konnect.GatewayPluginJwtSigner
GatewayPluginJwtSigner Resource
Example Usage
Example coming soon!
Example coming soon!
Example coming soon!
Example coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.konnect.GatewayPluginJwtSigner;
import com.pulumi.konnect.GatewayPluginJwtSignerArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerConfigArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingAfterArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerOrderingBeforeArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerPartialArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerRouteArgs;
import com.pulumi.konnect.inputs.GatewayPluginJwtSignerServiceArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
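/**
 * Pulumi program that declares a single Konnect {@code GatewayPluginJwtSigner} plugin.
 *
 * <p>All values are generated placeholders ("...my_x...", arbitrary numbers and booleans);
 * none of them is a recommended setting. The builder method names follow the Java
 * constructor example on this page (camelCase, list-valued properties pluralised, e.g.
 * {@code accessTokenConsumerBies}, {@code accesses}).
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the plugin resource.
     *
     * @param ctx Pulumi deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var myGatewaypluginjwtsigner = new GatewayPluginJwtSigner("myGatewaypluginjwtsigner", GatewayPluginJwtSignerArgs.builder()
            .config(GatewayPluginJwtSignerConfigArgs.builder()
                .accessTokenConsumerBies("custom_id")
                .accessTokenConsumerClaims("...")
                // Credential-bearing value: in a real stack take it from an encrypted Pulumi
                // config secret (e.g. ctx.config().requireSecret("<your-key>")) instead of a
                // string literal that ends up in source control.
                .accessTokenIntrospectionAuthorization("...my_access_token_introspection_authorization...")
                .accessTokenIntrospectionBodyArgs("...my_access_token_introspection_body_args...")
                .accessTokenIntrospectionConsumerBies("custom_id")
                .accessTokenIntrospectionConsumerClaims("...")
                .accessTokenIntrospectionEndpoint("...my_access_token_introspection_endpoint...")
                .accessTokenIntrospectionHint("...my_access_token_introspection_hint...")
                .accessTokenIntrospectionJwtClaims("...")
                .accessTokenIntrospectionLeeway(6.18)
                .accessTokenIntrospectionScopesClaims("...")
                .accessTokenIntrospectionScopesRequireds("...")
                .accessTokenIntrospectionTimeout(4.24)
                .accessTokenIssuer("...my_access_token_issuer...")
                .accessTokenJwksUri("...my_access_token_jwks_uri...")
                // Client certificate / password / username below are secrets as well;
                // same handling as the introspection authorization value.
                .accessTokenJwksUriClientCertificate("...my_access_token_jwks_uri_client_certificate...")
                .accessTokenJwksUriClientPassword("...my_access_token_jwks_uri_client_password...")
                .accessTokenJwksUriClientUsername("...my_access_token_jwks_uri_client_username...")
                .accessTokenJwksUriRotatePeriod(0.18)
                .accessTokenKeyset("...my_access_token_keyset...")
                .accessTokenKeysetClientCertificate("...my_access_token_keyset_client_certificate...")
                .accessTokenKeysetClientPassword("...my_access_token_keyset_client_password...")
                .accessTokenKeysetClientUsername("...my_access_token_keyset_client_username...")
                .accessTokenKeysetRotatePeriod(4.53)
                .accessTokenLeeway(0.51)
                .accessTokenOptional(false)
                .accessTokenRequestHeader("...my_access_token_request_header...")
                .accessTokenScopesClaims("...")
                .accessTokenScopesRequireds("...")
                .accessTokenSigningAlgorithm("PS384")
                .accessTokenUpstreamHeader("...my_access_token_upstream_header...")
                .accessTokenUpstreamLeeway(1.88)
                // The generated listing printed a formatter panic instead of these map
                // arguments. The YAML form of this example builds each value with
                // fn::toJSON, so the map values are JSON-encoded strings.
                .addAccessTokenClaims(Map.of("key", "\"value\""))
                .addChannelTokenClaims(Map.of("key", "\"value\""))
                .addClaims(Map.of("key", "\"value\""))
                .cacheAccessTokenIntrospection(false)
                .cacheChannelTokenIntrospection(true)
                .channelTokenConsumerBies("id")
                .channelTokenConsumerClaims("...")
                .channelTokenIntrospectionAuthorization("...my_channel_token_introspection_authorization...")
                .channelTokenIntrospectionBodyArgs("...my_channel_token_introspection_body_args...")
                .channelTokenIntrospectionConsumerBies("custom_id")
                .channelTokenIntrospectionConsumerClaims("...")
                .channelTokenIntrospectionEndpoint("...my_channel_token_introspection_endpoint...")
                .channelTokenIntrospectionHint("...my_channel_token_introspection_hint...")
                .channelTokenIntrospectionJwtClaims("...")
                .channelTokenIntrospectionLeeway(4.31)
                .channelTokenIntrospectionScopesClaims("...")
                .channelTokenIntrospectionScopesRequireds("...")
                .channelTokenIntrospectionTimeout(6.9)
                .channelTokenIssuer("...my_channel_token_issuer...")
                .channelTokenJwksUri("...my_channel_token_jwks_uri...")
                .channelTokenJwksUriClientCertificate("...my_channel_token_jwks_uri_client_certificate...")
                .channelTokenJwksUriClientPassword("...my_channel_token_jwks_uri_client_password...")
                .channelTokenJwksUriClientUsername("...my_channel_token_jwks_uri_client_username...")
                .channelTokenJwksUriRotatePeriod(9.27)
                .channelTokenKeyset("...my_channel_token_keyset...")
                .channelTokenKeysetClientCertificate("...my_channel_token_keyset_client_certificate...")
                .channelTokenKeysetClientPassword("...my_channel_token_keyset_client_password...")
                .channelTokenKeysetClientUsername("...my_channel_token_keyset_client_username...")
                .channelTokenKeysetRotatePeriod(0.98)
                .channelTokenLeeway(4.86)
                .channelTokenOptional(false)
                .channelTokenRequestHeader("...my_channel_token_request_header...")
                .channelTokenScopesClaims("...")
                .channelTokenScopesRequireds("...")
                .channelTokenSigningAlgorithm("PS512")
                .channelTokenUpstreamHeader("...my_channel_token_upstream_header...")
                .channelTokenUpstreamLeeway(5.01)
                .enableAccessTokenIntrospection(false)
                .enableChannelTokenIntrospection(true)
                .enableHsSignatures(false)
                .enableInstrumentation(true)
                .originalAccessTokenUpstreamHeader("...my_original_access_token_upstream_header...")
                .originalChannelTokenUpstreamHeader("...my_original_channel_token_upstream_header...")
                .realm("...my_realm...")
                .removeAccessTokenClaims("...")
                .removeChannelTokenClaims("...")
                .setAccessTokenClaims(Map.of("key", "\"value\""))
                .setChannelTokenClaims(Map.of("key", "\"value\""))
                .setClaims(Map.of("key", "\"value\""))
                // NOTE(review): going by the name, a "trusted" introspection result is
                // presumably re-signed without the remaining verify* checks - confirm in
                // the plugin reference before enabling this outside a sample.
                .trustAccessTokenIntrospection(true)
                .trustChannelTokenIntrospection(false)
                // The verify* values are arbitrary sample booleans. As written, the channel
                // token is re-signed with signature, expiry and scope verification switched
                // off, and access-token scopes are not checked. Choose each value
                // deliberately rather than copying this mix.
                .verifyAccessTokenExpiry(true)
                .verifyAccessTokenIntrospectionExpiry(false)
                .verifyAccessTokenIntrospectionScopes(false)
                .verifyAccessTokenScopes(false)
                .verifyAccessTokenSignature(true)
                .verifyChannelTokenExpiry(false)
                .verifyChannelTokenIntrospectionExpiry(false)
                .verifyChannelTokenIntrospectionScopes(true)
                .verifyChannelTokenScopes(false)
                .verifyChannelTokenSignature(false)
                .build())
            .controlPlaneId("9524ec7d-36d9-465d-a8c5-83a3c9390458")
            // Written as a double literal, matching createdAt(0.0) in the constructor
            // example; an int literal does not convert to Double.
            .createdAt(8.0)
            .enabled(false)
            .gatewayPluginJwtSignerId("...my_id...")
            .instanceName("...my_instance_name...")
            .ordering(GatewayPluginJwtSignerOrderingArgs.builder()
                .after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
                    .accesses("...")
                    .build())
                .before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
                    .accesses("...")
                    .build())
                .build())
            .partials(GatewayPluginJwtSignerPartialArgs.builder()
                .id("...my_id...")
                .name("...my_name...")
                .path("...my_path...")
                .build())
            .protocols("https")
            .route(GatewayPluginJwtSignerRouteArgs.builder()
                .id("...my_id...")
                .build())
            .service(GatewayPluginJwtSignerServiceArgs.builder()
                .id("...my_id...")
                .build())
            .tags("...")
            .updatedAt(5.0)
            .build());
    }
}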
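# Pulumi YAML form of the example: one konnect:GatewayPluginJwtSigner resource.
# Nesting is restored here; the listing had lost its indentation. All values are
# generated placeholders, not recommended settings.
# NOTE(review): the SDK examples on this page spell these properties in camelCase with
# pluralised list names (e.g. accessTokenConsumerBies, accesses); confirm the key names
# below against the provider schema before use.
resources:
  myGatewaypluginjwtsigner:
    type: konnect:GatewayPluginJwtSigner
    properties:
      config:
        access_token_consumer_by:
          - custom_id
        access_token_consumer_claim:
          - '...'
        # Credential-bearing value: supply it from an encrypted stack secret rather than
        # a literal committed with the program.
        access_token_introspection_authorization: '...my_access_token_introspection_authorization...'
        access_token_introspection_body_args: '...my_access_token_introspection_body_args...'
        access_token_introspection_consumer_by:
          - custom_id
        access_token_introspection_consumer_claim:
          - '...'
        access_token_introspection_endpoint: '...my_access_token_introspection_endpoint...'
        access_token_introspection_hint: '...my_access_token_introspection_hint...'
        access_token_introspection_jwt_claim:
          - '...'
        access_token_introspection_leeway: 6.18
        access_token_introspection_scopes_claim:
          - '...'
        access_token_introspection_scopes_required:
          - '...'
        access_token_introspection_timeout: 4.24
        access_token_issuer: '...my_access_token_issuer...'
        access_token_jwks_uri: '...my_access_token_jwks_uri...'
        # The *_client_certificate / *_client_password / *_client_username values are
        # secrets too; same handling as above.
        access_token_jwks_uri_client_certificate: '...my_access_token_jwks_uri_client_certificate...'
        access_token_jwks_uri_client_password: '...my_access_token_jwks_uri_client_password...'
        access_token_jwks_uri_client_username: '...my_access_token_jwks_uri_client_username...'
        access_token_jwks_uri_rotate_period: 0.18
        access_token_keyset: '...my_access_token_keyset...'
        access_token_keyset_client_certificate: '...my_access_token_keyset_client_certificate...'
        access_token_keyset_client_password: '...my_access_token_keyset_client_password...'
        access_token_keyset_client_username: '...my_access_token_keyset_client_username...'
        access_token_keyset_rotate_period: 4.53
        access_token_leeway: 0.51
        access_token_optional: false
        access_token_request_header: '...my_access_token_request_header...'
        access_token_scopes_claim:
          - '...'
        access_token_scopes_required:
          - '...'
        access_token_signing_algorithm: PS384
        access_token_upstream_header: '...my_access_token_upstream_header...'
        access_token_upstream_leeway: 1.88
        # Claim maps: each value is a JSON-encoded string produced by fn::toJSON.
        add_access_token_claims:
          key:
            fn::toJSON: value
        add_channel_token_claims:
          key:
            fn::toJSON: value
        add_claims:
          key:
            fn::toJSON: value
        cache_access_token_introspection: false
        cache_channel_token_introspection: true
        channel_token_consumer_by:
          - id
        channel_token_consumer_claim:
          - '...'
        channel_token_introspection_authorization: '...my_channel_token_introspection_authorization...'
        channel_token_introspection_body_args: '...my_channel_token_introspection_body_args...'
        channel_token_introspection_consumer_by:
          - custom_id
        channel_token_introspection_consumer_claim:
          - '...'
        channel_token_introspection_endpoint: '...my_channel_token_introspection_endpoint...'
        channel_token_introspection_hint: '...my_channel_token_introspection_hint...'
        channel_token_introspection_jwt_claim:
          - '...'
        channel_token_introspection_leeway: 4.31
        channel_token_introspection_scopes_claim:
          - '...'
        channel_token_introspection_scopes_required:
          - '...'
        channel_token_introspection_timeout: 6.9
        channel_token_issuer: '...my_channel_token_issuer...'
        channel_token_jwks_uri: '...my_channel_token_jwks_uri...'
        channel_token_jwks_uri_client_certificate: '...my_channel_token_jwks_uri_client_certificate...'
        channel_token_jwks_uri_client_password: '...my_channel_token_jwks_uri_client_password...'
        channel_token_jwks_uri_client_username: '...my_channel_token_jwks_uri_client_username...'
        channel_token_jwks_uri_rotate_period: 9.27
        channel_token_keyset: '...my_channel_token_keyset...'
        channel_token_keyset_client_certificate: '...my_channel_token_keyset_client_certificate...'
        channel_token_keyset_client_password: '...my_channel_token_keyset_client_password...'
        channel_token_keyset_client_username: '...my_channel_token_keyset_client_username...'
        channel_token_keyset_rotate_period: 0.98
        channel_token_leeway: 4.86
        channel_token_optional: false
        channel_token_request_header: '...my_channel_token_request_header...'
        channel_token_scopes_claim:
          - '...'
        channel_token_scopes_required:
          - '...'
        channel_token_signing_algorithm: PS512
        channel_token_upstream_header: '...my_channel_token_upstream_header...'
        channel_token_upstream_leeway: 5.01
        enable_access_token_introspection: false
        enable_channel_token_introspection: true
        enable_hs_signatures: false
        enable_instrumentation: true
        original_access_token_upstream_header: '...my_original_access_token_upstream_header...'
        original_channel_token_upstream_header: '...my_original_channel_token_upstream_header...'
        realm: '...my_realm...'
        remove_access_token_claims:
          - '...'
        remove_channel_token_claims:
          - '...'
        set_access_token_claims:
          key:
            fn::toJSON: value
        set_channel_token_claims:
          key:
            fn::toJSON: value
        set_claims:
          key:
            fn::toJSON: value
        # NOTE(review): going by the name, a "trusted" introspection result is presumably
        # re-signed without the remaining verify_* checks - confirm in the plugin
        # reference before enabling.
        trust_access_token_introspection: true
        trust_channel_token_introspection: false
        # The verify_* values are arbitrary sample booleans. As written, the channel token
        # is re-signed with signature, expiry and scope verification switched off, and
        # access-token scopes are not checked. Choose each value deliberately.
        verify_access_token_expiry: true
        verify_access_token_introspection_expiry: false
        verify_access_token_introspection_scopes: false
        verify_access_token_scopes: false
        verify_access_token_signature: true
        verify_channel_token_expiry: false
        verify_channel_token_introspection_expiry: false
        verify_channel_token_introspection_scopes: true
        verify_channel_token_scopes: false
        verify_channel_token_signature: false
      controlPlaneId: 9524ec7d-36d9-465d-a8c5-83a3c9390458
      createdAt: 8
      enabled: false
      gatewayPluginJwtSignerId: '...my_id...'
      instanceName: '...my_instance_name...'
      ordering:
        after:
          access:
            - '...'
        before:
          access:
            - '...'
      partials:
        - id: '...my_id...'
          name: '...my_name...'
          path: '...my_path...'
      protocols:
        - https
      route:
        id: '...my_id...'
      service:
        id: '...my_id...'
      tags:
        - '...'
      updatedAt: 5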
Create GatewayPluginJwtSigner Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GatewayPluginJwtSigner(name: string, args: GatewayPluginJwtSignerArgs, opts?: CustomResourceOptions);
@overload
def GatewayPluginJwtSigner(resource_name: str,
args: GatewayPluginJwtSignerArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GatewayPluginJwtSigner(resource_name: str,
opts: Optional[ResourceOptions] = None,
control_plane_id: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
partials: Optional[Sequence[GatewayPluginJwtSignerPartialArgs]] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None)
func NewGatewayPluginJwtSigner(ctx *Context, name string, args GatewayPluginJwtSignerArgs, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)
public GatewayPluginJwtSigner(string name, GatewayPluginJwtSignerArgs args, CustomResourceOptions? opts = null)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args)
public GatewayPluginJwtSigner(String name, GatewayPluginJwtSignerArgs args, CustomResourceOptions options)
type: konnect:GatewayPluginJwtSigner
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GatewayPluginJwtSignerArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor call listing every input property of GatewayPluginJwtSigner.
// "string", 0 and false are type placeholders only; they show the expected type of each
// property and are not recommended or default values.
var gatewayPluginJwtSignerResource = new Konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", new()
{
    ControlPlaneId = "string",
    Ordering = new Konnect.Inputs.GatewayPluginJwtSignerOrderingArgs
    {
        After = new Konnect.Inputs.GatewayPluginJwtSignerOrderingAfterArgs
        {
            Accesses = new[]
            {
                "string",
            },
        },
        Before = new Konnect.Inputs.GatewayPluginJwtSignerOrderingBeforeArgs
        {
            Accesses = new[]
            {
                "string",
            },
        },
    },
    CreatedAt = 0,
    Enabled = false,
    GatewayPluginJwtSignerId = "string",
    InstanceName = "string",
    Config = new Konnect.Inputs.GatewayPluginJwtSignerConfigArgs
    {
        AccessTokenConsumerBies = new[]
        {
            "string",
        },
        AccessTokenConsumerClaims = new[]
        {
            "string",
        },
        // Credential-bearing value: supply it from an encrypted stack secret, not a literal.
        AccessTokenIntrospectionAuthorization = "string",
        AccessTokenIntrospectionBodyArgs = "string",
        AccessTokenIntrospectionConsumerBies = new[]
        {
            "string",
        },
        AccessTokenIntrospectionConsumerClaims = new[]
        {
            "string",
        },
        AccessTokenIntrospectionEndpoint = "string",
        AccessTokenIntrospectionHint = "string",
        AccessTokenIntrospectionJwtClaims = new[]
        {
            "string",
        },
        AccessTokenIntrospectionLeeway = 0,
        AccessTokenIntrospectionScopesClaims = new[]
        {
            "string",
        },
        AccessTokenIntrospectionScopesRequireds = new[]
        {
            "string",
        },
        AccessTokenIntrospectionTimeout = 0,
        AccessTokenIssuer = "string",
        AccessTokenJwksUri = "string",
        // The *ClientCertificate / *ClientPassword / *ClientUsername properties are
        // secrets too; same handling as the introspection authorization value.
        AccessTokenJwksUriClientCertificate = "string",
        AccessTokenJwksUriClientPassword = "string",
        AccessTokenJwksUriClientUsername = "string",
        AccessTokenJwksUriRotatePeriod = 0,
        AccessTokenKeyset = "string",
        AccessTokenKeysetClientCertificate = "string",
        AccessTokenKeysetClientPassword = "string",
        AccessTokenKeysetClientUsername = "string",
        AccessTokenKeysetRotatePeriod = 0,
        AccessTokenLeeway = 0,
        AccessTokenOptional = false,
        AccessTokenRequestHeader = "string",
        AccessTokenScopesClaims = new[]
        {
            "string",
        },
        AccessTokenScopesRequireds = new[]
        {
            "string",
        },
        AccessTokenSigningAlgorithm = "string",
        AccessTokenUpstreamHeader = "string",
        AccessTokenUpstreamLeeway = 0,
        AddAccessTokenClaims =
        {
            { "string", "string" },
        },
        AddChannelTokenClaims =
        {
            { "string", "string" },
        },
        AddClaims =
        {
            { "string", "string" },
        },
        CacheAccessTokenIntrospection = false,
        CacheChannelTokenIntrospection = false,
        ChannelTokenConsumerBies = new[]
        {
            "string",
        },
        ChannelTokenConsumerClaims = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionAuthorization = "string",
        ChannelTokenIntrospectionBodyArgs = "string",
        ChannelTokenIntrospectionConsumerBies = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionConsumerClaims = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionEndpoint = "string",
        ChannelTokenIntrospectionHint = "string",
        ChannelTokenIntrospectionJwtClaims = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionLeeway = 0,
        ChannelTokenIntrospectionScopesClaims = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionScopesRequireds = new[]
        {
            "string",
        },
        ChannelTokenIntrospectionTimeout = 0,
        ChannelTokenIssuer = "string",
        ChannelTokenJwksUri = "string",
        ChannelTokenJwksUriClientCertificate = "string",
        ChannelTokenJwksUriClientPassword = "string",
        ChannelTokenJwksUriClientUsername = "string",
        ChannelTokenJwksUriRotatePeriod = 0,
        ChannelTokenKeyset = "string",
        ChannelTokenKeysetClientCertificate = "string",
        ChannelTokenKeysetClientPassword = "string",
        ChannelTokenKeysetClientUsername = "string",
        ChannelTokenKeysetRotatePeriod = 0,
        ChannelTokenLeeway = 0,
        ChannelTokenOptional = false,
        ChannelTokenRequestHeader = "string",
        ChannelTokenScopesClaims = new[]
        {
            "string",
        },
        ChannelTokenScopesRequireds = new[]
        {
            "string",
        },
        ChannelTokenSigningAlgorithm = "string",
        ChannelTokenUpstreamHeader = "string",
        ChannelTokenUpstreamLeeway = 0,
        EnableAccessTokenIntrospection = false,
        EnableChannelTokenIntrospection = false,
        EnableHsSignatures = false,
        EnableInstrumentation = false,
        OriginalAccessTokenUpstreamHeader = "string",
        OriginalChannelTokenUpstreamHeader = "string",
        Realm = "string",
        RemoveAccessTokenClaims = new[]
        {
            "string",
        },
        RemoveChannelTokenClaims = new[]
        {
            "string",
        },
        SetAccessTokenClaims =
        {
            { "string", "string" },
        },
        SetChannelTokenClaims =
        {
            { "string", "string" },
        },
        SetClaims =
        {
            { "string", "string" },
        },
        TrustAccessTokenIntrospection = false,
        TrustChannelTokenIntrospection = false,
        // false below is only the bool placeholder. Copied literally, every Verify*
        // property would be set to false, which by name switches off signature, expiry
        // and scope verification; set each one deliberately.
        VerifyAccessTokenExpiry = false,
        VerifyAccessTokenIntrospectionExpiry = false,
        VerifyAccessTokenIntrospectionScopes = false,
        VerifyAccessTokenScopes = false,
        VerifyAccessTokenSignature = false,
        VerifyChannelTokenExpiry = false,
        VerifyChannelTokenIntrospectionExpiry = false,
        VerifyChannelTokenIntrospectionScopes = false,
        VerifyChannelTokenScopes = false,
        VerifyChannelTokenSignature = false,
    },
    Partials = new[]
    {
        new Konnect.Inputs.GatewayPluginJwtSignerPartialArgs
        {
            Id = "string",
            Name = "string",
            Path = "string",
        },
    },
    Protocols = new[]
    {
        "string",
    },
    Route = new Konnect.Inputs.GatewayPluginJwtSignerRouteArgs
    {
        Id = "string",
    },
    Service = new Konnect.Inputs.GatewayPluginJwtSignerServiceArgs
    {
        Id = "string",
    },
    Tags = new[]
    {
        "string",
    },
    UpdatedAt = 0,
});
// Reference constructor call listing every input property of GatewayPluginJwtSigner.
// "string", 0 and false are type placeholders only; they show the expected type of each
// field and are not recommended or default values. The returned err is not checked in
// this excerpt; a real program must handle it before using example.
example, err := konnect.NewGatewayPluginJwtSigner(ctx, "gatewayPluginJwtSignerResource", &konnect.GatewayPluginJwtSignerArgs{
	ControlPlaneId: pulumi.String("string"),
	Ordering: &konnect.GatewayPluginJwtSignerOrderingArgs{
		After: &konnect.GatewayPluginJwtSignerOrderingAfterArgs{
			Accesses: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Before: &konnect.GatewayPluginJwtSignerOrderingBeforeArgs{
			Accesses: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	CreatedAt: pulumi.Float64(0),
	Enabled: pulumi.Bool(false),
	GatewayPluginJwtSignerId: pulumi.String("string"),
	InstanceName: pulumi.String("string"),
	Config: &konnect.GatewayPluginJwtSignerConfigArgs{
		AccessTokenConsumerBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenConsumerClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		// Credential-bearing value: supply it from an encrypted stack secret, not a literal.
		AccessTokenIntrospectionAuthorization: pulumi.String("string"),
		AccessTokenIntrospectionBodyArgs: pulumi.String("string"),
		AccessTokenIntrospectionConsumerBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenIntrospectionConsumerClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenIntrospectionEndpoint: pulumi.String("string"),
		AccessTokenIntrospectionHint: pulumi.String("string"),
		AccessTokenIntrospectionJwtClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenIntrospectionLeeway: pulumi.Float64(0),
		AccessTokenIntrospectionScopesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenIntrospectionScopesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenIntrospectionTimeout: pulumi.Float64(0),
		AccessTokenIssuer: pulumi.String("string"),
		AccessTokenJwksUri: pulumi.String("string"),
		// The *ClientCertificate / *ClientPassword / *ClientUsername fields are
		// secrets too; same handling as the introspection authorization value.
		AccessTokenJwksUriClientCertificate: pulumi.String("string"),
		AccessTokenJwksUriClientPassword: pulumi.String("string"),
		AccessTokenJwksUriClientUsername: pulumi.String("string"),
		AccessTokenJwksUriRotatePeriod: pulumi.Float64(0),
		AccessTokenKeyset: pulumi.String("string"),
		AccessTokenKeysetClientCertificate: pulumi.String("string"),
		AccessTokenKeysetClientPassword: pulumi.String("string"),
		AccessTokenKeysetClientUsername: pulumi.String("string"),
		AccessTokenKeysetRotatePeriod: pulumi.Float64(0),
		AccessTokenLeeway: pulumi.Float64(0),
		AccessTokenOptional: pulumi.Bool(false),
		AccessTokenRequestHeader: pulumi.String("string"),
		AccessTokenScopesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenScopesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		AccessTokenSigningAlgorithm: pulumi.String("string"),
		AccessTokenUpstreamHeader: pulumi.String("string"),
		AccessTokenUpstreamLeeway: pulumi.Float64(0),
		AddAccessTokenClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		AddChannelTokenClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		AddClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		CacheAccessTokenIntrospection: pulumi.Bool(false),
		CacheChannelTokenIntrospection: pulumi.Bool(false),
		ChannelTokenConsumerBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenConsumerClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionAuthorization: pulumi.String("string"),
		ChannelTokenIntrospectionBodyArgs: pulumi.String("string"),
		ChannelTokenIntrospectionConsumerBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionConsumerClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionEndpoint: pulumi.String("string"),
		ChannelTokenIntrospectionHint: pulumi.String("string"),
		ChannelTokenIntrospectionJwtClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionLeeway: pulumi.Float64(0),
		ChannelTokenIntrospectionScopesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionScopesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenIntrospectionTimeout: pulumi.Float64(0),
		ChannelTokenIssuer: pulumi.String("string"),
		ChannelTokenJwksUri: pulumi.String("string"),
		ChannelTokenJwksUriClientCertificate: pulumi.String("string"),
		ChannelTokenJwksUriClientPassword: pulumi.String("string"),
		ChannelTokenJwksUriClientUsername: pulumi.String("string"),
		ChannelTokenJwksUriRotatePeriod: pulumi.Float64(0),
		ChannelTokenKeyset: pulumi.String("string"),
		ChannelTokenKeysetClientCertificate: pulumi.String("string"),
		ChannelTokenKeysetClientPassword: pulumi.String("string"),
		ChannelTokenKeysetClientUsername: pulumi.String("string"),
		ChannelTokenKeysetRotatePeriod: pulumi.Float64(0),
		ChannelTokenLeeway: pulumi.Float64(0),
		ChannelTokenOptional: pulumi.Bool(false),
		ChannelTokenRequestHeader: pulumi.String("string"),
		ChannelTokenScopesClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenScopesRequireds: pulumi.StringArray{
			pulumi.String("string"),
		},
		ChannelTokenSigningAlgorithm: pulumi.String("string"),
		ChannelTokenUpstreamHeader: pulumi.String("string"),
		ChannelTokenUpstreamLeeway: pulumi.Float64(0),
		EnableAccessTokenIntrospection: pulumi.Bool(false),
		EnableChannelTokenIntrospection: pulumi.Bool(false),
		EnableHsSignatures: pulumi.Bool(false),
		EnableInstrumentation: pulumi.Bool(false),
		OriginalAccessTokenUpstreamHeader: pulumi.String("string"),
		OriginalChannelTokenUpstreamHeader: pulumi.String("string"),
		Realm: pulumi.String("string"),
		RemoveAccessTokenClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		RemoveChannelTokenClaims: pulumi.StringArray{
			pulumi.String("string"),
		},
		SetAccessTokenClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		SetChannelTokenClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		SetClaims: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		TrustAccessTokenIntrospection: pulumi.Bool(false),
		TrustChannelTokenIntrospection: pulumi.Bool(false),
		// false below is only the bool placeholder. Copied literally, every Verify*
		// field would be set to false, which by name switches off signature, expiry
		// and scope verification; set each one deliberately.
		VerifyAccessTokenExpiry: pulumi.Bool(false),
		VerifyAccessTokenIntrospectionExpiry: pulumi.Bool(false),
		VerifyAccessTokenIntrospectionScopes: pulumi.Bool(false),
		VerifyAccessTokenScopes: pulumi.Bool(false),
		VerifyAccessTokenSignature: pulumi.Bool(false),
		VerifyChannelTokenExpiry: pulumi.Bool(false),
		VerifyChannelTokenIntrospectionExpiry: pulumi.Bool(false),
		VerifyChannelTokenIntrospectionScopes: pulumi.Bool(false),
		VerifyChannelTokenScopes: pulumi.Bool(false),
		VerifyChannelTokenSignature: pulumi.Bool(false),
	},
	Partials: konnect.GatewayPluginJwtSignerPartialArray{
		&konnect.GatewayPluginJwtSignerPartialArgs{
			Id: pulumi.String("string"),
			Name: pulumi.String("string"),
			Path: pulumi.String("string"),
		},
	},
	Protocols: pulumi.StringArray{
		pulumi.String("string"),
	},
	Route: &konnect.GatewayPluginJwtSignerRouteArgs{
		Id: pulumi.String("string"),
	},
	Service: &konnect.GatewayPluginJwtSignerServiceArgs{
		Id: pulumi.String("string"),
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	UpdatedAt: pulumi.Float64(0),
})
// Constructor reference for GatewayPluginJwtSigner: every input appears once with a type
// placeholder ("string", 0.0, false). The values show types only; they are not recommended
// settings and should not be copied verbatim into a stack.
var gatewayPluginJwtSignerResource = new GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", GatewayPluginJwtSignerArgs.builder()
    // UUID of the Konnect control plane; changing it replaces the resource.
    .controlPlaneId("string")
    .ordering(GatewayPluginJwtSignerOrderingArgs.builder()
        .after(GatewayPluginJwtSignerOrderingAfterArgs.builder()
            .accesses("string")
            .build())
        .before(GatewayPluginJwtSignerOrderingBeforeArgs.builder()
            .accesses("string")
            .build())
        .build())
    // Unix epoch when the resource was created (updatedAt below: last updated).
    .createdAt(0.0)
    // Whether the plugin is applied.
    .enabled(false)
    .gatewayPluginJwtSignerId("string")
    .instanceName("string")
    .config(GatewayPluginJwtSignerConfigArgs.builder()
        .accessTokenConsumerBies("string")
        .accessTokenConsumerClaims("string")
        // NOTE(review): by its name this is a credential sent to the introspection endpoint.
        // Pass it as a secret (e.g. Output.ofSecret(...) or a secret config value), not as a
        // string literal; the same applies to channelTokenIntrospectionAuthorization and to
        // every *ClientPassword field in this builder.
        .accessTokenIntrospectionAuthorization("string")
        .accessTokenIntrospectionBodyArgs("string")
        .accessTokenIntrospectionConsumerBies("string")
        .accessTokenIntrospectionConsumerClaims("string")
        .accessTokenIntrospectionEndpoint("string")
        .accessTokenIntrospectionHint("string")
        .accessTokenIntrospectionJwtClaims("string")
        .accessTokenIntrospectionLeeway(0.0)
        .accessTokenIntrospectionScopesClaims("string")
        .accessTokenIntrospectionScopesRequireds("string")
        .accessTokenIntrospectionTimeout(0.0)
        .accessTokenIssuer("string")
        // NOTE(review): presumably the location the verification keys are loaded from, so it
        // decides which tokens are accepted — confirm and point it at an endpoint you control.
        .accessTokenJwksUri("string")
        .accessTokenJwksUriClientCertificate("string")
        .accessTokenJwksUriClientPassword("string")
        .accessTokenJwksUriClientUsername("string")
        .accessTokenJwksUriRotatePeriod(0.0)
        .accessTokenKeyset("string")
        .accessTokenKeysetClientCertificate("string")
        .accessTokenKeysetClientPassword("string")
        .accessTokenKeysetClientUsername("string")
        .accessTokenKeysetRotatePeriod(0.0)
        .accessTokenLeeway(0.0)
        // NOTE(review): presumably whether a request without an access token is let through —
        // confirm before setting to true.
        .accessTokenOptional(false)
        .accessTokenRequestHeader("string")
        .accessTokenScopesClaims("string")
        .accessTokenScopesRequireds("string")
        .accessTokenSigningAlgorithm("string")
        .accessTokenUpstreamHeader("string")
        .accessTokenUpstreamLeeway(0.0)
        .addAccessTokenClaims(Map.of("string", "string"))
        .addChannelTokenClaims(Map.of("string", "string"))
        .addClaims(Map.of("string", "string"))
        .cacheAccessTokenIntrospection(false)
        .cacheChannelTokenIntrospection(false)
        .channelTokenConsumerBies("string")
        .channelTokenConsumerClaims("string")
        .channelTokenIntrospectionAuthorization("string")
        .channelTokenIntrospectionBodyArgs("string")
        .channelTokenIntrospectionConsumerBies("string")
        .channelTokenIntrospectionConsumerClaims("string")
        .channelTokenIntrospectionEndpoint("string")
        .channelTokenIntrospectionHint("string")
        .channelTokenIntrospectionJwtClaims("string")
        .channelTokenIntrospectionLeeway(0.0)
        .channelTokenIntrospectionScopesClaims("string")
        .channelTokenIntrospectionScopesRequireds("string")
        .channelTokenIntrospectionTimeout(0.0)
        .channelTokenIssuer("string")
        .channelTokenJwksUri("string")
        .channelTokenJwksUriClientCertificate("string")
        .channelTokenJwksUriClientPassword("string")
        .channelTokenJwksUriClientUsername("string")
        .channelTokenJwksUriRotatePeriod(0.0)
        .channelTokenKeyset("string")
        .channelTokenKeysetClientCertificate("string")
        .channelTokenKeysetClientPassword("string")
        .channelTokenKeysetClientUsername("string")
        .channelTokenKeysetRotatePeriod(0.0)
        .channelTokenLeeway(0.0)
        .channelTokenOptional(false)
        .channelTokenRequestHeader("string")
        .channelTokenScopesClaims("string")
        .channelTokenScopesRequireds("string")
        .channelTokenSigningAlgorithm("string")
        .channelTokenUpstreamHeader("string")
        .channelTokenUpstreamLeeway(0.0)
        .enableAccessTokenIntrospection(false)
        .enableChannelTokenIntrospection(false)
        // NOTE(review): presumably controls whether HMAC-signed (HS*) tokens are accepted —
        // confirm in the plugin documentation before enabling.
        .enableHsSignatures(false)
        .enableInstrumentation(false)
        .originalAccessTokenUpstreamHeader("string")
        .originalChannelTokenUpstreamHeader("string")
        .realm("string")
        .removeAccessTokenClaims("string")
        .removeChannelTokenClaims("string")
        .setAccessTokenClaims(Map.of("string", "string"))
        .setChannelTokenClaims(Map.of("string", "string"))
        .setClaims(Map.of("string", "string"))
        // NOTE(review): trust*Introspection presumably makes the plugin rely on the
        // introspection response without further checks — verify the semantics before enabling.
        .trustAccessTokenIntrospection(false)
        .trustChannelTokenIntrospection(false)
        // NOTE(review): the verify* flags are false here only because false is the boolean
        // placeholder. Judging by their names, false would switch off expiry, scope and
        // signature checks; confirm the plugin's defaults and keep verification on unless
        // there is a documented reason not to.
        .verifyAccessTokenExpiry(false)
        .verifyAccessTokenIntrospectionExpiry(false)
        .verifyAccessTokenIntrospectionScopes(false)
        .verifyAccessTokenScopes(false)
        .verifyAccessTokenSignature(false)
        .verifyChannelTokenExpiry(false)
        .verifyChannelTokenIntrospectionExpiry(false)
        .verifyChannelTokenIntrospectionScopes(false)
        .verifyChannelTokenScopes(false)
        .verifyChannelTokenSignature(false)
        .build())
    .partials(GatewayPluginJwtSignerPartialArgs.builder()
        .id("string")
        .name("string")
        .path("string")
        .build())
    // A set of strings representing HTTP protocols.
    .protocols("string")
    // route / service: if set, the plugin only activates for requests via that route, or via
    // routes of that Service; leave both unset to activate regardless of route or Service.
    .route(GatewayPluginJwtSignerRouteArgs.builder()
        .id("string")
        .build())
    .service(GatewayPluginJwtSignerServiceArgs.builder()
        .id("string")
        .build())
    // Optional strings for grouping and filtering.
    .tags("string")
    .updatedAt(0.0)
    .build());
# Constructor reference for konnect.GatewayPluginJwtSigner: every input appears once with a
# type placeholder ("string", 0, False). The values show types only; they are not recommended
# settings and should not be copied verbatim into a stack.
gateway_plugin_jwt_signer_resource = konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource",
    # UUID of the Konnect control plane; changing it replaces the resource.
    control_plane_id="string",
    ordering={
        "after": {
            "accesses": ["string"],
        },
        "before": {
            "accesses": ["string"],
        },
    },
    # Unix epoch when the resource was created (updated_at below: last updated).
    created_at=0,
    # Whether the plugin is applied.
    enabled=False,
    gateway_plugin_jwt_signer_id="string",
    instance_name="string",
    config={
        "access_token_consumer_bies": ["string"],
        "access_token_consumer_claims": ["string"],
        # NOTE(review): by its name this is a credential sent to the introspection endpoint.
        # Pass it as a secret (e.g. pulumi.Output.secret(...) or config.require_secret(...)),
        # not as a string literal; the same applies to
        # channel_token_introspection_authorization and to every *_client_password key.
        "access_token_introspection_authorization": "string",
        "access_token_introspection_body_args": "string",
        "access_token_introspection_consumer_bies": ["string"],
        "access_token_introspection_consumer_claims": ["string"],
        "access_token_introspection_endpoint": "string",
        "access_token_introspection_hint": "string",
        "access_token_introspection_jwt_claims": ["string"],
        "access_token_introspection_leeway": 0,
        "access_token_introspection_scopes_claims": ["string"],
        "access_token_introspection_scopes_requireds": ["string"],
        "access_token_introspection_timeout": 0,
        "access_token_issuer": "string",
        # NOTE(review): presumably the location the verification keys are loaded from, so it
        # decides which tokens are accepted — confirm and point it at an endpoint you control.
        "access_token_jwks_uri": "string",
        "access_token_jwks_uri_client_certificate": "string",
        "access_token_jwks_uri_client_password": "string",
        "access_token_jwks_uri_client_username": "string",
        "access_token_jwks_uri_rotate_period": 0,
        "access_token_keyset": "string",
        "access_token_keyset_client_certificate": "string",
        "access_token_keyset_client_password": "string",
        "access_token_keyset_client_username": "string",
        "access_token_keyset_rotate_period": 0,
        "access_token_leeway": 0,
        # NOTE(review): presumably whether a request without an access token is let through —
        # confirm before setting to True.
        "access_token_optional": False,
        "access_token_request_header": "string",
        "access_token_scopes_claims": ["string"],
        "access_token_scopes_requireds": ["string"],
        "access_token_signing_algorithm": "string",
        "access_token_upstream_header": "string",
        "access_token_upstream_leeway": 0,
        "add_access_token_claims": {
            "string": "string",
        },
        "add_channel_token_claims": {
            "string": "string",
        },
        "add_claims": {
            "string": "string",
        },
        "cache_access_token_introspection": False,
        "cache_channel_token_introspection": False,
        "channel_token_consumer_bies": ["string"],
        "channel_token_consumer_claims": ["string"],
        "channel_token_introspection_authorization": "string",
        "channel_token_introspection_body_args": "string",
        "channel_token_introspection_consumer_bies": ["string"],
        "channel_token_introspection_consumer_claims": ["string"],
        "channel_token_introspection_endpoint": "string",
        "channel_token_introspection_hint": "string",
        "channel_token_introspection_jwt_claims": ["string"],
        "channel_token_introspection_leeway": 0,
        "channel_token_introspection_scopes_claims": ["string"],
        "channel_token_introspection_scopes_requireds": ["string"],
        "channel_token_introspection_timeout": 0,
        "channel_token_issuer": "string",
        "channel_token_jwks_uri": "string",
        "channel_token_jwks_uri_client_certificate": "string",
        "channel_token_jwks_uri_client_password": "string",
        "channel_token_jwks_uri_client_username": "string",
        "channel_token_jwks_uri_rotate_period": 0,
        "channel_token_keyset": "string",
        "channel_token_keyset_client_certificate": "string",
        "channel_token_keyset_client_password": "string",
        "channel_token_keyset_client_username": "string",
        "channel_token_keyset_rotate_period": 0,
        "channel_token_leeway": 0,
        "channel_token_optional": False,
        "channel_token_request_header": "string",
        "channel_token_scopes_claims": ["string"],
        "channel_token_scopes_requireds": ["string"],
        "channel_token_signing_algorithm": "string",
        "channel_token_upstream_header": "string",
        "channel_token_upstream_leeway": 0,
        "enable_access_token_introspection": False,
        "enable_channel_token_introspection": False,
        # NOTE(review): presumably controls whether HMAC-signed (HS*) tokens are accepted —
        # confirm in the plugin documentation before enabling.
        "enable_hs_signatures": False,
        "enable_instrumentation": False,
        "original_access_token_upstream_header": "string",
        "original_channel_token_upstream_header": "string",
        "realm": "string",
        "remove_access_token_claims": ["string"],
        "remove_channel_token_claims": ["string"],
        "set_access_token_claims": {
            "string": "string",
        },
        "set_channel_token_claims": {
            "string": "string",
        },
        "set_claims": {
            "string": "string",
        },
        # NOTE(review): trust_*_introspection presumably makes the plugin rely on the
        # introspection response without further checks — verify the semantics before enabling.
        "trust_access_token_introspection": False,
        "trust_channel_token_introspection": False,
        # NOTE(review): the verify_* flags are False here only because False is the boolean
        # placeholder. Judging by their names, False would switch off expiry, scope and
        # signature checks; confirm the plugin's defaults and keep verification on unless
        # there is a documented reason not to.
        "verify_access_token_expiry": False,
        "verify_access_token_introspection_expiry": False,
        "verify_access_token_introspection_scopes": False,
        "verify_access_token_scopes": False,
        "verify_access_token_signature": False,
        "verify_channel_token_expiry": False,
        "verify_channel_token_introspection_expiry": False,
        "verify_channel_token_introspection_scopes": False,
        "verify_channel_token_scopes": False,
        "verify_channel_token_signature": False,
    },
    partials=[{
        "id": "string",
        "name": "string",
        "path": "string",
    }],
    # A set of strings representing HTTP protocols.
    protocols=["string"],
    # route / service: if set, the plugin only activates for requests via that route, or via
    # routes of that Service; leave both unset to activate regardless of route or Service.
    route={
        "id": "string",
    },
    service={
        "id": "string",
    },
    # Optional strings for grouping and filtering.
    tags=["string"],
    updated_at=0)
// Constructor reference for konnect.GatewayPluginJwtSigner: every input appears once with a
// type placeholder ("string", 0, false). The values show types only; they are not recommended
// settings and should not be copied verbatim into a stack.
const gatewayPluginJwtSignerResource = new konnect.GatewayPluginJwtSigner("gatewayPluginJwtSignerResource", {
    // UUID of the Konnect control plane; changing it replaces the resource.
    controlPlaneId: "string",
    ordering: {
        after: {
            accesses: ["string"],
        },
        before: {
            accesses: ["string"],
        },
    },
    // Unix epoch when the resource was created (updatedAt below: last updated).
    createdAt: 0,
    // Whether the plugin is applied.
    enabled: false,
    gatewayPluginJwtSignerId: "string",
    instanceName: "string",
    config: {
        accessTokenConsumerBies: ["string"],
        accessTokenConsumerClaims: ["string"],
        // NOTE(review): by its name this is a credential sent to the introspection endpoint.
        // Pass it as a secret (e.g. pulumi.secret(...) or config.requireSecret(...)), not as a
        // string literal; the same applies to channelTokenIntrospectionAuthorization and to
        // every *ClientPassword property.
        accessTokenIntrospectionAuthorization: "string",
        accessTokenIntrospectionBodyArgs: "string",
        accessTokenIntrospectionConsumerBies: ["string"],
        accessTokenIntrospectionConsumerClaims: ["string"],
        accessTokenIntrospectionEndpoint: "string",
        accessTokenIntrospectionHint: "string",
        accessTokenIntrospectionJwtClaims: ["string"],
        accessTokenIntrospectionLeeway: 0,
        accessTokenIntrospectionScopesClaims: ["string"],
        accessTokenIntrospectionScopesRequireds: ["string"],
        accessTokenIntrospectionTimeout: 0,
        accessTokenIssuer: "string",
        // NOTE(review): presumably the location the verification keys are loaded from, so it
        // decides which tokens are accepted — confirm and point it at an endpoint you control.
        accessTokenJwksUri: "string",
        accessTokenJwksUriClientCertificate: "string",
        accessTokenJwksUriClientPassword: "string",
        accessTokenJwksUriClientUsername: "string",
        accessTokenJwksUriRotatePeriod: 0,
        accessTokenKeyset: "string",
        accessTokenKeysetClientCertificate: "string",
        accessTokenKeysetClientPassword: "string",
        accessTokenKeysetClientUsername: "string",
        accessTokenKeysetRotatePeriod: 0,
        accessTokenLeeway: 0,
        // NOTE(review): presumably whether a request without an access token is let through —
        // confirm before setting to true.
        accessTokenOptional: false,
        accessTokenRequestHeader: "string",
        accessTokenScopesClaims: ["string"],
        accessTokenScopesRequireds: ["string"],
        accessTokenSigningAlgorithm: "string",
        accessTokenUpstreamHeader: "string",
        accessTokenUpstreamLeeway: 0,
        addAccessTokenClaims: {
            string: "string",
        },
        addChannelTokenClaims: {
            string: "string",
        },
        addClaims: {
            string: "string",
        },
        cacheAccessTokenIntrospection: false,
        cacheChannelTokenIntrospection: false,
        channelTokenConsumerBies: ["string"],
        channelTokenConsumerClaims: ["string"],
        channelTokenIntrospectionAuthorization: "string",
        channelTokenIntrospectionBodyArgs: "string",
        channelTokenIntrospectionConsumerBies: ["string"],
        channelTokenIntrospectionConsumerClaims: ["string"],
        channelTokenIntrospectionEndpoint: "string",
        channelTokenIntrospectionHint: "string",
        channelTokenIntrospectionJwtClaims: ["string"],
        channelTokenIntrospectionLeeway: 0,
        channelTokenIntrospectionScopesClaims: ["string"],
        channelTokenIntrospectionScopesRequireds: ["string"],
        channelTokenIntrospectionTimeout: 0,
        channelTokenIssuer: "string",
        channelTokenJwksUri: "string",
        channelTokenJwksUriClientCertificate: "string",
        channelTokenJwksUriClientPassword: "string",
        channelTokenJwksUriClientUsername: "string",
        channelTokenJwksUriRotatePeriod: 0,
        channelTokenKeyset: "string",
        channelTokenKeysetClientCertificate: "string",
        channelTokenKeysetClientPassword: "string",
        channelTokenKeysetClientUsername: "string",
        channelTokenKeysetRotatePeriod: 0,
        channelTokenLeeway: 0,
        channelTokenOptional: false,
        channelTokenRequestHeader: "string",
        channelTokenScopesClaims: ["string"],
        channelTokenScopesRequireds: ["string"],
        channelTokenSigningAlgorithm: "string",
        channelTokenUpstreamHeader: "string",
        channelTokenUpstreamLeeway: 0,
        enableAccessTokenIntrospection: false,
        enableChannelTokenIntrospection: false,
        // NOTE(review): presumably controls whether HMAC-signed (HS*) tokens are accepted —
        // confirm in the plugin documentation before enabling.
        enableHsSignatures: false,
        enableInstrumentation: false,
        originalAccessTokenUpstreamHeader: "string",
        originalChannelTokenUpstreamHeader: "string",
        realm: "string",
        removeAccessTokenClaims: ["string"],
        removeChannelTokenClaims: ["string"],
        setAccessTokenClaims: {
            string: "string",
        },
        setChannelTokenClaims: {
            string: "string",
        },
        setClaims: {
            string: "string",
        },
        // NOTE(review): trust*Introspection presumably makes the plugin rely on the
        // introspection response without further checks — verify the semantics before enabling.
        trustAccessTokenIntrospection: false,
        trustChannelTokenIntrospection: false,
        // NOTE(review): the verify* flags are false here only because false is the boolean
        // placeholder. Judging by their names, false would switch off expiry, scope and
        // signature checks; confirm the plugin's defaults and keep verification on unless
        // there is a documented reason not to.
        verifyAccessTokenExpiry: false,
        verifyAccessTokenIntrospectionExpiry: false,
        verifyAccessTokenIntrospectionScopes: false,
        verifyAccessTokenScopes: false,
        verifyAccessTokenSignature: false,
        verifyChannelTokenExpiry: false,
        verifyChannelTokenIntrospectionExpiry: false,
        verifyChannelTokenIntrospectionScopes: false,
        verifyChannelTokenScopes: false,
        verifyChannelTokenSignature: false,
    },
    partials: [{
        id: "string",
        name: "string",
        path: "string",
    }],
    // A set of strings representing HTTP protocols.
    protocols: ["string"],
    // route / service: if set, the plugin only activates for requests via that route, or via
    // routes of that Service; leave both unset to activate regardless of route or Service.
    route: {
        id: "string",
    },
    service: {
        id: "string",
    },
    // Optional strings for grouping and filtering.
    tags: ["string"],
    updatedAt: 0,
});
# Constructor reference for konnect:GatewayPluginJwtSigner: every input appears once with a
# type placeholder (string, 0, false). The values show types only; they are not recommended
# settings and should not be copied verbatim into a stack.
type: konnect:GatewayPluginJwtSigner
properties:
    config:
        accessTokenConsumerBies:
            - string
        accessTokenConsumerClaims:
            - string
        # NOTE(review): by its name this is a credential sent to the introspection endpoint.
        # Supply it as a secret (a secret config value or fn::secret), not as a literal; the
        # same applies to channelTokenIntrospectionAuthorization and every *ClientPassword key.
        accessTokenIntrospectionAuthorization: string
        accessTokenIntrospectionBodyArgs: string
        accessTokenIntrospectionConsumerBies:
            - string
        accessTokenIntrospectionConsumerClaims:
            - string
        accessTokenIntrospectionEndpoint: string
        accessTokenIntrospectionHint: string
        accessTokenIntrospectionJwtClaims:
            - string
        accessTokenIntrospectionLeeway: 0
        accessTokenIntrospectionScopesClaims:
            - string
        accessTokenIntrospectionScopesRequireds:
            - string
        accessTokenIntrospectionTimeout: 0
        accessTokenIssuer: string
        # NOTE(review): presumably the location the verification keys are loaded from, so it
        # decides which tokens are accepted — confirm and point it at an endpoint you control.
        accessTokenJwksUri: string
        accessTokenJwksUriClientCertificate: string
        accessTokenJwksUriClientPassword: string
        accessTokenJwksUriClientUsername: string
        accessTokenJwksUriRotatePeriod: 0
        accessTokenKeyset: string
        accessTokenKeysetClientCertificate: string
        accessTokenKeysetClientPassword: string
        accessTokenKeysetClientUsername: string
        accessTokenKeysetRotatePeriod: 0
        accessTokenLeeway: 0
        # NOTE(review): presumably whether a request without an access token is let through —
        # confirm before setting to true.
        accessTokenOptional: false
        accessTokenRequestHeader: string
        accessTokenScopesClaims:
            - string
        accessTokenScopesRequireds:
            - string
        accessTokenSigningAlgorithm: string
        accessTokenUpstreamHeader: string
        accessTokenUpstreamLeeway: 0
        addAccessTokenClaims:
            string: string
        addChannelTokenClaims:
            string: string
        addClaims:
            string: string
        cacheAccessTokenIntrospection: false
        cacheChannelTokenIntrospection: false
        channelTokenConsumerBies:
            - string
        channelTokenConsumerClaims:
            - string
        channelTokenIntrospectionAuthorization: string
        channelTokenIntrospectionBodyArgs: string
        channelTokenIntrospectionConsumerBies:
            - string
        channelTokenIntrospectionConsumerClaims:
            - string
        channelTokenIntrospectionEndpoint: string
        channelTokenIntrospectionHint: string
        channelTokenIntrospectionJwtClaims:
            - string
        channelTokenIntrospectionLeeway: 0
        channelTokenIntrospectionScopesClaims:
            - string
        channelTokenIntrospectionScopesRequireds:
            - string
        channelTokenIntrospectionTimeout: 0
        channelTokenIssuer: string
        channelTokenJwksUri: string
        channelTokenJwksUriClientCertificate: string
        channelTokenJwksUriClientPassword: string
        channelTokenJwksUriClientUsername: string
        channelTokenJwksUriRotatePeriod: 0
        channelTokenKeyset: string
        channelTokenKeysetClientCertificate: string
        channelTokenKeysetClientPassword: string
        channelTokenKeysetClientUsername: string
        channelTokenKeysetRotatePeriod: 0
        channelTokenLeeway: 0
        channelTokenOptional: false
        channelTokenRequestHeader: string
        channelTokenScopesClaims:
            - string
        channelTokenScopesRequireds:
            - string
        channelTokenSigningAlgorithm: string
        channelTokenUpstreamHeader: string
        channelTokenUpstreamLeeway: 0
        enableAccessTokenIntrospection: false
        enableChannelTokenIntrospection: false
        # NOTE(review): presumably controls whether HMAC-signed (HS*) tokens are accepted —
        # confirm in the plugin documentation before enabling.
        enableHsSignatures: false
        enableInstrumentation: false
        originalAccessTokenUpstreamHeader: string
        originalChannelTokenUpstreamHeader: string
        realm: string
        removeAccessTokenClaims:
            - string
        removeChannelTokenClaims:
            - string
        setAccessTokenClaims:
            string: string
        setChannelTokenClaims:
            string: string
        setClaims:
            string: string
        # NOTE(review): trust*Introspection presumably makes the plugin rely on the
        # introspection response without further checks — verify the semantics before enabling.
        trustAccessTokenIntrospection: false
        trustChannelTokenIntrospection: false
        # NOTE(review): the verify* flags are false here only because false is the boolean
        # placeholder. Judging by their names, false would switch off expiry, scope and
        # signature checks; confirm the plugin's defaults and keep verification on unless
        # there is a documented reason not to.
        verifyAccessTokenExpiry: false
        verifyAccessTokenIntrospectionExpiry: false
        verifyAccessTokenIntrospectionScopes: false
        verifyAccessTokenScopes: false
        verifyAccessTokenSignature: false
        verifyChannelTokenExpiry: false
        verifyChannelTokenIntrospectionExpiry: false
        verifyChannelTokenIntrospectionScopes: false
        verifyChannelTokenScopes: false
        verifyChannelTokenSignature: false
    # UUID of the Konnect control plane; changing it replaces the resource.
    controlPlaneId: string
    # Unix epoch when the resource was created (updatedAt below: last updated).
    createdAt: 0
    # Whether the plugin is applied.
    enabled: false
    gatewayPluginJwtSignerId: string
    instanceName: string
    ordering:
        after:
            accesses:
                - string
        before:
            accesses:
                - string
    partials:
        - id: string
          name: string
          path: string
    # A set of strings representing HTTP protocols.
    protocols:
        - string
    # route / service: if set, the plugin only activates for requests via that route, or via
    # routes of that Service; leave both unset to activate regardless of route or Service.
    route:
        id: string
    service:
        id: string
    # Optional strings for grouping and filtering.
    tags:
        - string
    updatedAt: 0
GatewayPluginJwtSigner Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GatewayPluginJwtSigner resource accepts the following input properties:
- ControlPlaneId string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Config GatewayPluginJwtSignerConfig
- CreatedAt double - Unix epoch when the resource was created.
- Enabled bool - Whether the plugin is applied.
- GatewayPluginJwtSignerId string - The ID of this resource.
- InstanceName string
- Ordering GatewayPluginJwtSignerOrdering
- Partials List<GatewayPluginJwtSignerPartial>
- Protocols List<string> - A set of strings representing HTTP protocols.
- Route GatewayPluginJwtSignerRoute - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service GatewayPluginJwtSignerService - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags List<string> - An optional set of strings associated with the Plugin for grouping and filtering.
- UpdatedAt double - Unix epoch when the resource was last updated.
- ControlPlaneId string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Config GatewayPluginJwtSignerConfigArgs
- CreatedAt float64 - Unix epoch when the resource was created.
- Enabled bool - Whether the plugin is applied.
- GatewayPluginJwtSignerId string - The ID of this resource.
- InstanceName string
- Ordering GatewayPluginJwtSignerOrderingArgs
- Partials []GatewayPluginJwtSignerPartialArgs
- Protocols []string - A set of strings representing HTTP protocols.
- Route GatewayPluginJwtSignerRouteArgs - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service GatewayPluginJwtSignerServiceArgs - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Tags []string - An optional set of strings associated with the Plugin for grouping and filtering.
- UpdatedAt float64 - Unix epoch when the resource was last updated.
- controlPlaneId String - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config GatewayPluginJwtSignerConfig
- createdAt Double - Unix epoch when the resource was created.
- enabled Boolean - Whether the plugin is applied.
- gatewayPluginJwtSignerId String - The ID of this resource.
- instanceName String
- ordering GatewayPluginJwtSignerOrdering
- partials List<GatewayPluginJwtSignerPartial>
- protocols List<String> - A set of strings representing HTTP protocols.
- route GatewayPluginJwtSignerRoute - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginJwtSignerService - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String> - An optional set of strings associated with the Plugin for grouping and filtering.
- updatedAt Double - Unix epoch when the resource was last updated.
- controlPlaneId string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config GatewayPluginJwtSignerConfig
- createdAt number - Unix epoch when the resource was created.
- enabled boolean - Whether the plugin is applied.
- gatewayPluginJwtSignerId string - The ID of this resource.
- instanceName string
- ordering GatewayPluginJwtSignerOrdering
- partials GatewayPluginJwtSignerPartial[]
- protocols string[] - A set of strings representing HTTP protocols.
- route GatewayPluginJwtSignerRoute - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginJwtSignerService - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags string[] - An optional set of strings associated with the Plugin for grouping and filtering.
- updatedAt number - Unix epoch when the resource was last updated.
- control_plane_id str - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config GatewayPluginJwtSignerConfigArgs
- created_at float - Unix epoch when the resource was created.
- enabled bool - Whether the plugin is applied.
- gateway_plugin_jwt_signer_id str - The ID of this resource.
- instance_name str
- ordering GatewayPluginJwtSignerOrderingArgs
- partials Sequence[GatewayPluginJwtSignerPartialArgs]
- protocols Sequence[str] - A set of strings representing HTTP protocols.
- route GatewayPluginJwtSignerRouteArgs - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service GatewayPluginJwtSignerServiceArgs - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags Sequence[str] - An optional set of strings associated with the Plugin for grouping and filtering.
- updated_at float - Unix epoch when the resource was last updated.
- controlPlaneId String - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- config Property Map
- createdAt Number - Unix epoch when the resource was created.
- enabled Boolean - Whether the plugin is applied.
- gatewayPluginJwtSignerId String - The ID of this resource.
- instanceName String
- ordering Property Map
- partials List<Property Map>
- protocols List<String> - A set of strings representing HTTP protocols.
- route Property Map - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- tags List<String> - An optional set of strings associated with the Plugin for grouping and filtering.
- updatedAt Number - Unix epoch when the resource was last updated.
Outputs
All input properties are implicitly available as output properties. Additionally, the GatewayPluginJwtSigner resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing GatewayPluginJwtSigner Resource
Get an existing GatewayPluginJwtSigner resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GatewayPluginJwtSignerState, opts?: CustomResourceOptions): GatewayPluginJwtSigner
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
config: Optional[GatewayPluginJwtSignerConfigArgs] = None,
control_plane_id: Optional[str] = None,
created_at: Optional[float] = None,
enabled: Optional[bool] = None,
gateway_plugin_jwt_signer_id: Optional[str] = None,
instance_name: Optional[str] = None,
ordering: Optional[GatewayPluginJwtSignerOrderingArgs] = None,
partials: Optional[Sequence[GatewayPluginJwtSignerPartialArgs]] = None,
protocols: Optional[Sequence[str]] = None,
route: Optional[GatewayPluginJwtSignerRouteArgs] = None,
service: Optional[GatewayPluginJwtSignerServiceArgs] = None,
tags: Optional[Sequence[str]] = None,
updated_at: Optional[float] = None) -> GatewayPluginJwtSigner
func GetGatewayPluginJwtSigner(ctx *Context, name string, id IDInput, state *GatewayPluginJwtSignerState, opts ...ResourceOption) (*GatewayPluginJwtSigner, error)
public static GatewayPluginJwtSigner Get(string name, Input<string> id, GatewayPluginJwtSignerState? state, CustomResourceOptions? opts = null)
public static GatewayPluginJwtSigner get(String name, Output<String> id, GatewayPluginJwtSignerState state, CustomResourceOptions options)
# Reads the state of an existing GatewayPluginJwtSigner by provider ID instead of creating one.
resources:
    _:
        type: konnect:GatewayPluginJwtSigner
        get:
            id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Config
Gateway
Plugin Jwt Signer Config - Control
Plane Id string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At double - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin Jwt Signer Id string - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering - Partials
List<Gateway
Plugin Jwt Signer Partial> - Protocols List<string>
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<string>
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At double - Unix epoch when the resource was last updated.
- Config
Gateway
Plugin Jwt Signer Config Args - Control
Plane Id string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- Created
At float64 - Unix epoch when the resource was created.
- Enabled bool
- Whether the plugin is applied.
- Gateway
Plugin Jwt Signer Id string - The ID of this resource.
- Instance
Name string - Ordering
Gateway
Plugin Jwt Signer Ordering Args - Partials
[]Gateway
Plugin Jwt Signer Partial Args - Protocols []string
- A set of strings representing HTTP protocols.
- Route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- Service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- []string
- An optional set of strings associated with the Plugin for grouping and filtering.
- Updated
At float64 - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane Id String - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Double - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin Jwt Signer Id String - The ID of this resource.
- instance
Name String - ordering
Gateway
Plugin Jwt Signer Ordering - partials
List<Gateway
Plugin Jwt Signer Partial> - protocols List<String>
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Double - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config - control
Plane Id string - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At number - Unix epoch when the resource was created.
- enabled boolean
- Whether the plugin is applied.
- gateway
Plugin Jwt Signer Id string - The ID of this resource.
- instance
Name string - ordering
Gateway
Plugin Jwt Signer Ordering - partials
Gateway
Plugin Jwt Signer Partial[] - protocols string[]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- string[]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At number - Unix epoch when the resource was last updated.
- config
Gateway
Plugin Jwt Signer Config Args - control_
plane_ id str - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created_
at float - Unix epoch when the resource was created.
- enabled bool
- Whether the plugin is applied.
- gateway_
plugin_ jwt_ signer_ id str - The ID of this resource.
- instance_
name str - ordering
Gateway
Plugin Jwt Signer Ordering Args - partials
Sequence[Gateway
Plugin Jwt Signer Partial Args] - protocols Sequence[str]
- A set of strings representing HTTP protocols.
- route
Gateway
Plugin Jwt Signer Route Args - If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service
Gateway
Plugin Jwt Signer Service Args - If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- Sequence[str]
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated_
at float - Unix epoch when the resource was last updated.
- config Property Map
- control
Plane Id String - The UUID of your control plane. This variable is available in the Konnect manager. Requires replacement if changed.
- created
At Number - Unix epoch when the resource was created.
- enabled Boolean
- Whether the plugin is applied.
- gateway
Plugin Jwt Signer Id String - The ID of this resource.
- instance
Name String - ordering Property Map
- partials List<Property Map>
- protocols List<String>
- A set of strings representing HTTP protocols.
- route Property Map
- If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
- service Property Map
- If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.
- List<String>
- An optional set of strings associated with the Plugin for grouping and filtering.
- updated
At Number - Unix epoch when the resource was last updated.
Supporting Types
Gateway Plugin Jwt Signer Config, Gateway Plugin Jwt Signer Config Args
- Access
Token Consumer Bies List<string> - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
, andcustom_id
. - Access
Token Consumer Claims List<string> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
sub
orusername
) in an access token to Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - Access
Token Introspection Body Args string - This parameter allows you to pass URL encoded request body arguments. For example:
resource=
ora=1&b=&c
. - Access
Token Introspection Consumer Bies List<string> - When the plugin tries to map access token introspection results to a Kong consumer, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- Access
Token Introspection Consumer Claims List<string> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in access token introspection results to the Kong consumer entity. - Access
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token Introspection Hint string - If you need to give
hint
parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token
. - Access
Token Introspection Jwt Claims List<string> - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON
), specify that key with this parameter. If the key cannot be found, the plugin responds with 401 Unauthorized
. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized
. - Access
Token Introspection Leeway double - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its exp time. You can disable access token introspection expiry
verification altogether withconfig.verify_access_token_introspection_expiry
. - Access
Token Introspection Scopes Claims List<string> - Specify the claim/property in access token introspection results (
JSON
) to be verified against values ofconfig.access_token_introspection_scopes_required
. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ]
, which can be given as realm_access,roles
(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required
, the plugin responds with403 Forbidden
. - Access
Token Introspection Scopes Requireds List<string> - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - Access
Token Introspection Timeout double - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, then the plugin spends two times the
config.access_token_introspection_timeout
on access token introspection. - Access
Token Issuer string - The
iss
claim of a signed or re-signed access token is set to this value. Originaliss
claim of the incoming token (possibly introspected) is stored inoriginal_iss
claim of the newly signed access token. - Access
Token Jwks Uri string - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - Access
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username
- Access
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password
- Access
Token Jwks Uri Rotate Period double - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - Access
Token Keyset string - The name of the keyset containing signing keys.
- Access
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - Access
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username
- Access
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password
- Access
Token Keyset Rotate Period double - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - Access
Token Leeway double - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
exp
claim before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its exp time. You can disable access token expiry
verification altogether withconfig.verify_access_token_expiry
. - Access
Token Optional bool - If an access token is not provided or no
config.access_token_request_header
is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized
(client didn't send a token) or500 Unexpected
(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check; such a request continues without any access token verification by this plugin. If the token is provided, then this parameter has no effect. - Access
Token Request Header string - This parameter tells the name of the header where to look for the access token.
- Access
Token Scopes Claims List<string> - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - Access
Token Scopes Requireds List<string> - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - Access
Token Signing Algorithm string - When this plugin sets the upstream header as specified with
config.access_token_upstream_header
, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuer
specifies whichkeyset
is used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token Upstream Header string - Removes the
config.access_token_request_header
from the request after reading its value. Withconfig.access_token_upstream_header
, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, for example by using null
or""
(empty string), the plugin does not even try to sign or re-sign the token. - Access
Token Upstream Leeway double - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - Add
Access Token Claims Dictionary<string, string> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel Token Claims Dictionary<string, string> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims Dictionary<string, string> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access Token Introspection bool - Whether to cache access token introspection results.
- Cache
Channel Token Introspection bool - Whether to cache channel token introspection results.
- Channel
Token Consumer Bies List<string> - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id
,username
, andcustom_id
. - Channel
Token Consumer Claims List<string> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id
, ausername
, and acustom_id
. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden
. - string
- When using
opaque
channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns401 Unauthorized
when using opaque channel tokens. - Channel
Token Introspection Body Args string - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
ora=1&b=&c
. - Channel
Token Introspection Consumer Bies List<string> - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
andcustom_id
. - Channel
Token Introspection Consumer Claims List<string> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in channel token introspection results to Kong consumer entity - Channel
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorized
instead. - Channel
Token Introspection Hint string - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahint
isn't sent with channel token introspection. - Channel
Token Introspection Jwt Claims List<string> - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token Introspection Leeway double - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiry
verification altogether withconfig.verify_channel_token_introspection_expiry
. - Channel
Token Introspection Scopes Claims List<string> - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values ofconfig.channel_token_introspection_scopes_required
. This supports nested claims. - Channel
Token Introspection Scopes Requireds List<string> - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - Channel
Token Introspection Timeout double - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, then the plugin spends two times the
config.access_token_introspection_timeout
on channel token introspection. - Channel
Token Issuer string - The
iss
claim of the re-signed channel token is set to this value, which iskong
by default. The originaliss
claim of the incoming token (possibly introspected) is stored in theoriginal_iss
claim of the newly signed channel token. - Channel
Token Jwks Uri string - If you want to use
config.verify_channel_token_signature
, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with401 Unauthorized
. - Channel
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - Channel
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username
- Channel
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password
- Channel
Token Jwks Uri Rotate Period double - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - Channel
Token Keyset string - The name of the keyset containing signing keys.
- Channel
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - Channel
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username
- Channel
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password
- Channel
Token Keyset Rotate Period double - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - Channel
Token Leeway double - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
exp
claim before checking token expiry against Kong servers current time in seconds. You can disable channel tokenexpiry
verification altogether withconfig.verify_channel_token_expiry
. - Channel
Token Optional bool - If a channel token is not provided or no
config.channel_token_request_header
is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with401 Unauthorized
(client didn't send a token) or500 Unexpected
(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check; such a request continues without any channel token verification by this plugin. If the channel token is provided, then this parameter has no effect. - Channel
Token Request Header string - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or""
(empty string). - Channel
Token Scopes Claims List<string> - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - Channel
Token Scopes Requireds List<string> - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - Channel
Token Signing Algorithm string - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Channel
Token Upstream Header string - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - Channel
Token Upstream Leeway double - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - Enable
Access Token Introspection bool - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - Enable
Channel Token Introspection bool - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - Enable
Hs Signatures bool - Tokens signed with HMAC algorithms such as
HS256
,HS384
, orHS512
are not accepted by default. If you need to accept such tokens for verification, enable this setting. - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - Original
Access Token Upstream Header string - The HTTP header name used to store the original access token.
- Original
Channel Token Upstream Header string - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a
WWW-Authenticate
header with therealm
attribute value. - Remove
Access Token Claims List<string> - Remove claims. It should be an array, and each element is a claim key string.
- Remove
Channel Token Claims List<string> - Remove claims. It should be an array, and each element is a claim key string.
- Set
Access Token Claims Dictionary<string, string> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel Token Claims Dictionary<string, string> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims Dictionary<string, string> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access Token Introspection bool - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload, so the plugin relies on the introspection results for those checks. - Trust
Channel Token Introspection bool - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked; set it to false to have the payload's expiry and scopes checked as well.
- Verify
Access Token Expiry bool - Quickly turn access token expiry verification off and on as needed.
- Verify
Access Token Introspection Expiry bool - Quickly turn access token introspection expiry verification off and on as needed.
- Verify
Access Token Introspection Scopes bool - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - Verify
Access Token Scopes bool - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - Verify
Access Token Signature bool - Quickly turn access token signature verification off and on as needed.
- Verify
Channel Token Expiry bool - Verify
Channel Token Introspection Expiry bool - Quickly turn on/off the channel token introspection expiry verification.
- Verify
Channel Token Introspection Scopes bool - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - Verify
Channel Token Scopes bool - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - Verify
Channel Token Signature bool - Quickly turn on/off the channel token signature verification.
- Access
Token Consumer Bies []string - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
, andcustom_id
. - Access
Token Consumer Claims []string - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
sub
orusername
) in an access token to Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - Access
Token Introspection Body Args string - This parameter allows you to pass URL encoded request body arguments. For example:
resource=
ora=1&b=&c
. - Access
Token Introspection Consumer Bies []string - When the plugin tries to map access token introspection results to a Kong consumer, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- Access
Token Introspection Consumer Claims []string - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in access token introspection results to the Kong consumer entity. - Access
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - Access
Token Introspection Hint string - If you need to give
hint
parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token
. - Access
Token Introspection Jwt Claims []string - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON
), specify that key with this parameter. If the key cannot be found, the plugin responds with 401 Unauthorized
. Also if the key is found but cannot be decoded as JWT, it also responds with401 Unauthorized
. - Access
Token Introspection Leeway float64 - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its exp time. You can disable access token introspection expiry
verification altogether withconfig.verify_access_token_introspection_expiry
. - Access
Token Introspection Scopes Claims []string - Specify the claim/property in access token introspection results (
JSON
) to be verified against values ofconfig.access_token_introspection_scopes_required
. This supports nested claims. For example, with Keycloak you could use[ "realm_access", "roles" ]
, which can be given as realm_access,roles
(form post). If the claim is not found in access token introspection results, and you have specifiedconfig.access_token_introspection_scopes_required
, the plugin responds with403 Forbidden
. - Access
Token Introspection Scopes Requireds []string - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - Access
Token Introspection Timeout float64 - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, then the plugin spends two times the
config.access_token_introspection_timeout
on access token introspection. - Access
Token Issuer string - The
iss
claim of a signed or re-signed access token is set to this value. Originaliss
claim of the incoming token (possibly introspected) is stored inoriginal_iss
claim of the newly signed access token. - Access
Token Jwks Uri string - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- Access
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - Access
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username
- Access
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password
- Access
Token Jwks Uri Rotate Period float64 - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - Access
Token Keyset string - The name of the keyset containing signing keys.
- Access
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - Access
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username
- Access
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password
- Access
Token Keyset Rotate Period float64 - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - Access
Token Leeway float64 - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
exp
claim before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its exp time. You can disable access token expiry
verification altogether withconfig.verify_access_token_expiry
. - Access
Token Optional bool - If an access token is not provided or no
config.access_token_request_header
is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with401 Unauthorized
(client didn't send a token) or500 Unexpected
(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check; such a request continues without any access token verification by this plugin. If the token is provided, then this parameter has no effect. - Access
Token Request Header string - This parameter tells the name of the header where to look for the access token.
- Access
Token Scopes Claims []string - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - Access
Token Scopes Requireds []string - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - Access
Token Signing Algorithm string - When this plugin sets the upstream header as specified with
config.access_token_upstream_header
, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. Theconfig.access_token_issuer
specifies whichkeyset
is used to sign the new token issued by Kong using the specified signing algorithm. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - Access
Token Upstream Header string - Removes the
config.access_token_request_header
from the request after reading its value. With config.access_token_upstream_header
, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as when you use null
or ""
(empty string), the plugin does not even try to sign or re-sign the token. - Access
Token Upstream Leeway float64 - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - Add
Access Token Claims map[string]string - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Channel Token Claims map[string]string - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Add
Claims map[string]string - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Cache
Access Token Introspection bool - Whether to cache access token introspection results.
- Cache
Channel Token Introspection bool - Whether to cache channel token introspection results.
- Channel
Token Consumer Bies []string - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id
, username
, and custom_id
. - Channel
Token Consumer Claims []string - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id
, a username
, and a custom_id
. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden
. - string
- When using
opaque
channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized
when using opaque channel tokens. - Channel
Token Introspection Body Args string - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
or a=1&b=&c
. - Channel
Token Introspection Consumer Bies []string - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
, username
and custom_id
. - Channel
Token Introspection Consumer Claims []string - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
or username
) in channel token introspection results to Kong consumer entity - Channel
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized
instead. - Channel
Token Introspection Hint string - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint
isn't sent with channel token introspection. - Channel
Token Introspection Jwt Claims []string - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - Channel
Token Introspection Leeway float64 - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON
) exp
claim/property before checking token expiry against Kong servers' current time (in seconds). You can disable channel token introspection expiry
verification altogether with config.verify_channel_token_introspection_expiry
. - Channel
Token Introspection Scopes Claims []string - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values of config.channel_token_introspection_scopes_required
. This supports nested claims. - Channel
Token Introspection Scopes Requireds []string - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - Channel
Token Introspection Timeout float64 - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on channel token introspection. - Channel
Token Issuer string - The
iss
claim of the re-signed channel token is set to this value, which is kong
by default. The original iss
claim of the incoming token (possibly introspected) is stored in the original_iss
claim of the newly signed channel token. - Channel
Token Jwks Uri string - If you want to use
config.verify_channel_token_signature
, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized
. - Channel
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - Channel
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
- Channel
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
- Channel
Token Jwks Uri Rotate Period float64 - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - Channel
Token Keyset string - The name of the keyset containing signing keys.
- Channel
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - Channel
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
- Channel
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
- Channel
Token Keyset Rotate Period float64 - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - Channel
Token Leeway float64 - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
exp
claim before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its nominal expiry. You can disable channel token expiry
verification altogether with config.verify_channel_token_expiry
. - Channel
Token Optional bool - If a channel token is not provided or no
config.channel_token_request_header
is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check; the request then continues without a verified channel token. If the channel token is provided, then this parameter has no effect. - Channel
Token Request Header string - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or ""
(empty string). - Channel
Token Scopes Claims []string - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - Channel
Token Scopes Requireds []string - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - Channel
Token Signing Algorithm string - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - Channel
Token Upstream Header string - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - Channel
Token Upstream Leeway float64 - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - Enable
Access Token Introspection bool - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - Enable
Channel Token Introspection bool - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - Enable
Hs Signatures bool - Tokens signed with HMAC algorithms such as
HS256
, HS384
, or HS512
are not accepted by default. If you need to accept such tokens for verification, enable this setting. - Enable
Instrumentation bool - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - Original
Access Token Upstream Header string - The HTTP header name used to store the original access token.
- Original
Channel Token Upstream Header string - The HTTP header name used to store the original channel token.
- Realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a
WWW-Authenticate
header with the realm
attribute value. - Remove
Access Token Claims []string - Remove claims. It should be an array, and each element is a claim key string.
- Remove
Channel Token Claims []string - Remove claims. It should be an array, and each element is a claim key string.
- Set
Access Token Claims map[string]string - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Channel Token Claims map[string]string - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Set
Claims map[string]string - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- Trust
Access Token Introspection bool - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload. - Trust
Channel Token Introspection bool - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.
- Verify
Access Token Expiry bool - Quickly turn access token expiry verification off and on as needed.
- Verify
Access Token Introspection Expiry bool - Quickly turn access token introspection expiry verification off and on as needed.
- Verify
Access Token Introspection Scopes bool - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - Verify
Access Token Scopes bool - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - Verify
Access Token Signature bool - Quickly turn access token signature verification off and on as needed.
- Verify
Channel Token Expiry bool - Verify
Channel Token Introspection Expiry bool - Quickly turn on/off the channel token introspection expiry verification.
- Verify
Channel Token Introspection Scopes bool - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - Verify
Channel Token Scopes bool - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - Verify
Channel Token Signature bool - Quickly turn on/off the channel token signature verification.
- access
Token Consumer Bies List<String> - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
, username
, and custom_id
. - access
Token Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
sub
or username
) in an access token to Kong consumer entity. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - access
Token Introspection Body Args String - This parameter allows you to pass URL encoded request body arguments. For example:
resource=
or a=1&b=&c
. - access
Token Introspection Consumer Bies List<String> - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token Introspection Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
or username
) in access token introspection results to the Kong consumer entity. - access
Token Introspection Endpoint String - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token Introspection Hint String - If you need to give
hint
parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token
. - access
Token Introspection Jwt Claims List<String> - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (
JSON
). If the key cannot be found, the plugin responds with 401 Unauthorized
. Also if the key is found but cannot be decoded as JWT, it also responds with 401 Unauthorized
. - access
Token Introspection Leeway Double - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON
) exp
claim/property before checking token expiry against Kong servers' current time in seconds. You can disable access token introspection expiry
verification altogether with config.verify_access_token_introspection_expiry
. - access
Token Introspection Scopes Claims List<String> - Specify the claim/property in access token introspection results (
JSON
) to be verified against values of config.access_token_introspection_scopes_required
. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ]
, which can be given as realm_access,roles
(form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required
, the plugin responds with 403 Forbidden
. - access
Token Introspection Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - access
Token Introspection Timeout Double - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on access token introspection. - access
Token Issuer String - The
iss
claim of a signed or re-signed access token is set to this value. Original iss
claim of the incoming token (possibly introspected) is stored in original_iss
claim of the newly signed access token. - access
Token Jwks Uri String - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token Jwks Uri Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - access
Token Jwks Uri Client Password String - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_username
- access
Token Jwks Uri Client Username String - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with access_token_jwks_uri_client_password
- access
Token Jwks Uri Rotate Period Double - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - access
Token Keyset String - The name of the keyset containing signing keys.
- access
Token Keyset Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - access
Token Keyset Client Password String - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_username
- access
Token Keyset Client Username String - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together with access_token_keyset_client_password
- access
Token Keyset Rotate Period Double - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - access
Token Leeway Double - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
exp
claim before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its nominal expiry. You can disable access token expiry
verification altogether with config.verify_access_token_expiry
. - access
Token Optional Boolean - If an access token is not provided or no
config.access_token_request_header
is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Use this parameter to allow the request to proceed even when there is no token to check; the request then continues without a verified access token. If the token is provided, then this parameter has no effect. - access
Token Request Header String - This parameter tells the name of the header where to look for the access token.
- access
Token Scopes Claims List<String> - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - access
Token Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - access
Token Signing Algorithm String - When this plugin sets the upstream header as specified with
config.access_token_upstream_header
, it re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer
specifies which keyset
is used to sign the new token issued by Kong using the specified signing algorithm. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - access
Token Upstream Header String - Removes the
config.access_token_request_header
from the request after reading its value. With config.access_token_upstream_header
, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as when you use null
or ""
(empty string), the plugin does not even try to sign or re-sign the token. - access
Token Upstream Leeway Double - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - add
Access Token Claims Map<String,String> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Token Claims Map<String,String> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String,String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access Token Introspection Boolean - Whether to cache access token introspection results.
- cache
Channel Token Introspection Boolean - Whether to cache channel token introspection results.
- channel
Token Consumer Bies List<String> - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id
, username
, and custom_id
. - channel
Token Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id
, a username
, and a custom_id
. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden
. - String
- When using
opaque
channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized
when using opaque channel tokens. - channel
Token Introspection Body Args String - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
or a=1&b=&c
. - channel
Token Introspection Consumer Bies List<String> - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
, username
and custom_id
. - channel
Token Introspection Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
or username
) in channel token introspection results to Kong consumer entity - channel
Token Introspection Endpoint String - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns 401 Unauthorized
instead. - channel
Token Introspection Hint String - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a hint
isn't sent with channel token introspection. - channel
Token Introspection Jwt Claims List<String> - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token Introspection Leeway Double - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON
) exp
claim/property before checking token expiry against Kong servers' current time (in seconds). You can disable channel token introspection expiry
verification altogether with config.verify_channel_token_introspection_expiry
. - channel
Token Introspection Scopes Claims List<String> - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values of config.channel_token_introspection_scopes_required
. This supports nested claims. - channel
Token Introspection Scopes Requireds List<String> - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - channel
Token Introspection Timeout Double - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on channel token introspection. - channel
Token Issuer String - The
iss
claim of the re-signed channel token is set to this value, which is kong
by default. The original iss
claim of the incoming token (possibly introspected) is stored in the original_iss
claim of the newly signed channel token. - channel
Token Jwks Uri String - If you want to use
config.verify_channel_token_signature
, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized
. - channel
Token Jwks Uri Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - channel
Token Jwks Uri Client Password String - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_username
- channel
Token Jwks Uri Client Username String - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together with channel_token_jwks_uri_client_password
- channel
Token Jwks Uri Rotate Period Double - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - channel
Token Keyset String - The name of the keyset containing signing keys.
- channel
Token Keyset Client Certificate String - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - channel
Token Keyset Client Password String - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_username
- channel
Token Keyset Client Username String - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together with channel_token_keyset_client_password
- channel
Token Keyset Rotate Period Double - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - channel
Token Leeway Double - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
exp
claim before checking token expiry against Kong servers' current time in seconds, so a larger value keeps a token accepted for longer after its nominal expiry. You can disable channel token expiry
verification altogether with config.verify_channel_token_expiry
. - channel
Token Optional Boolean - If a channel token is not provided or no
config.channel_token_request_header
is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check; the request then continues without a verified channel token. If the channel token is provided, then this parameter has no effect. - channel
Token Request Header String - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or ""
(empty string). - channel
Token Scopes Claims List<String> - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - channel
Token Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - channel
Token Signing Algorithm String - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - channel
Token Upstream Header String - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - channel
Token Upstream Leeway Double - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - enable
Access Token Introspection Boolean - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - enable
Channel Token Introspection Boolean - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - enable
Hs Signatures Boolean - Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - original
Access Token Upstream Header String - The HTTP header name used to store the original access token.
- original
Channel Token Upstream Header String - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a WWW-Authenticate header with the realm attribute value. - remove
Access Token Claims List<String> - remove claims. It should be an array, and each element is a claim key string.
- remove
Channel Token Claims List<String> - remove claims. It should be an array, and each element is a claim key string.
- set
Access Token Claims Map<String,String> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Token Claims Map<String,String> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String,String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access Token Introspection Boolean - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload. - trust
Channel Token Introspection Boolean - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), the payload's expiry or scopes aren't checked.
- verify
Access Token Expiry Boolean - Quickly turn access token expiry verification off and on as needed.
- verify
Access Token Introspection Expiry Boolean - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access Token Introspection Scopes Boolean - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - verify
Access Token Scopes Boolean - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - verify
Access Token Signature Boolean - Quickly turn access token signature verification off and on as needed.
- verify
Channel Token Expiry Boolean - verify
Channel Token Introspection Expiry Boolean - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel Token Introspection Scopes Boolean - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - verify
Channel Token Scopes Boolean - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - verify
Channel Token Signature Boolean - Quickly turn on/off the channel token signature verification.
- access
Token Consumer Bies string[] - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username, and custom_id. - access
Token Consumer Claims string[] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, sub or username) in an access token to a Kong consumer entity. - string
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - access
Token Introspection Body Args string - This parameter allows you to pass URL encoded request body arguments. For example: resource= or a=1&b=&c. - access
Token Introspection Consumer Bies string[] - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token Introspection Consumer Claims string[] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in access token introspection results to the Kong consumer entity. - access
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token Introspection Hint string - If you need to give a hint parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token. - access
Token Introspection Jwt Claims string[] - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. If the key cannot be found, the plugin responds with 401 Unauthorized. If the key is found but cannot be decoded as a JWT, it also responds with 401 Unauthorized. - access
Token Introspection Leeway number - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to the introspection results (JSON) exp claim/property before checking token expiry against Kong servers' current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry. - access
Token Introspection Scopes Claims string[] - Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], which can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden. - access
Token Introspection Scopes Requireds string[] - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - access
Token Introspection Timeout number - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, the plugin spends two times the config.access_token_introspection_timeout on access token introspection. - access
Token Issuer string - The iss claim of a signed or re-signed access token is set to this value. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed access token. - access
Token Jwks Uri string - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - access
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username
- access
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password
- access
Token Jwks Uri Rotate Period number - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - access
Token Keyset string - The name of the keyset containing signing keys.
- access
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - access
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username
- access
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password
- access
Token Keyset Rotate Period number - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - access
Token Leeway number - Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry. - access
Token Optional boolean - If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, this parameter has no effect. - access
Token Request Header string - This parameter tells the name of the header where to look for the access token.
- access
Token Scopes Claims string[] - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - access
Token Scopes Requireds string[] - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - access
Token Signing Algorithm string - When this plugin sets the upstream header as specified with config.access_token_upstream_header, it re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access
Token Upstream Header string - Removes the config.access_token_request_header from the request after reading its value. With config.access_token_upstream_header, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value (for example, you use null or "", the empty string), the plugin does not even try to sign or re-sign the token. - access
Token Upstream Leeway number - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - add
Access Token Claims {[key: string]: string} - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Token Claims {[key: string]: string} - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims {[key: string]: string} - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access Token Introspection boolean - Whether to cache access token introspection results.
- cache
Channel Token Introspection boolean - Whether to cache channel token introspection results.
- channel
Token Consumer Bies string[] - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: id, username, and custom_id. - channel
Token Consumer Claims string[] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an id, a username, and a custom_id. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with 403 Forbidden. - string
- When using opaque channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized when using opaque channel tokens. - channel
Token Introspection Body Args string - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
ora=1&b=&c
. - channel
Token Introspection Consumer Bies string[] - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
andcustom_id
. - channel
Token Introspection Consumer Claims string[] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in channel token introspection results to Kong consumer entity - channel
Token Introspection Endpoint string - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorized
instead. - channel
Token Introspection Hint string - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahint
isn't sent with channel token introspection. - channel
Token Introspection Jwt Claims string[] - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token Introspection Leeway number - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to the introspection results (JSON) exp claim/property before checking token expiry against Kong servers' current time (in seconds). You can disable channel token introspection expiry verification altogether with config.verify_channel_token_introspection_expiry. - channel
Token Introspection Scopes Claims string[] - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values ofconfig.channel_token_introspection_scopes_required
. This supports nested claims. - channel
Token Introspection Scopes Requireds string[] - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - channel
Token Introspection Timeout number - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, the plugin spends two times the config.access_token_introspection_timeout on channel token introspection. - channel
Token Issuer string - The iss claim of the re-signed channel token is set to this value, which is kong by default. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed channel token. - channel
Token Jwks Uri string - If you want to use config.verify_channel_token_signature, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized. - channel
Token Jwks Uri Client Certificate string - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - channel
Token Jwks Uri Client Password string - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username
- channel
Token Jwks Uri Client Username string - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password
- channel
Token Jwks Uri Rotate Period number - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - channel
Token Keyset string - The name of the keyset containing signing keys.
- channel
Token Keyset Client Certificate string - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - channel
Token Keyset Client Password string - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username
- channel
Token Keyset Client Username string - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password
- channel
Token Keyset Rotate Period number - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - channel
Token Leeway number - Adjusts clock skew between the token issuer and Kong. The value will be added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable channel token expiry verification altogether with config.verify_channel_token_expiry. - channel
Token Optional boolean - If a channel token is not provided or no config.channel_token_request_header is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, this parameter has no effect. - channel
Token Request Header string - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or""
(empty string). - channel
Token Scopes Claims string[] - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - channel
Token Scopes Requireds string[] - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - channel
Token Signing Algorithm string - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - channel
Token Upstream Header string - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - channel
Token Upstream Leeway number - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - enable
Access Token Introspection boolean - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - enable
Channel Token Introspection boolean - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - enable
Hs Signatures boolean - Tokens signed with HMAC algorithms such as HS256, HS384, or HS512 are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable
Instrumentation boolean - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - original
Access Token Upstream Header string - The HTTP header name used to store the original access token.
- original
Channel Token Upstream Header string - The HTTP header name used to store the original channel token.
- realm string
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a WWW-Authenticate header with the realm attribute value. - remove
Access Token Claims string[] - remove claims. It should be an array, and each element is a claim key string.
- remove
Channel Token Claims string[] - remove claims. It should be an array, and each element is a claim key string.
- set
Access Token Claims {[key: string]: string} - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Token Claims {[key: string]: string} - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims {[key: string]: string} - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access Token Introspection boolean - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload. - trust
Channel Token Introspection boolean - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), the payload's expiry or scopes aren't checked.
- verify
Access Token Expiry boolean - Quickly turn access token expiry verification off and on as needed.
- verify
Access Token Introspection Expiry boolean - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access Token Introspection Scopes boolean - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - verify
Access Token Scopes boolean - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - verify
Access Token Signature boolean - Quickly turn access token signature verification off and on as needed.
- verify
Channel Token Expiry boolean - verify
Channel Token Introspection Expiry boolean - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel Token Introspection Scopes boolean - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - verify
Channel Token Scopes boolean - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - verify
Channel Token Signature boolean - Quickly turn on/off the channel token signature verification.
- access_
token_ consumer_ bies Sequence[str] - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are id, username, and custom_id. - access_
token_ consumer_ claims Sequence[str] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
sub
orusername
) in an access token to Kong consumer entity. - str
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - access_
token_ introspection_ body_ args str - This parameter allows you to pass URL encoded request body arguments. For example:
resource=
ora=1&b=&c
. - access_
token_ introspection_ consumer_ bies Sequence[str] - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access_
token_ introspection_ consumer_ claims Sequence[str] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in access token introspection results to the Kong consumer entity. - access_
token_ introspection_ endpoint str - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access_
token_ introspection_ hint str - If you need to give
hint
parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sendshint=access_token
. - access_
token_ introspection_ jwt_ claims Sequence[str] - If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (JSON), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. If the key cannot be found, the plugin responds with 401 Unauthorized. If the key is found but cannot be decoded as a JWT, it also responds with 401 Unauthorized. - access_
token_ introspection_ leeway float - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to the introspection results (JSON) exp claim/property before checking token expiry against Kong servers' current time in seconds. You can disable access token introspection expiry verification altogether with config.verify_access_token_introspection_expiry. - access_
token_ introspection_ scopes_ claims Sequence[str] - Specify the claim/property in access token introspection results (JSON) to be verified against values of config.access_token_introspection_scopes_required. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ], which can be given as realm_access,roles (form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required, the plugin responds with 403 Forbidden. - access_
token_ introspection_ scopes_ requireds Sequence[str] - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - access_
token_ introspection_ timeout float - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests time out, the plugin spends two times the config.access_token_introspection_timeout on access token introspection. - access_
token_ issuer str - The iss claim of a signed or re-signed access token is set to this value. The original iss claim of the incoming token (possibly introspected) is stored in the original_iss claim of the newly signed access token. - access_
token_ jwks_ uri str - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access_
token_ jwks_ uri_ client_ certificate str - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - access_
token_ jwks_ uri_ client_ password str - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username
- access_
token_ jwks_ uri_ client_ username str - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password
- access_
token_ jwks_ uri_ rotate_ period float - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - access_
token_ keyset str - The name of the keyset containing signing keys.
- access_
token_ keyset_ client_ certificate str - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - access_
token_ keyset_ client_ password str - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username
- access_
token_ keyset_ client_ username str - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password
- access_
token_ keyset_ rotate_ period float - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - access_
token_ leeway float - Adjusts clock skew between the token issuer and Kong. The value is added to the token's exp claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry verification altogether with config.verify_access_token_expiry. - access_
token_ optional bool - If an access token is not provided or no config.access_token_request_header is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized (client didn't send a token) or 500 Unexpected (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, this parameter has no effect. - access_
token_ request_ header str - This parameter tells the name of the header where to look for the access token.
- access_
token_ scopes_ claims Sequence[str] - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - access_
token_ scopes_ requireds Sequence[str] - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - access_
token_ signing_ algorithm str - When this plugin sets the upstream header as specified with config.access_token_upstream_header, it re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer specifies which keyset is used to sign the new token issued by Kong using the specified signing algorithm. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"] - access_
token_ upstream_ header str - Removes the
config.access_token_request_header
from the request after reading its value. With config.access_token_upstream_header
, you can specify the upstream header where the plugin adds the Kong-signed token. If you don't specify a value, for example by using null
or ""
(empty string), the plugin does not even try to sign or re-sign the token. - access_
token_ upstream_ leeway float - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - add_
access_ token_ claims Mapping[str, str] - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
channel_ token_ claims Mapping[str, str] - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add_
claims Mapping[str, str] - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache_
access_ token_ introspection bool - Whether to cache access token introspection results.
- cache_
channel_ token_ introspection bool - Whether to cache channel token introspection results.
- channel_
token_ consumer_ bies Sequence[str] - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id
,username
, andcustom_id
. - channel_
token_ consumer_ claims Sequence[str] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id
, ausername
, and acustom_id
. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden
. - str
- When using
opaque
channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized
when using opaque channel tokens. - channel_
token_ introspection_ body_ args str - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
ora=1&b=&c
. - channel_
token_ introspection_ consumer_ bies Sequence[str] - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
andcustom_id
. - channel_
token_ introspection_ consumer_ claims Sequence[str] - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in channel token introspection results to Kong consumer entity - channel_
token_ introspection_ endpoint str - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorized
instead. - channel_
token_ introspection_ hint str - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahint
isn't sent with channel token introspection. - channel_
token_ introspection_ jwt_ claims Sequence[str] - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel_
token_ introspection_ leeway float - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiry
verification altogether withconfig.verify_channel_token_introspection_expiry
. - channel_
token_ introspection_ scopes_ claims Sequence[str] - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values ofconfig.channel_token_introspection_scopes_required
. This supports nested claims. - channel_
token_ introspection_ scopes_ requireds Sequence[str] - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - channel_
token_ introspection_ timeout float - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on channel token introspection. - channel_
token_ issuer str - The
iss
claim of the re-signed channel token is set to this value, which iskong
by default. The originaliss
claim of the incoming token (possibly introspected) is stored in theoriginal_iss
claim of the newly signed channel token. - channel_
token_ jwks_ uri str - If you want to use
config.verify_channel_token_signature
, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized
. - channel_
token_ jwks_ uri_ client_ certificate str - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - channel_
token_ jwks_ uri_ client_ password str - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username
- channel_
token_ jwks_ uri_ client_ username str - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password
- channel_
token_ jwks_ uri_ rotate_ period float - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - channel_
token_ keyset str - The name of the keyset containing signing keys.
- channel_
token_ keyset_ client_ certificate str - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - channel_
token_ keyset_ client_ password str - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username
- channel_
token_ keyset_ client_ username str - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password
- channel_
token_ keyset_ rotate_ period float - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - channel_
token_ leeway float - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
exp
claim before checking token expiry against Kong servers' current time in seconds. You can disable channel token expiry
verification altogether with config.verify_channel_token_expiry
. - channel_
token_ optional bool - If a channel token is not provided or no
config.channel_token_request_header
is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Enable this parameter to allow the request to proceed, without channel token verification, even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. - channel_
token_ request_ header str - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or""
(empty string). - channel_
token_ scopes_ claims Sequence[str] - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - channel_
token_ scopes_ requireds Sequence[str] - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - channel_
token_ signing_ algorithm str - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - channel_
token_ upstream_ header str - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - channel_
token_ upstream_ leeway float - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - enable_
access_ token_ introspection bool - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - enable_
channel_ token_ introspection bool - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - enable_
hs_ signatures bool - Tokens signed with HMAC algorithms such as
HS256
, HS384
, or HS512
are not accepted by default. If you need to accept such tokens for verification, enable this setting. - enable_
instrumentation bool - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - original_
access_ token_ upstream_ header str - The HTTP header name used to store the original access token.
- original_
channel_ token_ upstream_ header str - The HTTP header name used to store the original channel token.
- realm str
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a
WWW-Authenticate
header with the realm
attribute value. - remove_
access_ token_ claims Sequence[str] - Claims to remove. The value should be an array in which each element is a claim key string.
- remove_
channel_ token_ claims Sequence[str] - Claims to remove. The value should be an array in which each element is a claim key string.
- set_
access_ token_ claims Mapping[str, str] - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
channel_ token_ claims Mapping[str, str] - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set_
claims Mapping[str, str] - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust_
access_ token_ introspection bool - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload. - trust_
channel_ token_ introspection bool - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results, may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), the payload's expiry or scopes aren't checked.
- verify_
access_ token_ expiry bool - Quickly turn access token expiry verification off and on as needed.
- verify_
access_ token_ introspection_ expiry bool - Quickly turn access token introspection expiry verification off and on as needed.
- verify_
access_ token_ introspection_ scopes bool - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - verify_
access_ token_ scopes bool - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - verify_
access_ token_ signature bool - Quickly turn access token signature verification off and on as needed.
- verify_
channel_ token_ expiry bool - verify_
channel_ token_ introspection_ expiry bool - Quickly turn on/off the channel token introspection expiry verification.
- verify_
channel_ token_ introspection_ scopes bool - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - verify_
channel_ token_ scopes bool - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - verify_
channel_ token_ signature bool - Quickly turn on/off the channel token signature verification.
- access
Token Consumer Bies List<String> - When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
, andcustom_id
. - access
Token Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example,
sub
orusername
) in an access token to Kong consumer entity. - String
- If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the
Authorization
header's value with this configuration parameter. - access
Token Introspection Body Args String - This parameter allows you to pass URL encoded request body arguments. For example:
resource=
ora=1&b=&c
. - access
Token Introspection Consumer Bies List<String> - When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.
- access
Token Introspection Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in access token introspection results to the Kong consumer entity. - access
Token Introspection Endpoint String - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. - access
Token Introspection Hint String - If you need to give
hint
parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends hint=access_token
. - access
Token Introspection Jwt Claims List<String> - Specify the key (or claim) within the introspection results (
JSON
) in which your introspection endpoint returns an access token. If the key cannot be found, the plugin responds with 401 Unauthorized
. If the key is found but cannot be decoded as a JWT, the plugin also responds with 401 Unauthorized
. - access
Token Introspection Leeway Number - Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspectionexpiry
verification altogether withconfig.verify_access_token_introspection_expiry
. - access
Token Introspection Scopes Claims List<String> - Specify the claim/property in access token introspection results (
JSON
) to be verified against values ofconfig.access_token_introspection_scopes_required
. This supports nested claims. For example, with Keycloak you could use [ "realm_access", "roles" ]
, which can be given as realm_access,roles
(form post). If the claim is not found in access token introspection results, and you have specified config.access_token_introspection_scopes_required
, the plugin responds with 403 Forbidden
. - access
Token Introspection Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.access_token_introspection_scopes_claim
. - access
Token Introspection Timeout Number - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on access token introspection. - access
Token Issuer String - The
iss
claim of a signed or re-signed access token is set to this value. Originaliss
claim of the incoming token (possibly introspected) is stored inoriginal_iss
claim of the newly signed access token. - access
Token Jwks Uri String - Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.
- access
Token Jwks Uri Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - access
Token Jwks Uri Client Password String - The client password that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_username
- access
Token Jwks Uri Client Username String - The client username that will be used to authenticate Kong if
access_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withaccess_token_jwks_uri_client_password
- access
Token Jwks Uri Rotate Period Number - Specify the period (in seconds) to auto-rotate the jwks for
access_token_jwks_uri
. The default value 0 means no auto-rotation. - access
Token Keyset String - The name of the keyset containing signing keys.
- access
Token Keyset Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_keyset
is an https uri that requires mTLS Auth. - access
Token Keyset Client Password String - The client password that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_username
- access
Token Keyset Client Username String - The client username that will be used to authenticate Kong if
access_token_keyset
is a uri that requires Basic Auth. Should be configured together withaccess_token_keyset_client_password
- access
Token Keyset Rotate Period Number - Specify the period (in seconds) to auto-rotate the jwks for
access_token_keyset
. The default value 0 means no auto-rotation. - access
Token Leeway Number - Adjusts clock skew between the token issuer and Kong. The value is added to the token's
exp
claim before checking token expiry against Kong servers' current time in seconds. You can disable access token expiry
verification altogether with config.verify_access_token_expiry
. - access
Token Optional Boolean - If an access token is not provided or no
config.access_token_request_header
is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Use this parameter to allow the request to proceed, without access token verification, even when there is no token to check. If the token is provided, then this parameter has no effect. - access
Token Request Header String - This parameter tells the name of the header where to look for the access token.
- access
Token Scopes Claims List<String> - Specify the claim in an access token to verify against values of
config.access_token_scopes_required
. - access
Token Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by a claim specified by
config.access_token_scopes_claim
. - access
Token Signing Algorithm String - When this plugin sets the upstream header as specified with
config.access_token_upstream_header
, it re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The config.access_token_issuer
specifies which keyset
is used to sign the new token issued by Kong using the specified signing algorithm. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - access
Token Upstream Header String - Removes the
config.access_token_request_header
from the request after reading its value. With config.access_token_upstream_header
, you can specify the upstream header where the plugin adds the Kong-signed token. If you don't specify a value, for example by using null
or ""
(empty string), the plugin does not even try to sign or re-sign the token. - access
Token Upstream Leeway Number - If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's
exp
claim. - add
Access Token Claims Map<String> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Channel Token Claims Map<String> - Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- add
Claims Map<String> - Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- cache
Access Token Introspection Boolean - Whether to cache access token introspection results.
- cache
Channel Token Introspection Boolean - Whether to cache channel token introspection results.
- channel
Token Consumer Bies List<String> - When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values:
id
,username
, andcustom_id
. - channel
Token Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an
id
, ausername
, and acustom_id
. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with403 Forbidden
. - String
- When using
opaque
channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns 401 Unauthorized
when using opaque channel tokens. - channel
Token Introspection Body Args String - If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example:
resource=
ora=1&b=&c
. - channel
Token Introspection Consumer Bies List<String> - When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are
id
,username
andcustom_id
. - channel
Token Introspection Consumer Claims List<String> - When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as
sub
orusername
) in channel token introspection results to Kong consumer entity - channel
Token Introspection Endpoint String - When you use
opaque
access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns401 Unauthorized
instead. - channel
Token Introspection Hint String - If you need to give
hint
parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, ahint
isn't sent with channel token introspection. - channel
Token Introspection Jwt Claims List<String> - If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (
JSON
), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. - channel
Token Introspection Leeway Number - You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (
JSON
)exp
claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspectionexpiry
verification altogether withconfig.verify_channel_token_introspection_expiry
. - channel
Token Introspection Scopes Claims List<String> - Use this parameter to specify the claim/property in channel token introspection results (
JSON
) to be verified against values ofconfig.channel_token_introspection_scopes_required
. This supports nested claims. - channel
Token Introspection Scopes Requireds List<String> - Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by
config.channel_token_introspection_scopes_claim
. - channel
Token Introspection Timeout Number - Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the
config.access_token_introspection_timeout
on channel token introspection. - channel
Token Issuer String - The
iss
claim of the re-signed channel token is set to this value, which iskong
by default. The originaliss
claim of the incoming token (possibly introspected) is stored in theoriginal_iss
claim of the newly signed channel token. - channel
Token Jwks Uri String - If you want to use
config.verify_channel_token_signature
, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with 401 Unauthorized
. - channel
Token Jwks Uri Client Certificate String - The client certificate that will be used to authenticate Kong if
access_token_jwks_uri
is an https uri that requires mTLS Auth. - channel
Token Jwks Uri Client Password String - The client password that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_username
- channel
Token Jwks Uri Client Username String - The client username that will be used to authenticate Kong if
channel_token_jwks_uri
is a uri that requires Basic Auth. Should be configured together withchannel_token_jwks_uri_client_password
- channel
Token Jwks Uri Rotate Period Number - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_jwks_uri
. The default value 0 means no auto-rotation. - channel
Token Keyset String - The name of the keyset containing signing keys.
- channel
Token Keyset Client Certificate String - The client certificate that will be used to authenticate Kong if
channel_token_keyset
is an https uri that requires mTLS Auth. - channel
Token Keyset Client Password String - The client password that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_username
- channel
Token Keyset Client Username String - The client username that will be used to authenticate Kong if
channel_token_keyset
is a uri that requires Basic Auth. Should be configured together withchannel_token_keyset_client_password
- channel
Token Keyset Rotate Period Number - Specify the period (in seconds) to auto-rotate the jwks for
channel_token_keyset
. The default value 0 means no auto-rotation. - channel
Token Leeway Number - Adjusts clock skew between the token issuer and Kong. The value will be added to token's
exp
claim before checking token expiry against Kong servers' current time in seconds. You can disable channel token expiry
verification altogether with config.verify_channel_token_expiry
. - channel
Token Optional Boolean - If a channel token is not provided or no
config.channel_token_request_header
is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with 401 Unauthorized
(client didn't send a token) or 500 Unexpected
(a configuration error). Enable this parameter to allow the request to proceed, without channel token verification, even when there is no channel token to check. If the channel token is provided, then this parameter has no effect. - channel
Token Request Header String - This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to
null
or""
(empty string). - channel
Token Scopes Claims List<String> - Specify the claim in a channel token to verify against values of
config.channel_token_scopes_required
. This supports nested claims. - channel
Token Scopes Requireds List<String> - Specify the required values (or scopes) that are checked by a claim specified by
config.channel_token_scopes_claim
. - channel
Token Signing Algorithm String - When this plugin sets the upstream header as specified with
config.channel_token_upstream_header
, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token. Must be one of ["ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512"]. - channel
Token Upstream Header String - This plugin removes the
config.channel_token_request_header
from the request after reading its value. - channel
Token Upstream Leeway Number - If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's
exp
claim. - enable
Access Token Introspection Boolean - If you don't want to support opaque access tokens, change this configuration parameter to
false
to disable introspection. - enable
Channel Token Introspection Boolean - If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to
false
. - enable
Hs Signatures Boolean - Tokens signed with HMAC algorithms such as
HS256
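, HS384
, or HS512
are not accepted by default. If you need to accept such tokens for verification, enable this setting. HMAC is a symmetric scheme, so any party that holds the verification secret can also produce tokens that pass verification. - enable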
Instrumentation Boolean - Writes log entries with some added information using
ngx.CRIT
(CRITICAL) level. - original
Access Token Upstream Header String - The HTTP header name used to store the original access token.
- original
Channel Token Upstream Header String - The HTTP header name used to store the original channel token.
- realm String
- When authentication or authorization fails, or there is an unexpected error, the plugin sends a
WWW-Authenticate
header with the realm
attribute value. - remove
Access Token Claims List<String> - Claims to remove from the access token. It should be an array, and each element is a claim key string.
- remove
Channel Token Claims List<String> - Claims to remove from the channel token. It should be an array, and each element is a claim key string.
- set
Access Token Claims Map<String> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Channel Token Claims Map<String> - Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- set
Claims Map<String> - Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.
- trust
Access Token Introspection Boolean - Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to
true
, the expiry or scopes are not checked on a payload. - trust
Channel Token Introspection Boolean - Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results, may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), the payload's expiry or scopes aren't checked.
- verify
Access Token Expiry Boolean - Quickly turn access token expiry verification off and on as needed.
- verify
Access Token Introspection Expiry Boolean - Quickly turn access token introspection expiry verification off and on as needed.
- verify
Access Token Introspection Scopes Boolean - Quickly turn off and on the access token introspection scopes verification, specified with
config.access_token_introspection_scopes_required
. - verify
Access Token Scopes Boolean - Quickly turn off and on the access token required scopes verification, specified with
config.access_token_scopes_required
. - verify
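Access Token Signature Boolean - Quickly turn access token signature verification off and on as needed. While it is off, the plugin does not check the token's signature, so a JWT's claims are not cryptographically authenticated by this plugin.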
- verify
Channel Token Expiry Boolean - verify
Channel Token Introspection Expiry Boolean - Quickly turn on/off the channel token introspection expiry verification.
- verify
Channel Token Introspection Scopes Boolean - Quickly turn on/off the channel token introspection scopes verification specified with
config.channel_token_introspection_scopes_required
. - verify
Channel Token Scopes Boolean - Quickly turn on/off the channel token required scopes verification specified with
config.channel_token_scopes_required
. - verify
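Channel Token Signature Boolean - Quickly turn on/off the channel token signature verification. While it is off, the plugin does not check the token's signature, so a JWT's claims are not cryptographically authenticated by this plugin.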
Gateway Plugin Jwt Signer Ordering, Gateway Plugin Jwt Signer Ordering Args
Gateway Plugin Jwt Signer Ordering After, Gateway Plugin Jwt Signer Ordering After Args
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
Gateway Plugin Jwt Signer Ordering Before, Gateway Plugin Jwt Signer Ordering Before Args
- Accesses List<string>
- Accesses []string
- accesses List<String>
- accesses string[]
- accesses Sequence[str]
- accesses List<String>
Gateway Plugin Jwt Signer Partial, Gateway Plugin Jwt Signer Partial Args
Gateway Plugin Jwt Signer Route, Gateway Plugin Jwt Signer Route Args
- Id string
- Id string
- id String
- id string
- id str
- id String
Gateway Plugin Jwt Signer Service, Gateway Plugin Jwt Signer Service Args
- Id string
- Id string
- id String
- id string
- id str
- id String
Import
$ pulumi import konnect:index/gatewayPluginJwtSigner:GatewayPluginJwtSigner my_konnect_gateway_plugin_jwt_signer '{"control_plane_id": "9524ec7d-36d9-465d-a8c5-83a3c9390458", "id": "3473c251-5b6c-4f45-b1ff-7ede735a366d"}'
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- konnect kong/terraform-provider-konnect
- License
- Notes
- This Pulumi package is based on the
konnect
Terraform Provider.