OpenID Connect

The audience passed to the authorization endpoint.

The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.

The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.

Types of credentials/grants to enable.

The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.

The authorization cookie Domain flag.

Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.

The authorization cookie name.

The authorization cookie Path flag.

Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.

Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.

Extra query arguments passed from the client to the authorization endpoint.

Extra query argument names passed to the authorization endpoint.

Extra query argument values passed to the authorization endpoint.

Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.

The name of the cookie in which the bearer token is passed.

Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL’s query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.

If consumer_by is set to username, specify whether username can match consumers case-insensitively.

Cache the introspection endpoint requests.

Cache the token exchange endpoint requests.

Cache the token endpoint requests.

Salt used for generating the cache key that is used for caching the token endpoint requests.

The default cache ttl in seconds that is used in case the cached object does not specify the expiry.

The maximum cache ttl in seconds (enforced).

The minimum cache ttl in seconds (enforced).

The negative cache ttl in seconds.

The resurrection ttl in seconds.

Cache the user info requests.

If given, these claims are forbidden in the token payload.

The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.

The client to use for this request (the selection is made with a request parameter with the same name).

The default OpenID Connect client authentication method is ‘client_secret_basic’ (using ‘Authorization: Basic’ header), ‘client_secret_post’ (credentials in body), ‘client_secret_jwt’ (signed client assertion in body), ‘private_key_jwt’ (private key-signed assertion), ‘tls_client_auth’ (client certificate), ‘self_signed_tls_client_auth’ (self-signed client certificate), and ‘none’ (no authentication).

Where to look for the client credentials: - header: search the HTTP headers - query: search the URL’s query string - body: search from the HTTP request body.

This field is referenceable.

The JWK used for the private_key_jwt authentication.

This field is referenceable.

The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.

Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.

The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.

Do not terminate the request if consumer mapping fails.

The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.

Disable issuing the session cookie with the specified grants.

Extra header names passed to the discovery endpoint.

Extra header values passed to the discovery endpoint.

Display errors on failure responses.

The allowed values for the hd claim.

The downstream access token header.

The downstream access token JWK header.

The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.

The downstream header names for the claim values.

The downstream id token header.

The downstream id token JWK header.

The downstream introspection header.

The downstream introspection JWT header.

The downstream refresh token header.

The downstream session id header.

The downstream user info header.

The downstream user info JWT header (in case the user info returns a JWT response).

Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.

Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.

Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).

The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.

Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.

A string representing a URL, such as https://example.com/path/to/resource?q=search.

Destroy any active session for the forbidden requests.

The error message for the forbidden requests (when not using the redirection).

A string representing a URL, such as https://example.com/path/to/resource?q=search.

The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.

The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.

Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.

The HTTP proxy.

The HTTP proxy authorization.
This field is referenceable.

The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.

The HTTPS proxy.

The HTTPS proxy authorization.
This field is referenceable.

The name of the parameter used to pass the id token.

Where to look for the id token: - header: search the HTTP headers - query: search the URL’s query string - body: search the HTTP request body.

Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.

Specifies whether to introspect the JWT access tokens (can be used to check for revocations).

The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).

Check that the introspection response has an active claim with a value of true.

The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.

The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate

Extra headers passed from the client to the introspection endpoint.

Extra header names passed to the introspection endpoint.

This field is referenceable.

Introspection hint parameter value passed to the introspection endpoint.

Extra post arguments passed from the client to the introspection endpoint.

Extra post arguments passed from the client headers to the introspection endpoint.

Extra post argument names passed to the introspection endpoint.

Extra post argument values passed to the introspection endpoint.

Designate token’s parameter name for introspection.

The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.

The issuers allowed to be present in the tokens (iss claim).

The claim to match against the JWT session cookie.

The name of the JWT session cookie.

Use keepalive with the HTTP client.

Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims

What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.

Enable login functionality with specified grants.

Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).

A string representing a URL, such as https://example.com/path/to/resource?q=search.
This field is referenceable.

What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.

The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.

The request body argument that activates the logout.

The request query argument that activates the logout.

A string representing a URL, such as https://example.com/path/to/resource?q=search.
This field is referenceable.

Revoke tokens as part of the logout.

For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

Revoke the access token as part of the logout. Requires logout_revoke to be set to true.

Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.

The request URI suffix that activates the logout.

The maximum age (in seconds) compared to the auth_time claim.

Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.

Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.

Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.

Do not use proxy with these hosts.

Where to look for the username and password: - header: search the HTTP headers - query: search the URL’s query string - body: search the HTTP request body.

With this parameter, you can preserve request query arguments even when doing authorization code flow.

If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.

Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP’s key are verified with the proof.

Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.

The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.

The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate

A string representing a URL, such as https://example.com/path/to/resource?q=search.

Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.

The name of the parameter used to pass the refresh token.

Where to look for the refresh token: - header: search the HTTP headers - query: search the URL’s query string - body: search the HTTP request body.

Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.

Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).

Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).

Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).

Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.

Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.

The response type passed to the authorization endpoint.

Specifies whether to always verify tokens stored in the session.

The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.

The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate

Designate token’s parameter name for revocation.

The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.

The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.

Specifies whether to run this plugin on pre-flight (OPTIONS) requests.

This field is referenceable.

The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.

The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.

Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.

Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.

The session audience, which is the intended target application. For example "my-application".

The session cookie Domain flag.

Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.

The session cookie name.

The session cookie Path flag.

Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.

Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

When set to true, audiences are forced to share the same subject.

When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.

When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.

Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.

The memcached host.

The memcached port.

The memcached session key prefix.

The memcached unix socket path.

Enables or disables persistent sessions.

Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.

Persistent session cookie name. Use with the remember configuration parameter.

Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.

Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.

Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.

Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.

The session secret.
This field is encrypted.
This field is referenceable.

The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn’t require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.

Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.

Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.

Network IO timeout in milliseconds.

ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.

Verify identity provider server certificate during mTLS client authentication.

Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.

The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.

The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate

The token exchange endpoint.

Extra headers passed from the client to the token endpoint.

Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.

Extra header names passed to the token endpoint.

Add a prefix to the token endpoint response headers before forwarding them to the downstream client.

The names of token endpoint response headers to forward to the downstream client.

Extra header values passed to the token endpoint.

Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.

Extra post argument names passed to the token endpoint.

Extra post argument values passed to the token endpoint.

Destroy any active session for the unauthorized requests.

The error message for the unauthorized requests (when not using the redirection).

A string representing a URL, such as https://example.com/path/to/resource?q=search.

A string representing a URL, such as https://example.com/path/to/resource?q=search.

The upstream access token header.

The upstream access token JWK header.

The upstream header claims. Only top level claims are supported.

The upstream header names for the claim values.

The upstream id token header.

The upstream id token JWK header.

The upstream introspection header.

The upstream introspection JWT header.

The upstream refresh token header.

The upstream session id header.

The upstream user info header.

The upstream user info JWT header (in case the user info returns a JWT response).

The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).

The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.

Extra headers passed from the client to the user info endpoint.

Extra header names passed to the user info endpoint.

Extra header values passed to the user info endpoint.

Extra query arguments passed from the client to the user info endpoint.

Extra query argument names passed to the user info endpoint.

Extra query argument values passed to the user info endpoint.

If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.

Verify tokens for standard claims.

Verify nonce on authorization code flow.

Verify plugin configuration against discovery.

Verify signature of tokens.