Configuration

configobjectrequired
Hide Child Parameters
accept_http_if_already_terminatedboolean

Accepts HTTPs requests that have already been terminated by a proxy or load balancer.

Default:false

anonymousstring

An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.

auth_header_namestring

The name of the header that is supposed to carry the access token.

Default:authorization

enable_authorization_codeboolean

An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).

Default:false

enable_client_credentialsboolean

An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).

Default:false

enable_implicit_grantboolean

An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).

Default:false

enable_password_grantboolean

An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).

Default:false

global_credentialsboolean

An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has config.global_credentials=true.

Default:false

hide_credentialsboolean

An optional boolean value telling the plugin to show or hide the credential from the upstream service.

Default:false

mandatory_scopeboolean

An optional boolean value telling the plugin to require at least one scope to be authorized by the end user.

Default:false

persistent_refresh_tokenboolean

Default:false

pkcestring

Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.

Allowed values:laxnonestrict

Default:lax

provision_keystringrequired

The unique key the plugin has generated when it has been added to the Service.
This field is encrypted.

realmstring

When authentication fails the plugin sends WWW-Authenticate header with realm attribute value.

refresh_token_ttlnumber

Time-to-live value for data

Default:1209600

>= 0<= 100000000

reuse_refresh_tokenboolean

An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.

Default:false

scopesarray[string]

Describes an array of scope names that will be available to the end user. If mandatory_scope is set to true, then scopes are required.

token_expirationnumber

An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to 0 to disable the expiration.

Default:7200

protocolsarray[string]

A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.

Allowed values:grpcgrpcshttphttpswswss

Default:grpc, grpcs, http, https, ws, wss

routeobject

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.
Hide Child Parameters
idstring
serviceobject

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.
Hide Child Parameters
idstring

Did this doc help?

Something wrong?

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!