Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. Konnect Provider
  3. API Docs
  4. getGatewayPluginOpenidConnect
konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong
kong/terraform-provider-konnect

konnect.getGatewayPluginOpenidConnect

Explore with Pulumi AI

konnect logo
konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong
kong/terraform-provider-konnect

    Using getGatewayPluginOpenidConnect

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getGatewayPluginOpenidConnect(args: GetGatewayPluginOpenidConnectArgs, opts?: InvokeOptions): Promise<GetGatewayPluginOpenidConnectResult>
function getGatewayPluginOpenidConnectOutput(args: GetGatewayPluginOpenidConnectOutputArgs, opts?: InvokeOptions): Output<GetGatewayPluginOpenidConnectResult>
    def get_gateway_plugin_openid_connect(control_plane_id: Optional[str] = None,
                                      opts: Optional[InvokeOptions] = None) -> GetGatewayPluginOpenidConnectResult
def get_gateway_plugin_openid_connect_output(control_plane_id: Optional[pulumi.Input[str]] = None,
                                      opts: Optional[InvokeOptions] = None) -> Output[GetGatewayPluginOpenidConnectResult]
    func LookupGatewayPluginOpenidConnect(ctx *Context, args *LookupGatewayPluginOpenidConnectArgs, opts ...InvokeOption) (*LookupGatewayPluginOpenidConnectResult, error)
func LookupGatewayPluginOpenidConnectOutput(ctx *Context, args *LookupGatewayPluginOpenidConnectOutputArgs, opts ...InvokeOption) LookupGatewayPluginOpenidConnectResultOutput

    > Note: This function is named LookupGatewayPluginOpenidConnect in the Go SDK.

    public static class GetGatewayPluginOpenidConnect 
{
    public static Task<GetGatewayPluginOpenidConnectResult> InvokeAsync(GetGatewayPluginOpenidConnectArgs args, InvokeOptions? opts = null)
    public static Output<GetGatewayPluginOpenidConnectResult> Invoke(GetGatewayPluginOpenidConnectInvokeArgs args, InvokeOptions? opts = null)
}
    public static CompletableFuture<GetGatewayPluginOpenidConnectResult> getGatewayPluginOpenidConnect(GetGatewayPluginOpenidConnectArgs args, InvokeOptions options)
public static Output<GetGatewayPluginOpenidConnectResult> getGatewayPluginOpenidConnect(GetGatewayPluginOpenidConnectArgs args, InvokeOptions options)

    fn::invoke:
  function: konnect:index/getGatewayPluginOpenidConnect:getGatewayPluginOpenidConnect
  arguments:
    # arguments dictionary

    The following arguments are supported:

    getGatewayPluginOpenidConnect Result

    The following output properties are available:

    Supporting Types

    GetGatewayPluginOpenidConnectConfig

    Anonymous string
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    AudienceClaims List<string>
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    AudienceRequireds List<string>
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    Audiences List<string>
    The audience passed to the authorization endpoint.
    AuthMethods List<string>
    Types of credentials/grants to enable.
    AuthenticatedGroupsClaims List<string>
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    AuthorizationCookieDomain string
    The authorization cookie Domain flag.
    AuthorizationCookieHttpOnly bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    AuthorizationCookieName string
    The authorization cookie name.
    AuthorizationCookiePath string
    The authorization cookie Path flag.
    AuthorizationCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    AuthorizationCookieSecure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    AuthorizationEndpoint string
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    AuthorizationQueryArgsClients List<string>
    Extra query arguments passed from the client to the authorization endpoint.
    AuthorizationQueryArgsNames List<string>
    Extra query argument names passed to the authorization endpoint.
    AuthorizationQueryArgsValues List<string>
    Extra query argument values passed to the authorization endpoint.
    AuthorizationRollingTimeout double
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    BearerTokenCookieName string
    The name of the cookie in which the bearer token is passed.
    BearerTokenParamTypes List<string>
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    ByUsernameIgnoreCase bool
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    CacheIntrospection bool
    Cache the introspection endpoint requests.
    CacheTokenExchange bool
    Cache the token exchange endpoint requests.
    CacheTokens bool
    Cache the token endpoint requests.
    CacheTokensSalt string
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    CacheTtl double
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    CacheTtlMax double
    The maximum cache ttl in seconds (enforced).
    CacheTtlMin double
    The minimum cache ttl in seconds (enforced).
    CacheTtlNeg double
    The negative cache ttl in seconds.
    CacheTtlResurrect double
    The resurrection ttl in seconds.
    CacheUserInfo bool
    Cache the user info requests.
    ClaimsForbiddens List<string>
    If given, these claims are forbidden in the token payload.
    ClientAlgs List<string>
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    ClientArg string
    The client to use for this request (the selection is made with a request parameter with the same name).
    ClientAuths List<string>
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    ClientCredentialsParamTypes List<string>
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    ClientIds List<string>
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    ClientJwks List<GetGatewayPluginOpenidConnectConfigClientJwk>
    The JWK used for the private_key_jwt authentication.
    ClientSecrets List<string>
    The client secret.
    ClusterCacheRedis GetGatewayPluginOpenidConnectConfigClusterCacheRedis
    ClusterCacheStrategy string
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    ConsumerBies List<string>
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    ConsumerClaims List<string>
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    ConsumerOptional bool
    Do not terminate the request if consumer mapping fails.
    CredentialClaims List<string>
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    DisableSessions List<string>
    Disable issuing the session cookie with the specified grants.
    DiscoveryHeadersNames List<string>
    Extra header names passed to the discovery endpoint.
    DiscoveryHeadersValues List<string>
    Extra header values passed to the discovery endpoint.
    DisplayErrors bool
    Display errors on failure responses.
    Domains List<string>
    The allowed values for the hd claim.
    DownstreamAccessTokenHeader string
    The downstream access token header.
    DownstreamAccessTokenJwkHeader string
    The downstream access token JWK header.
    DownstreamHeadersClaims List<string>
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    DownstreamHeadersNames List<string>
    The downstream header names for the claim values.
    DownstreamIdTokenHeader string
    The downstream id token header.
    DownstreamIdTokenJwkHeader string
    The downstream id token JWK header.
    DownstreamIntrospectionHeader string
    The downstream introspection header.
    DownstreamIntrospectionJwtHeader string
    The downstream introspection JWT header.
    DownstreamRefreshTokenHeader string
    The downstream refresh token header.
    DownstreamSessionIdHeader string
    The downstream session id header.
    DownstreamUserInfoHeader string
    The downstream user info header.
    DownstreamUserInfoJwtHeader string
    The downstream user info JWT header (in case the user info returns a JWT response).
    DpopProofLifetime double
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    DpopUseNonce bool
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    EnableHsSignatures bool
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    EndSessionEndpoint string
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    ExposeErrorCode bool
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    ExtraJwksUris List<string>
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    ForbiddenDestroySession bool
    Destroy any active session for the forbidden requests.
    ForbiddenErrorMessage string
    The error message for the forbidden requests (when not using the redirection).
    ForbiddenRedirectUris List<string>
    Where to redirect the client on forbidden requests.
    GroupsClaims List<string>
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    GroupsRequireds List<string>
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    HideCredentials bool
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    HttpProxy string
    The HTTP proxy.
    HttpProxyAuthorization string
    The HTTP proxy authorization.
    HttpVersion double
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    HttpsProxy string
    The HTTPS proxy.
    HttpsProxyAuthorization string
    The HTTPS proxy authorization.
    IdTokenParamName string
    The name of the parameter used to pass the id token.
    IdTokenParamTypes List<string>
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    IgnoreSignatures List<string>
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    IntrospectJwtTokens bool
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    IntrospectionAccept string
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    IntrospectionCheckActive bool
    Check that the introspection response has an active claim with a value of true.
    IntrospectionEndpoint string
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    IntrospectionEndpointAuthMethod string
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    IntrospectionHeadersClients List<string>
    Extra headers passed from the client to the introspection endpoint.
    IntrospectionHeadersNames List<string>
    Extra header names passed to the introspection endpoint.
    IntrospectionHeadersValues List<string>
    Extra header values passed to the introspection endpoint.
    IntrospectionHint string
    Introspection hint parameter value passed to the introspection endpoint.
    IntrospectionPostArgsClientHeaders List<string>
    Extra post arguments passed from the client headers to the introspection endpoint.
    IntrospectionPostArgsClients List<string>
    Extra post arguments passed from the client to the introspection endpoint.
    IntrospectionPostArgsNames List<string>
    Extra post argument names passed to the introspection endpoint.
    IntrospectionPostArgsValues List<string>
    Extra post argument values passed to the introspection endpoint.
    IntrospectionTokenParamName string
    Designate token's parameter name for introspection.
    Issuer string
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    IssuersAlloweds List<string>
    The issuers allowed to be present in the tokens (iss claim).
    JwtSessionClaim string
    The claim to match against the JWT session cookie.
    JwtSessionCookie string
    The name of the JWT session cookie.
    Keepalive bool
    Use keepalive with the HTTP client.
    Leeway double
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    LoginAction string
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    LoginMethods List<string>
    Enable login functionality with specified grants.
    LoginRedirectMode string
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    LoginRedirectUris List<string>
    Where to redirect the client when login_action is set to redirect.
    LoginTokens List<string>
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    LogoutMethods List<string>
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    LogoutPostArg string
    The request body argument that activates the logout.
    LogoutQueryArg string
    The request query argument that activates the logout.
    LogoutRedirectUris List<string>
    Where to redirect the client after the logout.
    LogoutRevoke bool

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    LogoutRevokeAccessToken bool
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    LogoutRevokeRefreshToken bool
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    LogoutUriSuffix string
    The request URI suffix that activates the logout.
    MaxAge double
    The maximum age (in seconds) compared to the auth_time claim.
    MtlsIntrospectionEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    MtlsRevocationEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    MtlsTokenEndpoint string
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    NoProxy string
    Do not use proxy with these hosts.
    PasswordParamTypes List<string>
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    PreserveQueryArgs bool
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    ProofOfPossessionAuthMethodsValidation bool
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    ProofOfPossessionDpop string
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    ProofOfPossessionMtls string
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    PushedAuthorizationRequestEndpoint string
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    PushedAuthorizationRequestEndpointAuthMethod string
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    RedirectUris List<string>
    The redirect URI passed to the authorization and token endpoints.
    Redis GetGatewayPluginOpenidConnectConfigRedis
    RediscoveryLifetime double
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    RefreshTokenParamName string
    The name of the parameter used to pass the refresh token.
    RefreshTokenParamTypes List<string>
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    RefreshTokens bool
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    RequireProofKeyForCodeExchange bool
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    RequirePushedAuthorizationRequests bool
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    RequireSignedRequestObject bool
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    ResolveDistributedClaims bool
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    ResponseMode string
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    ResponseTypes List<string>
    The response type passed to the authorization endpoint.
    Reverify bool
    Specifies whether to always verify tokens stored in the session.
    RevocationEndpoint string
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    RevocationEndpointAuthMethod string
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    RevocationTokenParamName string
    Designate token's parameter name for revocation.
    RolesClaims List<string>
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    RolesRequireds List<string>
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    RunOnPreflight bool
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    Scopes List<string>
    The scopes passed to the authorization and token endpoints.
    ScopesClaims List<string>
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    ScopesRequireds List<string>
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    SearchUserInfo bool
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    SessionAbsoluteTimeout double
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    SessionAudience string
    The session audience, which is the intended target application. For example "my-application".
    SessionCookieDomain string
    The session cookie Domain flag.
    SessionCookieHttpOnly bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    SessionCookieName string
    The session cookie name.
    SessionCookiePath string
    The session cookie Path flag.
    SessionCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    SessionCookieSecure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    SessionEnforceSameSubject bool
    When set to true, audiences are forced to share the same subject.
    SessionHashStorageKey bool
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    SessionHashSubject bool
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    SessionIdlingTimeout double
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    SessionMemcachedHost string
    The memcached host.
    SessionMemcachedPort double
    The memcached port.
    SessionMemcachedPrefix string
    The memcached session key prefix.
    SessionMemcachedSocket string
    The memcached unix socket path.
    SessionRemember bool
    Enables or disables persistent sessions.
    SessionRememberAbsoluteTimeout double
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    SessionRememberCookieName string
    Persistent session cookie name. Use with the remember configuration parameter.
    SessionRememberRollingTimeout double
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    SessionRequestHeaders List<string>
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    SessionResponseHeaders List<string>
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    SessionRollingTimeout double
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    SessionSecret string
    The session secret.
    SessionStorage string
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    SessionStoreMetadata bool
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    SslVerify bool
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    Timeout double
    Network IO timeout in milliseconds.
    TlsClientAuthCertId string
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    TlsClientAuthSslVerify bool
    Verify identity provider server certificate during mTLS client authentication.
    TokenCacheKeyIncludeScope bool
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    TokenEndpoint string
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    TokenEndpointAuthMethod string
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    TokenExchangeEndpoint string
    The token exchange endpoint.
    TokenHeadersClients List<string>
    Extra headers passed from the client to the token endpoint.
    TokenHeadersGrants List<string>
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    TokenHeadersNames List<string>
    Extra header names passed to the token endpoint.
    TokenHeadersPrefix string
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    TokenHeadersReplays List<string>
    The names of token endpoint response headers to forward to the downstream client.
    TokenHeadersValues List<string>
    Extra header values passed to the token endpoint.
    TokenPostArgsClients List<string>
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    TokenPostArgsNames List<string>
    Extra post argument names passed to the token endpoint.
    TokenPostArgsValues List<string>
    Extra post argument values passed to the token endpoint.
    UnauthorizedDestroySession bool
    Destroy any active session for the unauthorized requests.
    UnauthorizedErrorMessage string
    The error message for the unauthorized requests (when not using the redirection).
    UnauthorizedRedirectUris List<string>
    Where to redirect the client on unauthorized requests.
    UnexpectedRedirectUris List<string>
    Where to redirect the client when unexpected errors happen with the requests.
    UpstreamAccessTokenHeader string
    The upstream access token header.
    UpstreamAccessTokenJwkHeader string
    The upstream access token JWK header.
    UpstreamHeadersClaims List<string>
    The upstream header claims. Only top level claims are supported.
    UpstreamHeadersNames List<string>
    The upstream header names for the claim values.
    UpstreamIdTokenHeader string
    The upstream id token header.
    UpstreamIdTokenJwkHeader string
    The upstream id token JWK header.
    UpstreamIntrospectionHeader string
    The upstream introspection header.
    UpstreamIntrospectionJwtHeader string
    The upstream introspection JWT header.
    UpstreamRefreshTokenHeader string
    The upstream refresh token header.
    UpstreamSessionIdHeader string
    The upstream session id header.
    UpstreamUserInfoHeader string
    The upstream user info header.
    UpstreamUserInfoJwtHeader string
    The upstream user info JWT header (in case the user info returns a JWT response).
    UserinfoAccept string
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    UserinfoEndpoint string
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    UserinfoHeadersClients List<string>
    Extra headers passed from the client to the user info endpoint.
    UserinfoHeadersNames List<string>
    Extra header names passed to the user info endpoint.
    UserinfoHeadersValues List<string>
    Extra header values passed to the user info endpoint.
    UserinfoQueryArgsClients List<string>
    Extra query arguments passed from the client to the user info endpoint.
    UserinfoQueryArgsNames List<string>
    Extra query argument names passed to the user info endpoint.
    UserinfoQueryArgsValues List<string>
    Extra query argument values passed to the user info endpoint.
    UsingPseudoIssuer bool
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    VerifyClaims bool
    Verify tokens for standard claims.
    VerifyNonce bool
    Verify nonce on authorization code flow.
    VerifyParameters bool
    Verify plugin configuration against discovery.
    VerifySignature bool
    Verify signature of tokens.
    Anonymous string
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    AudienceClaims []string
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    AudienceRequireds []string
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    Audiences []string
    The audience passed to the authorization endpoint.
    AuthMethods []string
    Types of credentials/grants to enable.
    AuthenticatedGroupsClaims []string
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    AuthorizationCookieDomain string
    The authorization cookie Domain flag.
    AuthorizationCookieHttpOnly bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    AuthorizationCookieName string
    The authorization cookie name.
    AuthorizationCookiePath string
    The authorization cookie Path flag.
    AuthorizationCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    AuthorizationCookieSecure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    AuthorizationEndpoint string
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    AuthorizationQueryArgsClients []string
    Extra query arguments passed from the client to the authorization endpoint.
    AuthorizationQueryArgsNames []string
    Extra query argument names passed to the authorization endpoint.
    AuthorizationQueryArgsValues []string
    Extra query argument values passed to the authorization endpoint.
    AuthorizationRollingTimeout float64
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    BearerTokenCookieName string
    The name of the cookie in which the bearer token is passed.
    BearerTokenParamTypes []string
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    ByUsernameIgnoreCase bool
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    CacheIntrospection bool
    Cache the introspection endpoint requests.
    CacheTokenExchange bool
    Cache the token exchange endpoint requests.
    CacheTokens bool
    Cache the token endpoint requests.
    CacheTokensSalt string
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    CacheTtl float64
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    CacheTtlMax float64
    The maximum cache ttl in seconds (enforced).
    CacheTtlMin float64
    The minimum cache ttl in seconds (enforced).
    CacheTtlNeg float64
    The negative cache ttl in seconds.
    CacheTtlResurrect float64
    The resurrection ttl in seconds.
    CacheUserInfo bool
    Cache the user info requests.
    ClaimsForbiddens []string
    If given, these claims are forbidden in the token payload.
    ClientAlgs []string
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    ClientArg string
    The client to use for this request (the selection is made with a request parameter with the same name).
    ClientAuths []string
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    ClientCredentialsParamTypes []string
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    ClientIds []string
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    ClientJwks []GetGatewayPluginOpenidConnectConfigClientJwk
    The JWK used for the private_key_jwt authentication.
    ClientSecrets []string
    The client secret.
    ClusterCacheRedis GetGatewayPluginOpenidConnectConfigClusterCacheRedis
    ClusterCacheStrategy string
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    ConsumerBies []string
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    ConsumerClaims []string
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    ConsumerOptional bool
    Do not terminate the request if consumer mapping fails.
    CredentialClaims []string
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    DisableSessions []string
    Disable issuing the session cookie with the specified grants.
    DiscoveryHeadersNames []string
    Extra header names passed to the discovery endpoint.
    DiscoveryHeadersValues []string
    Extra header values passed to the discovery endpoint.
    DisplayErrors bool
    Display errors on failure responses.
    Domains []string
    The allowed values for the hd claim.
    DownstreamAccessTokenHeader string
    The downstream access token header.
    DownstreamAccessTokenJwkHeader string
    The downstream access token JWK header.
    DownstreamHeadersClaims []string
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    DownstreamHeadersNames []string
    The downstream header names for the claim values.
    DownstreamIdTokenHeader string
    The downstream id token header.
    DownstreamIdTokenJwkHeader string
    The downstream id token JWK header.
    DownstreamIntrospectionHeader string
    The downstream introspection header.
    DownstreamIntrospectionJwtHeader string
    The downstream introspection JWT header.
    DownstreamRefreshTokenHeader string
    The downstream refresh token header.
    DownstreamSessionIdHeader string
    The downstream session id header.
    DownstreamUserInfoHeader string
    The downstream user info header.
    DownstreamUserInfoJwtHeader string
    The downstream user info JWT header (in case the user info returns a JWT response).
    DpopProofLifetime float64
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    DpopUseNonce bool
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    EnableHsSignatures bool
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    EndSessionEndpoint string
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    ExposeErrorCode bool
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    ExtraJwksUris []string
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    ForbiddenDestroySession bool
    Destroy any active session for the forbidden requests.
    ForbiddenErrorMessage string
    The error message for the forbidden requests (when not using the redirection).
    ForbiddenRedirectUris []string
    Where to redirect the client on forbidden requests.
    GroupsClaims []string
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    GroupsRequireds []string
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    HideCredentials bool
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    HttpProxy string
    The HTTP proxy.
    HttpProxyAuthorization string
    The HTTP proxy authorization.
    HttpVersion float64
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    HttpsProxy string
    The HTTPS proxy.
    HttpsProxyAuthorization string
    The HTTPS proxy authorization.
    IdTokenParamName string
    The name of the parameter used to pass the id token.
    IdTokenParamTypes []string
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    IgnoreSignatures []string
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    IntrospectJwtTokens bool
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    IntrospectionAccept string
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    IntrospectionCheckActive bool
    Check that the introspection response has an active claim with a value of true.
    IntrospectionEndpoint string
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    IntrospectionEndpointAuthMethod string
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    IntrospectionHeadersClients []string
    Extra headers passed from the client to the introspection endpoint.
    IntrospectionHeadersNames []string
    Extra header names passed to the introspection endpoint.
    IntrospectionHeadersValues []string
    Extra header values passed to the introspection endpoint.
    IntrospectionHint string
    Introspection hint parameter value passed to the introspection endpoint.
    IntrospectionPostArgsClientHeaders []string
    Extra post arguments passed from the client headers to the introspection endpoint.
    IntrospectionPostArgsClients []string
    Extra post arguments passed from the client to the introspection endpoint.
    IntrospectionPostArgsNames []string
    Extra post argument names passed to the introspection endpoint.
    IntrospectionPostArgsValues []string
    Extra post argument values passed to the introspection endpoint.
    IntrospectionTokenParamName string
    Designate token's parameter name for introspection.
    Issuer string
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    IssuersAlloweds []string
    The issuers allowed to be present in the tokens (iss claim).
    JwtSessionClaim string
    The claim to match against the JWT session cookie.
    JwtSessionCookie string
    The name of the JWT session cookie.
    Keepalive bool
    Use keepalive with the HTTP client.
    Leeway float64
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    LoginAction string
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    LoginMethods []string
    Enable login functionality with specified grants.
    LoginRedirectMode string
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    LoginRedirectUris []string
    Where to redirect the client when login_action is set to redirect.
    LoginTokens []string
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    LogoutMethods []string
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    LogoutPostArg string
    The request body argument that activates the logout.
    LogoutQueryArg string
    The request query argument that activates the logout.
    LogoutRedirectUris []string
    Where to redirect the client after the logout.
    LogoutRevoke bool

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    LogoutRevokeAccessToken bool
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    LogoutRevokeRefreshToken bool
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    LogoutUriSuffix string
    The request URI suffix that activates the logout.
    MaxAge float64
    The maximum age (in seconds) compared to the auth_time claim.
    MtlsIntrospectionEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    MtlsRevocationEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    MtlsTokenEndpoint string
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    NoProxy string
    Do not use proxy with these hosts.
    PasswordParamTypes []string
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    PreserveQueryArgs bool
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    ProofOfPossessionAuthMethodsValidation bool
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    ProofOfPossessionDpop string
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    ProofOfPossessionMtls string
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    PushedAuthorizationRequestEndpoint string
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    PushedAuthorizationRequestEndpointAuthMethod string
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    RedirectUris []string
    The redirect URI passed to the authorization and token endpoints.
    Redis GetGatewayPluginOpenidConnectConfigRedis
    RediscoveryLifetime float64
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    RefreshTokenParamName string
    The name of the parameter used to pass the refresh token.
    RefreshTokenParamTypes []string
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    RefreshTokens bool
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    RequireProofKeyForCodeExchange bool
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    RequirePushedAuthorizationRequests bool
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    RequireSignedRequestObject bool
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    ResolveDistributedClaims bool
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    ResponseMode string
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    ResponseTypes []string
    The response type passed to the authorization endpoint.
    Reverify bool
    Specifies whether to always verify tokens stored in the session.
    RevocationEndpoint string
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    RevocationEndpointAuthMethod string
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    RevocationTokenParamName string
    Designate token's parameter name for revocation.
    RolesClaims []string
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    RolesRequireds []string
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    RunOnPreflight bool
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    Scopes []string
    The scopes passed to the authorization and token endpoints.
    ScopesClaims []string
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    ScopesRequireds []string
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    SearchUserInfo bool
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    SessionAbsoluteTimeout float64
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    SessionAudience string
    The session audience, which is the intended target application. For example "my-application".
    SessionCookieDomain string
    The session cookie Domain flag.
    SessionCookieHttpOnly bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    SessionCookieName string
    The session cookie name.
    SessionCookiePath string
    The session cookie Path flag.
    SessionCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    SessionCookieSecure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    SessionEnforceSameSubject bool
    When set to true, audiences are forced to share the same subject.
    SessionHashStorageKey bool
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    SessionHashSubject bool
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    SessionIdlingTimeout float64
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    SessionMemcachedHost string
    The memcached host.
    SessionMemcachedPort float64
    The memcached port.
    SessionMemcachedPrefix string
    The memcached session key prefix.
    SessionMemcachedSocket string
    The memcached unix socket path.
    SessionRemember bool
    Enables or disables persistent sessions.
    SessionRememberAbsoluteTimeout float64
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    SessionRememberCookieName string
    Persistent session cookie name. Use with the remember configuration parameter.
    SessionRememberRollingTimeout float64
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    SessionRequestHeaders []string
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    SessionResponseHeaders []string
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    SessionRollingTimeout float64
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    SessionSecret string
    The session secret.
    SessionStorage string
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    SessionStoreMetadata bool
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    SslVerify bool
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    Timeout float64
    Network IO timeout in milliseconds.
    TlsClientAuthCertId string
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    TlsClientAuthSslVerify bool
    Verify identity provider server certificate during mTLS client authentication.
    TokenCacheKeyIncludeScope bool
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    TokenEndpoint string
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    TokenEndpointAuthMethod string
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    TokenExchangeEndpoint string
    The token exchange endpoint.
    TokenHeadersClients []string
    Extra headers passed from the client to the token endpoint.
    TokenHeadersGrants []string
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    TokenHeadersNames []string
    Extra header names passed to the token endpoint.
    TokenHeadersPrefix string
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    TokenHeadersReplays []string
    The names of token endpoint response headers to forward to the downstream client.
    TokenHeadersValues []string
    Extra header values passed to the token endpoint.
    TokenPostArgsClients []string
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    TokenPostArgsNames []string
    Extra post argument names passed to the token endpoint.
    TokenPostArgsValues []string
    Extra post argument values passed to the token endpoint.
    UnauthorizedDestroySession bool
    Destroy any active session for the unauthorized requests.
    UnauthorizedErrorMessage string
    The error message for the unauthorized requests (when not using the redirection).
    UnauthorizedRedirectUris []string
    Where to redirect the client on unauthorized requests.
    UnexpectedRedirectUris []string
    Where to redirect the client when unexpected errors happen with the requests.
    UpstreamAccessTokenHeader string
    The upstream access token header.
    UpstreamAccessTokenJwkHeader string
    The upstream access token JWK header.
    UpstreamHeadersClaims []string
    The upstream header claims. Only top level claims are supported.
    UpstreamHeadersNames []string
    The upstream header names for the claim values.
    UpstreamIdTokenHeader string
    The upstream id token header.
    UpstreamIdTokenJwkHeader string
    The upstream id token JWK header.
    UpstreamIntrospectionHeader string
    The upstream introspection header.
    UpstreamIntrospectionJwtHeader string
    The upstream introspection JWT header.
    UpstreamRefreshTokenHeader string
    The upstream refresh token header.
    UpstreamSessionIdHeader string
    The upstream session id header.
    UpstreamUserInfoHeader string
    The upstream user info header.
    UpstreamUserInfoJwtHeader string
    The upstream user info JWT header (in case the user info returns a JWT response).
    UserinfoAccept string
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    UserinfoEndpoint string
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    UserinfoHeadersClients []string
    Extra headers passed from the client to the user info endpoint.
    UserinfoHeadersNames []string
    Extra header names passed to the user info endpoint.
    UserinfoHeadersValues []string
    Extra header values passed to the user info endpoint.
    UserinfoQueryArgsClients []string
    Extra query arguments passed from the client to the user info endpoint.
    UserinfoQueryArgsNames []string
    Extra query argument names passed to the user info endpoint.
    UserinfoQueryArgsValues []string
    Extra query argument values passed to the user info endpoint.
    UsingPseudoIssuer bool
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    VerifyClaims bool
    Verify tokens for standard claims.
    VerifyNonce bool
    Verify nonce on authorization code flow.
    VerifyParameters bool
    Verify plugin configuration against discovery.
    VerifySignature bool
    Verify signature of tokens.
    anonymous String
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    audienceClaims List<String>
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    audienceRequireds List<String>
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    audiences List<String>
    The audience passed to the authorization endpoint.
    authMethods List<String>
    Types of credentials/grants to enable.
    authenticatedGroupsClaims List<String>
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    authorizationCookieDomain String
    The authorization cookie Domain flag.
    authorizationCookieHttpOnly Boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    authorizationCookieName String
    The authorization cookie name.
    authorizationCookiePath String
    The authorization cookie Path flag.
    authorizationCookieSameSite String
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    authorizationCookieSecure Boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    authorizationEndpoint String
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    authorizationQueryArgsClients List<String>
    Extra query arguments passed from the client to the authorization endpoint.
    authorizationQueryArgsNames List<String>
    Extra query argument names passed to the authorization endpoint.
    authorizationQueryArgsValues List<String>
    Extra query argument values passed to the authorization endpoint.
    authorizationRollingTimeout Double
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    bearerTokenCookieName String
    The name of the cookie in which the bearer token is passed.
    bearerTokenParamTypes List<String>
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    byUsernameIgnoreCase Boolean
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    cacheIntrospection Boolean
    Cache the introspection endpoint requests.
    cacheTokenExchange Boolean
    Cache the token exchange endpoint requests.
    cacheTokens Boolean
    Cache the token endpoint requests.
    cacheTokensSalt String
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    cacheTtl Double
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    cacheTtlMax Double
    The maximum cache ttl in seconds (enforced).
    cacheTtlMin Double
    The minimum cache ttl in seconds (enforced).
    cacheTtlNeg Double
    The negative cache ttl in seconds.
    cacheTtlResurrect Double
    The resurrection ttl in seconds.
    cacheUserInfo Boolean
    Cache the user info requests.
    claimsForbiddens List<String>
    If given, these claims are forbidden in the token payload.
    clientAlgs List<String>
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    clientArg String
    The client to use for this request (the selection is made with a request parameter with the same name).
    clientAuths List<String>
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    clientCredentialsParamTypes List<String>
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    clientIds List<String>
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    clientJwks List<GetGatewayPluginOpenidConnectConfigClientJwk>
    The JWK used for the private_key_jwt authentication.
    clientSecrets List<String>
    The client secret.
    clusterCacheRedis GetGatewayPluginOpenidConnectConfigClusterCacheRedis
    clusterCacheStrategy String
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    consumerBies List<String>
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    consumerClaims List<String>
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    consumerOptional Boolean
    Do not terminate the request if consumer mapping fails.
    credentialClaims List<String>
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    disableSessions List<String>
    Disable issuing the session cookie with the specified grants.
    discoveryHeadersNames List<String>
    Extra header names passed to the discovery endpoint.
    discoveryHeadersValues List<String>
    Extra header values passed to the discovery endpoint.
    displayErrors Boolean
    Display errors on failure responses.
    domains List<String>
    The allowed values for the hd claim.
    downstreamAccessTokenHeader String
    The downstream access token header.
    downstreamAccessTokenJwkHeader String
    The downstream access token JWK header.
    downstreamHeadersClaims List<String>
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    downstreamHeadersNames List<String>
    The downstream header names for the claim values.
    downstreamIdTokenHeader String
    The downstream id token header.
    downstreamIdTokenJwkHeader String
    The downstream id token JWK header.
    downstreamIntrospectionHeader String
    The downstream introspection header.
    downstreamIntrospectionJwtHeader String
    The downstream introspection JWT header.
    downstreamRefreshTokenHeader String
    The downstream refresh token header.
    downstreamSessionIdHeader String
    The downstream session id header.
    downstreamUserInfoHeader String
    The downstream user info header.
    downstreamUserInfoJwtHeader String
    The downstream user info JWT header (in case the user info returns a JWT response).
    dpopProofLifetime Double
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    dpopUseNonce Boolean
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    enableHsSignatures Boolean
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    endSessionEndpoint String
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    exposeErrorCode Boolean
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    extraJwksUris List<String>
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    forbiddenDestroySession Boolean
    Destroy any active session for the forbidden requests.
    forbiddenErrorMessage String
    The error message for the forbidden requests (when not using the redirection).
    forbiddenRedirectUris List<String>
    Where to redirect the client on forbidden requests.
    groupsClaims List<String>
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    groupsRequireds List<String>
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    hideCredentials Boolean
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    httpProxy String
    The HTTP proxy.
    httpProxyAuthorization String
    The HTTP proxy authorization.
    httpVersion Double
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    httpsProxy String
    The HTTPS proxy.
    httpsProxyAuthorization String
    The HTTPS proxy authorization.
    idTokenParamName String
    The name of the parameter used to pass the id token.
    idTokenParamTypes List<String>
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    ignoreSignatures List<String>
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    introspectJwtTokens Boolean
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    introspectionAccept String
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    introspectionCheckActive Boolean
    Check that the introspection response has an active claim with a value of true.
    introspectionEndpoint String
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    introspectionEndpointAuthMethod String
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    introspectionHeadersClients List<String>
    Extra headers passed from the client to the introspection endpoint.
    introspectionHeadersNames List<String>
    Extra header names passed to the introspection endpoint.
    introspectionHeadersValues List<String>
    Extra header values passed to the introspection endpoint.
    introspectionHint String
    Introspection hint parameter value passed to the introspection endpoint.
    introspectionPostArgsClientHeaders List<String>
    Extra post arguments passed from the client headers to the introspection endpoint.
    introspectionPostArgsClients List<String>
    Extra post arguments passed from the client to the introspection endpoint.
    introspectionPostArgsNames List<String>
    Extra post argument names passed to the introspection endpoint.
    introspectionPostArgsValues List<String>
    Extra post argument values passed to the introspection endpoint.
    introspectionTokenParamName String
    Designate token's parameter name for introspection.
    issuer String
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    issuersAlloweds List<String>
    The issuers allowed to be present in the tokens (iss claim).
    jwtSessionClaim String
    The claim to match against the JWT session cookie.
    jwtSessionCookie String
    The name of the JWT session cookie.
    keepalive Boolean
    Use keepalive with the HTTP client.
    leeway Double
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    loginAction String
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    loginMethods List<String>
    Enable login functionality with specified grants.
    loginRedirectMode String
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    loginRedirectUris List<String>
    Where to redirect the client when login_action is set to redirect.
    loginTokens List<String>
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    logoutMethods List<String>
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    logoutPostArg String
    The request body argument that activates the logout.
    logoutQueryArg String
    The request query argument that activates the logout.
    logoutRedirectUris List<String>
    Where to redirect the client after the logout.
    logoutRevoke Boolean

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    logoutRevokeAccessToken Boolean
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    logoutRevokeRefreshToken Boolean
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    logoutUriSuffix String
    The request URI suffix that activates the logout.
    maxAge Double
    The maximum age (in seconds) compared to the auth_time claim.
    mtlsIntrospectionEndpoint String
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsRevocationEndpoint String
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsTokenEndpoint String
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    noProxy String
    Do not use proxy with these hosts.
    passwordParamTypes List<String>
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    preserveQueryArgs Boolean
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    proofOfPossessionAuthMethodsValidation Boolean
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    proofOfPossessionDpop String
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    proofOfPossessionMtls String
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    pushedAuthorizationRequestEndpoint String
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    pushedAuthorizationRequestEndpointAuthMethod String
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    redirectUris List<String>
    The redirect URI passed to the authorization and token endpoints.
    redis GetGatewayPluginOpenidConnectConfigRedis
    rediscoveryLifetime Double
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    refreshTokenParamName String
    The name of the parameter used to pass the refresh token.
    refreshTokenParamTypes List<String>
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    refreshTokens Boolean
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    requireProofKeyForCodeExchange Boolean
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    requirePushedAuthorizationRequests Boolean
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    requireSignedRequestObject Boolean
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    resolveDistributedClaims Boolean
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    responseMode String
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    responseTypes List<String>
    The response type passed to the authorization endpoint.
    reverify Boolean
    Specifies whether to always verify tokens stored in the session.
    revocationEndpoint String
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    revocationEndpointAuthMethod String
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    revocationTokenParamName String
    Designate token's parameter name for revocation.
    rolesClaims List<String>
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    rolesRequireds List<String>
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    runOnPreflight Boolean
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    scopes List<String>
    The scopes passed to the authorization and token endpoints.
    scopesClaims List<String>
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    scopesRequireds List<String>
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    searchUserInfo Boolean
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    sessionAbsoluteTimeout Double
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionAudience String
    The session audience, which is the intended target application. For example "my-application".
    sessionCookieDomain String
    The session cookie Domain flag.
    sessionCookieHttpOnly Boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    sessionCookieName String
    The session cookie name.
    sessionCookiePath String
    The session cookie Path flag.
    sessionCookieSameSite String
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    sessionCookieSecure Boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    sessionEnforceSameSubject Boolean
    When set to true, audiences are forced to share the same subject.
    sessionHashStorageKey Boolean
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    sessionHashSubject Boolean
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    sessionIdlingTimeout Double
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    sessionMemcachedHost String
    The memcached host.
    sessionMemcachedPort Double
    The memcached port.
    sessionMemcachedPrefix String
    The memcached session key prefix.
    sessionMemcachedSocket String
    The memcached unix socket path.
    sessionRemember Boolean
    Enables or disables persistent sessions.
    sessionRememberAbsoluteTimeout Double
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionRememberCookieName String
    Persistent session cookie name. Use with the remember configuration parameter.
    sessionRememberRollingTimeout Double
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    sessionRequestHeaders List<String>
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    sessionResponseHeaders List<String>
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    sessionRollingTimeout Double
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    sessionSecret String
    The session secret.
    sessionStorage String
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    sessionStoreMetadata Boolean
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    sslVerify Boolean
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    timeout Double
    Network IO timeout in milliseconds.
    tlsClientAuthCertId String
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    tlsClientAuthSslVerify Boolean
    Verify identity provider server certificate during mTLS client authentication.
    tokenCacheKeyIncludeScope Boolean
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    tokenEndpoint String
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    tokenEndpointAuthMethod String
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    tokenExchangeEndpoint String
    The token exchange endpoint.
    tokenHeadersClients List<String>
    Extra headers passed from the client to the token endpoint.
    tokenHeadersGrants List<String>
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    tokenHeadersNames List<String>
    Extra header names passed to the token endpoint.
    tokenHeadersPrefix String
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    tokenHeadersReplays List<String>
    The names of token endpoint response headers to forward to the downstream client.
    tokenHeadersValues List<String>
    Extra header values passed to the token endpoint.
    tokenPostArgsClients List<String>
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    tokenPostArgsNames List<String>
    Extra post argument names passed to the token endpoint.
    tokenPostArgsValues List<String>
    Extra post argument values passed to the token endpoint.
    unauthorizedDestroySession Boolean
    Destroy any active session for the unauthorized requests.
    unauthorizedErrorMessage String
    The error message for the unauthorized requests (when not using the redirection).
    unauthorizedRedirectUris List<String>
    Where to redirect the client on unauthorized requests.
    unexpectedRedirectUris List<String>
    Where to redirect the client when unexpected errors happen with the requests.
    upstreamAccessTokenHeader String
    The upstream access token header.
    upstreamAccessTokenJwkHeader String
    The upstream access token JWK header.
    upstreamHeadersClaims List<String>
    The upstream header claims. Only top level claims are supported.
    upstreamHeadersNames List<String>
    The upstream header names for the claim values.
    upstreamIdTokenHeader String
    The upstream id token header.
    upstreamIdTokenJwkHeader String
    The upstream id token JWK header.
    upstreamIntrospectionHeader String
    The upstream introspection header.
    upstreamIntrospectionJwtHeader String
    The upstream introspection JWT header.
    upstreamRefreshTokenHeader String
    The upstream refresh token header.
    upstreamSessionIdHeader String
    The upstream session id header.
    upstreamUserInfoHeader String
    The upstream user info header.
    upstreamUserInfoJwtHeader String
    The upstream user info JWT header (in case the user info returns a JWT response).
    userinfoAccept String
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    userinfoEndpoint String
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    userinfoHeadersClients List<String>
    Extra headers passed from the client to the user info endpoint.
    userinfoHeadersNames List<String>
    Extra header names passed to the user info endpoint.
    userinfoHeadersValues List<String>
    Extra header values passed to the user info endpoint.
    userinfoQueryArgsClients List<String>
    Extra query arguments passed from the client to the user info endpoint.
    userinfoQueryArgsNames List<String>
    Extra query argument names passed to the user info endpoint.
    userinfoQueryArgsValues List<String>
    Extra query argument values passed to the user info endpoint.
    usingPseudoIssuer Boolean
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    verifyClaims Boolean
    Verify tokens for standard claims.
    verifyNonce Boolean
    Verify nonce on authorization code flow.
    verifyParameters Boolean
    Verify plugin configuration against discovery.
    verifySignature Boolean
    Verify signature of tokens.
    anonymous string
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    audienceClaims string[]
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    audienceRequireds string[]
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    audiences string[]
    The audience passed to the authorization endpoint.
    authMethods string[]
    Types of credentials/grants to enable.
    authenticatedGroupsClaims string[]
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    authorizationCookieDomain string
    The authorization cookie Domain flag.
    authorizationCookieHttpOnly boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    authorizationCookieName string
    The authorization cookie name.
    authorizationCookiePath string
    The authorization cookie Path flag.
    authorizationCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    authorizationCookieSecure boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    authorizationEndpoint string
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    authorizationQueryArgsClients string[]
    Extra query arguments passed from the client to the authorization endpoint.
    authorizationQueryArgsNames string[]
    Extra query argument names passed to the authorization endpoint.
    authorizationQueryArgsValues string[]
    Extra query argument values passed to the authorization endpoint.
    authorizationRollingTimeout number
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    bearerTokenCookieName string
    The name of the cookie in which the bearer token is passed.
    bearerTokenParamTypes string[]
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    byUsernameIgnoreCase boolean
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    cacheIntrospection boolean
    Cache the introspection endpoint requests.
    cacheTokenExchange boolean
    Cache the token exchange endpoint requests.
    cacheTokens boolean
    Cache the token endpoint requests.
    cacheTokensSalt string
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    cacheTtl number
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    cacheTtlMax number
    The maximum cache ttl in seconds (enforced).
    cacheTtlMin number
    The minimum cache ttl in seconds (enforced).
    cacheTtlNeg number
    The negative cache ttl in seconds.
    cacheTtlResurrect number
    The resurrection ttl in seconds.
    cacheUserInfo boolean
    Cache the user info requests.
    claimsForbiddens string[]
    If given, these claims are forbidden in the token payload.
    clientAlgs string[]
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    clientArg string
    The client to use for this request (the selection is made with a request parameter with the same name).
    clientAuths string[]
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    clientCredentialsParamTypes string[]
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    clientIds string[]
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    clientJwks GetGatewayPluginOpenidConnectConfigClientJwk[]
    The JWK used for the private_key_jwt authentication.
    clientSecrets string[]
    The client secret.
    clusterCacheRedis GetGatewayPluginOpenidConnectConfigClusterCacheRedis
    clusterCacheStrategy string
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    consumerBies string[]
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    consumerClaims string[]
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    consumerOptional boolean
    Do not terminate the request if consumer mapping fails.
    credentialClaims string[]
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    disableSessions string[]
    Disable issuing the session cookie with the specified grants.
    discoveryHeadersNames string[]
    Extra header names passed to the discovery endpoint.
    discoveryHeadersValues string[]
    Extra header values passed to the discovery endpoint.
    displayErrors boolean
    Display errors on failure responses.
    domains string[]
    The allowed values for the hd claim.
    downstreamAccessTokenHeader string
    The downstream access token header.
    downstreamAccessTokenJwkHeader string
    The downstream access token JWK header.
    downstreamHeadersClaims string[]
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    downstreamHeadersNames string[]
    The downstream header names for the claim values.
    downstreamIdTokenHeader string
    The downstream id token header.
    downstreamIdTokenJwkHeader string
    The downstream id token JWK header.
    downstreamIntrospectionHeader string
    The downstream introspection header.
    downstreamIntrospectionJwtHeader string
    The downstream introspection JWT header.
    downstreamRefreshTokenHeader string
    The downstream refresh token header.
    downstreamSessionIdHeader string
    The downstream session id header.
    downstreamUserInfoHeader string
    The downstream user info header.
    downstreamUserInfoJwtHeader string
    The downstream user info JWT header (in case the user info returns a JWT response).
    dpopProofLifetime number
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    dpopUseNonce boolean
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    enableHsSignatures boolean
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    endSessionEndpoint string
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    exposeErrorCode boolean
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    extraJwksUris string[]
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    forbiddenDestroySession boolean
    Destroy any active session for the forbidden requests.
    forbiddenErrorMessage string
    The error message for the forbidden requests (when not using the redirection).
    forbiddenRedirectUris string[]
    Where to redirect the client on forbidden requests.
    groupsClaims string[]
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    groupsRequireds string[]
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    hideCredentials boolean
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    httpProxy string
    The HTTP proxy.
    httpProxyAuthorization string
    The HTTP proxy authorization.
    httpVersion number
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    httpsProxy string
    The HTTPS proxy.
    httpsProxyAuthorization string
    The HTTPS proxy authorization.
    idTokenParamName string
    The name of the parameter used to pass the id token.
    idTokenParamTypes string[]
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    ignoreSignatures string[]
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    introspectJwtTokens boolean
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    introspectionAccept string
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    introspectionCheckActive boolean
    Check that the introspection response has an active claim with a value of true.
    introspectionEndpoint string
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    introspectionEndpointAuthMethod string
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    introspectionHeadersClients string[]
    Extra headers passed from the client to the introspection endpoint.
    introspectionHeadersNames string[]
    Extra header names passed to the introspection endpoint.
    introspectionHeadersValues string[]
    Extra header values passed to the introspection endpoint.
    introspectionHint string
    Introspection hint parameter value passed to the introspection endpoint.
    introspectionPostArgsClientHeaders string[]
    Extra post arguments passed from the client headers to the introspection endpoint.
    introspectionPostArgsClients string[]
    Extra post arguments passed from the client to the introspection endpoint.
    introspectionPostArgsNames string[]
    Extra post argument names passed to the introspection endpoint.
    introspectionPostArgsValues string[]
    Extra post argument values passed to the introspection endpoint.
    introspectionTokenParamName string
    Designate token's parameter name for introspection.
    issuer string
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    issuersAlloweds string[]
    The issuers allowed to be present in the tokens (iss claim).
    jwtSessionClaim string
    The claim to match against the JWT session cookie.
    jwtSessionCookie string
    The name of the JWT session cookie.
    keepalive boolean
    Use keepalive with the HTTP client.
    leeway number
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    loginAction string
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    loginMethods string[]
    Enable login functionality with specified grants.
    loginRedirectMode string
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    loginRedirectUris string[]
    Where to redirect the client when login_action is set to redirect.
    loginTokens string[]
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    logoutMethods string[]
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    logoutPostArg string
    The request body argument that activates the logout.
    logoutQueryArg string
    The request query argument that activates the logout.
    logoutRedirectUris string[]
    Where to redirect the client after the logout.
    logoutRevoke boolean

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    logoutRevokeAccessToken boolean
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    logoutRevokeRefreshToken boolean
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    logoutUriSuffix string
    The request URI suffix that activates the logout.
    maxAge number
    The maximum age (in seconds) compared to the auth_time claim.
    mtlsIntrospectionEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsRevocationEndpoint string
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsTokenEndpoint string
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    noProxy string
    Do not use proxy with these hosts.
    passwordParamTypes string[]
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    preserveQueryArgs boolean
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    proofOfPossessionAuthMethodsValidation boolean
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    proofOfPossessionDpop string
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    proofOfPossessionMtls string
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    pushedAuthorizationRequestEndpoint string
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    pushedAuthorizationRequestEndpointAuthMethod string
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    redirectUris string[]
    The redirect URI passed to the authorization and token endpoints.
    redis GetGatewayPluginOpenidConnectConfigRedis
    rediscoveryLifetime number
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    refreshTokenParamName string
    The name of the parameter used to pass the refresh token.
    refreshTokenParamTypes string[]
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    refreshTokens boolean
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    requireProofKeyForCodeExchange boolean
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    requirePushedAuthorizationRequests boolean
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    requireSignedRequestObject boolean
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    resolveDistributedClaims boolean
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    responseMode string
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    responseTypes string[]
    The response type passed to the authorization endpoint.
    reverify boolean
    Specifies whether to always verify tokens stored in the session.
    revocationEndpoint string
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    revocationEndpointAuthMethod string
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    revocationTokenParamName string
    Designate token's parameter name for revocation.
    rolesClaims string[]
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    rolesRequireds string[]
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    runOnPreflight boolean
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    scopes string[]
    The scopes passed to the authorization and token endpoints.
    scopesClaims string[]
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    scopesRequireds string[]
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    searchUserInfo boolean
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    sessionAbsoluteTimeout number
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionAudience string
    The session audience, which is the intended target application. For example "my-application".
    sessionCookieDomain string
    The session cookie Domain flag.
    sessionCookieHttpOnly boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    sessionCookieName string
    The session cookie name.
    sessionCookiePath string
    The session cookie Path flag.
    sessionCookieSameSite string
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    sessionCookieSecure boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    sessionEnforceSameSubject boolean
    When set to true, audiences are forced to share the same subject.
    sessionHashStorageKey boolean
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    sessionHashSubject boolean
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    sessionIdlingTimeout number
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    sessionMemcachedHost string
    The memcached host.
    sessionMemcachedPort number
    The memcached port.
    sessionMemcachedPrefix string
    The memcached session key prefix.
    sessionMemcachedSocket string
    The memcached unix socket path.
    sessionRemember boolean
    Enables or disables persistent sessions.
    sessionRememberAbsoluteTimeout number
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionRememberCookieName string
    Persistent session cookie name. Use with the remember configuration parameter.
    sessionRememberRollingTimeout number
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    sessionRequestHeaders string[]
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    sessionResponseHeaders string[]
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    sessionRollingTimeout number
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    sessionSecret string
    The session secret.
    sessionStorage string
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    sessionStoreMetadata boolean
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    sslVerify boolean
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    timeout number
    Network IO timeout in milliseconds.
    tlsClientAuthCertId string
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    tlsClientAuthSslVerify boolean
    Verify identity provider server certificate during mTLS client authentication.
    tokenCacheKeyIncludeScope boolean
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    tokenEndpoint string
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    tokenEndpointAuthMethod string
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    tokenExchangeEndpoint string
    The token exchange endpoint.
    tokenHeadersClients string[]
    Extra headers passed from the client to the token endpoint.
    tokenHeadersGrants string[]
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    tokenHeadersNames string[]
    Extra header names passed to the token endpoint.
    tokenHeadersPrefix string
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    tokenHeadersReplays string[]
    The names of token endpoint response headers to forward to the downstream client.
    tokenHeadersValues string[]
    Extra header values passed to the token endpoint.
    tokenPostArgsClients string[]
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    tokenPostArgsNames string[]
    Extra post argument names passed to the token endpoint.
    tokenPostArgsValues string[]
    Extra post argument values passed to the token endpoint.
    unauthorizedDestroySession boolean
    Destroy any active session for the unauthorized requests.
    unauthorizedErrorMessage string
    The error message for the unauthorized requests (when not using the redirection).
    unauthorizedRedirectUris string[]
    Where to redirect the client on unauthorized requests.
    unexpectedRedirectUris string[]
    Where to redirect the client when unexpected errors happen with the requests.
    upstreamAccessTokenHeader string
    The upstream access token header.
    upstreamAccessTokenJwkHeader string
    The upstream access token JWK header.
    upstreamHeadersClaims string[]
    The upstream header claims. Only top level claims are supported.
    upstreamHeadersNames string[]
    The upstream header names for the claim values.
    upstreamIdTokenHeader string
    The upstream id token header.
    upstreamIdTokenJwkHeader string
    The upstream id token JWK header.
    upstreamIntrospectionHeader string
    The upstream introspection header.
    upstreamIntrospectionJwtHeader string
    The upstream introspection JWT header.
    upstreamRefreshTokenHeader string
    The upstream refresh token header.
    upstreamSessionIdHeader string
    The upstream session id header.
    upstreamUserInfoHeader string
    The upstream user info header.
    upstreamUserInfoJwtHeader string
    The upstream user info JWT header (in case the user info returns a JWT response).
    userinfoAccept string
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    userinfoEndpoint string
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    userinfoHeadersClients string[]
    Extra headers passed from the client to the user info endpoint.
    userinfoHeadersNames string[]
    Extra header names passed to the user info endpoint.
    userinfoHeadersValues string[]
    Extra header values passed to the user info endpoint.
    userinfoQueryArgsClients string[]
    Extra query arguments passed from the client to the user info endpoint.
    userinfoQueryArgsNames string[]
    Extra query argument names passed to the user info endpoint.
    userinfoQueryArgsValues string[]
    Extra query argument values passed to the user info endpoint.
    usingPseudoIssuer boolean
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    verifyClaims boolean
    Verify tokens for standard claims.
    verifyNonce boolean
    Verify nonce on authorization code flow.
    verifyParameters boolean
    Verify plugin configuration against discovery.
    verifySignature boolean
    Verify signature of tokens.
    anonymous str
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    audience_claims Sequence[str]
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    audience_requireds Sequence[str]
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    audiences Sequence[str]
    The audience passed to the authorization endpoint.
    auth_methods Sequence[str]
    Types of credentials/grants to enable.
    authenticated_groups_claims Sequence[str]
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    authorization_cookie_domain str
    The authorization cookie Domain flag.
    authorization_cookie_http_only bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    authorization_cookie_name str
    The authorization cookie name.
    authorization_cookie_path str
    The authorization cookie Path flag.
    authorization_cookie_same_site str
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    authorization_cookie_secure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    authorization_endpoint str
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    authorization_query_args_clients Sequence[str]
    Extra query arguments passed from the client to the authorization endpoint.
    authorization_query_args_names Sequence[str]
    Extra query argument names passed to the authorization endpoint.
    authorization_query_args_values Sequence[str]
    Extra query argument values passed to the authorization endpoint.
    authorization_rolling_timeout float
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    bearer_token_cookie_name str
    The name of the cookie in which the bearer token is passed.
    bearer_token_param_types Sequence[str]
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    by_username_ignore_case bool
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    cache_introspection bool
    Cache the introspection endpoint requests.
    cache_token_exchange bool
    Cache the token exchange endpoint requests.
    cache_tokens bool
    Cache the token endpoint requests.
    cache_tokens_salt str
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    cache_ttl float
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    cache_ttl_max float
    The maximum cache ttl in seconds (enforced).
    cache_ttl_min float
    The minimum cache ttl in seconds (enforced).
    cache_ttl_neg float
    The negative cache ttl in seconds.
    cache_ttl_resurrect float
    The resurrection ttl in seconds.
    cache_user_info bool
    Cache the user info requests.
    claims_forbiddens Sequence[str]
    If given, these claims are forbidden in the token payload.
    client_algs Sequence[str]
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    client_arg str
    The client to use for this request (the selection is made with a request parameter with the same name).
    client_auths Sequence[str]
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    client_credentials_param_types Sequence[str]
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    client_ids Sequence[str]
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    client_jwks Sequence[GetGatewayPluginOpenidConnectConfigClientJwk]
    The JWK used for the private_key_jwt authentication.
    client_secrets Sequence[str]
    The client secret.
    cluster_cache_redis GetGatewayPluginOpenidConnectConfigClusterCacheRedis
    cluster_cache_strategy str
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    consumer_bies Sequence[str]
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    consumer_claims Sequence[str]
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    consumer_optional bool
    Do not terminate the request if consumer mapping fails.
    credential_claims Sequence[str]
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    disable_sessions Sequence[str]
    Disable issuing the session cookie with the specified grants.
    discovery_headers_names Sequence[str]
    Extra header names passed to the discovery endpoint.
    discovery_headers_values Sequence[str]
    Extra header values passed to the discovery endpoint.
    display_errors bool
    Display errors on failure responses.
    domains Sequence[str]
    The allowed values for the hd claim.
    downstream_access_token_header str
    The downstream access token header.
    downstream_access_token_jwk_header str
    The downstream access token JWK header.
    downstream_headers_claims Sequence[str]
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    downstream_headers_names Sequence[str]
    The downstream header names for the claim values.
    downstream_id_token_header str
    The downstream id token header.
    downstream_id_token_jwk_header str
    The downstream id token JWK header.
    downstream_introspection_header str
    The downstream introspection header.
    downstream_introspection_jwt_header str
    The downstream introspection JWT header.
    downstream_refresh_token_header str
    The downstream refresh token header.
    downstream_session_id_header str
    The downstream session id header.
    downstream_user_info_header str
    The downstream user info header.
    downstream_user_info_jwt_header str
    The downstream user info JWT header (in case the user info returns a JWT response).
    dpop_proof_lifetime float
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    dpop_use_nonce bool
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    enable_hs_signatures bool
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    end_session_endpoint str
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    expose_error_code bool
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    extra_jwks_uris Sequence[str]
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    forbidden_destroy_session bool
    Destroy any active session for the forbidden requests.
    forbidden_error_message str
    The error message for the forbidden requests (when not using the redirection).
    forbidden_redirect_uris Sequence[str]
    Where to redirect the client on forbidden requests.
    groups_claims Sequence[str]
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    groups_requireds Sequence[str]
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    hide_credentials bool
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    http_proxy str
    The HTTP proxy.
    http_proxy_authorization str
    The HTTP proxy authorization.
    http_version float
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    https_proxy str
    The HTTPS proxy.
    https_proxy_authorization str
    The HTTPS proxy authorization.
    id_token_param_name str
    The name of the parameter used to pass the id token.
    id_token_param_types Sequence[str]
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    ignore_signatures Sequence[str]
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    introspect_jwt_tokens bool
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    introspection_accept str
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    introspection_check_active bool
    Check that the introspection response has an active claim with a value of true.
    introspection_endpoint str
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    introspection_endpoint_auth_method str
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    introspection_headers_clients Sequence[str]
    Extra headers passed from the client to the introspection endpoint.
    introspection_headers_names Sequence[str]
    Extra header names passed to the introspection endpoint.
    introspection_headers_values Sequence[str]
    Extra header values passed to the introspection endpoint.
    introspection_hint str
    Introspection hint parameter value passed to the introspection endpoint.
    introspection_post_args_client_headers Sequence[str]
    Extra post arguments passed from the client headers to the introspection endpoint.
    introspection_post_args_clients Sequence[str]
    Extra post arguments passed from the client to the introspection endpoint.
    introspection_post_args_names Sequence[str]
    Extra post argument names passed to the introspection endpoint.
    introspection_post_args_values Sequence[str]
    Extra post argument values passed to the introspection endpoint.
    introspection_token_param_name str
    Designate token's parameter name for introspection.
    issuer str
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    issuers_alloweds Sequence[str]
    The issuers allowed to be present in the tokens (iss claim).
    jwt_session_claim str
    The claim to match against the JWT session cookie.
    jwt_session_cookie str
    The name of the JWT session cookie.
    keepalive bool
    Use keepalive with the HTTP client.
    leeway float
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    login_action str
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    login_methods Sequence[str]
    Enable login functionality with specified grants.
    login_redirect_mode str
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    login_redirect_uris Sequence[str]
    Where to redirect the client when login_action is set to redirect.
    login_tokens Sequence[str]
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    logout_methods Sequence[str]
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    logout_post_arg str
    The request body argument that activates the logout.
    logout_query_arg str
    The request query argument that activates the logout.
    logout_redirect_uris Sequence[str]
    Where to redirect the client after the logout.
    logout_revoke bool

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    logout_revoke_access_token bool
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    logout_revoke_refresh_token bool
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    logout_uri_suffix str
    The request URI suffix that activates the logout.
    max_age float
    The maximum age (in seconds) compared to the auth_time claim.
    mtls_introspection_endpoint str
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtls_revocation_endpoint str
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtls_token_endpoint str
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    no_proxy str
    Do not use proxy with these hosts.
    password_param_types Sequence[str]
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    preserve_query_args bool
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    proof_of_possession_auth_methods_validation bool
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    proof_of_possession_dpop str
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    proof_of_possession_mtls str
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    pushed_authorization_request_endpoint str
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    pushed_authorization_request_endpoint_auth_method str
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    redirect_uris Sequence[str]
    The redirect URI passed to the authorization and token endpoints.
    redis GetGatewayPluginOpenidConnectConfigRedis
    rediscovery_lifetime float
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    refresh_token_param_name str
    The name of the parameter used to pass the refresh token.
    refresh_token_param_types Sequence[str]
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    refresh_tokens bool
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    require_proof_key_for_code_exchange bool
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    require_pushed_authorization_requests bool
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    require_signed_request_object bool
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    resolve_distributed_claims bool
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    response_mode str
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    response_types Sequence[str]
    The response type passed to the authorization endpoint.
    reverify bool
    Specifies whether to always verify tokens stored in the session.
    revocation_endpoint str
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    revocation_endpoint_auth_method str
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    revocation_token_param_name str
    Designate token's parameter name for revocation.
    roles_claims Sequence[str]
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    roles_requireds Sequence[str]
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    run_on_preflight bool
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    scopes Sequence[str]
    The scopes passed to the authorization and token endpoints.
    scopes_claims Sequence[str]
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    scopes_requireds Sequence[str]
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    search_user_info bool
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    session_absolute_timeout float
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    session_audience str
    The session audience, which is the intended target application. For example "my-application".
    session_cookie_domain str
    The session cookie Domain flag.
    session_cookie_http_only bool
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    session_cookie_name str
    The session cookie name.
    session_cookie_path str
    The session cookie Path flag.
    session_cookie_same_site str
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    session_cookie_secure bool
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    session_enforce_same_subject bool
    When set to true, audiences are forced to share the same subject.
    session_hash_storage_key bool
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    session_hash_subject bool
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    session_idling_timeout float
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    session_memcached_host str
    The memcached host.
    session_memcached_port float
    The memcached port.
    session_memcached_prefix str
    The memcached session key prefix.
    session_memcached_socket str
    The memcached unix socket path.
    session_remember bool
    Enables or disables persistent sessions.
    session_remember_absolute_timeout float
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    session_remember_cookie_name str
    Persistent session cookie name. Use with the remember configuration parameter.
    session_remember_rolling_timeout float
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    session_request_headers Sequence[str]
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    session_response_headers Sequence[str]
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    session_rolling_timeout float
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    session_secret str
    The session secret.
    session_storage str
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    session_store_metadata bool
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    ssl_verify bool
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    timeout float
    Network IO timeout in milliseconds.
    tls_client_auth_cert_id str
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    tls_client_auth_ssl_verify bool
    Verify identity provider server certificate during mTLS client authentication.
    token_cache_key_include_scope bool
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    token_endpoint str
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    token_endpoint_auth_method str
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    token_exchange_endpoint str
    The token exchange endpoint.
    token_headers_clients Sequence[str]
    Extra headers passed from the client to the token endpoint.
    token_headers_grants Sequence[str]
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    token_headers_names Sequence[str]
    Extra header names passed to the token endpoint.
    token_headers_prefix str
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    token_headers_replays Sequence[str]
    The names of token endpoint response headers to forward to the downstream client.
    token_headers_values Sequence[str]
    Extra header values passed to the token endpoint.
    token_post_args_clients Sequence[str]
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    token_post_args_names Sequence[str]
    Extra post argument names passed to the token endpoint.
    token_post_args_values Sequence[str]
    Extra post argument values passed to the token endpoint.
    unauthorized_destroy_session bool
    Destroy any active session for the unauthorized requests.
    unauthorized_error_message str
    The error message for the unauthorized requests (when not using the redirection).
    unauthorized_redirect_uris Sequence[str]
    Where to redirect the client on unauthorized requests.
    unexpected_redirect_uris Sequence[str]
    Where to redirect the client when unexpected errors happen with the requests.
    upstream_access_token_header str
    The upstream access token header.
    upstream_access_token_jwk_header str
    The upstream access token JWK header.
    upstream_headers_claims Sequence[str]
    The upstream header claims. Only top level claims are supported.
    upstream_headers_names Sequence[str]
    The upstream header names for the claim values.
    upstream_id_token_header str
    The upstream id token header.
    upstream_id_token_jwk_header str
    The upstream id token JWK header.
    upstream_introspection_header str
    The upstream introspection header.
    upstream_introspection_jwt_header str
    The upstream introspection JWT header.
    upstream_refresh_token_header str
    The upstream refresh token header.
    upstream_session_id_header str
    The upstream session id header.
    upstream_user_info_header str
    The upstream user info header.
    upstream_user_info_jwt_header str
    The upstream user info JWT header (in case the user info returns a JWT response).
    userinfo_accept str
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    userinfo_endpoint str
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    userinfo_headers_clients Sequence[str]
    Extra headers passed from the client to the user info endpoint.
    userinfo_headers_names Sequence[str]
    Extra header names passed to the user info endpoint.
    userinfo_headers_values Sequence[str]
    Extra header values passed to the user info endpoint.
    userinfo_query_args_clients Sequence[str]
    Extra query arguments passed from the client to the user info endpoint.
    userinfo_query_args_names Sequence[str]
    Extra query argument names passed to the user info endpoint.
    userinfo_query_args_values Sequence[str]
    Extra query argument values passed to the user info endpoint.
    using_pseudo_issuer bool
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    verify_claims bool
    Verify tokens for standard claims.
    verify_nonce bool
    Verify nonce on authorization code flow.
    verify_parameters bool
    Verify plugin configuration against discovery.
    verify_signature bool
    Verify signature of tokens.
    anonymous String
    An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a 4xx HTTP status code. This value must refer to the consumer id or username attribute, and not its custom_id.
    audienceClaims List<String>
    The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.
    audienceRequireds List<String>
    The audiences (audience_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    audiences List<String>
    The audience passed to the authorization endpoint.
    authMethods List<String>
    Types of credentials/grants to enable.
    authenticatedGroupsClaims List<String>
    The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.
    authorizationCookieDomain String
    The authorization cookie Domain flag.
    authorizationCookieHttpOnly Boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    authorizationCookieName String
    The authorization cookie name.
    authorizationCookiePath String
    The authorization cookie Path flag.
    authorizationCookieSameSite String
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    authorizationCookieSecure Boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    authorizationEndpoint String
    The authorization endpoint. If set it overrides the value in authorization_endpoint returned by the discovery endpoint.
    authorizationQueryArgsClients List<String>
    Extra query arguments passed from the client to the authorization endpoint.
    authorizationQueryArgsNames List<String>
    Extra query argument names passed to the authorization endpoint.
    authorizationQueryArgsValues List<String>
    Extra query argument values passed to the authorization endpoint.
    authorizationRollingTimeout Number
    Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    bearerTokenCookieName String
    The name of the cookie in which the bearer token is passed.
    bearerTokenParamTypes List<String>
    Where to look for the bearer token: - header: search the Authorization, access-token, and x-access-token HTTP headers - query: search the URL's query string - body: search the HTTP request body - cookie: search the HTTP request cookies specified with config.bearer_token_cookie_name.
    byUsernameIgnoreCase Boolean
    If consumer_by is set to username, specify whether username can match consumers case-insensitively.
    cacheIntrospection Boolean
    Cache the introspection endpoint requests.
    cacheTokenExchange Boolean
    Cache the token exchange endpoint requests.
    cacheTokens Boolean
    Cache the token endpoint requests.
    cacheTokensSalt String
    Salt used for generating the cache key that is used for caching the token endpoint requests.
    cacheTtl Number
    The default cache ttl in seconds that is used in case the cached object does not specify the expiry.
    cacheTtlMax Number
    The maximum cache ttl in seconds (enforced).
    cacheTtlMin Number
    The minimum cache ttl in seconds (enforced).
    cacheTtlNeg Number
    The negative cache ttl in seconds.
    cacheTtlResurrect Number
    The resurrection ttl in seconds.
    cacheUserInfo Boolean
    Cache the user info requests.
    claimsForbiddens List<String>
    If given, these claims are forbidden in the token payload.
    clientAlgs List<String>
    The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.
    clientArg String
    The client to use for this request (the selection is made with a request parameter with the same name).
    clientAuths List<String>
    The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).
    clientCredentialsParamTypes List<String>
    Where to look for the client credentials: - header: search the HTTP headers - query: search the URL's query string - body: search from the HTTP request body.
    clientIds List<String>
    The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.
    clientJwks List<Property Map>
    The JWK used for the private_key_jwt authentication.
    clientSecrets List<String>
    The client secret.
    clusterCacheRedis Property Map
    clusterCacheStrategy String
    The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.
    consumerBies List<String>
    Consumer fields used for mapping: - id: try to find the matching Consumer by id - username: try to find the matching Consumer by username - custom_id: try to find the matching Consumer by custom_id.
    consumerClaims List<String>
    The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.
    consumerOptional Boolean
    Do not terminate the request if consumer mapping fails.
    credentialClaims List<String>
    The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.
    disableSessions List<String>
    Disable issuing the session cookie with the specified grants.
    discoveryHeadersNames List<String>
    Extra header names passed to the discovery endpoint.
    discoveryHeadersValues List<String>
    Extra header values passed to the discovery endpoint.
    displayErrors Boolean
    Display errors on failure responses.
    domains List<String>
    The allowed values for the hd claim.
    downstreamAccessTokenHeader String
    The downstream access token header.
    downstreamAccessTokenJwkHeader String
    The downstream access token JWK header.
    downstreamHeadersClaims List<String>
    The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.
    downstreamHeadersNames List<String>
    The downstream header names for the claim values.
    downstreamIdTokenHeader String
    The downstream id token header.
    downstreamIdTokenJwkHeader String
    The downstream id token JWK header.
    downstreamIntrospectionHeader String
    The downstream introspection header.
    downstreamIntrospectionJwtHeader String
    The downstream introspection JWT header.
    downstreamRefreshTokenHeader String
    The downstream refresh token header.
    downstreamSessionIdHeader String
    The downstream session id header.
    downstreamUserInfoHeader String
    The downstream user info header.
    downstreamUserInfoJwtHeader String
    The downstream user info JWT header (in case the user info returns a JWT response).
    dpopProofLifetime Number
    Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.
    dpopUseNonce Boolean
    Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.
    enableHsSignatures Boolean
    Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).
    endSessionEndpoint String
    The end session endpoint. If set it overrides the value in end_session_endpoint returned by the discovery endpoint.
    exposeErrorCode Boolean
    Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to false to disable.
    extraJwksUris List<String>
    JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).
    forbiddenDestroySession Boolean
    Destroy any active session for the forbidden requests.
    forbiddenErrorMessage String
    The error message for the forbidden requests (when not using the redirection).
    forbiddenRedirectUris List<String>
    Where to redirect the client on forbidden requests.
    groupsClaims List<String>
    The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.
    groupsRequireds List<String>
    The groups (groups_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    hideCredentials Boolean
    Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.
    httpProxy String
    The HTTP proxy.
    httpProxyAuthorization String
    The HTTP proxy authorization.
    httpVersion Number
    The HTTP version used for the requests by this plugin: - 1.1: HTTP 1.1 (the default) - 1.0: HTTP 1.0.
    httpsProxy String
    The HTTPS proxy.
    httpsProxyAuthorization String
    The HTTPS proxy authorization.
    idTokenParamName String
    The name of the parameter used to pass the id token.
    idTokenParamTypes List<String>
    Where to look for the id token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    ignoreSignatures List<String>
    Skip the token signature verification on certain grants: - password: OAuth password grant - client_credentials: OAuth client credentials grant - authorization_code: authorization code flow - refresh_token: OAuth refresh token grant - session: session cookie authentication - introspection: OAuth introspection - userinfo: OpenID Connect user info endpoint authentication.
    introspectJwtTokens Boolean
    Specifies whether to introspect the JWT access tokens (can be used to check for revocations).
    introspectionAccept String
    The value of Accept header for introspection requests: - application/json: introspection response as JSON - application/token-introspection+jwt: introspection response as JWT (from the current IETF draft document) - application/jwt: introspection response as JWT (from the obsolete IETF draft document).
    introspectionCheckActive Boolean
    Check that the introspection response has an active claim with a value of true.
    introspectionEndpoint String
    The introspection endpoint. If set it overrides the value in introspection_endpoint returned by the discovery endpoint.
    introspectionEndpointAuthMethod String
    The introspection endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    introspectionHeadersClients List<String>
    Extra headers passed from the client to the introspection endpoint.
    introspectionHeadersNames List<String>
    Extra header names passed to the introspection endpoint.
    introspectionHeadersValues List<String>
    Extra header values passed to the introspection endpoint.
    introspectionHint String
    Introspection hint parameter value passed to the introspection endpoint.
    introspectionPostArgsClientHeaders List<String>
    Extra post arguments passed from the client headers to the introspection endpoint.
    introspectionPostArgsClients List<String>
    Extra post arguments passed from the client to the introspection endpoint.
    introspectionPostArgsNames List<String>
    Extra post argument names passed to the introspection endpoint.
    introspectionPostArgsValues List<String>
    Extra post argument values passed to the introspection endpoint.
    introspectionTokenParamName String
    Designate token's parameter name for introspection.
    issuer String
    The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure config.using_pseudo_issuer=true.
    issuersAlloweds List<String>
    The issuers allowed to be present in the tokens (iss claim).
    jwtSessionClaim String
    The claim to match against the JWT session cookie.
    jwtSessionCookie String
    The name of the JWT session cookie.
    keepalive Boolean
    Use keepalive with the HTTP client.
    leeway Number
    Defines leeway time (in seconds) for auth_time, exp, iat, and nbf claims
    loginAction String
    What to do after successful login: - upstream: proxy request to upstream service - response: terminate request with a response - redirect: redirect to a different location.
    loginMethods List<String>
    Enable login functionality with specified grants.
    loginRedirectMode String
    Where to place login_tokens when using redirect login_action: - query: place tokens in query string - fragment: place tokens in url fragment (not readable by servers).
    loginRedirectUris List<String>
    Where to redirect the client when login_action is set to redirect.
    loginTokens List<String>
    What tokens to include in response body or redirect query string or fragment: - id_token: include id token - access_token: include access token - refresh_token: include refresh token - tokens: include the full token endpoint response - introspection: include introspection response.
    logoutMethods List<String>
    The request methods that can activate the logout: - POST: HTTP POST method - GET: HTTP GET method - DELETE: HTTP DELETE method.
    logoutPostArg String
    The request body argument that activates the logout.
    logoutQueryArg String
    The request query argument that activates the logout.
    logoutRedirectUris List<String>
    Where to redirect the client after the logout.
    logoutRevoke Boolean

    Revoke tokens as part of the logout.

    For more granular token revocation, you can also adjust the logout_revoke_access_token and logout_revoke_refresh_token parameters.

    logoutRevokeAccessToken Boolean
    Revoke the access token as part of the logout. Requires logout_revoke to be set to true.
    logoutRevokeRefreshToken Boolean
    Revoke the refresh token as part of the logout. Requires logout_revoke to be set to true.
    logoutUriSuffix String
    The request URI suffix that activates the logout.
    maxAge Number
    The maximum age (in seconds) compared to the auth_time claim.
    mtlsIntrospectionEndpoint String
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsRevocationEndpoint String
    Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    mtlsTokenEndpoint String
    Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in mtls_endpoint_aliases returned by the discovery endpoint.
    noProxy String
    Do not use proxy with these hosts.
    passwordParamTypes List<String>
    Where to look for the username and password: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    preserveQueryArgs Boolean
    With this parameter, you can preserve request query arguments even when doing authorization code flow.
    proofOfPossessionAuthMethodsValidation Boolean
    If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.
    proofOfPossessionDpop String
    Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.
    proofOfPossessionMtls String
    Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.
    pushedAuthorizationRequestEndpoint String
    The pushed authorization endpoint. If set it overrides the value in pushed_authorization_request_endpoint returned by the discovery endpoint.
    pushedAuthorizationRequestEndpointAuthMethod String
    The pushed authorization request endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    redirectUris List<String>
    The redirect URI passed to the authorization and token endpoints.
    redis Property Map
    rediscoveryLifetime Number
    Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.
    refreshTokenParamName String
    The name of the parameter used to pass the refresh token.
    refreshTokenParamTypes List<String>
    Where to look for the refresh token: - header: search the HTTP headers - query: search the URL's query string - body: search the HTTP request body.
    refreshTokens Boolean
    Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a refresh_token available.
    requireProofKeyForCodeExchange Boolean
    Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of code_challenge_methods_supported, and enabled automatically (in case the code_challenge_methods_supported is missing, the PKCE will not be enabled).
    requirePushedAuthorizationRequests Boolean
    Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of require_pushed_authorization_requests (which defaults to false).
    requireSignedRequestObject Boolean
    Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of require_signed_request_object, and enabled automatically (in case the require_signed_request_object is missing, the feature will not be enabled).
    resolveDistributedClaims Boolean
    Distributed claims are represented by the _claim_names and _claim_sources members of the JSON object containing the claims. If this parameter is set to true, the plugin explicitly resolves these distributed claims.
    responseMode String
    Response mode passed to the authorization endpoint: - query: for parameters in query string - form_post: for parameters in request body - fragment: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - query.jwt, form_post.jwt, fragment.jwt: similar to query, form_post and fragment but the parameters are encoded in a JWT - jwt: shortcut that indicates the default encoding for the requested response type.
    responseTypes List<String>
    The response type passed to the authorization endpoint.
    reverify Boolean
    Specifies whether to always verify tokens stored in the session.
    revocationEndpoint String
    The revocation endpoint. If set it overrides the value in revocation_endpoint returned by the discovery endpoint.
    revocationEndpointAuthMethod String
    The revocation endpoint authentication method: : client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    revocationTokenParamName String
    Designate token's parameter name for revocation.
    rolesClaims List<String>
    The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.
    rolesRequireds List<String>
    The roles (roles_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    runOnPreflight Boolean
    Specifies whether to run this plugin on pre-flight (OPTIONS) requests.
    scopes List<String>
    The scopes passed to the authorization and token endpoints.
    scopesClaims List<String>
    The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.
    scopesRequireds List<String>
    The scopes (scopes_claim claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both AND / OR cases.
    searchUserInfo Boolean
    Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.
    sessionAbsoluteTimeout Number
    Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionAudience String
    The session audience, which is the intended target application. For example "my-application".
    sessionCookieDomain String
    The session cookie Domain flag.
    sessionCookieHttpOnly Boolean
    Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property.
    sessionCookieName String
    The session cookie name.
    sessionCookiePath String
    The session cookie Path flag.
    sessionCookieSameSite String
    Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.
    sessionCookieSecure Boolean
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    sessionEnforceSameSubject Boolean
    When set to true, audiences are forced to share the same subject.
    sessionHashStorageKey Boolean
    When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.
    sessionHashSubject Boolean
    When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.
    sessionIdlingTimeout Number
    Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.
    sessionMemcachedHost String
    The memcached host.
    sessionMemcachedPort Number
    The memcached port.
    sessionMemcachedPrefix String
    The memcached session key prefix.
    sessionMemcachedSocket String
    The memcached unix socket path.
    sessionRemember Boolean
    Enables or disables persistent sessions.
    sessionRememberAbsoluteTimeout Number
    Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.
    sessionRememberCookieName String
    Persistent session cookie name. Use with the remember configuration parameter.
    sessionRememberRollingTimeout Number
    Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.
    sessionRequestHeaders List<String>
    Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout request headers.
    sessionResponseHeaders List<String>
    Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. [ "id", "timeout" ] will set Session-Id and Session-Timeout response headers.
    sessionRollingTimeout Number
    Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.
    sessionSecret String
    The session secret.
    sessionStorage String
    The session storage for session data: - cookie: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - memcache: stores session data in memcached - redis: stores session data in Redis.
    sessionStoreMetadata Boolean
    Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.
    sslVerify Boolean
    Verify identity provider server certificate. If set to true, the plugin uses the CA certificate set in the kong.conf config parameter lua_ssl_trusted_certificate.
    timeout Number
    Network IO timeout in milliseconds.
    tlsClientAuthCertId String
    ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.
    tlsClientAuthSslVerify Boolean
    Verify identity provider server certificate during mTLS client authentication.
    tokenCacheKeyIncludeScope Boolean
    Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.
    tokenEndpoint String
    The token endpoint. If set it overrides the value in token_endpoint returned by the discovery endpoint.
    tokenEndpointAuthMethod String
    The token endpoint authentication method: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, tls_client_auth, self_signed_tls_client_auth, or none: do not authenticate
    tokenExchangeEndpoint String
    The token exchange endpoint.
    tokenHeadersClients List<String>
    Extra headers passed from the client to the token endpoint.
    tokenHeadersGrants List<String>
    Enable the sending of the token endpoint response headers only with certain grants: - password: with OAuth password grant - client_credentials: with OAuth client credentials grant - authorization_code: with authorization code flow - refresh_token with refresh token grant.
    tokenHeadersNames List<String>
    Extra header names passed to the token endpoint.
    tokenHeadersPrefix String
    Add a prefix to the token endpoint response headers before forwarding them to the downstream client.
    tokenHeadersReplays List<String>
    The names of token endpoint response headers to forward to the downstream client.
    tokenHeadersValues List<String>
    Extra header values passed to the token endpoint.
    tokenPostArgsClients List<String>
    Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with scope values, like this: config.token_post_args_client=scope In this case, the token would take the scope value from the query parameter or from the request body or from the header and send it to the token endpoint.
    tokenPostArgsNames List<String>
    Extra post argument names passed to the token endpoint.
    tokenPostArgsValues List<String>
    Extra post argument values passed to the token endpoint.
    unauthorizedDestroySession Boolean
    Destroy any active session for the unauthorized requests.
    unauthorizedErrorMessage String
    The error message for the unauthorized requests (when not using the redirection).
    unauthorizedRedirectUris List<String>
    Where to redirect the client on unauthorized requests.
    unexpectedRedirectUris List<String>
    Where to redirect the client when unexpected errors happen with the requests.
    upstreamAccessTokenHeader String
    The upstream access token header.
    upstreamAccessTokenJwkHeader String
    The upstream access token JWK header.
    upstreamHeadersClaims List<String>
    The upstream header claims. Only top level claims are supported.
    upstreamHeadersNames List<String>
    The upstream header names for the claim values.
    upstreamIdTokenHeader String
    The upstream id token header.
    upstreamIdTokenJwkHeader String
    The upstream id token JWK header.
    upstreamIntrospectionHeader String
    The upstream introspection header.
    upstreamIntrospectionJwtHeader String
    The upstream introspection JWT header.
    upstreamRefreshTokenHeader String
    The upstream refresh token header.
    upstreamSessionIdHeader String
    The upstream session id header.
    upstreamUserInfoHeader String
    The upstream user info header.
    upstreamUserInfoJwtHeader String
    The upstream user info JWT header (in case the user info returns a JWT response).
    userinfoAccept String
    The value of Accept header for user info requests: - application/json: user info response as JSON - application/jwt: user info response as JWT (from the obsolete IETF draft document).
    userinfoEndpoint String
    The user info endpoint. If set it overrides the value in userinfo_endpoint returned by the discovery endpoint.
    userinfoHeadersClients List<String>
    Extra headers passed from the client to the user info endpoint.
    userinfoHeadersNames List<String>
    Extra header names passed to the user info endpoint.
    userinfoHeadersValues List<String>
    Extra header values passed to the user info endpoint.
    userinfoQueryArgsClients List<String>
    Extra query arguments passed from the client to the user info endpoint.
    userinfoQueryArgsNames List<String>
    Extra query argument names passed to the user info endpoint.
    userinfoQueryArgsValues List<String>
    Extra query argument values passed to the user info endpoint.
    usingPseudoIssuer Boolean
    If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with config.issuer.
    verifyClaims Boolean
    Verify tokens for standard claims.
    verifyNonce Boolean
    Verify nonce on authorization code flow.
    verifyParameters Boolean
    Verify plugin configuration against discovery.
    verifySignature Boolean
    Verify signature of tokens.

    GetGatewayPluginOpenidConnectConfigClientJwk

    Alg string
    Crv string
    D string
    Dp string
    Dq string
    E string
    Issuer string
    K string
    KeyOps List<string>
    Kid string
    Kty string
    N string
    Oth string
    P string
    Q string
    Qi string
    R string
    T string
    Use string
    X string
    X5cs List<string>
    X5t string
    X5tNumberS256 string
    X5u string
    Y string
    Alg string
    Crv string
    D string
    Dp string
    Dq string
    E string
    Issuer string
    K string
    KeyOps []string
    Kid string
    Kty string
    N string
    Oth string
    P string
    Q string
    Qi string
    R string
    T string
    Use string
    X string
    X5cs []string
    X5t string
    X5tNumberS256 string
    X5u string
    Y string
    alg String
    crv String
    d String
    dp String
    dq String
    e String
    issuer String
    k String
    keyOps List<String>
    kid String
    kty String
    n String
    oth String
    p String
    q String
    qi String
    r String
    t String
    use String
    x String
    x5cs List<String>
    x5t String
    x5tNumberS256 String
    x5u String
    y String
    alg string
    crv string
    d string
    dp string
    dq string
    e string
    issuer string
    k string
    keyOps string[]
    kid string
    kty string
    n string
    oth string
    p string
    q string
    qi string
    r string
    t string
    use string
    x string
    x5cs string[]
    x5t string
    x5tNumberS256 string
    x5u string
    y string
    alg str
    crv str
    d str
    dp str
    dq str
    e str
    issuer str
    k str
    key_ops Sequence[str]
    kid str
    kty str
    n str
    oth str
    p str
    q str
    qi str
    r str
    t str
    use str
    x str
    x5cs Sequence[str]
    x5t str
    x5t_number_s256 str
    x5u str
    y str
    alg String
    crv String
    d String
    dp String
    dq String
    e String
    issuer String
    k String
    keyOps List<String>
    kid String
    kty String
    n String
    oth String
    p String
    q String
    qi String
    r String
    t String
    use String
    x String
    x5cs List<String>
    x5t String
    x5tNumberS256 String
    x5u String
    y String

    GetGatewayPluginOpenidConnectConfigClusterCacheRedis

    ClusterMaxRedirections double
    Maximum retry attempts for redirection.
    ClusterNodes List<GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    ConnectTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    ConnectionIsProxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    Database double
    Database to use for the Redis connection when using the redis strategy
    Host string
    A string representing a host name, such as example.com.
    KeepaliveBacklog double
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    KeepalivePoolSize double
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    Password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    ReadTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SendTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    SentinelNodes List<GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    SentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    SentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    SentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    ServerName string
    A string representing an SNI (server name indication) value for TLS.
    Ssl bool
    If set to true, uses SSL to connect to Redis.
    SslVerify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    Username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    ClusterMaxRedirections float64
    Maximum retry attempts for redirection.
    ClusterNodes []GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    ConnectTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    ConnectionIsProxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    Database float64
    Database to use for the Redis connection when using the redis strategy
    Host string
    A string representing a host name, such as example.com.
    KeepaliveBacklog float64
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    KeepalivePoolSize float64
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    Password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    ReadTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SendTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    SentinelNodes []GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    SentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    SentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    SentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    ServerName string
    A string representing an SNI (server name indication) value for TLS.
    Ssl bool
    If set to true, uses SSL to connect to Redis.
    SslVerify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    Username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections Double
    Maximum retry attempts for redirection.
    clusterNodes List<GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied Boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database Double
    Database to use for the Redis connection when using the redis strategy
    host String
    A string representing a host name, such as example.com.
    keepaliveBacklog Double
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize Double
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password String
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    readTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster String
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes List<GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword String
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole String
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername String
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName String
    A string representing an SNI (server name indication) value for TLS.
    ssl Boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify Boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username String
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections number
    Maximum retry attempts for redirection.
    clusterNodes GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode[]
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database number
    Database to use for the Redis connection when using the redis strategy
    host string
    A string representing a host name, such as example.com.
    keepaliveBacklog number
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize number
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    readTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode[]
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName string
    A string representing an SNI (server name indication) value for TLS.
    ssl boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    cluster_max_redirections float
    Maximum retry attempts for redirection.
    cluster_nodes Sequence[GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode]
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connect_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connection_is_proxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database float
    Database to use for the Redis connection when using the redis strategy
    host str
    A string representing a host name, such as example.com.
    keepalive_backlog float
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalive_pool_size float
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password str
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    read_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    send_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinel_master str
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinel_nodes Sequence[GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode]
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinel_password str
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinel_role str
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinel_username str
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    server_name str
    A string representing an SNI (server name indication) value for TLS.
    ssl bool
    If set to true, uses SSL to connect to Redis.
    ssl_verify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username str
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections Number
    Maximum retry attempts for redirection.
    clusterNodes List<Property Map>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied Boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database Number
    Database to use for the Redis connection when using the redis strategy
    host String
    A string representing a host name, such as example.com.
    keepaliveBacklog Number
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize Number
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password String
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.
    readTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster String
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes List<Property Map>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword String
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole String
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername String
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName String
    A string representing an SNI (server name indication) value for TLS.
    ssl Boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify Boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username String
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.

    GetGatewayPluginOpenidConnectConfigClusterCacheRedisClusterNode

    Ip string
    A string representing a host name, such as example.com.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    Ip string
    A string representing a host name, such as example.com.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    ip String
    A string representing a host name, such as example.com.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    ip string
    A string representing a host name, such as example.com.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    ip str
    A string representing a host name, such as example.com.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    ip String
    A string representing a host name, such as example.com.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.

    GetGatewayPluginOpenidConnectConfigClusterCacheRedisSentinelNode

    Host string
    A string representing a host name, such as example.com.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    Host string
    A string representing a host name, such as example.com.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    host String
    A string representing a host name, such as example.com.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    host string
    A string representing a host name, such as example.com.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    host str
    A string representing a host name, such as example.com.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    host String
    A string representing a host name, such as example.com.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.

    GetGatewayPluginOpenidConnectConfigRedis

    ClusterMaxRedirections double
    Maximum retry attempts for redirection.
    ClusterNodes List<GetGatewayPluginOpenidConnectConfigRedisClusterNode>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    ConnectTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    ConnectionIsProxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    Database double
    Database to use for the Redis connection when using the redis strategy
    Host string
    A string representing a host name, such as example.com.
    KeepaliveBacklog double
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    KeepalivePoolSize double
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    Password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    Prefix string
    The Redis session key prefix.
    ReadTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SendTimeout double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    SentinelNodes List<GetGatewayPluginOpenidConnectConfigRedisSentinelNode>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    SentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    SentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    SentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    ServerName string
    A string representing an SNI (server name indication) value for TLS.
    Socket string
    The Redis unix socket path.
    Ssl bool
    If set to true, uses SSL to connect to Redis.
    SslVerify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    Username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    ClusterMaxRedirections float64
    Maximum retry attempts for redirection.
    ClusterNodes []GetGatewayPluginOpenidConnectConfigRedisClusterNode
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    ConnectTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    ConnectionIsProxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    Database float64
    Database to use for the Redis connection when using the redis strategy
    Host string
    A string representing a host name, such as example.com.
    KeepaliveBacklog float64
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    KeepalivePoolSize float64
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    Password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    Prefix string
    The Redis session key prefix.
    ReadTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SendTimeout float64
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    SentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    SentinelNodes []GetGatewayPluginOpenidConnectConfigRedisSentinelNode
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    SentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    SentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    SentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    ServerName string
    A string representing an SNI (server name indication) value for TLS.
    Socket string
    The Redis unix socket path.
    Ssl bool
    If set to true, uses SSL to connect to Redis.
    SslVerify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    Username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections Double
    Maximum retry attempts for redirection.
    clusterNodes List<GetGatewayPluginOpenidConnectConfigRedisClusterNode>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied Boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database Double
    Database to use for the Redis connection when using the redis strategy
    host String
    A string representing a host name, such as example.com.
    keepaliveBacklog Double
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize Double
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password String
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    prefix String
    The Redis session key prefix.
    readTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout Double
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster String
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes List<GetGatewayPluginOpenidConnectConfigRedisSentinelNode>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword String
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole String
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername String
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName String
    A string representing an SNI (server name indication) value for TLS.
    socket String
    The Redis unix socket path.
    ssl Boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify Boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username String
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections number
    Maximum retry attempts for redirection.
    clusterNodes GetGatewayPluginOpenidConnectConfigRedisClusterNode[]
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database number
    Database to use for the Redis connection when using the redis strategy
    host string
    A string representing a host name, such as example.com.
    keepaliveBacklog number
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize number
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password string
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    prefix string
    The Redis session key prefix.
    readTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster string
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes GetGatewayPluginOpenidConnectConfigRedisSentinelNode[]
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword string
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole string
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername string
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName string
    A string representing an SNI (server name indication) value for TLS.
    socket string
    The Redis unix socket path.
    ssl boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username string
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    cluster_max_redirections float
    Maximum retry attempts for redirection.
    cluster_nodes Sequence[GetGatewayPluginOpenidConnectConfigRedisClusterNode]
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connect_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connection_is_proxied bool
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database float
    Database to use for the Redis connection when using the redis strategy
    host str
    A string representing a host name, such as example.com.
    keepalive_backlog float
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalive_pool_size float
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password str
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    prefix str
    The Redis session key prefix.
    read_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    send_timeout float
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinel_master str
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinel_nodes Sequence[GetGatewayPluginOpenidConnectConfigRedisSentinelNode]
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinel_password str
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinel_role str
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinel_username str
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    server_name str
    A string representing an SNI (server name indication) value for TLS.
    socket str
    The Redis unix socket path.
    ssl bool
    If set to true, uses SSL to connect to Redis.
    ssl_verify bool
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username str
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
    clusterMaxRedirections Number
    Maximum retry attempts for redirection.
    clusterNodes List<Property Map>
    Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
    connectTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    connectionIsProxied Boolean
    If the connection to Redis is proxied (e.g. Envoy), set it true. Set the host and port to point to the proxy address.
    database Number
    Database to use for the Redis connection when using the redis strategy
    host String
    A string representing a host name, such as example.com.
    keepaliveBacklog Number
    Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
    keepalivePoolSize Number
    The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.
    password String
    Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.
    prefix String
    The Redis session key prefix.
    readTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sendTimeout Number
    An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.
    sentinelMaster String
    Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.
    sentinelNodes List<Property Map>
    Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
    sentinelPassword String
    Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    sentinelRole String
    Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
    sentinelUsername String
    Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
    serverName String
    A string representing an SNI (server name indication) value for TLS.
    socket String
    The Redis unix socket path.
    ssl Boolean
    If set to true, uses SSL to connect to Redis.
    sslVerify Boolean
    If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
    username String
    Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.

    GetGatewayPluginOpenidConnectConfigRedisClusterNode

    Ip string
    A string representing a host name, such as example.com.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    Ip string
    A string representing a host name, such as example.com.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    ip String
    A string representing a host name, such as example.com.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    ip string
    A string representing a host name, such as example.com.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    ip str
    A string representing a host name, such as example.com.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    ip String
    A string representing a host name, such as example.com.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.

    GetGatewayPluginOpenidConnectConfigRedisSentinelNode

    Host string
    A string representing a host name, such as example.com.
    Port double
    An integer representing a port number between 0 and 65535, inclusive.
    Host string
    A string representing a host name, such as example.com.
    Port float64
    An integer representing a port number between 0 and 65535, inclusive.
    host String
    A string representing a host name, such as example.com.
    port Double
    An integer representing a port number between 0 and 65535, inclusive.
    host string
    A string representing a host name, such as example.com.
    port number
    An integer representing a port number between 0 and 65535, inclusive.
    host str
    A string representing a host name, such as example.com.
    port float
    An integer representing a port number between 0 and 65535, inclusive.
    host String
    A string representing a host name, such as example.com.
    port Number
    An integer representing a port number between 0 and 65535, inclusive.

    GetGatewayPluginOpenidConnectOrdering

    GetGatewayPluginOpenidConnectOrderingAfter

    Accesses List<string>
    Accesses []string
    accesses List<String>
    accesses string[]
    accesses Sequence[str]
    accesses List<String>

    GetGatewayPluginOpenidConnectOrderingBefore

    Accesses List<string>
    Accesses []string
    accesses List<String>
    accesses string[]
    accesses Sequence[str]
    accesses List<String>

    GetGatewayPluginOpenidConnectRoute

    Id string
    Id string
    id String
    id string
    id str
    id String

    GetGatewayPluginOpenidConnectService

    Id string
    Id string
    id String
    id string
    id str
    id String

    Package Details

    Repository
    konnect kong/terraform-provider-konnect
    License
    Notes
    This Pulumi package is based on the konnect Terraform Provider.
    konnect logo
    konnect 2.4.1 published on Thursday, Mar 13, 2025 by kong
    kong/terraform-provider-konnect