You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The OpenID Connect plugin is compatible with the following protocols: grpc, grpcs, http, https.
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
- string, required. The name of the plugin, in this case openid-connect.
  - If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
  - If using the KongPlugin object in Kubernetes, the field is plugin.
- string. The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.
- string. The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.
- boolean, default: true. Whether this plugin will be applied.
- record, required. The plugin configuration (referred to below as config); the parameters that follow are its fields.
- string, required. The discovery endpoint (or the issuer identifier). When using Kong with the database, the discovery information and the JWKS are cached to the Kong configuration database.
- array of type string. Extra header names passed to the discovery endpoint.
- array of type string. Extra header values passed to the discovery endpoint.
- set of type string. JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
- number, default: 30. Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis. Re-discovery usually happens when the plugin cannot find a key for verifying the signature: for example, if a token is presented for which Kong does not have a JWK cached, it will poll the discovery endpoint for new JWK data. If that discovery attempt does not yield a JWK that can validate the token, Kong will wait the specified number of seconds before retrying the discovery.
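A model of the re-discovery throttling described above, added here as an example rather than taken from the plugin: an unknown key id triggers a new discovery, but never more often than the configured interval, so a flood of tokens carrying bogus kids cannot drive the plugin into hammering the identity provider. The scenario, the fake clock and the key values are constructed.

```python
import time
from typing import Callable, Dict, Optional


class JwksCache:
    """Caches the JWKS obtained by discovery. An unknown kid triggers re-discovery,
    but only if at least rediscovery_lifetime seconds have passed since the last
    discovery attempt (an added model of the behaviour described above)."""

    def __init__(self, fetch_jwks: Callable[[], Dict[str, str]],
                 rediscovery_lifetime: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_jwks          # returns {kid: key material}
        self._lifetime = rediscovery_lifetime
        self._clock = clock
        self._keys: Dict[str, str] = {}
        self._last_discovery: Optional[float] = None
        self.discovery_calls = 0          # counter, useful for monitoring

    def _discover(self) -> None:
        self._keys = dict(self._fetch())
        self._last_discovery = self._clock()
        self.discovery_calls += 1

    def key_for(self, kid: str) -> Optional[str]:
        """Return the key for kid, or None if it is unknown and re-discovery is throttled."""
        if self._last_discovery is None:
            self._discover()              # cold cache: first discovery
        key = self._keys.get(kid)
        if key is not None:
            return key
        if self._clock() - self._last_discovery >= self._lifetime:
            self._discover()              # allowed: the wait has elapsed
            return self._keys.get(kid)
        return None                       # throttled: the token stays unverifiable


def simulate_unknown_kid_burst() -> Dict[str, object]:
    """Constructed scenario with a fake clock: a burst of 100 tokens carrying
    unknown kids arrives, then the identity provider rotates to a new key."""
    now = [0.0]
    published = {"k1": "constructed-key-one"}          # what discovery returns
    cache = JwksCache(lambda: published, rediscovery_lifetime=30.0, clock=lambda: now[0])
    first = cache.key_for("k1")                         # cold cache: 1 discovery
    now[0] = 31.0
    for i in range(100):                                # 100 bogus kids within 10 s
        now[0] += 0.1
        cache.key_for(f"bogus-{i}")
    calls_after_burst = cache.discovery_calls           # only one extra discovery
    published["k2"] = "constructed-key-two"             # key rotation at the IdP
    now[0] += 30.0                                      # the wait elapses
    rotated = cache.key_for("k2")                       # picked up by re-discovery
    return {"first": first, "calls_after_burst": calls_after_burst,
            "rotated": rotated, "total_calls": cache.discovery_calls}
```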
- array of type string, default: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session. Must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session. Types of credentials/grants to enable:
  - password: OAuth legacy password grant
  - client_credentials: OAuth client credentials grant
  - authorization_code: authorization code flow
  - bearer: JWT access token verification
  - introspection: OAuth introspection
  - userinfo: OpenID Connect user info endpoint authentication
  - kong_oauth2: Kong OAuth plugin issued tokens verification
  - refresh_token: OAuth refresh token grant
  - session: session cookie authentication
- array of type string, referenceable, encrypted. The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider. Other settings that are associated with the client are:
  - config.client_secret
  - config.client_auth
  - config.client_jwk
  - config.client_alg
  - config.redirect_uri
  - config.login_redirect_uri
  - config.logout_redirect_uri
  - config.unauthorized_redirect_uri
  - config.forbidden_redirect_uri
  - config.unexpected_redirect_uri
  Use the same array index when configuring related settings for the client.
- array of type string, referenceable, encrypted. The client secret. Specify one if using client_secret_* authentication with the client on the identity provider endpoints.
- array of type string. Must be one of: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none. The authentication method used by the client (plugin) when calling the endpoints:
  - client_secret_basic: send client_id and client_secret in the Authorization: Basic header
  - client_secret_post: send client_id and client_secret as part of the body
  - client_secret_jwt: send a client assertion signed with the client_secret as part of the body
  - private_key_jwt: send a client assertion signed with the private key as part of the body
  - none: do not authenticate
  Private keys can be stored in a database, and by default they are automatically generated in the database. It is also possible to specify private keys with config.client_jwk directly in the plugin configuration.
- array of type record. The JWK used for the private_key_jwt authentication. Each record has the following fields:
  - string
  - string
  - string
  - array of type string
  - string
  - string
  - string
  - array of type string
  - string
  - string
  - string, referenceable, encrypted
  - string
  - string
  - string
  - string
  - string
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
  - string, referenceable, encrypted
- array of type string. Must be one of: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA. The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication:
  - HS256: HMAC using SHA-256
  - HS384: HMAC using SHA-384
  - HS512: HMAC using SHA-512
  - RS256: RSASSA-PKCS1-v1_5 using SHA-256
  - RS384: RSASSA-PKCS1-v1_5 using SHA-384
  - RS512: RSASSA-PKCS1-v1_5 using SHA-512
  - ES256: ECDSA using P-256 and SHA-256
  - ES384: ECDSA using P-384 and SHA-384
  - ES512: ECDSA using P-521 and SHA-512
  - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
  - EdDSA: EdDSA with Ed25519
- string, default: client_id. The client to use for this request (the selection is made with a request parameter with the same name). For example, setting this value to Client and sending the request header Client: 1 will cause the plugin to use the first client (see: config.client_id) from the client array.
- array of type string. The redirect URI passed to the authorization and token endpoints.
- array of type string. Where to redirect the client when login_action is set to redirect. Tip: leave this empty and the plugin will redirect the client to the URL that originally initiated the flow, with the query args of the original request preserved when config.preserve_query_args is enabled.
- array of type string. Where to redirect the client after the logout.
- array of type string. Where to redirect the client on forbidden requests.
- string, default: Forbidden. The error message for the forbidden requests (when not using the redirection).
- boolean, default: true. Destroy any active session for the forbidden requests.
- array of type string. Where to redirect the client on unauthorized requests.
- string, default: Unauthorized. The error message for the unauthorized requests (when not using the redirection).
- array of type string. Where to redirect the client when unexpected errors happen with the requests.
- string, default: query. Must be one of: query, form_post, fragment. The response mode passed to the authorization endpoint:
  - query: instructs the identity provider to pass parameters in the query string
  - form_post: instructs the identity provider to pass parameters in the request body
  - fragment: instructs the identity provider to pass parameters in the URI fragment (rarely useful, as the plugin itself cannot read it)
- array of type string, default: code. The response type passed to the authorization endpoint.
- array of type string, default: openid. The scopes passed to the authorization and token endpoints.
- array of type string. The audience passed to the authorization endpoint.
- array of type string. The issuers allowed to be present in the tokens (iss claim).
- array of type string. The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
  - When ["scope1 scope2"] are in the same array index, both scope1 AND scope2 need to be present in the access token (or introspection results).
  - When ["scope1", "scope2"] are in different array indices, either scope1 OR scope2 needs to be present in the access token (or introspection results).
- array of type string, default: scope. The claim that contains the scopes.
- array of type string. The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
  - When ["audience1 audience2"] are in the same array index, both audience1 AND audience2 need to be present in the access token (or introspection results).
  - When ["audience1", "audience2"] are in different array indices, either audience1 OR audience2 needs to be present in the access token (or introspection results).
- array of type string, default: aud. The claim that contains the audience.
- array of type string. The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
  - When ["group1 group2"] are in the same array index, both group1 AND group2 need to be present in the access token (or introspection results).
  - When ["group1", "group2"] are in different array indices, either group1 OR group2 needs to be present in the access token (or introspection results).
- array of type string, default: groups. The claim that contains the groups.
- array of type string. The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
  - When ["role1 role2"] are in the same array index, both role1 AND role2 need to be present in the access token (or introspection results).
  - When ["role1", "role2"] are in different array indices, either role1 OR role2 needs to be present in the access token (or introspection results).
- array of type string, default: roles. The claim that contains the roles.
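The AND/OR rule shared by the scopes, audience, groups and roles requirements above, as an added example (not the plugin's own code). It treats each claim-name array as a path into nested claims, which is an assumption of this example; the token claims and the configuration values are constructed.

```python
from typing import Any, Dict, List, Sequence, Union

ClaimValue = Union[str, Sequence[str], None]


def lookup_claim(claims: Dict[str, Any], path: Sequence[str]) -> ClaimValue:
    """Follow a claim-name array as a path into nested claims (an assumption of this
    example), e.g. ["realm_access", "roles"] -> claims["realm_access"]["roles"]."""
    node: Any = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def claim_values(value: ClaimValue) -> set:
    """Normalise a claim: an OAuth scope claim is a space-separated string, while
    aud/groups/roles are usually JSON arrays (aud may also be a single string)."""
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split())
    return {str(v) for v in value}


def requirement_met(required: Sequence[str], value: ClaimValue) -> bool:
    """The AND/OR rule: space-separated values inside one array entry are all
    required (AND); the array entries themselves are alternatives (OR)."""
    present = claim_values(value)
    for entry in required:
        needed = entry.split()
        if needed and all(v in present for v in needed):
            return True
    return False


# Requirement name, claim-name parameter, and the default claim path from the text above.
CHECKS = [
    ("scopes_required",   "scopes_claim",   ["scope"]),
    ("audience_required", "audience_claim", ["aud"]),
    ("groups_required",   "groups_claim",   ["groups"]),
    ("roles_required",    "roles_claim",    ["roles"]),
]


def unmet_requirements(claims: Dict[str, Any], config: Dict[str, Any]) -> List[str]:
    """Evaluate every configured requirement against the token claims (or the
    introspection result). An empty list means authorized; otherwise the names of
    the failed requirements, which is what an audit log entry should record."""
    failed: List[str] = []
    for req_name, claim_name, default_path in CHECKS:
        required = config.get(req_name) or []
        if not required:
            continue                                  # requirement not configured
        path = config.get(claim_name) or default_path
        if not requirement_met(required, lookup_claim(claims, path)):
            failed.append(req_name)
    return failed


# Constructed token claims and plugin configuration for a quick demonstration.
SAMPLE_CLAIMS = {
    "scope": "openid profile read",
    "aud": ["api", "web"],
    "realm_access": {"roles": ["viewer"]},
}
SAMPLE_CONFIG = {
    "scopes_required": ["read write", "read"],        # ("read" AND "write") OR "read"
    "audience_required": ["api web"],                 # "api" AND "web"
    "roles_required": ["admin"],
    "roles_claim": ["realm_access", "roles"],
}
```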
- array of type string. The allowed values for the hd claim.
- number. The maximum age (in seconds) compared to the auth_time claim.
- array of type string. The claim that contains authenticated groups. This setting can be used together with the ACL plugin, but it also enables IdP-managed groups with other applications and integrations (for example, Kong Manager and Dev Portal). The OpenID Connect plugin itself does not do anything other than set the context value.
- string. The authorization endpoint.
- array of type string. Extra query argument names passed to the authorization endpoint.
- array of type string. Extra query argument values passed to the authorization endpoint.
- array of type string. Extra query arguments passed from the client to the authorization endpoint.
- string, default: authorization. The authorization cookie name.
- number, default: 600. The authorization cookie lifetime in seconds.
- string, default: /, starts_with: /. The authorization cookie Path flag.
- string. The authorization cookie Domain flag.
- string, default: off. Must be one of: Strict, Lax, None, off. Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks:
  - Strict: cookies will only be sent in a first-party context and not be sent along with requests initiated by third-party websites.
  - Lax: cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third-party site), but are sent when a user is navigating to the origin site (for instance, when following a link).
  - None: cookies will be sent in all contexts, for example in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
  - off: do not set the SameSite flag.
- boolean, default: true. Forbids JavaScript from accessing the cookie, for example through the Document.cookie property.
- boolean. The cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and is therefore more resistant to man-in-the-middle attacks.
- boolean, default: false. With this parameter, you can preserve request query arguments even when doing the authorization code flow. When this parameter is used with the config.login_action=redirect parameter, the browser location will change and display the original query arguments. Otherwise, the upstream request is modified to include the original query arguments, and the browser will not display them in the location field.
- string. The token endpoint.
- string. Must be one of: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none. The token endpoint authentication method:
  - client_secret_basic: send client_id and client_secret in the Authorization: Basic header
  - client_secret_post: send client_id and client_secret as part of the body
  - client_secret_jwt: send a client assertion signed with the client_secret as part of the body
  - private_key_jwt: send a client assertion signed with the private key as part of the body
  - none: do not authenticate
- array of type string. Extra header names passed to the token endpoint.
- array of type string. Extra header values passed to the token endpoint.
- array of type string. Extra headers passed from the client to the token endpoint.
- array of type string. The names of token endpoint response headers to forward to the downstream client.
- string. Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
- array of type string. Must be one of: password, client_credentials, authorization_code, refresh_token. Enable the sending of the token endpoint response headers only with certain grants:
  - password: with the OAuth password grant
  - client_credentials: with the OAuth client credentials grant
  - authorization_code: with the authorization code flow
  - refresh_token: with the refresh token grant
- array of type string. Extra post argument names passed to the token endpoint.
- array of type string. Extra post argument values passed to the token endpoint.
- array of type string. Pass extra arguments from the client to the OpenID Connect plugin. If arguments exist, the client can pass them using:
  - the request body
  - query parameters
  This parameter can be used with scope values, like this: config.token_post_args_client=scope. In this case, the plugin would take the scope value from the query parameter or from the request body and send it to the token endpoint.
- string. The introspection endpoint.
- string. Must be one of: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none. The introspection endpoint authentication method:
  - client_secret_basic: send client_id and client_secret in the Authorization: Basic header
  - client_secret_post: send client_id and client_secret as part of the body
  - client_secret_jwt: send a client assertion signed with the client_secret as part of the body
  - private_key_jwt: send a client assertion signed with the private key as part of the body
  - none: do not authenticate
- string, default: access_token. Introspection hint parameter value passed to the introspection endpoint.
- boolean, default: true. Check that the introspection response has an active claim with a value of true.
- string, default: application/json. Must be one of: application/json, application/token-introspection+jwt, application/jwt. The value of the Accept header for introspection requests:
  - application/json: introspection response as JSON
  - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document)
  - application/jwt: introspection response as JWT (from the obsolete IETF draft document)
- array of type string. Extra header names passed to the introspection endpoint.
- array of type string. Extra header values passed to the introspection endpoint.
- array of type string. Extra headers passed from the client to the introspection endpoint.
- array of type string. Extra post argument names passed to the introspection endpoint.
- array of type string. Extra post argument values passed to the introspection endpoint.
- array of type string. Extra post arguments passed from the client to the introspection endpoint.
- boolean, default: false. Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
- string. The revocation endpoint.
- string. Must be one of: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, none. The revocation endpoint authentication method:
  - client_secret_basic: send client_id and client_secret in the Authorization: Basic header
  - client_secret_post: send client_id and client_secret as part of the body
  - client_secret_jwt: send a client assertion signed with the client_secret as part of the body
  - private_key_jwt: send a client assertion signed with the private key as part of the body
  - none: do not authenticate
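The five client authentication methods listed for config.client_auth and for the token, introspection and revocation endpoint methods above, as an added example that is not code from the Kong plugin: it builds the outgoing request for each method and includes the identity-provider side check for an HS* client assertion. The 60-second assertion lifetime, the endpoint URL and the client values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

# Assertion type used for JWT client authentication (RFC 7523).
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
Signer = Callable[[bytes], bytes]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_assertion(client_id: str, endpoint: str, alg: str, sign: Signer, now: int, jti: str) -> str:
    """Client assertion JWT: iss and sub are the client_id, aud is the endpoint being
    called, 60 s lifetime (an assumption) and a unique jti so the provider can reject replays."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iss": client_id, "sub": client_id, "aud": endpoint, "iat": now, "exp": now + 60, "jti": jti}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def build_request(method: str, client_id: str, endpoint: str, params: Dict[str, str],
                  client_secret: Optional[str] = None, client_alg: str = "HS256",
                  private_key_signer: Optional[Signer] = None,
                  now: Optional[int] = None, jti: Optional[str] = None) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, form body) for one call to the token, introspection or
    revocation endpoint, authenticated with the configured method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(params)
    now = int(time.time()) if now is None else now
    jti = jti or str(uuid.uuid4())
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before Basic encoding.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret or '', safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret or ""
    elif method in ("client_secret_jwt", "private_key_jwt"):
        if method == "client_secret_jwt":
            if client_alg not in HS_DIGESTS:                   # only HS*** here, as stated above
                raise ValueError("client_secret_jwt supports only HS256/HS384/HS512")
            secret = (client_secret or "").encode("utf-8")
            sign: Signer = lambda data: hmac.new(secret, data, HS_DIGESTS[client_alg]).digest()
        elif private_key_signer is None:
            raise ValueError("private_key_jwt needs a signer for the configured client_alg")
        else:
            sign = private_key_signer                          # RS*/ES*/PS*/EdDSA via a crypto library
        body["client_assertion_type"] = ASSERTION_TYPE
        body["client_assertion"] = client_assertion(client_id, endpoint, client_alg, sign, now, jti)
    elif method == "none":
        body["client_id"] = client_id                          # public client: identified, not authenticated
    else:
        raise ValueError(f"unknown client authentication method {method!r}")
    return headers, body


def verify_hs_assertion(assertion: str, client_secret: str, endpoint: str, now: int) -> Optional[dict]:
    """Identity-provider side check of a client_secret_jwt assertion: constant-time
    HMAC comparison, then audience, expiry and iss == sub. None means reject."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    digest = HS_DIGESTS.get(json.loads(_b64url_decode(h64)).get("alg"))
    if digest is None:
        return None
    expected = hmac.new(client_secret.encode("utf-8"), f"{h64}.{p64}".encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    payload = json.loads(_b64url_decode(p64))
    if payload.get("aud") != endpoint or payload.get("exp", 0) <= now or payload.get("iss") != payload.get("sub"):
        return None
    return payload
```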
- string. The end session endpoint.
- string. The user info endpoint.
- string, default: application/json. Must be one of: application/json, application/jwt. The value of the Accept header for user info requests:
  - application/json: user info response as JSON
  - application/jwt: user info response as JWT (from the obsolete IETF draft document)
- array of type string. Extra header names passed to the user info endpoint.
- array of type string. Extra header values passed to the user info endpoint.
- array of type string. Extra headers passed from the client to the user info endpoint.
- array of type string. Extra query argument names passed to the user info endpoint.
- array of type string. Extra query argument values passed to the user info endpoint.
- array of type string. Extra query arguments passed from the client to the user info endpoint.
- string. The token exchange endpoint.
string referenceable encrypted
The session secret.
-
string default:
session
The session cookie name.
-
number default:
3600
The session cookie lifetime in seconds.
-
number
The session cookie idle time in seconds.
-
number default:
600
The number of seconds prior to the
session_cookie_lifetime
that the session cookie will be renewed.
-
string default:
/
starts_with:/
The session cookie Path flag.
-
string
The session cookie Domain flag.
-
string default:
Lax
Must be one of:Strict
,Lax
,None
,off
Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks:
-
Strict
: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites. -
Lax
: Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (for example, when following a link). -
None
: Cookies will be sent in all contexts, for example in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked) -
off
: Do not set the SameSite flag.
-
-
boolean default:
true
Forbids JavaScript from accessing the cookie, for example, through the
Document.cookie
property.
-
boolean
Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
-
integer default:
4000
The maximum size of each cookie chunk in bytes.
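An added example (not Kong's code) of the cookie attributes that the authorization cookie and session cookie parameters above control, including the SameSite=None / Secure rule and chunking to the configured maximum chunk size. The chunk naming scheme (name, name_2, ...) is an assumption of this example, not necessarily the plugin's.

```python
from typing import Dict, List, Optional

SAMESITE_VALUES = ("Strict", "Lax", "None", "off")


def samesite_allowed(same_site: str, secure: bool) -> bool:
    """The rule stated for both cookies above: SameSite=None is only valid together
    with the Secure attribute; browsers block the cookie otherwise."""
    return same_site in SAMESITE_VALUES and (same_site != "None" or secure)


def set_cookie_header(name: str, value: str, path: str = "/", domain: Optional[str] = None,
                      lifetime: Optional[int] = None, same_site: str = "Lax",
                      http_only: bool = True, secure: bool = False) -> str:
    """Render one Set-Cookie header value from the parameters above
    (name, lifetime, Path, Domain, SameSite, HttpOnly, Secure)."""
    if not path.startswith("/"):
        raise ValueError("cookie path must start with /")        # starts_with: /
    if not samesite_allowed(same_site, secure):
        raise ValueError(f"SameSite={same_site} rejected (None requires Secure)")
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if lifetime is not None:
        parts.append(f"Max-Age={lifetime}")
    if same_site != "off":                                       # off: no SameSite flag at all
        parts.append(f"SameSite={same_site}")
    if http_only:
        parts.append("HttpOnly")                                 # hidden from Document.cookie
    if secure:
        parts.append("Secure")                                   # https: only
    return "; ".join(parts)


def chunk_names(name: str, count: int) -> List[str]:
    """Chunk naming used by this example (an assumption, not necessarily the
    plugin's): the first chunk keeps the cookie name, later ones get a suffix."""
    return [name if i == 0 else f"{name}_{i + 1}" for i in range(count)]


def session_cookie_headers(name: str, payload: str, maxsize: int = 4000, **attrs: object) -> List[str]:
    """Split an already signed/encrypted session payload into chunks of at most
    maxsize bytes and emit one Set-Cookie header per chunk."""
    if maxsize <= 0:
        raise ValueError("maxsize must be positive")
    data = payload.encode("ascii")                               # cookie-safe alphabet assumed
    chunks = [data[i:i + maxsize].decode("ascii") for i in range(0, len(data), maxsize)] or [""]
    return [set_cookie_header(n, c, **attrs) for n, c in zip(chunk_names(name, len(chunks)), chunks)]


def reassemble(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Rebuild the payload from a parsed Cookie header. Stops at the first missing
    chunk; a truncated payload then fails signature verification downstream."""
    parts: List[str] = []
    for key in chunk_names(name, len(cookies) + 1):
        if key not in cookies:
            break
        parts.append(cookies[key])
    return "".join(parts) if parts else None
```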
- string, default: default. Must be one of: default, regenerate. The session strategy:
  - default: reuses session identifiers over modifications (but can be problematic with single-page applications with a lot of concurrent asynchronous requests)
  - regenerate: generates a new session identifier on each modification and does not use expiry for signature verification (useful in single-page applications or SPAs)
- string, default: none. Must be one of: none, zlib. The session data compression:
  - none: no compression
  - zlib: use zlib to compress cookie data
- string, default: cookie. Must be one of: cookie, memcache, redis. The session storage for session data:
  - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing the session secret, but it is stateless and does not require a database)
  - memcache: stores session data in memcached
  - redis: stores session data in Redis
- string, default: sessions. The memcached session key prefix.
- string. The memcached unix socket path.
- string, default: 127.0.0.1. The memcached host.
- integer, default: 11211, between: 0 and 65535. The memcached port.
- string, default: sessions. The Redis session key prefix.
- string. The Redis unix socket path.
- string, default: 127.0.0.1. The Redis host.
- integer, default: 6379, between: 0 and 65535. The Redis port.
- string, referenceable. Username to use for the Redis connection when the redis session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username cannot be set to default.
- string, referenceable, encrypted. Password to use for the Redis connection when the redis session storage is defined. If undefined, no AUTH commands are sent to Redis.
- integer. The Redis connection timeout in milliseconds.
- integer. The Redis read timeout in milliseconds.
- integer. The Redis send timeout in milliseconds.
- boolean, default: false. Use SSL/TLS for the Redis connection.
- boolean, default: false. Verify the Redis server certificate.
- string. The SNI used for connecting to the Redis server.
- array of type record.
- integer. The Redis cluster maximum redirects.
- boolean, default: false. Specifies whether to always verify tokens stored in the session.
- string, default: sid. The claim to match against the JWT session cookie.
- string. The name of the JWT session cookie.
- array of type string, default: header, query, body. Must be one of: header, cookie, query, body. Where to look for the bearer token:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
  - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name
- string. The name of the cookie in which the bearer token is passed.
- array of type string, default: header, query, body. Must be one of: header, query, body. Where to look for the client credentials:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
- array of type string, default: header, query, body. Must be one of: header, query, body. Where to look for the username and password:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
- array of type string, default: header, query, body. Must be one of: header, query, body. Where to look for the id token:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
- string. The name of the parameter used to pass the id token.
- array of type string, default: header, query, body. Must be one of: header, query, body. Where to look for the refresh token:
  - header: search the HTTP headers
  - query: search the URL's query string
  - body: search the HTTP request body
- string. The name of the parameter used to pass the refresh token.
- boolean, default: true. Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
- array of type string. The upstream header claims.
- array of type string. The upstream header names for the claim values.
- string, default: authorization:bearer. The upstream access token header.
- string. The upstream access token JWK header.
- string. The upstream id token header.
- string. The upstream id token JWK header.
- string. The upstream refresh token header.
- string. The upstream user info header.
- string. The upstream user info JWT header (in case the user info returns a JWT response).
- string. The upstream introspection header.
- string.
- string. The upstream session id header.
- array of type string. The downstream header claims.
- array of type string. The downstream header names for the claim values.
- string. The downstream access token header.
- string. The downstream access token JWK header.
- string. The downstream id token header.
- string. The downstream id token JWK header.
- string. The downstream refresh token header.
- string. The downstream user info header.
- string. The downstream user info JWT header (in case the user info returns a JWT response).
- string. The downstream introspection header.
- string.
- string. The downstream session id header.
- array of type string, default: authorization_code. Must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session. Enable login functionality with the specified grants:
  - password: enable for the OAuth password grant
  - client_credentials: enable for the OAuth client credentials grant
  - authorization_code: enable for the authorization code flow
  - bearer: enable for JWT access token authentication
  - introspection: enable for OAuth introspection authentication
  - userinfo: enable for OpenID Connect user info endpoint authentication
  - kong_oauth2: enable for Kong OAuth Plugin authentication
  - refresh_token: enable for the OAuth refresh token grant
  - session: enable for session cookie authentication
- string, default: upstream. Must be one of: upstream, response, redirect. What to do after a successful login:
  - upstream: proxy the request to the upstream service
  - response: terminate the request with a response
  - redirect: redirect to a different location
- array of type string, default: id_token. Must be one of: id_token, access_token, refresh_token, tokens, introspection. What tokens to include in the response body or the redirect query string or fragment:
  - id_token: include the id token
  - access_token: include the access token
  - refresh_token: include the refresh token
  - tokens: include the full token endpoint response
  - introspection: include the introspection response
- string, default: fragment. Must be one of: query, fragment. Where to place login_tokens when using the redirect login_action:
  - query: place tokens in the query string
  - fragment: place tokens in the URL fragment (not readable by servers)
- string. The request query argument that activates the logout.
- string. The request body argument that activates the logout.
- string. The request URI suffix that activates the logout.
- array of type string, default: POST, DELETE. Must be one of: POST, GET, DELETE. The request methods that can activate the logout:
  - POST: HTTP POST method
  - GET: HTTP GET method
  - DELETE: HTTP DELETE method
- boolean, default: false. Revoke tokens as part of the logout.
- boolean, default: true. Revoke the access token as part of the logout.
- boolean, default: true. Revoke the refresh token as part of the logout.
- array of type string. The claim used for consumer mapping.
- array of type string, default: username, custom_id. Must be one of: id, username, custom_id. Consumer fields used for mapping:
  - id: try to find the matching Consumer by id
  - username: try to find the matching Consumer by username
  - custom_id: try to find the matching Consumer by custom_id
- boolean, default: false. Do not terminate the request if consumer mapping fails.
- array of type string, default: sub. The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.
- string. An optional string (consumer UUID or username) value that functions as an "anonymous" consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
- boolean, default: true. Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
- number, default: 0. Allow some leeway on the ttl / expiry verification.
- boolean, default: false. Verify the plugin configuration against discovery.
- boolean, default: true. Verify the nonce on the authorization code flow.
- boolean, default: true. Verify tokens for standard claims.
- boolean, default: true. Verify the signature of tokens.
- array of type string. Must be one of: password, client_credentials, authorization_code, refresh_token, session, introspection, userinfo. Skip the token signature verification on certain grants:
  - password: OAuth password grant
  - client_credentials: OAuth client credentials grant
  - authorization_code: authorization code flow
  - refresh_token: OAuth refresh token grant
  - session: session cookie authentication
  - introspection: OAuth introspection
  - userinfo: OpenID Connect user info endpoint authentication
- boolean, default: false. Enable shared-secret signatures (for example, HS256); when disabled, they will not be accepted.
- array of type string. Must be one of: password, client_credentials, authorization_code, bearer, introspection, userinfo, kong_oauth2, refresh_token, session. Disable issuing the session cookie with the specified grants:
  - password: do not start a session with the password grant
  - client_credentials: do not start a session with the client credentials grant
  - authorization_code: do not start a session after the authorization code flow
  - bearer: do not start a session with JWT access token authentication
  - introspection: do not start a session with introspection authentication
  - userinfo: do not start a session with user info authentication
  - kong_oauth2: do not start a session with Kong OAuth authentication
  - refresh_token: do not start a session with the refresh token grant
  - session: do not renew the session with session cookie authentication
- number, default: 3600. The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
- number. The maximum cache ttl in seconds (enforced).
- number. The minimum cache ttl in seconds (enforced).
- number. The negative cache ttl in seconds.
- number. The resurrection ttl in seconds.
- boolean, default: true. Cache the token endpoint requests.
- string. Salt used for generating the cache key that is used for caching the token endpoint requests. If you use multiple instances of the OpenID Connect plugin and want to share token endpoint caches between the plugin instances, set the salt to the same value on each plugin instance.
- boolean, default: true. Cache the introspection endpoint requests.
- boolean, default: true. Cache the token exchange endpoint requests.
- boolean, default: true. Cache the user info requests.
- boolean, default: false. Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers. This requires an extra round-trip and can add latency, but the plugin can also cache user info requests (see: config.cache_user_info).
- boolean, default: false. Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
- number, default: 1.1. The HTTP version used for the requests by this plugin:
  - 1.1: HTTP 1.1 (the default)
  - 1.0: HTTP 1.0
- string. The HTTP proxy.
- string. The HTTP proxy authorization.
- string. The HTTPS proxy.
- string. The HTTPS proxy authorization.
- string. Do not use a proxy with these hosts.
- boolean, default: true. Use keepalive with the HTTP client.
- boolean, default: false. Verify the identity provider server certificate.
- number, default: 10000. Network IO timeout in milliseconds.
- boolean, default: false. Display errors on failure responses.
- boolean, default: false. If consumer_by is set to username, specify whether username can match consumers case-insensitively.
- boolean, default: false. Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.