konnect 3.4.1 published on Wednesday, Oct 29, 2025 by kong
konnect.GatewayPluginJwtSigner
Start a Neo task
Explain and create a konnect.GatewayPluginJwtSigner resource
GatewayPluginJwtSigner Resource
Example Usage
Example coming soon!
Example coming soon!
Example coming soon!
Example coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.konnect.GatewayPluginJwtSigner;
import com.pulumi.konnect.GatewayPluginJwtSignerArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerConfigArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingAfterArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingBeforeArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerPartialArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerRouteArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerServiceArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myGatewaypluginjwtsigner = new GatewayPluginJwtSigner("myGatewaypluginjwtsigner", GatewayPluginJwtSignerArgs.builder()
.config(GatewayPluginJwtSignerConfigArgs.builder()
.access_token_audience_claim("...")
.access_token_audiences_allowed("...")
.access_token_consumer_by("custom_id")
.access_token_consumer_claim("...")
.access_token_expiry_claim("...")
.access_token_introspection_audience_claim("...")
.access_token_introspection_audiences_allowed("...")
.access_token_introspection_authorization("...my_access_token_introspection_authorization...")
.access_token_introspection_body_args("...my_access_token_introspection_body_args...")
.access_token_introspection_consumer_by("custom_id")
.access_token_introspection_consumer_claim("...")
.access_token_introspection_endpoint("...my_access_token_introspection_endpoint...")
.access_token_introspection_expiry_claim("...")
.access_token_introspection_hint("...my_access_token_introspection_hint...")
.access_token_introspection_issuer_claim("...")
.access_token_introspection_issuers_allowed("...")
.access_token_introspection_jwt_claim("...")
.access_token_introspection_leeway(6.18)
.access_token_introspection_notbefore_claim("...")
.access_token_introspection_optional_claims()
.access_token_introspection_required_claims()
.access_token_introspection_scopes_claim("...")
.access_token_introspection_scopes_required("...")
.access_token_introspection_subject_claim("...")
.access_token_introspection_subjects_allowed("...")
.access_token_introspection_timeout(4.24)
.access_token_issuer("...my_access_token_issuer...")
.access_token_issuer_claim("...")
.access_token_issuers_allowed("...")
.access_token_jwks_uri("...my_access_token_jwks_uri...")
.access_token_jwks_uri_client_certificate(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.access_token_jwks_uri_client_password("...my_access_token_jwks_uri_client_password...")
.access_token_jwks_uri_client_username("...my_access_token_jwks_uri_client_username...")
.access_token_jwks_uri_rotate_period(0.18)
.access_token_keyset("...my_access_token_keyset...")
.access_token_keyset_client_certificate(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.access_token_keyset_client_password("...my_access_token_keyset_client_password...")
.access_token_keyset_client_username("...my_access_token_keyset_client_username...")
.access_token_keyset_rotate_period(4.53)
.access_token_leeway(0.51)
.access_token_notbefore_claim("...")
.access_token_optional(false)
.access_token_optional_claims()
.access_token_request_header("...my_access_token_request_header...")
.access_token_required_claims()
.access_token_scopes_claim("...")
.access_token_scopes_required("...")
.access_token_signing(true)
.access_token_signing_algorithm("PS384")
.access_token_subject_claim("...")
.access_token_subjects_allowed("...")
.access_token_upstream_header("...my_access_token_upstream_header...")
.access_token_upstream_leeway(1.88)
.add_access_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.add_channel_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.add_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.cache_access_token_introspection(false)
.cache_channel_token_introspection(true)
.channel_token_audience_claim("...")
.channel_token_audiences_allowed("...")
.channel_token_consumer_by("id")
.channel_token_consumer_claim("...")
.channel_token_expiry_claim("...")
.channel_token_introspection_audience_claim("...")
.channel_token_introspection_audiences_allowed("...")
.channel_token_introspection_authorization("...my_channel_token_introspection_authorization...")
.channel_token_introspection_body_args("...my_channel_token_introspection_body_args...")
.channel_token_introspection_consumer_by("custom_id")
.channel_token_introspection_consumer_claim("...")
.channel_token_introspection_endpoint("...my_channel_token_introspection_endpoint...")
.channel_token_introspection_expiry_claim("...")
.channel_token_introspection_hint("...my_channel_token_introspection_hint...")
.channel_token_introspection_issuer_claim("...")
.channel_token_introspection_issuers_allowed("...")
.channel_token_introspection_jwt_claim("...")
.channel_token_introspection_leeway(4.31)
.channel_token_introspection_notbefore_claim("...")
.channel_token_introspection_optional_claims()
.channel_token_introspection_required_claims()
.channel_token_introspection_scopes_claim("...")
.channel_token_introspection_scopes_required("...")
.channel_token_introspection_subject_claim("...")
.channel_token_introspection_subjects_allowed("...")
.channel_token_introspection_timeout(6.9)
.channel_token_issuer("...my_channel_token_issuer...")
.channel_token_issuer_claim("...")
.channel_token_issuers_allowed("...")
.channel_token_jwks_uri("...my_channel_token_jwks_uri...")
.channel_token_jwks_uri_client_certificate(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.channel_token_jwks_uri_client_password("...my_channel_token_jwks_uri_client_password...")
.channel_token_jwks_uri_client_username("...my_channel_token_jwks_uri_client_username...")
.channel_token_jwks_uri_rotate_period(9.27)
.channel_token_keyset("...my_channel_token_keyset...")
.channel_token_keyset_client_certificate(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.channel_token_keyset_client_password("...my_channel_token_keyset_client_password...")
.channel_token_keyset_client_username("...my_channel_token_keyset_client_username...")
.channel_token_keyset_rotate_period(0.98)
.channel_token_leeway(4.86)
.channel_token_notbefore_claim("...")
.channel_token_optional(false)
.channel_token_optional_claims()
.channel_token_request_header("...my_channel_token_request_header...")
.channel_token_required_claims()
.channel_token_scopes_claim("...")
.channel_token_scopes_required("...")
.channel_token_signing(false)
.channel_token_signing_algorithm("PS512")
.channel_token_subject_claim("...")
.channel_token_subjects_allowed("...")
.channel_token_upstream_header("...my_channel_token_upstream_header...")
.channel_token_upstream_leeway(5.01)
.enable_access_token_introspection(false)
.enable_channel_token_introspection(true)
.enable_hs_signatures(false)
.enable_instrumentation(true)
.original_access_token_upstream_header("...my_original_access_token_upstream_header...")
.original_channel_token_upstream_header("...my_original_channel_token_upstream_header...")
.realm("...my_realm...")
.remove_access_token_claims("...")
.remove_channel_token_claims("...")
.set_access_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.set_channel_token_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.set_claims(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.trust_access_token_introspection(true)
.trust_channel_token_introspection(false)
.verify_access_token_audience(true)
.verify_access_token_expiry(true)
.verify_access_token_introspection_audience(true)
.verify_access_token_introspection_expiry(false)
.verify_access_token_introspection_issuer(true)
.verify_access_token_introspection_notbefore(true)
.verify_access_token_introspection_scopes(false)
.verify_access_token_introspection_subject(false)
.verify_access_token_issuer(true)
.verify_access_token_notbefore(true)
.verify_access_token_scopes(false)
.verify_access_token_signature(true)
.verify_access_token_subject(false)
.verify_channel_token_audience(true)
.verify_channel_token_expiry(false)
.verify_channel_token_introspection_audience(false)
.verify_channel_token_introspection_expiry(false)
.verify_channel_token_introspection_issuer(true)
.verify_channel_token_introspection_notbefore(false)
.verify_channel_token_introspection_scopes(true)
.verify_channel_token_introspection_subject(false)
.verify_channel_token_issuer(true)
.verify_channel_token_notbefore(true)
.verify_channel_token_scopes(false)
.verify_channel_token_signature(false)
.verify_channel_token_subject(true)
.build())
.controlPlaneId("9524ec7d-36d9-465d-a8c5-83a3c9390458")
.createdAt(8)
.enabled(false)
.gatewayPluginJwtSignerId("...my_id...")
.instanceName("...my_instance_name...")
.ordering(GatewayPluginJwtSignerOrderingArgs.builder()
.after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
.access("...")
.build())
.before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
.access("...")
.build())
.build())
.partials(GatewayPluginJwtSignerPartialArgs.builder()
.id("...my_id...")
.name("...my_name...")
.path("...my_path...")
.build())
.protocols("https")
.route(GatewayPluginJwtSignerRouteArgs.builder()
.id("...my_id...")
.build())
.service(GatewayPluginJwtSignerServiceArgs.builder()
.id("...my_id...")
.build())
.tags("...")
.updatedAt(5)
.build());
}
}
resources:
myGatewaypluginjwtsigner:
type: konnect:GatewayPluginJwtSigner
properties:
config:
access_token_audience_claim:
- '...'
access_token_audiences_allowed:
- '...'
access_token_consumer_by:
- custom_id
access_token_consumer_claim:
- '...'
access_token_expiry_claim:
- '...'
access_token_introspection_audience_claim:
- '...'
access_token_introspection_audiences_allowed:
- '...'
access_token_introspection_authorization: '...my_access_token_introspection_authorization...'
access_token_introspection_body_args: '...my_access_token_introspection_body_args...'
access_token_introspection_consumer_by:
- custom_id
access_token_introspection_consumer_claim:
- '...'
access_token_introspection_endpoint: '...my_access_token_introspection_endpoint...'
access_token_introspection_expiry_claim:
- '...'
access_token_introspection_hint: '...my_access_token_introspection_hint...'
access_token_introspection_issuer_claim:
- '...'
access_token_introspection_issuers_allowed:
- '...'
access_token_introspection_jwt_claim:
- '...'
access_token_introspection_leeway: 6.18
access_token_introspection_notbefore_claim:
- '...'
access_token_introspection_optional_claims:
- []
access_token_introspection_required_claims:
- []
access_token_introspection_scopes_claim:
- '...'
access_token_introspection_scopes_required:
- '...'
access_token_introspection_subject_claim:
- '...'
access_token_introspection_subjects_allowed:
- '...'
access_token_introspection_timeout: 4.24
access_token_issuer: '...my_access_token_issuer...'
access_token_issuer_claim:
- '...'
access_token_issuers_allowed:
- '...'
access_token_jwks_uri: '...my_access_token_jwks_uri...'
access_token_jwks_uri_client_certificate:
id: '...my_id...'
access_token_jwks_uri_client_password: '...my_access_token_jwks_uri_client_password...'
access_token_jwks_uri_client_username: '...my_access_token_jwks_uri_client_username...'
access_token_jwks_uri_rotate_period: 0.18
access_token_keyset: '...my_access_token_keyset...'
access_token_keyset_client_certificate:
id: '...my_id...'
access_token_keyset_client_password: '...my_access_token_keyset_client_password...'
access_token_keyset_client_username: '...my_access_token_keyset_client_username...'
access_token_keyset_rotate_period: 4.53
access_token_leeway: 0.51
access_token_notbefore_claim:
- '...'
access_token_optional: false
access_token_optional_claims:
- []
access_token_request_header: '...my_access_token_request_header...'
access_token_required_claims:
- []
access_token_scopes_claim:
- '...'
access_token_scopes_required:
- '...'
access_token_signing: true
access_token_signing_algorithm: PS384
access_token_subject_claim:
- '...'
access_token_subjects_allowed:
- '...'
access_token_upstream_header: '...my_access_token_upstream_header...'
access_token_upstream_leeway: 1.88
add_access_token_claims:
key:
fn::toJSON: value
add_channel_token_claims:
key:
fn::toJSON: value
add_claims:
key:
fn::toJSON: value
cache_access_token_introspection: false
cache_channel_token_introspection: true
channel_token_audience_claim:
- '...'
channel_token_audiences_allowed:
- '...'
channel_token_consumer_by:
- id
channel_token_consumer_claim:
- '...'
channel_token_expiry_claim:
- '...'
channel_token_introspection_audience_claim:
- '...'
channel_token_introspection_audiences_allowed:
- '...'
channel_token_introspection_authorization: '...my_channel_token_introspection_authorization...'
channel_token_introspection_body_args: '...my_channel_token_introspection_body_args...'
channel_token_introspection_consumer_by:
- custom_id
channel_token_introspection_consumer_claim:
- '...'
channel_token_introspection_endpoint: '...my_channel_token_introspection_endpoint...'
channel_token_introspection_expiry_claim:
- '...'
channel_token_introspection_hint: '...my_channel_token_introspection_hint...'
channel_token_introspection_issuer_claim:
- '...'
channel_token_introspection_issuers_allowed:
- '...'
channel_token_introspection_jwt_claim:
- '...'
channel_token_introspection_leeway: 4.31
channel_token_introspection_notbefore_claim:
- '...'
channel_token_introspection_optional_claims:
- []
channel_token_introspection_required_claims:
- []
channel_token_introspection_scopes_claim:
- '...'
channel_token_introspection_scopes_required:
- '...'
channel_token_introspection_subject_claim:
- '...'
channel_token_introspection_subjects_allowed:
- '...'
channel_token_introspection_timeout: 6.9
channel_token_issuer: '...my_channel_token_issuer...'
channel_token_issuer_claim:
- '...'
channel_token_issuers_allowed:
- '...'
channel_token_jwks_uri: '...my_channel_token_jwks_uri...'
channel_token_jwks_uri_client_certificate:
id: '...my_id...'
channel_token_jwks_uri_client_password: '...my_channel_token_jwks_uri_client_password...'
channel_token_jwks_uri_client_username: '...my_channel_token_jwks_uri_client_username...'
channel_token_jwks_uri_rotate_period: 9.27
channel_token_keyset: '...my_channel_token_keyset...'
channel_token_keyset_client_certificate:
id: '...my_id...'
channel_token_keyset_client_password: '...my_channel_token_keyset_client_password...'
channel_token_keyset_client_username: '...my_channel_token_keyset_client_username...'
channel_token_keyset_rotate_period: 0.98
channel_token_leeway: 4.86
channel_token_notbefore_claim:
- '...'
channel_token_optional: false
channel_token_optional_claims:
- []
channel_token_request_header: '...my_channel_token_request_header...'
channel_token_required_claims:
- []
channel_token_scopes_claim:
- '...'
channel_token_scopes_required:
- '...'
channel_token_signing: false
channel_token_signing_algorithm: PS512
channel_token_subject_claim:
- '...'
channel_token_subjects_allowed:
- '...'
channel_token_upstream_header: '...my_channel_token_upstream_header...'
channel_token_upstream_leeway: 5.01
enable_access_token_introspection: false
enable_channel_token_introspection: true
enable_hs_signatures: false
enable_instrumentation: true
original_access_token_upstream_header: '...my_original_access_token_upstream_header...'
original_channel_token_upstream_header: '...my_original_channel_token_upstream_header...'
realm: '...my_realm...'
remove_access_token_claims:
- '...'
remove_channel_token_claims:
- '...'
set_access_token_claims:
key:
fn::toJSON: value
set_channel_token_claims:
key:
fn::toJSON: value
set_claims:
key:
fn::toJSON: value
trust_access_token_introspection: true
trust_channel_token_introspection: false
verify_access_token_audience: true
verify_access_token_expiry: true
verify_access_token_introspection_audience: true
verify_access_token_introspection_expiry: false
verify_access_token_introspection_issuer: true
verify_access_token_introspection_notbefore: true
verify_access_token_introspection_scopes: false
verify_access_token_introspection_subject: false
verify_access_token_issuer: true
verify_access_token_notbefore: true
verify_access_token_scopes: false
verify_access_token_signature: true
verify_access_token_subject: false
verify_channel_token_audience: true
verify_channel_token_expiry: false
verify_channel_token_introspection_audience: false
verify_channel_token_introspection_expiry: false
verify_channel_token_introspection_issuer: true
verify_channel_token_introspection_notbefore: false
verify_channel_token_introspection_scopes: true
verify_channel_token_introspection_subject: false
verify_channel_token_issuer: true
verify_channel_token_notbefore: true
verify_channel_token_scopes: false
verify_channel_token_signature: false
verify_channel_token_subject: true
controlPlaneId: 9524ec7d-36d9-465d-a8c5-83a3c9390458
createdAt: 8
enabled: false
gatewayPluginJwtSignerId: '...my_id...'
instanceName: '...my_instance_name...'
ordering:
after:
access:
- '...'
before:
access:
- '...'
partials:
- id: '...my_id...'
name: '...my_name...'
path: '...my_path...'
protocols:
- https
route:
id: '...my_id...'
service:
id: '...my_id...'
tags:
- '...'
updatedAt: 5
Create GatewayPluginJwtSigner Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GatewayPluginJwtSigner(name: string, args: GatewayPluginJwtSignerArgs, opts?: CustomResourceOptions);@overload
def GatewayPluginJwtSigner(resource_name: str,
args: GatewayPluginJwtSignerArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GatewayPluginJwtSigner(resource_name: str,
opts: Optional[ResourceOptions] = None,
control_plane_id: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
partials: Optional[Sequence[GatewayPluginJwtSignerPartialArgs]] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None)func NewGatewayPluginJwtSigner(ctx *Context, name string, args GatewayPluginJwtSignerArgs, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)public GatewayPluginJwtSigner(string name, GatewayPluginJwtSignerArgs args, CustomResourceOptions? opts = null)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args, CustomResourceOptions options)
type: konnect:GatewayPluginJwtSigner
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var gatewayPluginJwtSignerResource = new Konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", new()
{
ControlPlaneId = "string",
Ordering = new Konnect.Inputs.GatewayPluginJwtSignerOrderingArgs
{
After = new Konnect.Inputs.GatewayPluginJwtSignerOrderingAfterArgs
{
Accesses = new[]
{
"string",
},
},
Before = new Konnect.Inputs.GatewayPluginJwtSignerOrderingBeforeArgs
{
Accesses = new[]
{
"string",
},
},
},
CreatedAt = 0,
Enabled = false,
GatewayPluginJwtSignerId = "string",
InstanceName = "string",
Config = new Konnect.Inputs.GatewayPluginJwtSignerConfigArgs
{
AccessTokenAudienceClaims = new[]
{
"string",
},
AccessTokenAudiencesAlloweds = new[]
{
"string",
},
AccessTokenConsumerBies = new[]
{
"string",
},
AccessTokenConsumerClaims = new[]
{
"string",
},
AccessTokenExpiryClaims = new[]
{
"string",
},
AccessTokenIntrospectionAudienceClaims = new[]
{
"string",
},
AccessTokenIntrospectionAudiencesAlloweds = new[]
{
"string",
},
AccessTokenIntrospectionAuthorization = "string",
AccessTokenIntrospectionBodyArgs = "string",
AccessTokenIntrospectionConsumerBies = new[]
{
"string",
},
AccessTokenIntrospectionConsumerClaims = new[]
{
"string",
},
AccessTokenIntrospectionEndpoint = "string",
AccessTokenIntrospectionExpiryClaims = new[]
{
"string",
},
AccessTokenIntrospectionHint = "string",
AccessTokenIntrospectionIssuerClaims = new[]
{
"string",
},
AccessTokenIntrospectionIssuersAlloweds = new[]
{
"string",
},
AccessTokenIntrospectionJwtClaims = new[]
{
"string",
},
AccessTokenIntrospectionLeeway = 0,
AccessTokenIntrospectionNotbeforeClaims = new[]
{
"string",
},
AccessTokenIntrospectionOptionalClaims = new[]
{
new[]
{
"string",
},
},
AccessTokenIntrospectionRequiredClaims = new[]
{
new[]
{
"string",
},
},
AccessTokenIntrospectionScopesClaims = new[]
{
"string",
},
AccessTokenIntrospectionScopesRequireds = new[]
{
"string",
},
AccessTokenIntrospectionSubjectClaims = new[]
{
"string",
},
AccessTokenIntrospectionSubjectsAlloweds = new[]
{
"string",
},
AccessTokenIntrospectionTimeout = 0,
AccessTokenIssuer = "string",
AccessTokenIssuerClaims = new[]
{
"string",
},
AccessTokenIssuersAlloweds = new[]
{
"string",
},
AccessTokenJwksUri = "string",
AccessTokenJwksUriClientCertificate = new Konnect.Inputs.GatewayPluginJwtSignerConfigAccessTokenJwksUriClientCertificateArgs
{
Id = "string",
},
AccessTokenJwksUriClientPassword = "string",
AccessTokenJwksUriClientUsername = "string",
AccessTokenJwksUriRotatePeriod = 0,
AccessTokenKeyset = "string",
AccessTokenKeysetClientCertificate = new Konnect.Inputs.GatewayPluginJwtSignerConfigAccessTokenKeysetClientCertificateArgs
{
Id = "string",
},
AccessTokenKeysetClientPassword = "string",
AccessTokenKeysetClientUsername = "string",
AccessTokenKeysetRotatePeriod = 0,
AccessTokenLeeway = 0,
AccessTokenNotbeforeClaims = new[]
{
"string",
},
AccessTokenOptional = false,
AccessTokenOptionalClaims = new[]
{
new[]
{
"string",
},
},
AccessTokenRequestHeader = "string",
AccessTokenRequiredClaims = new[]
{
new[]
{
"string",
},
},
AccessTokenScopesClaims = new[]
{
"string",
},
AccessTokenScopesRequireds = new[]
{
"string",
},
AccessTokenSigning = false,
AccessTokenSigningAlgorithm = "string",
AccessTokenSubjectClaims = new[]
{
"string",
},
AccessTokenSubjectsAlloweds = new[]
{
"string",
},
AccessTokenUpstreamHeader = "string",
AccessTokenUpstreamLeeway = 0,
AddAccessTokenClaims =
{
{ "string", "string" },
},
AddChannelTokenClaims =
{
{ "string", "string" },
},
AddClaims =
{
{ "string", "string" },
},
CacheAccessTokenIntrospection = false,
CacheChannelTokenIntrospection = false,
ChannelTokenAudienceClaims = new[]
{
"string",
},
ChannelTokenAudiencesAlloweds = new[]
{
"string",
},
ChannelTokenConsumerBies = new[]
{
"string",
},
ChannelTokenConsumerClaims = new[]
{
"string",
},
ChannelTokenExpiryClaims = new[]
{
"string",
},
ChannelTokenIntrospectionAudienceClaims = new[]
{
"string",
},
ChannelTokenIntrospectionAudiencesAlloweds = new[]
{
"string",
},
ChannelTokenIntrospectionAuthorization = "string",
ChannelTokenIntrospectionBodyArgs = "string",
ChannelTokenIntrospectionConsumerBies = new[]
{
"string",
},
ChannelTokenIntrospectionConsumerClaims = new[]
{
"string",
},
ChannelTokenIntrospectionEndpoint = "string",
ChannelTokenIntrospectionExpiryClaims = new[]
{
"string",
},
ChannelTokenIntrospectionHint = "string",
ChannelTokenIntrospectionIssuerClaims = new[]
{
"string",
},
ChannelTokenIntrospectionIssuersAlloweds = new[]
{
"string",
},
ChannelTokenIntrospectionJwtClaims = new[]
{
"string",
},
ChannelTokenIntrospectionLeeway = 0,
ChannelTokenIntrospectionNotbeforeClaims = new[]
{
"string",
},
ChannelTokenIntrospectionOptionalClaims = new[]
{
new[]
{
"string",
},
},
ChannelTokenIntrospectionRequiredClaims = new[]
{
new[]
{
"string",
},
},
ChannelTokenIntrospectionScopesClaims = new[]
{
"string",
},
ChannelTokenIntrospectionScopesRequireds = new[]
{
"string",
},
ChannelTokenIntrospectionSubjectClaims = new[]
{
"string",
},
ChannelTokenIntrospectionSubjectsAlloweds = new[]
{
"string",
},
ChannelTokenIntrospectionTimeout = 0,
ChannelTokenIssuer = "string",
ChannelTokenIssuerClaims = new[]
{
"string",
},
ChannelTokenIssuersAlloweds = new[]
{
"string",
},
ChannelTokenJwksUri = "string",
ChannelTokenJwksUriClientCertificate = new Konnect.Inputs.GatewayPluginJwtSignerConfigChannelTokenJwksUriClientCertificateArgs
{
Id = "string",
},
ChannelTokenJwksUriClientPassword = "string",
ChannelTokenJwksUriClientUsername = "string",
ChannelTokenJwksUriRotatePeriod = 0,
ChannelTokenKeyset = "string",
ChannelTokenKeysetClientCertificate = new Konnect.Inputs.GatewayPluginJwtSignerConfigChannelTokenKeysetClientCertificateArgs
{
Id = "string",
},
ChannelTokenKeysetClientPassword = "string",
ChannelTokenKeysetClientUsername = "string",
ChannelTokenKeysetRotatePeriod = 0,
ChannelTokenLeeway = 0,
ChannelTokenNotbeforeClaims = new[]
{
"string",
},
ChannelTokenOptional = false,
ChannelTokenOptionalClaims = new[]
{
new[]
{
"string",
},
},
ChannelTokenRequestHeader = "string",
ChannelTokenRequiredClaims = new[]
{
new[]
{
"string",
},
},
ChannelTokenScopesClaims = new[]
{
"string",
},
ChannelTokenScopesRequireds = new[]
{
"string",
},
ChannelTokenSigning = false,
ChannelTokenSigningAlgorithm = "string",
ChannelTokenSubjectClaims = new[]
{
"string",
},
ChannelTokenSubjectsAlloweds = new[]
{
"string",
},
ChannelTokenUpstreamHeader = "string",
ChannelTokenUpstreamLeeway = 0,
EnableAccessTokenIntrospection = false,
EnableChannelTokenIntrospection = false,
EnableHsSignatures = false,
EnableInstrumentation = false,
OriginalAccessTokenUpstreamHeader = "string",
OriginalChannelTokenUpstreamHeader = "string",
Realm = "string",
RemoveAccessTokenClaims = new[]
{
"string",
},
RemoveChannelTokenClaims = new[]
{
"string",
},
SetAccessTokenClaims =
{
{ "string", "string" },
},
SetChannelTokenClaims =
{
{ "string", "string" },
},
SetClaims =
{
{ "string", "string" },
},
TrustAccessTokenIntrospection = false,
TrustChannelTokenIntrospection = false,
VerifyAccessTokenAudience = false,
VerifyAccessTokenExpiry = false,
VerifyAccessTokenIntrospectionAudience = false,
VerifyAccessTokenIntrospectionExpiry = false,
VerifyAccessTokenIntrospectionIssuer = false,
VerifyAccessTokenIntrospectionNotbefore = false,
VerifyAccessTokenIntrospectionScopes = false,
VerifyAccessTokenIntrospectionSubject = false,
VerifyAccessTokenIssuer = false,
VerifyAccessTokenNotbefore = false,
VerifyAccessTokenScopes = false,
VerifyAccessTokenSignature = false,
VerifyAccessTokenSubject = false,
VerifyChannelTokenAudience = false,
VerifyChannelTokenExpiry = false,
VerifyChannelTokenIntrospectionAudience = false,
VerifyChannelTokenIntrospectionExpiry = false,
VerifyChannelTokenIntrospectionIssuer = false,
VerifyChannelTokenIntrospectionNotbefore = false,
VerifyChannelTokenIntrospectionScopes = false,
VerifyChannelTokenIntrospectionSubject = false,
VerifyChannelTokenIssuer = false,
VerifyChannelTokenNotbefore = false,
VerifyChannelTokenScopes = false,
VerifyChannelTokenSignature = false,
VerifyChannelTokenSubject = false,
},
Partials = new[]
{
new Konnect.Inputs.GatewayPluginJwtSignerPartialArgs
{
Id = "string",
Name = "string",
Path = "string",
},
},
Protocols = new[]
{
"string",
},
Route = new Konnect.Inputs.GatewayPluginJwtSignerRouteArgs
{
Id = "string",
},
Service = new Konnect.Inputs.GatewayPluginJwtSignerServiceArgs
{
Id = "string",
},
Tags = new[]
{
"string",
},
UpdatedAt = 0,
});
example, err := konnect.NewGatewayPluginJwtSigner(ctx, "gatewayPluginJwtSignerResource", &konnect.GatewayPluginJwtSignerArgs{
ControlPlaneId: pulumi.String("string"),
Ordering: &konnect.GatewayPluginJwtSignerOrderingArgs{
After: &konnect.GatewayPluginJwtSignerOrderingAfterArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
Before: &konnect.GatewayPluginJwtSignerOrderingBeforeArgs{
Accesses: pulumi.StringArray{
pulumi.String("string"),
},
},
},
CreatedAt: pulumi.Float64(0),
Enabled: pulumi.Bool(false),
GatewayPluginJwtSignerId: pulumi.String("string"),
InstanceName: pulumi.String("string"),
Config: &konnect.GatewayPluginJwtSignerConfigArgs{
AccessTokenAudienceClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenAudiencesAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenExpiryClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionAudienceClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionAudiencesAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionAuthorization: pulumi.String("string"),
AccessTokenIntrospectionBodyArgs: pulumi.String("string"),
AccessTokenIntrospectionConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionEndpoint: pulumi.String("string"),
AccessTokenIntrospectionExpiryClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionHint: pulumi.String("string"),
AccessTokenIntrospectionIssuerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionIssuersAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionJwtClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionLeeway: pulumi.Float64(0),
AccessTokenIntrospectionNotbeforeClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionOptionalClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
AccessTokenIntrospectionRequiredClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
AccessTokenIntrospectionScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionSubjectClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionSubjectsAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIntrospectionTimeout: pulumi.Float64(0),
AccessTokenIssuer: pulumi.String("string"),
AccessTokenIssuerClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenIssuersAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenJwksUri: pulumi.String("string"),
AccessTokenJwksUriClientCertificate: &konnect.GatewayPluginJwtSignerConfigAccessTokenJwksUriClientCertificateArgs{
Id: pulumi.String("string"),
},
AccessTokenJwksUriClientPassword: pulumi.String("string"),
AccessTokenJwksUriClientUsername: pulumi.String("string"),
AccessTokenJwksUriRotatePeriod: pulumi.Float64(0),
AccessTokenKeyset: pulumi.String("string"),
AccessTokenKeysetClientCertificate: &konnect.GatewayPluginJwtSignerConfigAccessTokenKeysetClientCertificateArgs{
Id: pulumi.String("string"),
},
AccessTokenKeysetClientPassword: pulumi.String("string"),
AccessTokenKeysetClientUsername: pulumi.String("string"),
AccessTokenKeysetRotatePeriod: pulumi.Float64(0),
AccessTokenLeeway: pulumi.Float64(0),
AccessTokenNotbeforeClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenOptional: pulumi.Bool(false),
AccessTokenOptionalClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
AccessTokenRequestHeader: pulumi.String("string"),
AccessTokenRequiredClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
AccessTokenScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenSigning: pulumi.Bool(false),
AccessTokenSigningAlgorithm: pulumi.String("string"),
AccessTokenSubjectClaims: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenSubjectsAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
AccessTokenUpstreamHeader: pulumi.String("string"),
AccessTokenUpstreamLeeway: pulumi.Float64(0),
AddAccessTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
AddChannelTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
AddClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
CacheAccessTokenIntrospection: pulumi.Bool(false),
CacheChannelTokenIntrospection: pulumi.Bool(false),
ChannelTokenAudienceClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenAudiencesAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenExpiryClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionAudienceClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionAudiencesAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionAuthorization: pulumi.String("string"),
ChannelTokenIntrospectionBodyArgs: pulumi.String("string"),
ChannelTokenIntrospectionConsumerBies: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionConsumerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionEndpoint: pulumi.String("string"),
ChannelTokenIntrospectionExpiryClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionHint: pulumi.String("string"),
ChannelTokenIntrospectionIssuerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionIssuersAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionJwtClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionLeeway: pulumi.Float64(0),
ChannelTokenIntrospectionNotbeforeClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionOptionalClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
ChannelTokenIntrospectionRequiredClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
ChannelTokenIntrospectionScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionSubjectClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionSubjectsAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIntrospectionTimeout: pulumi.Float64(0),
ChannelTokenIssuer: pulumi.String("string"),
ChannelTokenIssuerClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenIssuersAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenJwksUri: pulumi.String("string"),
ChannelTokenJwksUriClientCertificate: &konnect.GatewayPluginJwtSignerConfigChannelTokenJwksUriClientCertificateArgs{
Id: pulumi.String("string"),
},
ChannelTokenJwksUriClientPassword: pulumi.String("string"),
ChannelTokenJwksUriClientUsername: pulumi.String("string"),
ChannelTokenJwksUriRotatePeriod: pulumi.Float64(0),
ChannelTokenKeyset: pulumi.String("string"),
ChannelTokenKeysetClientCertificate: &konnect.GatewayPluginJwtSignerConfigChannelTokenKeysetClientCertificateArgs{
Id: pulumi.String("string"),
},
ChannelTokenKeysetClientPassword: pulumi.String("string"),
ChannelTokenKeysetClientUsername: pulumi.String("string"),
ChannelTokenKeysetRotatePeriod: pulumi.Float64(0),
ChannelTokenLeeway: pulumi.Float64(0),
ChannelTokenNotbeforeClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenOptional: pulumi.Bool(false),
ChannelTokenOptionalClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
ChannelTokenRequestHeader: pulumi.String("string"),
ChannelTokenRequiredClaims: pulumi.StringArrayArray{
pulumi.StringArray{
pulumi.String("string"),
},
},
ChannelTokenScopesClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenScopesRequireds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenSigning: pulumi.Bool(false),
ChannelTokenSigningAlgorithm: pulumi.String("string"),
ChannelTokenSubjectClaims: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenSubjectsAlloweds: pulumi.StringArray{
pulumi.String("string"),
},
ChannelTokenUpstreamHeader: pulumi.String("string"),
ChannelTokenUpstreamLeeway: pulumi.Float64(0),
EnableAccessTokenIntrospection: pulumi.Bool(false),
EnableChannelTokenIntrospection: pulumi.Bool(false),
EnableHsSignatures: pulumi.Bool(false),
EnableInstrumentation: pulumi.Bool(false),
OriginalAccessTokenUpstreamHeader: pulumi.String("string"),
OriginalChannelTokenUpstreamHeader: pulumi.String("string"),
Realm: pulumi.String("string"),
RemoveAccessTokenClaims: pulumi.StringArray{
pulumi.String("string"),
},
RemoveChannelTokenClaims: pulumi.StringArray{
pulumi.String("string"),
},
SetAccessTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
SetChannelTokenClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
SetClaims: pulumi.StringMap{
"string": pulumi.String("string"),
},
TrustAccessTokenIntrospection: pulumi.Bool(false),
TrustChannelTokenIntrospection: pulumi.Bool(false),
VerifyAccessTokenAudience: pulumi.Bool(false),
VerifyAccessTokenExpiry: pulumi.Bool(false),
VerifyAccessTokenIntrospectionAudience: pulumi.Bool(false),
VerifyAccessTokenIntrospectionExpiry: pulumi.Bool(false),
VerifyAccessTokenIntrospectionIssuer: pulumi.Bool(false),
VerifyAccessTokenIntrospectionNotbefore: pulumi.Bool(false),
VerifyAccessTokenIntrospectionScopes: pulumi.Bool(false),
VerifyAccessTokenIntrospectionSubject: pulumi.Bool(false),
VerifyAccessTokenIssuer: pulumi.Bool(false),
VerifyAccessTokenNotbefore: pulumi.Bool(false),
VerifyAccessTokenScopes: pulumi.Bool(false),
VerifyAccessTokenSignature: pulumi.Bool(false),
VerifyAccessTokenSubject: pulumi.Bool(false),
VerifyChannelTokenAudience: pulumi.Bool(false),
VerifyChannelTokenExpiry: pulumi.Bool(false),
VerifyChannelTokenIntrospectionAudience: pulumi.Bool(false),
VerifyChannelTokenIntrospectionExpiry: pulumi.Bool(false),
VerifyChannelTokenIntrospectionIssuer: pulumi.Bool(false),
VerifyChannelTokenIntrospectionNotbefore: pulumi.Bool(false),
VerifyChannelTokenIntrospectionScopes: pulumi.Bool(false),
VerifyChannelTokenIntrospectionSubject: pulumi.Bool(false),
VerifyChannelTokenIssuer: pulumi.Bool(false),
VerifyChannelTokenNotbefore: pulumi.Bool(false),
VerifyChannelTokenScopes: pulumi.Bool(false),
VerifyChannelTokenSignature: pulumi.Bool(false),
VerifyChannelTokenSubject: pulumi.Bool(false),
},
Partials: konnect.GatewayPluginJwtSignerPartialArray{
&konnect.GatewayPluginJwtSignerPartialArgs{
Id: pulumi.String("string"),
Name: pulumi.String("string"),
Path: pulumi.String("string"),
},
},
Protocols: pulumi.StringArray{
pulumi.String("string"),
},
Route: &konnect.GatewayPluginJwtSignerRouteArgs{
Id: pulumi.String("string"),
},
Service: &konnect.GatewayPluginJwtSignerServiceArgs{
Id: pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
UpdatedAt: pulumi.Float64(0),
})
var gatewayPluginJwtSignerResource = new GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", GatewayPluginJwtSignerArgs.builder()
.controlPlaneId("string")
.ordering(GatewayPluginJwtSignerOrderingArgs.builder()
.after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
.accesses("string")
.build())
.before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
.accesses("string")
.build())
.build())
.createdAt(0.0)
.enabled(false)
.gatewayPluginJwtSignerId("string")
.instanceName("string")
.config(GatewayPluginJwtSignerConfigArgs.builder()
.accessTokenAudienceClaims("string")
.accessTokenAudiencesAlloweds("string")
.accessTokenConsumerBies("string")
.accessTokenConsumerClaims("string")
.accessTokenExpiryClaims("string")
.accessTokenIntrospectionAudienceClaims("string")
.accessTokenIntrospectionAudiencesAlloweds("string")
.accessTokenIntrospectionAuthorization("string")
.accessTokenIntrospectionBodyArgs("string")
.accessTokenIntrospectionConsumerBies("string")
.accessTokenIntrospectionConsumerClaims("string")
.accessTokenIntrospectionEndpoint("string")
.accessTokenIntrospectionExpiryClaims("string")
.accessTokenIntrospectionHint("string")
.accessTokenIntrospectionIssuerClaims("string")
.accessTokenIntrospectionIssuersAlloweds("string")
.accessTokenIntrospectionJwtClaims("string")
.accessTokenIntrospectionLeeway(0.0)
.accessTokenIntrospectionNotbeforeClaims("string")
.accessTokenIntrospectionOptionalClaims("string")
.accessTokenIntrospectionRequiredClaims("string")
.accessTokenIntrospectionScopesClaims("string")
.accessTokenIntrospectionScopesRequireds("string")
.accessTokenIntrospectionSubjectClaims("string")
.accessTokenIntrospectionSubjectsAlloweds("string")
.accessTokenIntrospectionTimeout(0.0)
.accessTokenIssuer("string")
.accessTokenIssuerClaims("string")
.accessTokenIssuersAlloweds("string")
.accessTokenJwksUri("string")
.accessTokenJwksUriClientCertificate(GatewayPluginJwtSignerConfigAccessTokenJwksUriClientCertificateArgs.builder()
.id("string")
.build())
.accessTokenJwksUriClientPassword("string")
.accessTokenJwksUriClientUsername("string")
.accessTokenJwksUriRotatePeriod(0.0)
.accessTokenKeyset("string")
.accessTokenKeysetClientCertificate(GatewayPluginJwtSignerConfigAccessTokenKeysetClientCertificateArgs.builder()
.id("string")
.build())
.accessTokenKeysetClientPassword("string")
.accessTokenKeysetClientUsername("string")
.accessTokenKeysetRotatePeriod(0.0)
.accessTokenLeeway(0.0)
.accessTokenNotbeforeClaims("string")
.accessTokenOptional(false)
.accessTokenOptionalClaims("string")
.accessTokenRequestHeader("string")
.accessTokenRequiredClaims("string")
.accessTokenScopesClaims("string")
.accessTokenScopesRequireds("string")
.accessTokenSigning(false)
.accessTokenSigningAlgorithm("string")
.accessTokenSubjectClaims("string")
.accessTokenSubjectsAlloweds("string")
.accessTokenUpstreamHeader("string")
.accessTokenUpstreamLeeway(0.0)
.addAccessTokenClaims(Map.of("string", "string"))
.addChannelTokenClaims(Map.of("string", "string"))
.addClaims(Map.of("string", "string"))
.cacheAccessTokenIntrospection(false)
.cacheChannelTokenIntrospection(false)
.channelTokenAudienceClaims("string")
.channelTokenAudiencesAlloweds("string")
.channelTokenConsumerBies("string")
.channelTokenConsumerClaims("string")
.channelTokenExpiryClaims("string")
.channelTokenIntrospectionAudienceClaims("string")
.channelTokenIntrospectionAudiencesAlloweds("string")
.channelTokenIntrospectionAuthorization("string")
.channelTokenIntrospectionBodyArgs("string")
.channelTokenIntrospectionConsumerBies("string")
.channelTokenIntrospectionConsumerClaims("string")
.channelTokenIntrospectionEndpoint("string")
.channelTokenIntrospectionExpiryClaims("string")
.channelTokenIntrospectionHint("string")
.channelTokenIntrospectionIssuerClaims("string")
.channelTokenIntrospectionIssuersAlloweds("string")
.channelTokenIntrospectionJwtClaims("string")
.channelTokenIntrospectionLeeway(0.0)
.channelTokenIntrospectionNotbeforeClaims("string")
.channelTokenIntrospectionOptionalClaims("string")
.channelTokenIntrospectionRequiredClaims("string")
.channelTokenIntrospectionScopesClaims("string")
.channelTokenIntrospectionScopesRequireds("string")
.channelTokenIntrospectionSubjectClaims("string")
.channelTokenIntrospectionSubjectsAlloweds("string")
.channelTokenIntrospectionTimeout(0.0)
.channelTokenIssuer("string")
.channelTokenIssuerClaims("string")
.channelTokenIssuersAlloweds("string")
.channelTokenJwksUri("string")
.channelTokenJwksUriClientCertificate(GatewayPluginJwtSignerConfigChannelTokenJwksUriClientCertificateArgs.builder()
.id("string")
.build())
.channelTokenJwksUriClientPassword("string")
.channelTokenJwksUriClientUsername("string")
.channelTokenJwksUriRotatePeriod(0.0)
.channelTokenKeyset("string")
.channelTokenKeysetClientCertificate(GatewayPluginJwtSignerConfigChannelTokenKeysetClientCertificateArgs.builder()
.id("string")
.build())
.channelTokenKeysetClientPassword("string")
.channelTokenKeysetClientUsername("string")
.channelTokenKeysetRotatePeriod(0.0)
.channelTokenLeeway(0.0)
.channelTokenNotbeforeClaims("string")
.channelTokenOptional(false)
.channelTokenOptionalClaims("string")
.channelTokenRequestHeader("string")
.channelTokenRequiredClaims("string")
.channelTokenScopesClaims("string")
.channelTokenScopesRequireds("string")
.channelTokenSigning(false)
.channelTokenSigningAlgorithm("string")
.channelTokenSubjectClaims("string")
.channelTokenSubjectsAlloweds("string")
.channelTokenUpstreamHeader("string")
.channelTokenUpstreamLeeway(0.0)
.enableAccessTokenIntrospection(false)
.enableChannelTokenIntrospection(false)
.enableHsSignatures(false)
.enableInstrumentation(false)
.originalAccessTokenUpstreamHeader("string")
.originalChannelTokenUpstreamHeader("string")
.realm("string")
.removeAccessTokenClaims("string")
.removeChannelTokenClaims("string")
.setAccessTokenClaims(Map.of("string", "string"))
.setChannelTokenClaims(Map.of("string", "string"))
.setClaims(Map.of("string", "string"))
.trustAccessTokenIntrospection(false)
.trustChannelTokenIntrospection(false)
.verifyAccessTokenAudience(false)
.verifyAccessTokenExpiry(false)
.verifyAccessTokenIntrospectionAudience(false)
.verifyAccessTokenIntrospectionExpiry(false)
.verifyAccessTokenIntrospectionIssuer(false)
.verifyAccessTokenIntrospectionNotbefore(false)
.verifyAccessTokenIntrospectionScopes(false)
.verifyAccessTokenIntrospectionSubject(false)
.verifyAccessTokenIssuer(false)
.verifyAccessTokenNotbefore(false)
.verifyAccessTokenScopes(false)
.verifyAccessTokenSignature(false)
.verifyAccessTokenSubject(false)
.verifyChannelTokenAudience(false)
.verifyChannelTokenExpiry(false)
.verifyChannelTokenIntrospectionAudience(false)
.verifyChannelTokenIntrospectionExpiry(false)
.verifyChannelTokenIntrospectionIssuer(false)
.verifyChannelTokenIntrospectionNotbefore(false)
.verifyChannelTokenIntrospectionScopes(false)
.verifyChannelTokenIntrospectionSubject(false)
.verifyChannelTokenIssuer(false)
.verifyChannelTokenNotbefore(false)
.verifyChannelTokenScopes(false)
.verifyChannelTokenSignature(false)
.verifyChannelTokenSubject(false)
.build())
.partials(GatewayPluginJwtSignerPartialArgs.builder()
.id("string")
.name("string")
.path("string")
.build())
.protocols("string")
.route(GatewayPluginJwtSignerRouteArgs.builder()
.id("string")
.build())
.service(GatewayPluginJwtSignerServiceArgs.builder()
.id("string")
.build())
.tags("string")
.updatedAt(0.0)
.build());
gateway_plugin_jwt_signer_resource = konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource",
control_plane_id="string",
ordering={
"after": {
"accesses": ["string"],
},
"before": {
"accesses": ["string"],
},
},
created_at=0,
enabled=False,
gateway_plugin_jwt_signer_id="string",
instance_name="string",
config={
"access_token_audience_claims": ["string"],
"access_token_audiences_alloweds": ["string"],
"access_token_consumer_bies": ["string"],
"access_token_consumer_claims": ["string"],
"access_token_expiry_claims": ["string"],
"access_token_introspection_audience_claims": ["string"],
"access_token_introspection_audiences_alloweds": ["string"],
"access_token_introspection_authorization": "string",
"access_token_introspection_body_args": "string",
"access_token_introspection_consumer_bies": ["string"],
"access_token_introspection_consumer_claims": ["string"],
"access_token_introspection_endpoint": "string",
"access_token_introspection_expiry_claims": ["string"],
"access_token_introspection_hint": "string",
"access_token_introspection_issuer_claims": ["string"],
"access_token_introspection_issuers_alloweds": ["string"],
"access_token_introspection_jwt_claims": ["string"],
"access_token_introspection_leeway": 0,
"access_token_introspection_notbefore_claims": ["string"],
"access_token_introspection_optional_claims": [["string"]],
"access_token_introspection_required_claims": [["string"]],
"access_token_introspection_scopes_claims": ["string"],
"access_token_introspection_scopes_requireds": ["string"],
"access_token_introspection_subject_claims": ["string"],
"access_token_introspection_subjects_alloweds": ["string"],
"access_token_introspection_timeout": 0,
"access_token_issuer": "string",
"access_token_issuer_claims": ["string"],
"access_token_issuers_alloweds": ["string"],
"access_token_jwks_uri": "string",
"access_token_jwks_uri_client_certificate": {
"id": "string",
},
"access_token_jwks_uri_client_password": "string",
"access_token_jwks_uri_client_username": "string",
"access_token_jwks_uri_rotate_period": 0,
"access_token_keyset": "string",
"access_token_keyset_client_certificate": {
"id": "string",
},
"access_token_keyset_client_password": "string",
"access_token_keyset_client_username": "string",
"access_token_keyset_rotate_period": 0,
"access_token_leeway": 0,
"access_token_notbefore_claims": ["string"],
"access_token_optional": False,
"access_token_optional_claims": [["string"]],
"access_token_request_header": "string",
"access_token_required_claims": [["string"]],
"access_token_scopes_claims": ["string"],
"access_token_scopes_requireds": ["string"],
"access_token_signing": False,
"access_token_signing_algorithm": "string",
"access_token_subject_claims": ["string"],
"access_token_subjects_alloweds": ["string"],
"access_token_upstream_header": "string",
"access_token_upstream_leeway": 0,
"add_access_token_claims": {
"string": "string",
},
"add_channel_token_claims": {
"string": "string",
},
"add_claims": {
"string": "string",
},
"cache_access_token_introspection": False,
"cache_channel_token_introspection": False,
"channel_token_audience_claims": ["string"],
"channel_token_audiences_alloweds": ["string"],
"channel_token_consumer_bies": ["string"],
"channel_token_consumer_claims": ["string"],
"channel_token_expiry_claims": ["string"],
"channel_token_introspection_audience_claims": ["string"],
"channel_token_introspection_audiences_alloweds": ["string"],
"channel_token_introspection_authorization": "string",
"channel_token_introspection_body_args": "string",
"channel_token_introspection_consumer_bies": ["string"],
"channel_token_introspection_consumer_claims": ["string"],
"channel_token_introspection_endpoint": "string",
"channel_token_introspection_expiry_claims": ["string"],
"channel_token_introspection_hint": "string",
"channel_token_introspection_issuer_claims": ["string"],
"channel_token_introspection_issuers_alloweds": ["string"],
"channel_token_introspection_jwt_claims": ["string"],
"channel_token_introspection_leeway": 0,
"channel_token_introspection_notbefore_claims": ["string"],
"channel_token_introspection_optional_claims": [["string"]],
"channel_token_introspection_required_claims": [["string"]],
"channel_token_introspection_scopes_claims": ["string"],
"channel_token_introspection_scopes_requireds": ["string"],
"channel_token_introspection_subject_claims": ["string"],
"channel_token_introspection_subjects_alloweds": ["string"],
"channel_token_introspection_timeout": 0,
"channel_token_issuer": "string",
"channel_token_issuer_claims": ["string"],
"channel_token_issuers_alloweds": ["string"],
"channel_token_jwks_uri": "string",
"channel_token_jwks_uri_client_certificate": {
"id": "string",
},
"channel_token_jwks_uri_client_password": "string",
"channel_token_jwks_uri_client_username": "string",
"channel_token_jwks_uri_rotate_period": 0,
"channel_token_keyset": "string",
"channel_token_keyset_client_certificate": {
"id": "string",
},
"channel_token_keyset_client_password": "string",
"channel_token_keyset_client_username": "string",
"channel_token_keyset_rotate_period": 0,
"channel_token_leeway": 0,
"channel_token_notbefore_claims": ["string"],
"channel_token_optional": False,
"channel_token_optional_claims": [["string"]],
"channel_token_request_header": "string",
"channel_token_required_claims": [["string"]],
"channel_token_scopes_claims": ["string"],
"channel_token_scopes_requireds": ["string"],
"channel_token_signing": False,
"channel_token_signing_algorithm": "string",
"channel_token_subject_claims": ["string"],
"channel_token_subjects_alloweds": ["string"],
"channel_token_upstream_header": "string",
"channel_token_upstream_leeway": 0,
"enable_access_token_introspection": False,
"enable_channel_token_introspection": False,
"enable_hs_signatures": False,
"enable_instrumentation": False,
"original_access_token_upstream_header": "string",
"original_channel_token_upstream_header": "string",
"realm": "string",
"remove_access_token_claims": ["string"],
"remove_channel_token_claims": ["string"],
"set_access_token_claims": {
"string": "string",
},
"set_channel_token_claims": {
"string": "string",
},
"set_claims": {
"string": "string",
},
"trust_access_token_introspection": False,
"trust_channel_token_introspection": False,
"verify_access_token_audience": False,
"verify_access_token_expiry": False,
"verify_access_token_introspection_audience": False,
"verify_access_token_introspection_expiry": False,
"verify_access_token_introspection_issuer": False,
"verify_access_token_introspection_notbefore": False,
"verify_access_token_introspection_scopes": False,
"verify_access_token_introspection_subject": False,
"verify_access_token_issuer": False,
"verify_access_token_notbefore": False,
"verify_access_token_scopes": False,
"verify_access_token_signature": False,
"verify_access_token_subject": False,
"verify_channel_token_audience": False,
"verify_channel_token_expiry": False,
"verify_channel_token_introspection_audience": False,
"verify_channel_token_introspection_expiry": False,
"verify_channel_token_introspection_issuer": False,
"verify_channel_token_introspection_notbefore": False,
"verify_channel_token_introspection_scopes": False,
"verify_channel_token_introspection_subject": False,
"verify_channel_token_issuer": False,
"verify_channel_token_notbefore": False,
"verify_channel_token_scopes": False,
"verify_channel_token_signature": False,
"verify_channel_token_subject": False,
},
partials=[{
"id": "string",
"name": "string",
"path": "string",
}],
protocols=["string"],
route={
"id": "string",
},
service={
"id": "string",
},
tags=["string"],
updated_at=0)
const gatewayPluginJwtSignerResource = new konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", {
controlPlaneId: "string",
ordering: {
after: {
accesses: ["string"],
},
before: {
accesses: ["string"],
},
},
createdAt: 0,
enabled: false,
gatewayPluginJwtSignerId: "string",
instanceName: "string",
config: {
accessTokenAudienceClaims: ["string"],
accessTokenAudiencesAlloweds: ["string"],
accessTokenConsumerBies: ["string"],
accessTokenConsumerClaims: ["string"],
accessTokenExpiryClaims: ["string"],
accessTokenIntrospectionAudienceClaims: ["string"],
accessTokenIntrospectionAudiencesAlloweds: ["string"],
accessTokenIntrospectionAuthorization: "string",
accessTokenIntrospectionBodyArgs: "string",
accessTokenIntrospectionConsumerBies: ["string"],
accessTokenIntrospectionConsumerClaims: ["string"],
accessTokenIntrospectionEndpoint: "string",
accessTokenIntrospectionExpiryClaims: ["string"],
accessTokenIntrospectionHint: "string",
accessTokenIntrospectionIssuerClaims: ["string"],
accessTokenIntrospectionIssuersAlloweds: ["string"],
accessTokenIntrospectionJwtClaims: ["string"],
accessTokenIntrospectionLeeway: 0,
accessTokenIntrospectionNotbeforeClaims: ["string"],
accessTokenIntrospectionOptionalClaims: [["string"]],
accessTokenIntrospectionRequiredClaims: [["string"]],
accessTokenIntrospectionScopesClaims: ["string"],
accessTokenIntrospectionScopesRequireds: ["string"],
accessTokenIntrospectionSubjectClaims: ["string"],
accessTokenIntrospectionSubjectsAlloweds: ["string"],
accessTokenIntrospectionTimeout: 0,
accessTokenIssuer: "string",
accessTokenIssuerClaims: ["string"],
accessTokenIssuersAlloweds: ["string"],
accessTokenJwksUri: "string",
accessTokenJwksUriClientCertificate: {
id: "string",
},
accessTokenJwksUriClientPassword: "string",
accessTokenJwksUriClientUsername: "string",
accessTokenJwksUriRotatePeriod: 0,
accessTokenKeyset: "string",
accessTokenKeysetClientCertificate: {
id: "string",
},
accessTokenKeysetClientPassword: "string",
accessTokenKeysetClientUsername: "string",
accessTokenKeysetRotatePeriod: 0,
accessTokenLeeway: 0,
accessTokenNotbeforeClaims: ["string"],
accessTokenOptional: false,
accessTokenOptionalClaims: [["string"]],
accessTokenRequestHeader: "string",
accessTokenRequiredClaims: [["string"]],
accessTokenScopesClaims: ["string"],
accessTokenScopesRequireds: ["string"],
accessTokenSigning: false,
accessTokenSigningAlgorithm: "string",
accessTokenSubjectClaims: ["string"],
accessTokenSubjectsAlloweds: ["string"],
accessTokenUpstreamHeader: "string",
accessTokenUpstreamLeeway: 0,
addAccessTokenClaims: {
string: "string",
},
addChannelTokenClaims: {
string: "string",
},
addClaims: {
string: "string",
},
cacheAccessTokenIntrospection: false,
cacheChannelTokenIntrospection: false,
channelTokenAudienceClaims: ["string"],
channelTokenAudiencesAlloweds: ["string"],
channelTokenConsumerBies: ["string"],
channelTokenConsumerClaims: ["string"],
channelTokenExpiryClaims: ["string"],
channelTokenIntrospectionAudienceClaims: ["string"],
channelTokenIntrospectionAudiencesAlloweds: ["string"],
channelTokenIntrospectionAuthorization: "string",
channelTokenIntrospectionBodyArgs: "string",
channelTokenIntrospectionConsumerBies: ["string"],
channelTokenIntrospectionConsumerClaims: ["string"],
channelTokenIntrospectionEndpoint: "string",
channelTokenIntrospectionExpiryClaims: ["string"],
channelTokenIntrospectionHint: "string",
channelTokenIntrospectionIssuerClaims: ["string"],
channelTokenIntrospectionIssuersAlloweds: ["string"],
channelTokenIntrospectionJwtClaims: ["string"],
channelTokenIntrospectionLeeway: 0,
channelTokenIntrospectionNotbeforeClaims: ["string"],
channelTokenIntrospectionOptionalClaims: [["string"]],
channelTokenIntrospectionRequiredClaims: [["string"]],
channelTokenIntrospectionScopesClaims: ["string"],
channelTokenIntrospectionScopesRequireds: ["string"],
channelTokenIntrospectionSubjectClaims: ["string"],
channelTokenIntrospectionSubjectsAlloweds: ["string"],
channelTokenIntrospectionTimeout: 0,
channelTokenIssuer: "string",
channelTokenIssuerClaims: ["string"],
channelTokenIssuersAlloweds: ["string"],
channelTokenJwksUri: "string",
channelTokenJwksUriClientCertificate: {
id: "string",
},
channelTokenJwksUriClientPassword: "string",
channelTokenJwksUriClientUsername: "string",
channelTokenJwksUriRotatePeriod: 0,
channelTokenKeyset: "string",
channelTokenKeysetClientCertificate: {
id: "string",
},
channelTokenKeysetClientPassword: "string",
channelTokenKeysetClientUsername: "string",
channelTokenKeysetRotatePeriod: 0,
channelTokenLeeway: 0,
channelTokenNotbeforeClaims: ["string"],
channelTokenOptional: false,
channelTokenOptionalClaims: [["string"]],
channelTokenRequestHeader: "string",
channelTokenRequiredClaims: [["string"]],
channelTokenScopesClaims: ["string"],
channelTokenScopesRequireds: ["string"],
channelTokenSigning: false,
channelTokenSigningAlgorithm: "string",
channelTokenSubjectClaims: ["string"],
channelTokenSubjectsAlloweds: ["string"],
channelTokenUpstreamHeader: "string",
channelTokenUpstreamLeeway: 0,
enableAccessTokenIntrospection: false,
enableChannelTokenIntrospection: false,
enableHsSignatures: false,
enableInstrumentation: false,
originalAccessTokenUpstreamHeader: "string",
originalChannelTokenUpstreamHeader: "string",
realm: "string",
removeAccessTokenClaims: ["string"],
removeChannelTokenClaims: ["string"],
setAccessTokenClaims: {
string: "string",
},
setChannelTokenClaims: {
string: "string",
},
setClaims: {
string: "string",
},
trustAccessTokenIntrospection: false,
trustChannelTokenIntrospection: false,
verifyAccessTokenAudience: false,
verifyAccessTokenExpiry: false,
verifyAccessTokenIntrospectionAudience: false,
verifyAccessTokenIntrospectionExpiry: false,
verifyAccessTokenIntrospectionIssuer: false,
verifyAccessTokenIntrospectionNotbefore: false,
verifyAccessTokenIntrospectionScopes: false,
verifyAccessTokenIntrospectionSubject: false,
verifyAccessTokenIssuer: false,
verifyAccessTokenNotbefore: false,
verifyAccessTokenScopes: false,
verifyAccessTokenSignature: false,
verifyAccessTokenSubject: false,
verifyChannelTokenAudience: false,
verifyChannelTokenExpiry: false,
verifyChannelTokenIntrospectionAudience: false,
verifyChannelTokenIntrospectionExpiry: false,
verifyChannelTokenIntrospectionIssuer: false,
verifyChannelTokenIntrospectionNotbefore: false,
verifyChannelTokenIntrospectionScopes: false,
verifyChannelTokenIntrospectionSubject: false,
verifyChannelTokenIssuer: false,
verifyChannelTokenNotbefore: false,
verifyChannelTokenScopes: false,
verifyChannelTokenSignature: false,
verifyChannelTokenSubject: false,
},
partials: [{
id: "string",
name: "string",
path: "string",
}],
protocols: ["string"],
route: {
id: "string",
},
service: {
id: "string",
},
tags: ["string"],
updatedAt: 0,
});
type: konnect:GatewayPluginJwtSigner
properties:
config:
accessTokenAudienceClaims:
- string
accessTokenAudiencesAlloweds:
- string
accessTokenConsumerBies:
- string
accessTokenConsumerClaims:
- string
accessTokenExpiryClaims:
- string
accessTokenIntrospectionAudienceClaims:
- string
accessTokenIntrospectionAudiencesAlloweds:
- string
accessTokenIntrospectionAuthorization: string
accessTokenIntrospectionBodyArgs: string
accessTokenIntrospectionConsumerBies:
- string
accessTokenIntrospectionConsumerClaims:
- string
accessTokenIntrospectionEndpoint: string
accessTokenIntrospectionExpiryClaims:
- string
accessTokenIntrospectionHint: string
accessTokenIntrospectionIssuerClaims:
- string
accessTokenIntrospectionIssuersAlloweds:
- string
accessTokenIntrospectionJwtClaims:
- string
accessTokenIntrospectionLeeway: 0
accessTokenIntrospectionNotbeforeClaims:
- string
accessTokenIntrospectionOptionalClaims:
- - string
accessTokenIntrospectionRequiredClaims:
- - string
accessTokenIntrospectionScopesClaims:
- string
accessTokenIntrospectionScopesRequireds:
- string
accessTokenIntrospectionSubjectClaims:
- string
accessTokenIntrospectionSubjectsAlloweds:
- string
accessTokenIntrospectionTimeout: 0
accessTokenIssuer: string
accessTokenIssuerClaims:
- string
accessTokenIssuersAlloweds:
- string
accessTokenJwksUri: string
accessTokenJwksUriClientCertificate:
id: string
accessTokenJwksUriClientPassword: string
accessTokenJwksUriClientUsername: string
accessTokenJwksUriRotatePeriod: 0
accessTokenKeyset: string
accessTokenKeysetClientCertificate:
id: string
accessTokenKeysetClientPassword: string
accessTokenKeysetClientUsername: string
accessTokenKeysetRotatePeriod: 0
accessTokenLeeway: 0
accessTokenNotbeforeClaims:
- string
accessTokenOptional: false
accessTokenOptionalClaims:
- - string
accessTokenRequestHeader: string
accessTokenRequiredClaims:
- - string
accessTokenScopesClaims:
- string
accessTokenScopesRequireds:
- string
accessTokenSigning: false
accessTokenSigningAlgorithm: string
accessTokenSubjectClaims:
- string
accessTokenSubjectsAlloweds:
- string
accessTokenUpstreamHeader: string
accessTokenUpstreamLeeway: 0
addAccessTokenClaims:
string: string
addChannelTokenClaims:
string: string
addClaims:
string: string
cacheAccessTokenIntrospection: false
cacheChannelTokenIntrospection: false
channelTokenAudienceClaims:
- string
channelTokenAudiencesAlloweds:
- string
channelTokenConsumerBies:
- string
channelTokenConsumerClaims:
- string
channelTokenExpiryClaims:
- string
channelTokenIntrospectionAudienceClaims:
- string
channelTokenIntrospectionAudiencesAlloweds:
- string
channelTokenIntrospectionAuthorization: string
channelTokenIntrospectionBodyArgs: string
channelTokenIntrospectionConsumerBies:
- string
channelTokenIntrospectionConsumerClaims:
- string
channelTokenIntrospectionEndpoint: string
channelTokenIntrospectionExpiryClaims:
- string
channelTokenIntrospectionHint: string
channelTokenIntrospectionIssuerClaims:
- string
channelTokenIntrospectionIssuersAlloweds:
- string
channelTokenIntrospectionJwtClaims:
- string
channelTokenIntrospectionLeeway: 0
channelTokenIntrospectionNotbeforeClaims:
- string
channelTokenIntrospectionOptionalClaims:
- - string
channelTokenIntrospectionRequiredClaims:
- - string
channelTokenIntrospectionScopesClaims:
- string
channelTokenIntrospectionScopesRequireds:
- string
channelTokenIntrospectionSubjectClaims:
- string
channelTokenIntrospectionSubjectsAlloweds:
- string
channelTokenIntrospectionTimeout: 0
channelTokenIssuer: string
channelTokenIssuerClaims:
- string
channelTokenIssuersAlloweds:
- string
channelTokenJwksUri: string
channelTokenJwksUriClientCertificate:
id: string
channelTokenJwksUriClientPassword: string
channelTokenJwksUriClientUsername: string
channelTokenJwksUriRotatePeriod: 0
channelTokenKeyset: string
channelTokenKeysetClientCertificate:
id: string
channelTokenKeysetClientPassword: string
channelTokenKeysetClientUsername: string
channelTokenKeysetRotatePeriod: 0
channelTokenLeeway: 0
channelTokenNotbeforeClaims:
- string
channelTokenOptional: false
channelTokenOptionalClaims:
- - string
channelTokenRequestHeader: string
channelTokenRequiredClaims:
- - string
channelTokenScopesClaims:
- string
channelTokenScopesRequireds:
- string
channelTokenSigning: false
channelTokenSigningAlgorithm: string
channelTokenSubjectClaims:
- string
channelTokenSubjectsAlloweds:
- string
channelTokenUpstreamHeader: string
channelTokenUpstreamLeeway: 0
enableAccessTokenIntrospection: false
enableChannelTokenIntrospection: false
enableHsSignatures: false
enableInstrumentation: false
originalAccessTokenUpstreamHeader: string
originalChannelTokenUpstreamHeader: string
realm: string
removeAccessTokenClaims:
- string
removeChannelTokenClaims:
- string
setAccessTokenClaims:
string: string
setChannelTokenClaims:
string: string
setClaims:
string: string
trustAccessTokenIntrospection: false
trustChannelTokenIntrospection: false
verifyAccessTokenAudience: false
verifyAccessTokenExpiry: false
verifyAccessTokenIntrospectionAudience: false
verifyAccessTokenIntrospectionExpiry: false
verifyAccessTokenIntrospectionIssuer: false
verifyAccessTokenIntrospectionNotbefore: false
verifyAccessTokenIntrospectionScopes: false
verifyAccessTokenIntrospectionSubject: false
verifyAccessTokenIssuer: false
verifyAccessTokenNotbefore: false
verifyAccessTokenScopes: false
verifyAccessTokenSignature: false
verifyAccessTokenSubject: false
verifyChannelTokenAudience: false
verifyChannelTokenExpiry: false
verifyChannelTokenIntrospectionAudience: false
verifyChannelTokenIntrospectionExpiry: false
verifyChannelTokenIntrospectionIssuer: false
verifyChannelTokenIntrospectionNotbefore: false
verifyChannelTokenIntrospectionScopes: false
verifyChannelTokenIntrospectionSubject: false
verifyChannelTokenIssuer: false
verifyChannelTokenNotbefore: false
verifyChannelTokenScopes: false
verifyChannelTokenSignature: false
verifyChannelTokenSubject: false
controlPlaneId: string
createdAt: 0
enabled: false
gatewayPluginJwtSignerId: string
instanceName: string
ordering:
after:
accesses:
- string
before:
accesses:
- string
partials:
- id: string
name: string
path: string
protocols:
- string
route:
id: string
service:
id: string
tags:
- string
updatedAt: 0
GatewayPluginJwtSigner Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GatewayPluginJwtSigner resource accepts the following input properties:
- Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Config
Gateway
Plugin Jwt Signer Config - Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Jwt Signer Ordering - Partials
List<Gateway
Plugin Jwt Signer Partial> - A list of partials to be used by the plugin.
- Protocols List<string>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Config
Gateway
Plugin Jwt Signer Config Args - Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Jwt Signer Ordering Args - Partials
[]Gateway
Plugin Jwt Signer Partial Args - A list of partials to be used by the plugin.
- Protocols []string
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config
Gateway
Plugin Jwt Signer Config - created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering - partials
List<Gateway
Plugin Jwt Signer Partial> - A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config
Gateway
Plugin Jwt Signer Config - created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name string - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering - partials
Gateway
Plugin Jwt Signer Partial[] - A list of partials to be used by the plugin.
- protocols string[]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config
Gateway
Plugin Jwt Signer Config Args - created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied. Default: true
- gateway_
plugin_ strjwt_ signer_ id - A string representing a UUID (universally unique identifier).
- instance_
name str - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering Args - partials
Sequence[Gateway
Plugin Jwt Signer Partial Args] - A list of partials to be used by the plugin.
- protocols Sequence[str]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config Property Map
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering Property Map
- partials List<Property Map>
- A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Outputs
All input properties are implicitly available as output properties. Additionally, the GatewayPluginJwtSigner resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing GatewayPluginJwtSigner Resource
Get an existing GatewayPluginJwtSigner resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GatewayPluginJwtSignerState, opts?: CustomResourceOptions): GatewayPluginJwtSigner@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
control_plane_id: Optional[str] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
partials: Optional[Sequence[GatewayPluginJwtSignerPartialArgs]] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None) -> GatewayPluginJwtSignerfunc GetGatewayPluginJwtSigner(ctx *Context, name string, id IDInput, state *GatewayPluginJwtSignerState, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)public static GatewayPluginJwtSigner Get(string name, Input<string> id, GatewayPluginJwtSignerState? state, CustomResourceOptions? opts = null)public static GatewayPluginJwtSigner get(String name, Output<String> id, GatewayPluginJwtSignerState state, CustomResourceOptions options)resources: _: type: konnect:GatewayPluginJwtSigner get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Config
Gateway
Plugin Jwt Signer Config - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Jwt Signer Ordering - Partials
List<Gateway
Plugin Jwt Signer Partial> - A list of partials to be used by the plugin.
- Protocols List<string>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Config
Gateway
Plugin Jwt Signer Config Args - Control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied. Default: true
- Gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- Instance
Name string - A unique string representing a UTF-8 encoded name.
- Ordering
Gateway
Plugin Jwt Signer Ordering Args - Partials
[]Gateway
Plugin Jwt Signer Partial Args - A list of partials to be used by the plugin.
- Protocols []string
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- Route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering - partials
List<Gateway
Plugin Jwt Signer Partial> - A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane stringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin stringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name string - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering - partials
Gateway
Plugin Jwt Signer Partial[] - A list of partials to be used by the plugin.
- protocols string[]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config Args - control_
plane_ strid - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied. Default: true
- gateway_
plugin_ strjwt_ signer_ id - A string representing a UUID (universally unique identifier).
- instance_
name str - A unique string representing a UTF-8 encoded name.
- ordering
Gateway
Plugin Jwt Signer Ordering Args - partials
Sequence[Gateway
Plugin Jwt Signer Partial Args] - A list of partials to be used by the plugin.
- protocols Sequence[str]
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- config Property Map
- control
Plane StringId - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied. Default: true
- gateway
Plugin StringJwt Signer Id - A string representing a UUID (universally unique identifier).
- instance
Name String - A unique string representing a UTF-8 encoded name.
- ordering Property Map
- partials List<Property Map>
- A list of partials to be used by the plugin.
- protocols List<String>
- A set of strings representing HTTP protocols. Default: ["grpc","grpcs","http","https"]
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Supporting Types
GatewayPluginJwtSignerConfig, GatewayPluginJwtSignerConfigArgs
- Access
Token List<string>Audience Claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - Access
Token List<string>Audiences Alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - Access
Token List<string>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - Access
Token List<string>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - Access
Token List<string>Expiry Claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - Access
Token List<string>Introspection Audience Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - Access
Token List<string>Introspection Audiences Alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - Access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - Access
Token List<string>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- Access
Token List<string>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - Access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token List<string>Introspection Expiry Claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - Access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - Access
Token List<string>Introspection Issuer Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - Access
Token List<string>Introspection Issuers Alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - Access
Token List<string>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - Access
Token doubleIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - Access
Token List<string>Introspection Notbefore Claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - Access
Token List<ImmutableIntrospection Optional Claims Array<string>> - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token List<ImmutableIntrospection Required Claims Array<string>> - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token List<string>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - Access
Token List<string>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - Access
Token List<string>Introspection Subject Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - Access
Token List<string>Introspection Subjects Alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - Access
Token doubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - Access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - Access
Token List<string>Issuer Claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - Access
Token List<string>Issuers Alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - Access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Access Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - Access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - Access
Token doubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - Access
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- Access
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Access Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - Access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - Access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - Access
Token doubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - Access
Token doubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - Access
Token List<string>Notbefore Claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - Access
Token boolOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - Access
Token List<ImmutableOptional Claims Array<string>> - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- Access
Token List<ImmutableRequired Claims Array<string>> - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token List<string>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - Access
Token List<string>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - Access
Token boolSigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- Access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token List<string>Subject Claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - Access
Token List<string>Subjects Alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - Access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - Access
Token doubleUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - Add
Access Dictionary<string, string>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel Dictionary<string, string>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims Dictionary<string, string> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access boolToken Introspection - Whether to cache access token introspection results. Default: true
- Cache
Channel boolToken Introspection - Whether to cache channel token introspection results. Default: true
- Channel
Token List<string>Audience Claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - Channel
Token List<string>Audiences Alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - Channel
Token List<string>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - Channel
Token List<string>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - Channel
Token List<string>Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - Channel
Token List<string>Introspection Audience Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - Channel
Token List<string>Introspection Audiences Alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - Channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - Channel
Token List<string>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - Channel
Token List<string>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - Channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - Channel
Token List<string>Introspection Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - Channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - Channel
Token List<string>Introspection Issuer Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - Channel
Token List<string>Introspection Issuers Alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - Channel
Token List<string>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token doubleIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - Channel
Token List<string>Introspection Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - Channel
Token List<ImmutableIntrospection Optional Claims Array<string>> - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token List<ImmutableIntrospection Required Claims Array<string>> - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token List<string>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - Channel
Token List<string>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - Channel
Token List<string>Introspection Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - Channel
Token List<string>Introspection Subjects Alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - Channel
Token doubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - Channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - Channel
Token List<string>Issuer Claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - Channel
Token List<string>Issuers Alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - Channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - Channel
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Channel Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - Channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - Channel
Token doubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - Channel
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- Channel
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Channel Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - Channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - Channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - Channel
Token doubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - Channel
Token doubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - Channel
Token List<string>Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - Channel
Token boolOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - Channel
Token List<ImmutableOptional Claims Array<string>> - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - Channel
Token List<ImmutableRequired Claims Array<string>> - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token List<string>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - Channel
Token List<string>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - Channel
Token boolSigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- Channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Channel
Token List<string>Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - Channel
Token List<string>Subjects Alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - Channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - Channel
Token doubleUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - Enable
Access boolToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - Enable
Channel boolToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - Enable
Hs boolSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - Original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- Original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - Remove
Access List<string>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- Remove
Channel List<string>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- Set
Access Dictionary<string, string>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel Dictionary<string, string>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims Dictionary<string, string> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access boolToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - Trust
Channel boolToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- Verify
Access boolToken Audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - Verify
Access boolToken Expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- Verify
Access boolToken Introspection Audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - Verify
Access boolToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- Verify
Access boolToken Introspection Issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - Verify
Access boolToken Introspection Notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- Verify
Access boolToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - Verify
Access boolToken Introspection Subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - Verify
Access boolToken Issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - Verify
Access boolToken Notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- Verify
Access boolToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - Verify
Access boolToken Signature - Quickly turn access token signature verification off and on as needed. Default: true
- Verify
Access boolToken Subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - Verify
Channel boolToken Audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - Verify
Channel boolToken Expiry - Default: true
- Verify
Channel boolToken Introspection Audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - Verify
Channel boolToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- Verify
Channel boolToken Introspection Issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - Verify
Channel boolToken Introspection Notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- Verify
Channel boolToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - Verify
Channel boolToken Introspection Subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - Verify
Channel boolToken Issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - Verify
Channel boolToken Notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- Verify
Channel boolToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - Verify
Channel boolToken Signature - Quickly turn on/off the channel token signature verification. Default: true
- Verify
Channel boolToken Subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
- Access
Token []stringAudience Claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - Access
Token []stringAudiences Alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - Access
Token []stringConsumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - Access
Token []stringConsumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - Access
Token []stringExpiry Claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - Access
Token []stringIntrospection Audience Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - Access
Token []stringIntrospection Audiences Alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - Access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - Access
Token []stringIntrospection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- Access
Token []stringIntrospection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - Access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token []stringIntrospection Expiry Claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - Access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - Access
Token []stringIntrospection Issuer Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - Access
Token []stringIntrospection Issuers Alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - Access
Token []stringIntrospection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - Access
Token float64Introspection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - Access
Token []stringIntrospection Notbefore Claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - Access
Token [][]stringIntrospection Optional Claims - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token [][]stringIntrospection Required Claims - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token []stringIntrospection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - Access
Token []stringIntrospection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - Access
Token []stringIntrospection Subject Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - Access
Token []stringIntrospection Subjects Alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - Access
Token float64Introspection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - Access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - Access
Token []stringIssuer Claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - Access
Token []stringIssuers Alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - Access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Access Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - Access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - Access
Token float64Jwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - Access
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- Access
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Access Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - Access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - Access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - Access
Token float64Keyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - Access
Token float64Leeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - Access
Token []stringNotbefore Claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - Access
Token boolOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - Access
Token [][]stringOptional Claims - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- Access
Token [][]stringRequired Claims - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Access
Token []stringScopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - Access
Token []stringScopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - Access
Token boolSigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- Access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token []stringSubject Claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - Access
Token []stringSubjects Alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - Access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - Access
Token float64Upstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - Add
Access map[string]stringToken Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel map[string]stringToken Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims map[string]string - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access boolToken Introspection - Whether to cache access token introspection results. Default: true
- Cache
Channel boolToken Introspection - Whether to cache channel token introspection results. Default: true
- Channel
Token []stringAudience Claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - Channel
Token []stringAudiences Alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - Channel
Token []stringConsumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - Channel
Token []stringConsumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - Channel
Token []stringExpiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - Channel
Token []stringIntrospection Audience Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - Channel
Token []stringIntrospection Audiences Alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - Channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - Channel
Token []stringIntrospection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - Channel
Token []stringIntrospection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - Channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - Channel
Token []stringIntrospection Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - Channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - Channel
Token []stringIntrospection Issuer Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - Channel
Token []stringIntrospection Issuers Alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - Channel
Token []stringIntrospection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token float64Introspection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - Channel
Token []stringIntrospection Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - Channel
Token [][]stringIntrospection Optional Claims - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token [][]stringIntrospection Required Claims - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token []stringIntrospection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - Channel
Token []stringIntrospection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - Channel
Token []stringIntrospection Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - Channel
Token []stringIntrospection Subjects Alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - Channel
Token float64Introspection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - Channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - Channel
Token []stringIssuer Claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - Channel
Token []stringIssuers Alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - Channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - Channel
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Channel Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - Channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - Channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - Channel
Token float64Jwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - Channel
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- Channel
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Channel Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - Channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - Channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - Channel
Token float64Keyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - Channel
Token float64Leeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - Channel
Token []stringNotbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - Channel
Token boolOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - Channel
Token [][]stringOptional Claims - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - Channel
Token [][]stringRequired Claims - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- Channel
Token []stringScopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - Channel
Token []stringScopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - Channel
Token boolSigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- Channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Channel
Token []stringSubject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - Channel
Token []stringSubjects Alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - Channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - Channel
Token float64Upstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - Enable
Access boolToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - Enable
Channel boolToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - Enable
Hs boolSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - Original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- Original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - Remove
Access []stringToken Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- Remove
Channel []stringToken Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- Set
Access map[string]stringToken Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel map[string]stringToken Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims map[string]string - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access boolToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - Trust
Channel boolToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- Verify
Access boolToken Audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - Verify
Access boolToken Expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- Verify
Access boolToken Introspection Audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - Verify
Access boolToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- Verify
Access boolToken Introspection Issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - Verify
Access boolToken Introspection Notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- Verify
Access boolToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - Verify
Access boolToken Introspection Subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - Verify
Access boolToken Issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - Verify
Access boolToken Notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- Verify
Access boolToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - Verify
Access boolToken Signature - Quickly turn access token signature verification off and on as needed. Default: true
- Verify
Access boolToken Subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - Verify
Channel boolToken Audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - Verify
Channel boolToken Expiry - Default: true
- Verify
Channel boolToken Introspection Audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - Verify
Channel boolToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- Verify
Channel boolToken Introspection Issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - Verify
Channel boolToken Introspection Notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- Verify
Channel boolToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - Verify
Channel boolToken Introspection Subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - Verify
Channel boolToken Issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - Verify
Channel boolToken Notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- Verify
Channel boolToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - Verify
Channel boolToken Signature - Quickly turn on/off the channel token signature verification. Default: true
- Verify
Channel boolToken Subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
- access
Token List<String>Audience Claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - access
Token List<String>Audiences Alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - access
Token List<String>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - access
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - access
Token List<String>Expiry Claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - access
Token List<String>Introspection Audience Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - access
Token List<String>Introspection Audiences Alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token StringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token List<String>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- access
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token List<String>Introspection Expiry Claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - access
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - access
Token List<String>Introspection Issuer Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - access
Token List<String>Introspection Issuers Alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - access
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token DoubleIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - access
Token List<String>Introspection Notbefore Claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - access
Token List<List<String>>Introspection Optional Claims - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<List<String>>Introspection Required Claims - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<String>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - access
Token List<String>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token List<String>Introspection Subject Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - access
Token List<String>Introspection Subjects Alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - access
Token DoubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token StringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - access
Token List<String>Issuer Claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - access
Token List<String>Issuers Alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - access
Token StringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Access Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token DoubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - access
Token StringKeyset - The name of the keyset containing signing keys. Default: "kong"
- access
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Access Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token DoubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - access
Token DoubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - access
Token List<String>Notbefore Claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - access
Token BooleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - access
Token List<List<String>>Optional Claims - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token StringRequest Header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- access
Token List<List<String>>Required Claims - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<String>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - access
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token BooleanSigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- access
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token List<String>Subject Claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - access
Token List<String>Subjects Alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - access
Token StringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - access
Token DoubleUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - add
Access Map<String,String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Map<String,String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String,String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access BooleanToken Introspection - Whether to cache access token introspection results. Default: true
- cache
Channel BooleanToken Introspection - Whether to cache channel token introspection results. Default: true
- channel
Token List<String>Audience Claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - channel
Token List<String>Audiences Alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - channel
Token List<String>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - channel
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - channel
Token List<String>Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token List<String>Introspection Audience Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - channel
Token List<String>Introspection Audiences Alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - String
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token StringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token List<String>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - channel
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token List<String>Introspection Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token List<String>Introspection Issuer Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - channel
Token List<String>Introspection Issuers Alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - channel
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token DoubleIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - channel
Token List<String>Introspection Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token List<List<String>>Introspection Optional Claims - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<List<String>>Introspection Required Claims - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<String>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token List<String>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token List<String>Introspection Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - channel
Token List<String>Introspection Subjects Alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - channel
Token DoubleIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token StringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - channel
Token List<String>Issuer Claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - channel
Token List<String>Issuers Alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - channel
Token StringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Channel Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token DoubleJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - channel
Token StringKeyset - The name of the keyset containing signing keys. Default: "kong"
- channel
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Channel Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token DoubleKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - channel
Token DoubleLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - channel
Token List<String>Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token BooleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - channel
Token List<List<String>>Optional Claims - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token StringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token List<List<String>>Required Claims - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<String>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token BooleanSigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- channel
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token List<String>Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - channel
Token List<String>Subjects Alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - channel
Token StringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token DoubleUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - enable
Access BooleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - enable
Channel BooleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - enable
Hs BooleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - enable
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - original
Access StringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel StringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- remove
Channel List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- set
Access Map<String,String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Map<String,String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String,String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access BooleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - trust
Channel BooleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- verify
Access BooleanToken Audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - verify
Access BooleanToken Expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- verify
Access BooleanToken Introspection Audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - verify
Access BooleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- verify
Access BooleanToken Introspection Issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - verify
Access BooleanToken Introspection Notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- verify
Access BooleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - verify
Access BooleanToken Introspection Subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - verify
Access BooleanToken Issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - verify
Access BooleanToken Notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- verify
Access BooleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - verify
Access BooleanToken Signature - Quickly turn access token signature verification off and on as needed. Default: true
- verify
Access BooleanToken Subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - verify
Channel BooleanToken Audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - verify
Channel BooleanToken Expiry - Default: true
- verify
Channel BooleanToken Introspection Audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - verify
Channel BooleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- verify
Channel BooleanToken Introspection Issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - verify
Channel BooleanToken Introspection Notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- verify
Channel BooleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - verify
Channel BooleanToken Introspection Subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - verify
Channel BooleanToken Issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - verify
Channel BooleanToken Notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- verify
Channel BooleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - verify
Channel BooleanToken Signature - Quickly turn on/off the channel token signature verification. Default: true
- verify
Channel BooleanToken Subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
- access
Token string[]Audience Claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - access
Token string[]Audiences Alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - access
Token string[]Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - access
Token string[]Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - access
Token string[]Expiry Claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - access
Token string[]Introspection Audience Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - access
Token string[]Introspection Audiences Alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token stringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token string[]Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- access
Token string[]Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token string[]Introspection Expiry Claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - access
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - access
Token string[]Introspection Issuer Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - access
Token string[]Introspection Issuers Alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - access
Token string[]Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token numberIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - access
Token string[]Introspection Notbefore Claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - access
Token string[][]Introspection Optional Claims - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token string[][]Introspection Required Claims - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token string[]Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - access
Token string[]Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token string[]Introspection Subject Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - access
Token string[]Introspection Subjects Alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - access
Token numberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token stringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - access
Token string[]Issuer Claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - access
Token string[]Issuers Alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - access
Token stringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Access Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token numberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - access
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- access
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Access Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token numberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - access
Token numberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - access
Token string[]Notbefore Claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - access
Token booleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - access
Token string[][]Optional Claims - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token stringRequest Header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- access
Token string[][]Required Claims - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token string[]Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - access
Token string[]Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token booleanSigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- access
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token string[]Subject Claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - access
Token string[]Subjects Alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - access
Token stringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - access
Token numberUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - add
Access {[key: string]: string}Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel {[key: string]: string}Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims {[key: string]: string} - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access booleanToken Introspection - Whether to cache access token introspection results. Default: true
- cache
Channel booleanToken Introspection - Whether to cache channel token introspection results. Default: true
- channel
Token string[]Audience Claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - channel
Token string[]Audiences Alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - channel
Token string[]Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - channel
Token string[]Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - channel
Token string[]Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token string[]Introspection Audience Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - channel
Token string[]Introspection Audiences Alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - string
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token stringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token string[]Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - channel
Token string[]Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token stringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token string[]Introspection Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token stringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token string[]Introspection Issuer Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - channel
Token string[]Introspection Issuers Alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - channel
Token string[]Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token numberIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - channel
Token string[]Introspection Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token string[][]Introspection Optional Claims - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token string[][]Introspection Required Claims - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token string[]Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token string[]Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token string[]Introspection Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - channel
Token string[]Introspection Subjects Alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - channel
Token numberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token stringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - channel
Token string[]Issuer Claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - channel
Token string[]Issuers Alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - channel
Token stringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token GatewayJwks Uri Client Certificate Plugin Jwt Signer Config Channel Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token stringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token stringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token numberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - channel
Token stringKeyset - The name of the keyset containing signing keys. Default: "kong"
- channel
Token GatewayKeyset Client Certificate Plugin Jwt Signer Config Channel Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token stringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token stringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token numberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - channel
Token numberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - channel
Token string[]Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token booleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - channel
Token string[][]Optional Claims - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token stringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token string[][]Required Claims - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token string[]Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token string[]Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token booleanSigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- channel
Token stringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token string[]Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - channel
Token string[]Subjects Alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - channel
Token stringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token numberUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - enable
Access booleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - enable
Channel booleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - enable
Hs booleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - enable
Instrumentation boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - original
Access stringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel stringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access string[]Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- remove
Channel string[]Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- set
Access {[key: string]: string}Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel {[key: string]: string}Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims {[key: string]: string} - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access booleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - trust
Channel booleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- verify
Access booleanToken Audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - verify
Access booleanToken Expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- verify
Access booleanToken Introspection Audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - verify
Access booleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- verify
Access booleanToken Introspection Issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - verify
Access booleanToken Introspection Notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- verify
Access booleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - verify
Access booleanToken Introspection Subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - verify
Access booleanToken Issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - verify
Access booleanToken Notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- verify
Access booleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - verify
Access booleanToken Signature - Quickly turn access token signature verification off and on as needed. Default: true
- verify
Access booleanToken Subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - verify
Channel booleanToken Audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - verify
Channel booleanToken Expiry - Default: true
- verify
Channel booleanToken Introspection Audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - verify
Channel booleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- verify
Channel booleanToken Introspection Issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - verify
Channel booleanToken Introspection Notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- verify
Channel booleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - verify
Channel booleanToken Introspection Subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - verify
Channel booleanToken Issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - verify
Channel booleanToken Notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- verify
Channel booleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - verify
Channel booleanToken Signature - Quickly turn on/off the channel token signature verification. Default: true
- verify
Channel booleanToken Subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
- access_
token_ Sequence[str]audience_ claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - access_
token_ Sequence[str]audiences_ alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - access_
token_ Sequence[str]consumer_ bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - access_
token_ Sequence[str]consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - access_
token_ Sequence[str]expiry_ claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - access_
token_ Sequence[str]introspection_ audience_ claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - access_
token_ Sequence[str]introspection_ audiences_ alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - str
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access_
token_ strintrospection_ body_ args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access_
token_ Sequence[str]introspection_ consumer_ bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- access_
token_ Sequence[str]introspection_ consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access_
token_ strintrospection_ endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access_
token_ Sequence[str]introspection_ expiry_ claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - access_
token_ strintrospection_ hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - access_
token_ Sequence[str]introspection_ issuer_ claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - access_
token_ Sequence[str]introspection_ issuers_ alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - access_
token_ Sequence[str]introspection_ jwt_ claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access_
token_ floatintrospection_ leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - access_
token_ Sequence[str]introspection_ notbefore_ claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - access_
token_ Sequence[Sequence[str]]introspection_ optional_ claims - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access_
token_ Sequence[Sequence[str]]introspection_ required_ claims - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access_
token_ Sequence[str]introspection_ scopes_ claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - access_
token_ Sequence[str]introspection_ scopes_ requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access_
token_ Sequence[str]introspection_ subject_ claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - access_
token_ Sequence[str]introspection_ subjects_ alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - access_
token_ floatintrospection_ timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access_
token_ strissuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - access_
token_ Sequence[str]issuer_ claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - access_
token_ Sequence[str]issuers_ alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - access_
token_ strjwks_ uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access_
token_ Gatewayjwks_ uri_ client_ certificate Plugin Jwt Signer Config Access Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access_
token_ strjwks_ uri_ client_ password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access_
token_ strjwks_ uri_ client_ username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access_
token_ floatjwks_ uri_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - access_
token_ strkeyset - The name of the keyset containing signing keys. Default: "kong"
- access_
token_ Gatewaykeyset_ client_ certificate Plugin Jwt Signer Config Access Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access_
token_ strkeyset_ client_ password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access_
token_ strkeyset_ client_ username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access_
token_ floatkeyset_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - access_
token_ floatleeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - access_
token_ Sequence[str]notbefore_ claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - access_
token_ booloptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - access_
token_ Sequence[Sequence[str]]optional_ claims - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access_
token_ strrequest_ header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- access_
token_ Sequence[Sequence[str]]required_ claims - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access_
token_ Sequence[str]scopes_ claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - access_
token_ Sequence[str]scopes_ requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access_
token_ boolsigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- access_
token_ strsigning_ algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access_
token_ Sequence[str]subject_ claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - access_
token_ Sequence[str]subjects_ alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - access_
token_ strupstream_ header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - access_
token_ floatupstream_ leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - add_
access_ Mapping[str, str]token_ claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
channel_ Mapping[str, str]token_ claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
claims Mapping[str, str] - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache_
access_ booltoken_ introspection - Whether to cache access token introspection results. Default: true
- cache_
channel_ booltoken_ introspection - Whether to cache channel token introspection results. Default: true
- channel_
token_ Sequence[str]audience_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - channel_
token_ Sequence[str]audiences_ alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - channel_
token_ Sequence[str]consumer_ bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - channel_
token_ Sequence[str]consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - channel_
token_ Sequence[str]expiry_ claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel_
token_ Sequence[str]introspection_ audience_ claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - channel_
token_ Sequence[str]introspection_ audiences_ alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - str
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel_
token_ strintrospection_ body_ args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel_
token_ Sequence[str]introspection_ consumer_ bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - channel_
token_ Sequence[str]introspection_ consumer_ claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel_
token_ strintrospection_ endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel_
token_ Sequence[str]introspection_ expiry_ claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel_
token_ strintrospection_ hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel_
token_ Sequence[str]introspection_ issuer_ claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - channel_
token_ Sequence[str]introspection_ issuers_ alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - channel_
token_ Sequence[str]introspection_ jwt_ claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel_
token_ floatintrospection_ leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - channel_
token_ Sequence[str]introspection_ notbefore_ claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel_
token_ Sequence[Sequence[str]]introspection_ optional_ claims - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel_
token_ Sequence[Sequence[str]]introspection_ required_ claims - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel_
token_ Sequence[str]introspection_ scopes_ claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - channel_
token_ Sequence[str]introspection_ scopes_ requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel_
token_ Sequence[str]introspection_ subject_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - channel_
token_ Sequence[str]introspection_ subjects_ alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - channel_
token_ floatintrospection_ timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel_
token_ strissuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - channel_
token_ Sequence[str]issuer_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - channel_
token_ Sequence[str]issuers_ alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - channel_
token_ strjwks_ uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel_
token_ Gatewayjwks_ uri_ client_ certificate Plugin Jwt Signer Config Channel Token Jwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel_
token_ strjwks_ uri_ client_ password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel_
token_ strjwks_ uri_ client_ username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel_
token_ floatjwks_ uri_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - channel_
token_ strkeyset - The name of the keyset containing signing keys. Default: "kong"
- channel_
token_ Gatewaykeyset_ client_ certificate Plugin Jwt Signer Config Channel Token Keyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel_
token_ strkeyset_ client_ password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel_
token_ strkeyset_ client_ username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel_
token_ floatkeyset_ rotate_ period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - channel_
token_ floatleeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - channel_
token_ Sequence[str]notbefore_ claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel_
token_ booloptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - channel_
token_ Sequence[Sequence[str]]optional_ claims - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel_
token_ strrequest_ header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel_
token_ Sequence[Sequence[str]]required_ claims - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel_
token_ Sequence[str]scopes_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - channel_
token_ Sequence[str]scopes_ requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel_
token_ boolsigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- channel_
token_ strsigning_ algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel_
token_ Sequence[str]subject_ claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - channel_
token_ Sequence[str]subjects_ alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - channel_
token_ strupstream_ header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel_
token_ floatupstream_ leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - enable_
access_ booltoken_ introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - enable_
channel_ booltoken_ introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - enable_
hs_ boolsignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - enable_
instrumentation bool - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - original_
access_ strtoken_ upstream_ header - The HTTP header name used to store the original access token.
- original_
channel_ strtoken_ upstream_ header - The HTTP header name used to store the original channel token.
- realm str
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove_
access_ Sequence[str]token_ claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- remove_
channel_ Sequence[str]token_ claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- set_
access_ Mapping[str, str]token_ claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
channel_ Mapping[str, str]token_ claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
claims Mapping[str, str] - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust_
access_ booltoken_ introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - trust_
channel_ booltoken_ introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- verify_
access_ booltoken_ audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - verify_
access_ booltoken_ expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- verify_
access_ booltoken_ introspection_ audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - verify_
access_ booltoken_ introspection_ expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- verify_
access_ booltoken_ introspection_ issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - verify_
access_ booltoken_ introspection_ notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- verify_
access_ booltoken_ introspection_ scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - verify_
access_ booltoken_ introspection_ subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - verify_
access_ booltoken_ issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - verify_
access_ booltoken_ notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- verify_
access_ booltoken_ scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - verify_
access_ booltoken_ signature - Quickly turn access token signature verification off and on as needed. Default: true
- verify_
access_ booltoken_ subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - verify_
channel_ booltoken_ audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - verify_
channel_ booltoken_ expiry - Default: true
- verify_
channel_ booltoken_ introspection_ audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - verify_
channel_ booltoken_ introspection_ expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- verify_
channel_ booltoken_ introspection_ issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - verify_
channel_ booltoken_ introspection_ notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- verify_
channel_ booltoken_ introspection_ scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - verify_
channel_ booltoken_ introspection_ subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - verify_
channel_ booltoken_ issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - verify_
channel_ booltoken_ notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- verify_
channel_ booltoken_ scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - verify_
channel_ booltoken_ signature - Quickly turn on/off the channel token signature verification. Default: true
- verify_
channel_ booltoken_ subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
- access
Token List<String>Audience Claims - Specify the claim in an access token to verify against values of
config.access_token_audiences_allowed. Default: ["aud"] - access
Token List<String>Audiences Alloweds - The audiences allowed to be present in the access token claim specified by
config.access_token_audience_claim. - access
Token List<String>Consumer Bies - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are
id,username, andcustom_id. Default: ["custom_id","username"] - access
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
suborusername) in an access token to Kong consumer entity. - access
Token List<String>Expiry Claims - Specify the expiry claim in an access token to verify if the default
expis not used. Default: ["exp"] - access
Token List<String>Introspection Audience Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_audiences_allowed. Default: ["aud"] - access
Token List<String>Introspection Audiences Alloweds - The audiences allowed to be present in the access token introspection claim specified by
config.access_token_introspection_audience_claim. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorizationheader's value with this configuration parameter. - access
Token StringIntrospection Body Args - This parameter allows you to pass URL encoded request body arguments. For example:
resource=ora=1&b=&c. - access
Token List<String>Introspection Consumer Bies - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Default: ["custom_id","username"]
- access
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in access token introspection results to the Kong consumer entity. - access
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token List<String>Introspection Expiry Claims - Specify the expiry claim in an access token introspection to verify if the default
expis not used. Default: ["exp"] - access
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token. Default: "access_token" - access
Token List<String>Introspection Issuer Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_issuers_allowed. Default: ["iss"] - access
Token List<String>Introspection Issuers Alloweds - The issuers allowed to be present in the access token introspection claim specified by
config.access_token_introspection_issuer_claim. - access
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON). If the key cannot be found, the plugin responds with401 Unauthorized. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized. - access
Token NumberIntrospection Leeway - Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiryverification altogether withconfig.verify_access_token_introspection_expiry. Default: 0 - access
Token List<String>Introspection Notbefore Claims - Specify the notbefore claim in an access token introspection to verify if the default
nbfis not used. Default: ["nbf"] - access
Token List<List<String>>Introspection Optional Claims - Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<List<String>>Introspection Required Claims - Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<String>Introspection Scopes Claims - Specify the claim/property in access token introspection results (
JSON) to be verified against values ofconfig.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ], hich can be given asrealm_access,roles(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required, the plugin responds with403 Forbidden. Default: ["scope"] - access
Token List<String>Introspection Scopes Requireds - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim. - access
Token List<String>Introspection Subject Claims - Specify the claim in an access token introspection to verify against values of
config.access_token_introspection_subjects_allowed. Default: ["sub"] - access
Token List<String>Introspection Subjects Alloweds - The subjects allowed to be present in the access token introspection claim specified by
config.access_token_introspection_subject_claim. - access
Token NumberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton access token introspection. - access
Token StringIssuer - The
issclaim of a signed or re-signed access token is set to this value. Originalissclaim of the incoming token (possibly introspected) is stored inoriginal_issclaim of the newly signed access token. Default: "kong" - access
Token List<String>Issuer Claims - Specify the claim in an access token to verify against values of
config.access_token_issuers_allowed. Default: ["iss"] - access
Token List<String>Issuers Alloweds - The issuers allowed to be present in the access token claim specified by
config.access_token_issuer_claim. - access
Token StringJwks Uri - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token Property MapJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - access
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username - access
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
access_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password - access
Token NumberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - access
Token StringKeyset - The name of the keyset containing signing keys. Default: "kong"
- access
Token Property MapKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_keysetis an https uri that requires mTLS Auth. - access
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username - access
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
access_token_keysetis a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password - access
Token NumberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset. The default value 0 means no auto-rotation. Default: 0 - access
Token NumberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's
expclaim before checking token expiry against Kong servers' current time in seconds. You can disable access tokenexpiryverification altogether withconfig.verify_access_token_expiry. Default: 0 - access
Token List<String>Notbefore Claims - Specify the notbefore claim in an access token to verify if the default
nbfis not used. Default: ["nbf"] - access
Token BooleanOptional - If an access token is not provided or no
config.access_token_request_headeris specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect. Default: false - access
Token List<List<String>>Optional Claims - Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token StringRequest Header - This parameter tells the name of the header where to look for the access token. Default: "Authorization"
- access
Token List<List<String>>Required Claims - Specify the required claims that must be present in the access token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- access
Token List<String>Scopes Claims - Specify the claim in an access token to verify against values of
config.access_token_scopes_required. Default: ["scope"] - access
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim. - access
Token BooleanSigning - Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- access
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.access_token_upstream_header, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuerspecifies whichkeysetis used to sign the new token issued by Kong using the specified signing algorithm. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token List<String>Subject Claims - Specify the claim in an access token to verify against values of
config.access_token_subjects_allowed. Default: ["sub"] - access
Token List<String>Subjects Alloweds - The subjects allowed to be present in the access token claim specified by
config.access_token_subject_claim. - access
Token StringUpstream Header - Removes the
config.access_token_request_headerfrom the request after reading its value. Withconfig.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as usenullor""(empty string), the plugin does not even try to sign or re-sign the token. Default: "Authorization:Bearer" - access
Token NumberUpstream Leeway - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
expclaim. Default: 0 - add
Access Map<String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Map<String>Token Claims - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access BooleanToken Introspection - Whether to cache access token introspection results. Default: true
- cache
Channel BooleanToken Introspection - Whether to cache channel token introspection results. Default: true
- channel
Token List<String>Audience Claims - Specify the claim in a channel token to verify against values of
config.channel_token_audiences_allowed. Default: ["aud"] - channel
Token List<String>Audiences Alloweds - The audiences allowed to be present in the channel token claim specified by
config.channel_token_audience_claim. - channel
Token List<String>Consumer Bies - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id,username, andcustom_id. Default: ["custom_id","username"] - channel
Token List<String>Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id, ausername, and acustom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden. - channel
Token List<String>Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token List<String>Introspection Audience Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_audiences_allowed. Default: ["aud"] - channel
Token List<String>Introspection Audiences Alloweds - The audiences allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_audience_claim. - String
- When using
opaquechannel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorizedwhen using opaque channel tokens. - channel
Token StringIntrospection Body Args - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=ora=1&b=&c. - channel
Token List<String>Introspection Consumer Bies - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id,usernameandcustom_id. Default: ["custom_id","username"] - channel
Token List<String>Introspection Consumer Claims - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
suborusername) in channel token introspection results to Kong consumer entity - channel
Token StringIntrospection Endpoint - When you use
opaqueaccess tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorizedinstead. - channel
Token List<String>Introspection Expiry Claims - Specify the expiry claim in a channel token to verify if the default
expis not used. Default: ["exp"] - channel
Token StringIntrospection Hint - If you need to give
hintparameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahintisn't sent with channel token introspection. - channel
Token List<String>Introspection Issuer Claims - Specify the claim in a channel token introspection to verify against values of
config.channel_token_introspection_issuers_allowed. Default: ["iss"] - channel
Token List<String>Introspection Issuers Alloweds - The issuers allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_issuer_claim. - channel
Token List<String>Introspection Jwt Claims - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token NumberIntrospection Leeway - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (
JSON)expclaim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiryverification altogether withconfig.verify_channel_token_introspection_expiry. Default: 0 - channel
Token List<String>Introspection Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token List<List<String>>Introspection Optional Claims - Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<List<String>>Introspection Required Claims - Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<String>Introspection Scopes Claims - Use this parameter to specify the claim/property in channel token introspection results (
JSON) to be verified against values ofconfig.channel_token_introspection_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token List<String>Introspection Scopes Requireds - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim. - channel
Token List<String>Introspection Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_introspection_subjects_allowed. Default: ["sub"] - channel
Token List<String>Introspection Subjects Alloweds - The subjects allowed to be present in the channel token introspection claim specified by
config.channel_token_introspection_subject_claim. - channel
Token NumberIntrospection Timeout - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeouton channel token introspection. - channel
Token StringIssuer - The
issclaim of the re-signed channel token is set to this value, which iskongby default. The originalissclaim of the incoming token (possibly introspected) is stored in theoriginal_issclaim of the newly signed channel token. Default: "kong" - channel
Token List<String>Issuer Claims - Specify the claim in a channel token to verify against values of
config.channel_token_issuers_allowed. Default: ["iss"] - channel
Token List<String>Issuers Alloweds - The issuers allowed to be present in the channel token claim specified by
config.channel_token_issuer_claim. - channel
Token StringJwks Uri - If you want to use
config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized. - channel
Token Property MapJwks Uri Client Certificate - The client certificate that will be used to authenticate Kong if
access_token_jwks_uriis an https uri that requires mTLS Auth. - channel
Token StringJwks Uri Client Password - The client password that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username - channel
Token StringJwks Uri Client Username - The client username that will be used to authenticate Kong if
channel_token_jwks_uriis a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password - channel
Token NumberJwks Uri Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri. The default value 0 means no auto-rotation. Default: 0 - channel
Token StringKeyset - The name of the keyset containing signing keys. Default: "kong"
- channel
Token Property MapKeyset Client Certificate - The client certificate that will be used to authenticate Kong if
channel_token_keysetis an https uri that requires mTLS Auth. - channel
Token StringKeyset Client Password - The client password that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username - channel
Token StringKeyset Client Username - The client username that will be used to authenticate Kong if
channel_token_keysetis a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password - channel
Token NumberKeyset Rotate Period - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset. The default value 0 means no auto-rotation. Default: 0 - channel
Token NumberLeeway - Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's
expclaim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiryverification altogether withconfig.verify_channel_token_expiry. Default: 0 - channel
Token List<String>Notbefore Claims - Specify the notbefore claim in a channel token to verify if the default
nbfis not used. Default: ["nbf"] - channel
Token BooleanOptional - If a channel token is not provided or no
config.channel_token_request_headeris specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized(client didn't send a token) or500 Unexpected(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. Default: false - channel
Token List<List<String>>Optional Claims - Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token StringRequest Header - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
nullor""(empty string). - channel
Token List<List<String>>Required Claims - Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.
- channel
Token List<String>Scopes Claims - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required. This supports nested claims. Default: ["scope"] - channel
Token List<String>Scopes Requireds - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim. - channel
Token BooleanSigning - Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream. Default: true
- channel
Token StringSigning Algorithm - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Default: "RS256"; must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token List<String>Subject Claims - Specify the claim in a channel token to verify against values of
config.channel_token_subjects_allowed. Default: ["sub"] - channel
Token List<String>Subjects Alloweds - The subjects allowed to be present in the channel token claim specified by
config.channel_token_subject_claim. - channel
Token StringUpstream Header - This plugin removes the
config.channel_token_request_headerfrom the request after reading its value. - channel
Token NumberUpstream Leeway - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
expclaim. Default: 0 - enable
Access BooleanToken Introspection - If you don't want to support opaque access tokens, change this configuration parameter to
falseto disable introspection. Default: true - enable
Channel BooleanToken Introspection - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false. Default: true - enable
Hs BooleanSignatures - Tokens signed with HMAC algorithms such as
HS256,HS384, orHS512are not accepted by default. If you need to accept such tokens for verification, enable this setting. Default: false - enable
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT(CRITICAL) level. Default: false - original
Access StringToken Upstream Header - The HTTP header name used to store the original access token.
- original
Channel StringToken Upstream Header - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends an
WWW-Authenticateheader with therealmattribute value. - remove
Access List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- remove
Channel List<String>Token Claims - remove claims. It should be an array, and each element is a claim key string. Default: []
- set
Access Map<String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Map<String>Token Claims - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access BooleanToken Introspection - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true, the expiry or scopes are not checked on a payload. Default: true - trust
Channel BooleanToken Introspection - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channeltokenintrospectionjwtclaim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked. Default: true
- verify
Access BooleanToken Audience - Quickly turn off and on the access token required audiences verification, specified with
config.access_token_audiences_required. Default: true - verify
Access BooleanToken Expiry - Quickly turn access token expiry verification off and on as needed. Default: true
- verify
Access BooleanToken Introspection Audience - Quickly turn off and on the access token introspection required audiences verification, specified with
config.access_token_introspection_audiences_required. Default: true - verify
Access BooleanToken Introspection Expiry - Quickly turn access token introspection expiry verification off and on as needed. Default: true
- verify
Access BooleanToken Introspection Issuer - Quickly turn off and on the access token introspection allowed issuers verification, specified with
config.access_token_introspection_issuers_allowed. Default: true - verify
Access BooleanToken Introspection Notbefore - Quickly turn off and on the access token introspection notbefore verification. Default: false
- verify
Access BooleanToken Introspection Scopes - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required. Default: true - verify
Access BooleanToken Introspection Subject - Quickly turn off and on the access token introspection required subjects verification, specified with
config.access_token_introspection_subjects_required. Default: true - verify
Access BooleanToken Issuer - Quickly turn off and on the access token allowed issuers verification, specified with
config.access_token_issuers_allowed. Default: true - verify
Access BooleanToken Notbefore - Quickly turn off and on the access token notbefore verification. Default: false
- verify
Access BooleanToken Scopes - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required. Default: true - verify
Access BooleanToken Signature - Quickly turn access token signature verification off and on as needed. Default: true
- verify
Access BooleanToken Subject - Quickly turn off and on the access token required subjects verification, specified with
config.access_token_subjects_required. Default: true - verify
Channel BooleanToken Audience - Quickly turn off and on the channel token required audiences verification, specified with
config.channel_token_audiences_required. Default: true - verify
Channel BooleanToken Expiry - Default: true
- verify
Channel BooleanToken Introspection Audience - Quickly turn off and on the channel token introspection required audiences verification, specified with
config.channel_token_introspection_audiences_required. Default: true - verify
Channel BooleanToken Introspection Expiry - Quickly turn on/off the channel token introspection expiry verification. Default: true
- verify
Channel BooleanToken Introspection Issuer - Quickly turn off and on the channel token introspection allowed issuers verification, specified with
config.channel_token_introspection_issuers_allowed. Default: true - verify
Channel BooleanToken Introspection Notbefore - Quickly turn off and on the channel token introspection notbefore verification. Default: false
- verify
Channel BooleanToken Introspection Scopes - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required. Default: true - verify
Channel BooleanToken Introspection Subject - Quickly turn off and on the channel token introspection required subjects verification, specified with
config.channel_token_introspection_subjects_required. Default: true - verify
Channel BooleanToken Issuer - Quickly turn off and on the channel token allowed issuers verification, specified with
config.channel_token_issuers_allowed. Default: true - verify
Channel BooleanToken Notbefore - Quickly turn off and on the channel token notbefore verification. Default: false
- verify
Channel BooleanToken Scopes - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required. Default: true - verify
Channel BooleanToken Signature - Quickly turn on/off the channel token signature verification. Default: true
- verify
Channel BooleanToken Subject - Quickly turn off and on the channel token required subjects verification, specified with
config.channel_token_subjects_required. Default: true
GatewayPluginJwtSignerConfigAccessTokenJwksUriClientCertificate, GatewayPluginJwtSignerConfigAccessTokenJwksUriClientCertificateArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerConfigAccessTokenKeysetClientCertificate, GatewayPluginJwtSignerConfigAccessTokenKeysetClientCertificateArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerConfigChannelTokenJwksUriClientCertificate, GatewayPluginJwtSignerConfigChannelTokenJwksUriClientCertificateArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerConfigChannelTokenKeysetClientCertificate, GatewayPluginJwtSignerConfigChannelTokenKeysetClientCertificateArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerOrdering, GatewayPluginJwtSignerOrderingArgs
GatewayPluginJwtSignerOrderingAfter, GatewayPluginJwtSignerOrderingAfterArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginJwtSignerOrderingBefore, GatewayPluginJwtSignerOrderingBeforeArgs
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
GatewayPluginJwtSignerPartial, GatewayPluginJwtSignerPartialArgs
GatewayPluginJwtSignerRoute, GatewayPluginJwtSignerRouteArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
GatewayPluginJwtSignerService, GatewayPluginJwtSignerServiceArgs
- Id string
- Id string
- id String
- id string
- id str
- id String
Import
In Terraform v1.5.0 and later, the import block can be used with the id attribute, for example:
terraform
import {
to = konnect_gateway_plugin_jwt_signer.my_konnect_gateway_plugin_jwt_signer
id = jsonencode({
control_plane_id = "9524ec7d-36d9-465d-a8c5-83a3c9390458"
id = "3473c251-5b6c-4f45-b1ff-7ede735a366d"
})
}
The pulumi import command can be used, for example:
$ pulumi import konnect:index/gatewayPluginJwtSigner:GatewayPluginJwtSigner my_konnect_gateway_plugin_jwt_signer '{"control_plane_id": "9524ec7d-36d9-465d-a8c5-83a3c9390458", "id": "3473c251-5b6c-4f45-b1ff-7ede735a366d"}'
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- konnect kong/terraform-provider-konnect
- License
- Notes
- This Pulumi package is based on the
konnectTerraform Provider.
