenceable.

consumer_by (string)

A string indicating whether to associate OAuth2 username or client_id with the consumer’s username. OAuth2 username is mapped to a consumer’s username field, while an OAuth2 client_id maps to a consumer’s custom_id.

Allowed values: client_id, username

Default: username

custom_claims_forward (array[string])

A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix X-Credential-{claim-name}.

Default: []

custom_introspection_headers (object)

A list of custom headers to be added in the introspection request.

* Additional properties are allowed.

hide_credentials (boolean)

An optional boolean value telling the plugin to hide the credential from the upstream API server. It will be removed by Kong before proxying the request.

Default: false

introspect_request (boolean)

A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers X-Request-Path and X-Request-Http-Method will be inserted into the introspect request.

Default: false

introspection_url (string, required)

A string representing a URL, such as https://example.com/path/to/resource?q=search.

keepalive (integer)

An optional value in milliseconds that defines how long an idle connection lives before being closed.

Default: 60000

run_on_preflight (boolean)

A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.

Default: true

timeout (integer)

An optional timeout in milliseconds when sending data to the upstream server.

Default: 10000

token_type_hint (string)

The token_type_hint value to associate with introspection requests.

ttl (number)

The TTL in seconds for the introspection response. Set to 0 to disable the expiration.

Default: 30

protocols (array[string])

A set of strings representing HTTP protocols.

Allowed values: grpc, grpcs, http, https

Default: grpc, grpcs, http, https

route (object)

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.

id (string)

service (object)

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.

id (string)
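
A configuration review helper for the config fields above, as an added example that is not part of Kong's documentation or code. It builds the Basic Auth form of authorization_value described on this page and checks one config object against the documented defaults; the function names, the sample client id, secret and URLs, and the choice of which settings to report are assumptions of this example.

```python
import base64
from urllib.parse import urlparse

def basic_authorization_value(client_id: str, client_secret: str) -> str:
    """Build the 'Basic <base64(client_id:client_secret)>' string for authorization_value."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def audit_config(config: dict) -> list:
    """Return review findings for one plugin `config` object, using the documented defaults."""
    findings = []
    if urlparse(config.get("introspection_url", "")).scheme != "https":
        findings.append("introspection_url: not https, so the token and "
                        "authorization_value are sent unencrypted")
    auth = config.get("authorization_value", "")
    if not auth:
        findings.append("authorization_value: missing (required field)")
    elif auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            decoded = ""
        if ":" not in decoded:
            findings.append("authorization_value: Basic payload is not "
                            "base64 of client_id:client_secret")
    if config.get("anonymous"):
        findings.append("anonymous: failed authentication falls back to a consumer, not a 4xx")
    if not config.get("hide_credentials", False):
        findings.append("hide_credentials: false, the credential reaches the upstream")
    if not config.get("run_on_preflight", True):
        findings.append("run_on_preflight: false, OPTIONS requests are always allowed")
    if config.get("ttl", 30) == 0:
        findings.append("ttl: 0, the introspection response never expires")
    return findings

# Constructed sample configs; all values are placeholders.
HARDENED = {
    "introspection_url": "https://idp.example.com/oauth2/introspect",
    "authorization_value": basic_authorization_value("example-client", "example-secret"),
    "hide_credentials": True,
    "ttl": 30,
}
WEAK = {
    "introspection_url": "http://idp.example.com/oauth2/introspect",
    "authorization_value": "Basic not-base64!",
    "anonymous": "guest",
    "run_on_preflight": False,
    "ttl": 0,
}
```

Calling audit_config(WEAK) returns one finding per reported setting, each prefixed with the field name; audit_config(HARDENED) returns an empty list.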
