konnect 2.4.1, Mar 13 25

konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong

konnect.getGatewayPluginJwtSigner

Explore with Pulumi AI

konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong

Using getGatewayPluginJwtSigner

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getGatewayPluginJwtSigner(args: GetGatewayPluginJwtSignerArgs, opts?: InvokeOptions): Promise<GetGatewayPluginJwtSignerResult>
function getGatewayPluginJwtSignerOutput(args: GetGatewayPluginJwtSignerOutputArgs, opts?: InvokeOptions): Output<GetGatewayPluginJwtSignerResult>

def get_gateway_plugin_jwt_signer(control_plane_id: Optional[str] = None,
                                  opts: Optional[InvokeOptions] = None) -> GetGatewayPluginJwtSignerResult
def get_gateway_plugin_jwt_signer_output(control_plane_id: Optional[pulumi.Input[str]] = None,
                                  opts: Optional[InvokeOptions] = None) -> Output[GetGatewayPluginJwtSignerResult]

func LookupGatewayPluginJwtSigner(ctx *Context, args *LookupGatewayPluginJwtSignerArgs, opts ...InvokeOption) (*LookupGatewayPluginJwtSignerResult, error)
func LookupGatewayPluginJwtSignerOutput(ctx *Context, args *LookupGatewayPluginJwtSignerOutputArgs, opts ...InvokeOption) LookupGatewayPluginJwtSignerResultOutput

> Note: This function is named LookupGatewayPluginJwtSigner in the Go SDK.

public static class GetGatewayPluginJwtSigner 
{
    public static Task<GetGatewayPluginJwtSignerResult> InvokeAsync(GetGatewayPluginJwtSignerArgs args, InvokeOptions? opts = null)
    public static Output<GetGatewayPluginJwtSignerResult> Invoke(GetGatewayPluginJwtSignerInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetGatewayPluginJwtSignerResult> getGatewayPluginJwtSigner(GetGatewayPluginJwtSignerArgs args, InvokeOptions options)
public static Output<GetGatewayPluginJwtSignerResult> getGatewayPluginJwtSigner(GetGatewayPluginJwtSignerArgs args, InvokeOptions options)

fn::invoke:
  function: konnect:index/getGatewayPluginJwtSigner:getGatewayPluginJwtSigner
  arguments:
    # arguments dictionary

The following arguments are supported:

ControlPlaneId string

ControlPlaneId string

controlPlaneId String

controlPlaneId string

control_plane_id str

controlPlaneId String

getGatewayPluginJwtSigner Result

The following output properties are available:

Config GetGatewayPluginJwtSignerConfig
ControlPlaneId string
CreatedAt double
Enabled bool
Id string
InstanceName string
Ordering GetGatewayPluginJwtSignerOrdering
Protocols List<string>
Route GetGatewayPluginJwtSignerRoute
Service GetGatewayPluginJwtSignerService
Tags List<string>
UpdatedAt double

Config GetGatewayPluginJwtSignerConfig
ControlPlaneId string
CreatedAt float64
Enabled bool
Id string
InstanceName string
Ordering GetGatewayPluginJwtSignerOrdering
Protocols []string
Route GetGatewayPluginJwtSignerRoute
Service GetGatewayPluginJwtSignerService
Tags []string
UpdatedAt float64

config GetGatewayPluginJwtSignerConfig
controlPlaneId String
createdAt Double
enabled Boolean
id String
instanceName String
ordering GetGatewayPluginJwtSignerOrdering
protocols List<String>
route GetGatewayPluginJwtSignerRoute
service GetGatewayPluginJwtSignerService
tags List<String>
updatedAt Double

config GetGatewayPluginJwtSignerConfig
controlPlaneId string
createdAt number
enabled boolean
id string
instanceName string
ordering GetGatewayPluginJwtSignerOrdering
protocols string[]
route GetGatewayPluginJwtSignerRoute
service GetGatewayPluginJwtSignerService
tags string[]
updatedAt number

config GetGatewayPluginJwtSignerConfig
control_plane_id str
created_at float
enabled bool
id str
instance_name str
ordering GetGatewayPluginJwtSignerOrdering
protocols Sequence[str]
route GetGatewayPluginJwtSignerRoute
service GetGatewayPluginJwtSignerService
tags Sequence[str]
updated_at float

config Property Map
controlPlaneId String
createdAt Number
enabled Boolean
id String
instanceName String
ordering Property Map
protocols List<String>
route Property Map
service Property Map
tags List<String>
updatedAt Number

Supporting Types

GetGatewayPluginJwtSignerConfig

AccessTokenConsumerBies List<string>: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
AccessTokenConsumerClaims List<string>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
AccessTokenIntrospectionAuthorization string: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
AccessTokenIntrospectionBodyArgs string: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
AccessTokenIntrospectionConsumerBies List<string>: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
AccessTokenIntrospectionConsumerClaims List<string>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
AccessTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
AccessTokenIntrospectionHint string: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
AccessTokenIntrospectionJwtClaims List<string>: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
AccessTokenIntrospectionLeeway double: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
AccessTokenIntrospectionScopesClaims List<string>: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
AccessTokenIntrospectionScopesRequireds List<string>: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
AccessTokenIntrospectionTimeout double: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
AccessTokenIssuer string: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
AccessTokenJwksUri string: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
AccessTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
AccessTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
AccessTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
AccessTokenJwksUriRotatePeriod double: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
AccessTokenKeyset string: The name of the keyset containing signing keys.
AccessTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
AccessTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
AccessTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
AccessTokenKeysetRotatePeriod double: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
AccessTokenLeeway double: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
AccessTokenOptional bool: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
AccessTokenRequestHeader string: This parameter tells the name of the header where to look for the access token.
AccessTokenScopesClaims List<string>: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
AccessTokenScopesRequireds List<string>: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
AccessTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
AccessTokenUpstreamHeader string: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
AccessTokenUpstreamLeeway double: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
AddAccessTokenClaims Dictionary<string, string>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
AddChannelTokenClaims Dictionary<string, string>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
AddClaims Dictionary<string, string>: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
CacheAccessTokenIntrospection bool: Whether to cache access token introspection results.
CacheChannelTokenIntrospection bool: Whether to cache channel token introspection results.
ChannelTokenConsumerBies List<string>: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
ChannelTokenConsumerClaims List<string>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
ChannelTokenIntrospectionAuthorization string: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
ChannelTokenIntrospectionBodyArgs string: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
ChannelTokenIntrospectionConsumerBies List<string>: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
ChannelTokenIntrospectionConsumerClaims List<string>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
ChannelTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
ChannelTokenIntrospectionHint string: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
ChannelTokenIntrospectionJwtClaims List<string>: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
ChannelTokenIntrospectionLeeway double: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
ChannelTokenIntrospectionScopesClaims List<string>: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
ChannelTokenIntrospectionScopesRequireds List<string>: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
ChannelTokenIntrospectionTimeout double: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
ChannelTokenIssuer string: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
ChannelTokenJwksUri string: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
ChannelTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
ChannelTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
ChannelTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
ChannelTokenJwksUriRotatePeriod double: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
ChannelTokenKeyset string: The name of the keyset containing signing keys.
ChannelTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
ChannelTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
ChannelTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
ChannelTokenKeysetRotatePeriod double: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
ChannelTokenLeeway double: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
ChannelTokenOptional bool: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
ChannelTokenRequestHeader string: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
ChannelTokenScopesClaims List<string>: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
ChannelTokenScopesRequireds List<string>: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
ChannelTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
ChannelTokenUpstreamHeader string: This plugin removes the config.channel_token_request_header from the request after reading its value.
ChannelTokenUpstreamLeeway double: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
EnableAccessTokenIntrospection bool: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
EnableChannelTokenIntrospection bool: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
EnableHsSignatures bool: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
EnableInstrumentation bool: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
OriginalAccessTokenUpstreamHeader string: The HTTP header name used to store the original access token.
OriginalChannelTokenUpstreamHeader string: The HTTP header name used to store the original channel token.
Realm string: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
RemoveAccessTokenClaims List<string>: remove claims. It should be an array, and each element is a claim key string.
RemoveChannelTokenClaims List<string>: remove claims. It should be an array, and each element is a claim key string.
SetAccessTokenClaims Dictionary<string, string>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
SetChannelTokenClaims Dictionary<string, string>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
SetClaims Dictionary<string, string>: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
TrustAccessTokenIntrospection bool: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
TrustChannelTokenIntrospection bool: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
VerifyAccessTokenExpiry bool: Quickly turn access token expiry verification off and on as needed.
VerifyAccessTokenIntrospectionExpiry bool: Quickly turn access token introspection expiry verification off and on as needed.
VerifyAccessTokenIntrospectionScopes bool: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
VerifyAccessTokenScopes bool: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
VerifyAccessTokenSignature bool: Quickly turn access token signature verification off and on as needed.
VerifyChannelTokenExpiry bool
VerifyChannelTokenIntrospectionExpiry bool: Quickly turn on/off the channel token introspection expiry verification.
VerifyChannelTokenIntrospectionScopes bool: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
VerifyChannelTokenScopes bool: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
VerifyChannelTokenSignature bool: Quickly turn on/off the channel token signature verification.

AccessTokenConsumerBies []string: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
AccessTokenConsumerClaims []string: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
AccessTokenIntrospectionAuthorization string: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
AccessTokenIntrospectionBodyArgs string: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
AccessTokenIntrospectionConsumerBies []string: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
AccessTokenIntrospectionConsumerClaims []string: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
AccessTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
AccessTokenIntrospectionHint string: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
AccessTokenIntrospectionJwtClaims []string: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
AccessTokenIntrospectionLeeway float64: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
AccessTokenIntrospectionScopesClaims []string: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
AccessTokenIntrospectionScopesRequireds []string: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
AccessTokenIntrospectionTimeout float64: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
AccessTokenIssuer string: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
AccessTokenJwksUri string: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
AccessTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
AccessTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
AccessTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
AccessTokenJwksUriRotatePeriod float64: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
AccessTokenKeyset string: The name of the keyset containing signing keys.
AccessTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
AccessTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
AccessTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
AccessTokenKeysetRotatePeriod float64: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
AccessTokenLeeway float64: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
AccessTokenOptional bool: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
AccessTokenRequestHeader string: This parameter tells the name of the header where to look for the access token.
AccessTokenScopesClaims []string: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
AccessTokenScopesRequireds []string: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
AccessTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
AccessTokenUpstreamHeader string: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
AccessTokenUpstreamLeeway float64: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
AddAccessTokenClaims map[string]string: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
AddChannelTokenClaims map[string]string: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
AddClaims map[string]string: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
CacheAccessTokenIntrospection bool: Whether to cache access token introspection results.
CacheChannelTokenIntrospection bool: Whether to cache channel token introspection results.
ChannelTokenConsumerBies []string: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
ChannelTokenConsumerClaims []string: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
ChannelTokenIntrospectionAuthorization string: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
ChannelTokenIntrospectionBodyArgs string: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
ChannelTokenIntrospectionConsumerBies []string: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
ChannelTokenIntrospectionConsumerClaims []string: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
ChannelTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
ChannelTokenIntrospectionHint string: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
ChannelTokenIntrospectionJwtClaims []string: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
ChannelTokenIntrospectionLeeway float64: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
ChannelTokenIntrospectionScopesClaims []string: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
ChannelTokenIntrospectionScopesRequireds []string: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
ChannelTokenIntrospectionTimeout float64: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
ChannelTokenIssuer string: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
ChannelTokenJwksUri string: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
ChannelTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
ChannelTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
ChannelTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
ChannelTokenJwksUriRotatePeriod float64: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
ChannelTokenKeyset string: The name of the keyset containing signing keys.
ChannelTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
ChannelTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
ChannelTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
ChannelTokenKeysetRotatePeriod float64: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
ChannelTokenLeeway float64: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
ChannelTokenOptional bool: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
ChannelTokenRequestHeader string: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
ChannelTokenScopesClaims []string: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
ChannelTokenScopesRequireds []string: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
ChannelTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
ChannelTokenUpstreamHeader string: This plugin removes the config.channel_token_request_header from the request after reading its value.
ChannelTokenUpstreamLeeway float64: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
EnableAccessTokenIntrospection bool: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
EnableChannelTokenIntrospection bool: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
EnableHsSignatures bool: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
EnableInstrumentation bool: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
OriginalAccessTokenUpstreamHeader string: The HTTP header name used to store the original access token.
OriginalChannelTokenUpstreamHeader string: The HTTP header name used to store the original channel token.
Realm string: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
RemoveAccessTokenClaims []string: remove claims. It should be an array, and each element is a claim key string.
RemoveChannelTokenClaims []string: remove claims. It should be an array, and each element is a claim key string.
SetAccessTokenClaims map[string]string: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
SetChannelTokenClaims map[string]string: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
SetClaims map[string]string: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
TrustAccessTokenIntrospection bool: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
TrustChannelTokenIntrospection bool: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
VerifyAccessTokenExpiry bool: Quickly turn access token expiry verification off and on as needed.
VerifyAccessTokenIntrospectionExpiry bool: Quickly turn access token introspection expiry verification off and on as needed.
VerifyAccessTokenIntrospectionScopes bool: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
VerifyAccessTokenScopes bool: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
VerifyAccessTokenSignature bool: Quickly turn access token signature verification off and on as needed.
VerifyChannelTokenExpiry bool
VerifyChannelTokenIntrospectionExpiry bool: Quickly turn on/off the channel token introspection expiry verification.
VerifyChannelTokenIntrospectionScopes bool: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
VerifyChannelTokenScopes bool: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
VerifyChannelTokenSignature bool: Quickly turn on/off the channel token signature verification.

accessTokenConsumerBies List<String>: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
accessTokenConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
accessTokenIntrospectionAuthorization String: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
accessTokenIntrospectionBodyArgs String: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
accessTokenIntrospectionConsumerBies List<String>: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
accessTokenIntrospectionConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
accessTokenIntrospectionEndpoint String: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
accessTokenIntrospectionHint String: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
accessTokenIntrospectionJwtClaims List<String>: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
accessTokenIntrospectionLeeway Double: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
accessTokenIntrospectionScopesClaims List<String>: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
accessTokenIntrospectionScopesRequireds List<String>: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
accessTokenIntrospectionTimeout Double: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
accessTokenIssuer String: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
accessTokenJwksUri String: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
accessTokenJwksUriClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
accessTokenJwksUriClientPassword String: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
accessTokenJwksUriClientUsername String: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
accessTokenJwksUriRotatePeriod Double: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
accessTokenKeyset String: The name of the keyset containing signing keys.
accessTokenKeysetClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
accessTokenKeysetClientPassword String: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
accessTokenKeysetClientUsername String: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
accessTokenKeysetRotatePeriod Double: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
accessTokenLeeway Double: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
accessTokenOptional Boolean: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
accessTokenRequestHeader String: This parameter tells the name of the header where to look for the access token.
accessTokenScopesClaims List<String>: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
accessTokenScopesRequireds List<String>: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
accessTokenSigningAlgorithm String: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
accessTokenUpstreamHeader String: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
accessTokenUpstreamLeeway Double: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
addAccessTokenClaims Map<String,String>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addChannelTokenClaims Map<String,String>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addClaims Map<String,String>: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
cacheAccessTokenIntrospection Boolean: Whether to cache access token introspection results.
cacheChannelTokenIntrospection Boolean: Whether to cache channel token introspection results.
channelTokenConsumerBies List<String>: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
channelTokenConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
channelTokenIntrospectionAuthorization String: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
channelTokenIntrospectionBodyArgs String: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
channelTokenIntrospectionConsumerBies List<String>: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
channelTokenIntrospectionConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
channelTokenIntrospectionEndpoint String: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
channelTokenIntrospectionHint String: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
channelTokenIntrospectionJwtClaims List<String>: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
channelTokenIntrospectionLeeway Double: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
channelTokenIntrospectionScopesClaims List<String>: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
channelTokenIntrospectionScopesRequireds List<String>: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
channelTokenIntrospectionTimeout Double: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
channelTokenIssuer String: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
channelTokenJwksUri String: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
channelTokenJwksUriClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
channelTokenJwksUriClientPassword String: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
channelTokenJwksUriClientUsername String: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
channelTokenJwksUriRotatePeriod Double: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
channelTokenKeyset String: The name of the keyset containing signing keys.
channelTokenKeysetClientCertificate String: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
channelTokenKeysetClientPassword String: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
channelTokenKeysetClientUsername String: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
channelTokenKeysetRotatePeriod Double: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
channelTokenLeeway Double: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
channelTokenOptional Boolean: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
channelTokenRequestHeader String: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
channelTokenScopesClaims List<String>: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
channelTokenScopesRequireds List<String>: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
channelTokenSigningAlgorithm String: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
channelTokenUpstreamHeader String: This plugin removes the config.channel_token_request_header from the request after reading its value.
channelTokenUpstreamLeeway Double: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
enableAccessTokenIntrospection Boolean: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
enableChannelTokenIntrospection Boolean: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
enableHsSignatures Boolean: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
enableInstrumentation Boolean: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
originalAccessTokenUpstreamHeader String: The HTTP header name used to store the original access token.
originalChannelTokenUpstreamHeader String: The HTTP header name used to store the original channel token.
realm String: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
removeAccessTokenClaims List<String>: remove claims. It should be an array, and each element is a claim key string.
removeChannelTokenClaims List<String>: remove claims. It should be an array, and each element is a claim key string.
setAccessTokenClaims Map<String,String>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setChannelTokenClaims Map<String,String>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setClaims Map<String,String>: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
trustAccessTokenIntrospection Boolean: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
trustChannelTokenIntrospection Boolean: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
verifyAccessTokenExpiry Boolean: Quickly turn access token expiry verification off and on as needed.
verifyAccessTokenIntrospectionExpiry Boolean: Quickly turn access token introspection expiry verification off and on as needed.
verifyAccessTokenIntrospectionScopes Boolean: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
verifyAccessTokenScopes Boolean: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
verifyAccessTokenSignature Boolean: Quickly turn access token signature verification off and on as needed.
verifyChannelTokenExpiry Boolean
verifyChannelTokenIntrospectionExpiry Boolean: Quickly turn on/off the channel token introspection expiry verification.
verifyChannelTokenIntrospectionScopes Boolean: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
verifyChannelTokenScopes Boolean: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
verifyChannelTokenSignature Boolean: Quickly turn on/off the channel token signature verification.

accessTokenConsumerBies string[]: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
accessTokenConsumerClaims string[]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
accessTokenIntrospectionAuthorization string: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
accessTokenIntrospectionBodyArgs string: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
accessTokenIntrospectionConsumerBies string[]: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
accessTokenIntrospectionConsumerClaims string[]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
accessTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
accessTokenIntrospectionHint string: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
accessTokenIntrospectionJwtClaims string[]: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
accessTokenIntrospectionLeeway number: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
accessTokenIntrospectionScopesClaims string[]: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
accessTokenIntrospectionScopesRequireds string[]: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
accessTokenIntrospectionTimeout number: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
accessTokenIssuer string: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
accessTokenJwksUri string: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
accessTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
accessTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
accessTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
accessTokenJwksUriRotatePeriod number: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
accessTokenKeyset string: The name of the keyset containing signing keys.
accessTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
accessTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
accessTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
accessTokenKeysetRotatePeriod number: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
accessTokenLeeway number: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
accessTokenOptional boolean: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
accessTokenRequestHeader string: This parameter tells the name of the header where to look for the access token.
accessTokenScopesClaims string[]: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
accessTokenScopesRequireds string[]: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
accessTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
accessTokenUpstreamHeader string: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
accessTokenUpstreamLeeway number: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
addAccessTokenClaims {[key: string]: string}: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addChannelTokenClaims {[key: string]: string}: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addClaims {[key: string]: string}: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
cacheAccessTokenIntrospection boolean: Whether to cache access token introspection results.
cacheChannelTokenIntrospection boolean: Whether to cache channel token introspection results.
channelTokenConsumerBies string[]: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
channelTokenConsumerClaims string[]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
channelTokenIntrospectionAuthorization string: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
channelTokenIntrospectionBodyArgs string: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
channelTokenIntrospectionConsumerBies string[]: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
channelTokenIntrospectionConsumerClaims string[]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
channelTokenIntrospectionEndpoint string: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
channelTokenIntrospectionHint string: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
channelTokenIntrospectionJwtClaims string[]: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
channelTokenIntrospectionLeeway number: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
channelTokenIntrospectionScopesClaims string[]: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
channelTokenIntrospectionScopesRequireds string[]: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
channelTokenIntrospectionTimeout number: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
channelTokenIssuer string: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
channelTokenJwksUri string: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
channelTokenJwksUriClientCertificate string: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
channelTokenJwksUriClientPassword string: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
channelTokenJwksUriClientUsername string: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
channelTokenJwksUriRotatePeriod number: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
channelTokenKeyset string: The name of the keyset containing signing keys.
channelTokenKeysetClientCertificate string: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
channelTokenKeysetClientPassword string: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
channelTokenKeysetClientUsername string: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
channelTokenKeysetRotatePeriod number: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
channelTokenLeeway number: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
channelTokenOptional boolean: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
channelTokenRequestHeader string: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
channelTokenScopesClaims string[]: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
channelTokenScopesRequireds string[]: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
channelTokenSigningAlgorithm string: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
channelTokenUpstreamHeader string: This plugin removes the config.channel_token_request_header from the request after reading its value.
channelTokenUpstreamLeeway number: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
enableAccessTokenIntrospection boolean: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
enableChannelTokenIntrospection boolean: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
enableHsSignatures boolean: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
enableInstrumentation boolean: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
originalAccessTokenUpstreamHeader string: The HTTP header name used to store the original access token.
originalChannelTokenUpstreamHeader string: The HTTP header name used to store the original channel token.
realm string: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
removeAccessTokenClaims string[]: remove claims. It should be an array, and each element is a claim key string.
removeChannelTokenClaims string[]: remove claims. It should be an array, and each element is a claim key string.
setAccessTokenClaims {[key: string]: string}: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setChannelTokenClaims {[key: string]: string}: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setClaims {[key: string]: string}: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
trustAccessTokenIntrospection boolean: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
trustChannelTokenIntrospection boolean: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
verifyAccessTokenExpiry boolean: Quickly turn access token expiry verification off and on as needed.
verifyAccessTokenIntrospectionExpiry boolean: Quickly turn access token introspection expiry verification off and on as needed.
verifyAccessTokenIntrospectionScopes boolean: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
verifyAccessTokenScopes boolean: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
verifyAccessTokenSignature boolean: Quickly turn access token signature verification off and on as needed.
verifyChannelTokenExpiry boolean
verifyChannelTokenIntrospectionExpiry boolean: Quickly turn on/off the channel token introspection expiry verification.
verifyChannelTokenIntrospectionScopes boolean: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
verifyChannelTokenScopes boolean: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
verifyChannelTokenSignature boolean: Quickly turn on/off the channel token signature verification.

access_token_consumer_bies Sequence[str]: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
access_token_consumer_claims Sequence[str]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
access_token_introspection_authorization str: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
access_token_introspection_body_args str: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
access_token_introspection_consumer_bies Sequence[str]: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
access_token_introspection_consumer_claims Sequence[str]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
access_token_introspection_endpoint str: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
access_token_introspection_hint str: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
access_token_introspection_jwt_claims Sequence[str]: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
access_token_introspection_leeway float: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
access_token_introspection_scopes_claims Sequence[str]: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
access_token_introspection_scopes_requireds Sequence[str]: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
access_token_introspection_timeout float: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
access_token_issuer str: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
access_token_jwks_uri str: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
access_token_jwks_uri_client_certificate str: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
access_token_jwks_uri_client_password str: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
access_token_jwks_uri_client_username str: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
access_token_jwks_uri_rotate_period float: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
access_token_keyset str: The name of the keyset containing signing keys.
access_token_keyset_client_certificate str: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
access_token_keyset_client_password str: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
access_token_keyset_client_username str: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
access_token_keyset_rotate_period float: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
access_token_leeway float: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
access_token_optional bool: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
access_token_request_header str: This parameter tells the name of the header where to look for the access token.
access_token_scopes_claims Sequence[str]: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
access_token_scopes_requireds Sequence[str]: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
access_token_signing_algorithm str: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
access_token_upstream_header str: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
access_token_upstream_leeway float: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
add_access_token_claims Mapping[str, str]: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
add_channel_token_claims Mapping[str, str]: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
add_claims Mapping[str, str]: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
cache_access_token_introspection bool: Whether to cache access token introspection results.
cache_channel_token_introspection bool: Whether to cache channel token introspection results.
channel_token_consumer_bies Sequence[str]: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
channel_token_consumer_claims Sequence[str]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
channel_token_introspection_authorization str: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
channel_token_introspection_body_args str: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
channel_token_introspection_consumer_bies Sequence[str]: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
channel_token_introspection_consumer_claims Sequence[str]: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
channel_token_introspection_endpoint str: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
channel_token_introspection_hint str: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
channel_token_introspection_jwt_claims Sequence[str]: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
channel_token_introspection_leeway float: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
channel_token_introspection_scopes_claims Sequence[str]: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
channel_token_introspection_scopes_requireds Sequence[str]: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
channel_token_introspection_timeout float: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
channel_token_issuer str: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
channel_token_jwks_uri str: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
channel_token_jwks_uri_client_certificate str: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
channel_token_jwks_uri_client_password str: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
channel_token_jwks_uri_client_username str: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
channel_token_jwks_uri_rotate_period float: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
channel_token_keyset str: The name of the keyset containing signing keys.
channel_token_keyset_client_certificate str: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
channel_token_keyset_client_password str: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
channel_token_keyset_client_username str: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
channel_token_keyset_rotate_period float: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
channel_token_leeway float: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
channel_token_optional bool: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
channel_token_request_header str: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
channel_token_scopes_claims Sequence[str]: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
channel_token_scopes_requireds Sequence[str]: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
channel_token_signing_algorithm str: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
channel_token_upstream_header str: This plugin removes the config.channel_token_request_header from the request after reading its value.
channel_token_upstream_leeway float: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
enable_access_token_introspection bool: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
enable_channel_token_introspection bool: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
enable_hs_signatures bool: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
enable_instrumentation bool: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
original_access_token_upstream_header str: The HTTP header name used to store the original access token.
original_channel_token_upstream_header str: The HTTP header name used to store the original channel token.
realm str: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
remove_access_token_claims Sequence[str]: remove claims. It should be an array, and each element is a claim key string.
remove_channel_token_claims Sequence[str]: remove claims. It should be an array, and each element is a claim key string.
set_access_token_claims Mapping[str, str]: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
set_channel_token_claims Mapping[str, str]: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
set_claims Mapping[str, str]: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
trust_access_token_introspection bool: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
trust_channel_token_introspection bool: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
verify_access_token_expiry bool: Quickly turn access token expiry verification off and on as needed.
verify_access_token_introspection_expiry bool: Quickly turn access token introspection expiry verification off and on as needed.
verify_access_token_introspection_scopes bool: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
verify_access_token_scopes bool: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
verify_access_token_signature bool: Quickly turn access token signature verification off and on as needed.
verify_channel_token_expiry bool
verify_channel_token_introspection_expiry bool: Quickly turn on/off the channel token introspection expiry verification.
verify_channel_token_introspection_scopes bool: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
verify_channel_token_scopes bool: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
verify_channel_token_signature bool: Quickly turn on/off the channel token signature verification.

accessTokenConsumerBies List<String>: When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are id, username, and custom_id.
accessTokenConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to Kong consumer entity.
accessTokenIntrospectionAuthorization String: If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.
accessTokenIntrospectionBodyArgs String: This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c.
accessTokenIntrospectionConsumerBies List<String>: When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
accessTokenIntrospectionConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in access token introspection results to the Kong consumer entity.
accessTokenIntrospectionEndpoint String: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.
accessTokenIntrospectionHint String: If you need to give hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token.
accessTokenIntrospectionJwtClaims List<String>: If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON). If the key cannot be found, the plugin responds with 401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized.
accessTokenIntrospectionLeeway Number: Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry.
accessTokenIntrospectionScopesClaims List<String>: Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], hich can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden.
accessTokenIntrospectionScopesRequireds List<String>: Specify the required values (or scopes) that are checked by an introspection claim/property specified by config.access_token_introspection_scopes_claim.
accessTokenIntrospectionTimeout Number: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on access token introspection.
accessTokenIssuer String: The iss claim of a signed or re-signed access token is set to this value. Original iss claim of the incoming token (possibly introspected) is stored in original_iss claim of the newly signed access token.
accessTokenJwksUri String: Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
accessTokenJwksUriClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
accessTokenJwksUriClientPassword String: The client password that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
accessTokenJwksUriClientUsername String: The client username that will be used to authenticate Kong if access_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
accessTokenJwksUriRotatePeriod Number: Specify the period (in seconds) to auto-rotate the jwks for access_token_jwks_uri. The default value 0 means no auto-rotation.
accessTokenKeyset String: The name of the keyset containing signing keys.
accessTokenKeysetClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_keyset is an https uri that requires mTLS Auth.
accessTokenKeysetClientPassword String: The client password that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
accessTokenKeysetClientUsername String: The client username that will be used to authenticate Kong if access_token_keyset is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
accessTokenKeysetRotatePeriod Number: Specify the period (in seconds) to auto-rotate the jwks for access_token_keyset. The default value 0 means no auto-rotation.
accessTokenLeeway Number: Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry.
accessTokenOptional Boolean: If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect
accessTokenRequestHeader String: This parameter tells the name of the header where to look for the access token.
accessTokenScopesClaims List<String>: Specify the claim in an access token to verify against values of config.access_token_scopes_required.
accessTokenScopesRequireds List<String>: Specify the required values (or scopes) that are checked by a claim specified by config.access_token_scopes_claim.
accessTokenSigningAlgorithm String: When this plugin sets the upstream header as specified with config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm.
accessTokenUpstreamHeader String: Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use null or "" (empty string), the plugin does not even try to sign or re-sign the token.
accessTokenUpstreamLeeway Number: If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's exp claim.
addAccessTokenClaims Map<String>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addChannelTokenClaims Map<String>: Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
addClaims Map<String>: Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
cacheAccessTokenIntrospection Boolean: Whether to cache access token introspection results.
cacheChannelTokenIntrospection Boolean: Whether to cache channel token introspection results.
channelTokenConsumerBies List<String>: When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id.
channelTokenConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden.
channelTokenIntrospectionAuthorization String: When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens.
channelTokenIntrospectionBodyArgs String: If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: resource= or a=1&b=&c.
channelTokenIntrospectionConsumerBies List<String>: When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username and custom_id.
channelTokenIntrospectionConsumerClaims List<String>: When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as sub or username) in channel token introspection results to Kong consumer entity
channelTokenIntrospectionEndpoint String: When you use opaque access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized instead.
channelTokenIntrospectionHint String: If you need to give hint parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint isn't sent with channel token introspection.
channelTokenIntrospectionJwtClaims List<String>: If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.
channelTokenIntrospectionLeeway Number: You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (JSON) exp claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry.
channelTokenIntrospectionScopesClaims List<String>: Use this parameter to specify the claim/property in channel token introspection results (JSON) to be verified against values of config.channel_token_introspection_scopes_required. This supports nested claims.
channelTokenIntrospectionScopesRequireds List<String>: Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by config.channel_token_introspection_scopes_claim.
channelTokenIntrospectionTimeout Number: Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the config.access_token_introspection_timeout on channel token introspection.
channelTokenIssuer String: The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token.
channelTokenJwksUri String: If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized.
channelTokenJwksUriClientCertificate String: The client certificate that will be used to authenticate Kong if access_token_jwks_uri is an https uri that requires mTLS Auth.
channelTokenJwksUriClientPassword String: The client password that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
channelTokenJwksUriClientUsername String: The client username that will be used to authenticate Kong if channel_token_jwks_uri is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
channelTokenJwksUriRotatePeriod Number: Specify the period (in seconds) to auto-rotate the jwks for channel_token_jwks_uri. The default value 0 means no auto-rotation.
channelTokenKeyset String: The name of the keyset containing signing keys.
channelTokenKeysetClientCertificate String: The client certificate that will be used to authenticate Kong if channel_token_keyset is an https uri that requires mTLS Auth.
channelTokenKeysetClientPassword String: The client password that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
channelTokenKeysetClientUsername String: The client username that will be used to authenticate Kong if channel_token_keyset is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
channelTokenKeysetRotatePeriod Number: Specify the period (in seconds) to auto-rotate the jwks for channel_token_keyset. The default value 0 means no auto-rotation.
channelTokenLeeway Number: Adjusts clock skew between the token issuer and Kong. The value will be added to token's exp claim before checking token expiry against Kong servers current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry.
channelTokenOptional Boolean: If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect
channelTokenRequestHeader String: This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to null or "" (empty string).
channelTokenScopesClaims List<String>: Specify the claim in a channel token to verify against values of config.channel_token_scopes_required. This supports nested claims.
channelTokenScopesRequireds List<String>: Specify the required values (or scopes) that are checked by a claim specified by config.channel_token_scopes_claim.
channelTokenSigningAlgorithm String: When this plugin sets the upstream header as specified with config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.
channelTokenUpstreamHeader String: This plugin removes the config.channel_token_request_header from the request after reading its value.
channelTokenUpstreamLeeway Number: If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's exp claim.
enableAccessTokenIntrospection Boolean: If you don't want to support opaque access tokens, change this configuration parameter to false to disable introspection.
enableChannelTokenIntrospection Boolean: If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to false.
enableHsSignatures Boolean: Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting.
enableInstrumentation Boolean: Writes log entries with some added information using ngx.CRIT (CRITICAL) level.
originalAccessTokenUpstreamHeader String: The HTTP header name used to store the original access token.
originalChannelTokenUpstreamHeader String: The HTTP header name used to store the original channel token.
realm String: When authentication or authorization fails, or there is an unexpected error, the plugin sends an WWW-Authenticate header with the realm attribute value.
removeAccessTokenClaims List<String>: remove claims. It should be an array, and each element is a claim key string.
removeChannelTokenClaims List<String>: remove claims. It should be an array, and each element is a claim key string.
setAccessTokenClaims Map<String>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setChannelTokenClaims Map<String>: Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
setClaims Map<String>: Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
trustAccessTokenIntrospection Boolean: Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to true, the expiry or scopes are not checked on a payload.
trustChannelTokenIntrospection Boolean: Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
verifyAccessTokenExpiry Boolean: Quickly turn access token expiry verification off and on as needed.
verifyAccessTokenIntrospectionExpiry Boolean: Quickly turn access token introspection expiry verification off and on as needed.
verifyAccessTokenIntrospectionScopes Boolean: Quickly turn off and on the access token introspection scopes verification, specified with config.access_token_introspection_scopes_required.
verifyAccessTokenScopes Boolean: Quickly turn off and on the access token required scopes verification, specified with config.access_token_scopes_required.
verifyAccessTokenSignature Boolean: Quickly turn access token signature verification off and on as needed.
verifyChannelTokenExpiry Boolean
verifyChannelTokenIntrospectionExpiry Boolean: Quickly turn on/off the channel token introspection expiry verification.
verifyChannelTokenIntrospectionScopes Boolean: Quickly turn on/off the channel token introspection scopes verification specified with config.channel_token_introspection_scopes_required.
verifyChannelTokenScopes Boolean: Quickly turn on/off the channel token required scopes verification specified with config.channel_token_scopes_required.
verifyChannelTokenSignature Boolean: Quickly turn on/off the channel token signature verification.

GetGatewayPluginJwtSignerOrdering

After GetGatewayPluginJwtSignerOrderingAfter
Before GetGatewayPluginJwtSignerOrderingBefore

After GetGatewayPluginJwtSignerOrderingAfter
Before GetGatewayPluginJwtSignerOrderingBefore

after GetGatewayPluginJwtSignerOrderingAfter
before GetGatewayPluginJwtSignerOrderingBefore

after GetGatewayPluginJwtSignerOrderingAfter
before GetGatewayPluginJwtSignerOrderingBefore

after GetGatewayPluginJwtSignerOrderingAfter
before GetGatewayPluginJwtSignerOrderingBefore

after Property Map
before Property Map

GetGatewayPluginJwtSignerOrderingAfter

Accesses List<string>

Accesses []string

accesses List<String>

accesses string[]

accesses Sequence[str]

accesses List<String>

GetGatewayPluginJwtSignerOrderingBefore

Accesses List<string>

Accesses []string

accesses List<String>

accesses string[]

accesses Sequence[str]

accesses List<String>

GetGatewayPluginJwtSignerRoute

Id string

Id string

id String

id string

id str

id String

GetGatewayPluginJwtSignerService

Id string

Id string

id String

id string

id str

id String

Package Details

Repository: konnect kong/terraform-provider-konnect
License
Notes: This Pulumi package is based on the konnect Terraform Provider.

konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong

kong/terraform-provider-konnect

konnect.getGatewayPluginJwtSigner

On this page

On this page

Using getGatewayPluginJwtSigner

getGatewayPluginJwtSigner Result

Supporting Types

GetGatewayPluginJwtSignerConfig

GetGatewayPluginJwtSignerOrdering

GetGatewayPluginJwtSignerOrderingAfter

GetGatewayPluginJwtSignerOrderingBefore

GetGatewayPluginJwtSignerRoute

GetGatewayPluginJwtSignerService

Package Details

On this page

On this page