OpenidConnectPluginConfig
Properties
| Name | Type | Description |
|---|---|---|
| config | object | |
| name | object | |
| protocols | array | A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins th |
| route | object | If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used. |
| service | object | If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/OpenidConnectPluginConfig",
"title": "OpenidConnectPluginConfig",
"x-speakeasy-entity": "PluginOpenidConnect",
"properties": {
"config": {
"type": "object",
"properties": {
"anonymous": {
"description": "An optional string (consumer UUID or username) value that functions as an \u201canonymous\u201d consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.",
"type": "string"
},
"audience": {
"description": "The audience passed to the authorization endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"audience_claim": {
"description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.",
"type": "array",
"items": {
"type": "string"
},
"default": [
"aud"
]
},
"audience_required": {
"description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.",
"type": "array",
"items": {
"type": "string"
}
},
"auth_methods": {
"description": "Types of credentials/grants to enable.",
"type": "array",
"items": {
"enum": [
"authorization_code",
"bearer",
"client_credentials",
"introspection",
"kong_oauth2",
"password",
"refresh_token",
"session",
"userinfo"
],
"type": "string"
},
"default": [
"authorization_code",
"bearer",
"client_credentials",
"introspection",
"kong_oauth2",
"password",
"refresh_token",
"session",
"userinfo"
]
},
"authenticated_groups_claim": {
"description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_cookie_domain": {
"description": "The authorization cookie Domain flag.",
"type": "string"
},
"authorization_cookie_http_only": {
"description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.",
"type": "boolean",
"default": true
},
"authorization_cookie_name": {
"description": "The authorization cookie name.",
"type": "string",
"default": "authorization"
},
"authorization_cookie_path": {
"description": "The authorization cookie Path flag.",
"type": "string",
"default": "/"
},
"authorization_cookie_same_site": {
"description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.",
"type": "string",
"default": "Default",
"enum": [
"Default",
"Lax",
"None",
"Strict"
]
},
"authorization_cookie_secure": {
"description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.",
"type": "boolean"
},
"authorization_endpoint": {
"description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.",
"type": "string"
},
"authorization_query_args_client": {
"description": "Extra query arguments passed from the client to the authorization endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_query_args_names": {
"description": "Extra query argument names passed to the authorization endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_query_args_values": {
"description": "Extra query argument values passed to the authorization endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_rolling_timeout": {
"description": "Specifies, in seconds, how long the session used for the authorization code flow can be used before it needs to be renewed. 0 disables the checks and rolling.",
"type": "number",
"default": 600
},
"bearer_token_cookie_name": {
"description": "The name of the cookie in which the bearer token is passed.",
"type": "string"
},
"bearer_token_param_type": {
"description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.",
"type": "array",
"items": {
"enum": [
"body",
"cookie",
"header",
"query"
],
"type": "string"
},
"default": [
"body",
"header",
"query"
]
},
"by_username_ignore_case": {
"description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.",
"type": "boolean",
"default": false
},
"cache_introspection": {
"description": "Cache the introspection endpoint requests.",
"type": "boolean",
"default": true
},
"cache_token_exchange": {
"description": "Cache the legacy token exchange endpoint requests.",
"type": "boolean",
"default": true
},
"cache_tokens": {
"description": "Cache the token endpoint requests.",
"type": "boolean",
"default": true
},
"cache_tokens_salt": {
"description": "Salt used for generating the cache key that is used for caching the token endpoint requests.",
"type": "string"
},
"cache_ttl": {
"description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.",
"type": "number",
"default": 3600
},
"cache_ttl_max": {
"description": "The maximum cache ttl in seconds (enforced).",
"type": "number"
},
"cache_ttl_min": {
"description": "The minimum cache ttl in seconds (enforced).",
"type": "number"
},
"cache_ttl_neg": {
"description": "The negative cache ttl in seconds.",
"type": "number"
},
"cache_ttl_resurrect": {
"description": "The resurrection ttl in seconds.",
"type": "number"
},
"cache_user_info": {
"description": "Cache the user info requests.",
"type": "boolean",
"default": true
},
"claims_forbidden": {
"description": "If given, these claims are forbidden in the token payload.",
"type": "array",
"items": {
"type": "string"
}
},
"client_alg": {
"description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.",
"type": "array",
"items": {
"enum": [
"ES256",
"ES384",
"ES512",
"EdDSA",
"HS256",
"HS384",
"HS512",
"PS256",
"PS384",
"PS512",
"RS256",
"RS384",
"RS512"
],
"type": "string"
}
},
"client_arg": {
"description": "The client to use for this request (the selection is made with a request parameter with the same name).",
"type": "string",
"default": "client_id"
},
"client_auth": {
"description": "The OpenID Connect client authentication method. The default is 'client_secret_basic' (using 'Authorization: Basic' header); the other options are 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).",
"type": "array",
"items": {
"enum": [
"client_secret_basic",
"client_secret_jwt",
"client_secret_post",
"none",
"private_key_jwt",
"self_signed_tls_client_auth",
"tls_client_auth"
],
"type": "string"
}
},
"client_credentials_param_type": {
"description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.",
"type": "array",
"items": {
"enum": [
"body",
"header",
"query"
],
"type": "string"
},
"default": [
"body",
"header",
"query"
]
},
"client_id": {
"description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.",
"type": "array",
"items": {
"type": "string",
"x-referenceable": true
},
"x-encrypted": true
},
"client_jwk": {
"description": "The JWK used for the private_key_jwt authentication.",
"type": "array",
"items": {
"properties": {
"alg": {
"type": "string"
},
"crv": {
"type": "string"
},
"d": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"dp": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"dq": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"e": {
"type": "string"
},
"issuer": {
"type": "string"
},
"k": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"key_ops": {
"type": "array",
"items": {
"type": "string"
}
},
"kid": {
"type": "string"
},
"kty": {
"type": "string"
},
"n": {
"type": "string"
},
"oth": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"p": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"q": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"qi": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"r": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"t": {
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"use": {
"type": "string"
},
"x": {
"type": "string"
},
"x5c": {
"type": "array",
"items": {
"type": "string"
}
},
"x5t": {
"type": "string"
},
"x5t#S256": {
"type": "string"
},
"x5u": {
"type": "string"
},
"y": {
"type": "string"
}
},
"type": "object"
}
},
"client_secret": {
"description": "The client secret.",
"type": "array",
"items": {
"type": "string",
"x-referenceable": true
},
"x-encrypted": true
},
"cluster_cache_redis": {
"type": "object",
"properties": {
"cloud_authentication": {
"description": "Cloud-authentication-related configuration for connecting to a Cloud Provider's Redis instance.",
"type": "object",
"properties": {
"auth_provider": {
"description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance.",
"type": "string",
"enum": [
"aws",
"azure",
"gcp"
],
"x-referenceable": true
},
"aws_access_key_id": {
"description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"aws_assume_role_arn": {
"description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"aws_cache_name": {
"description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`.",
"type": "string",
"x-referenceable": true
},
"aws_is_serverless": {
"description": "This flag specifies whether the cluster is serverless when auth_provider is set to `aws`.",
"type": "boolean",
"default": true
},
"aws_region": {
"description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`.",
"type": "string",
"x-referenceable": true
},
"aws_role_session_name": {
"description": "The session name for the temporary credentials when assuming the IAM role.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"aws_secret_access_key": {
"description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"azure_client_id": {
"description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"azure_client_secret": {
"description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"azure_tenant_id": {
"description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"gcp_service_account_json": {
"description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
}
}
},
"cluster_max_redirections": {
"description": "Maximum retry attempts for redirection.",
"type": "integer",
"default": 5
},
"cluster_nodes": {
"description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.",
"type": "array",
"items": {
"properties": {
"ip": {
"description": "A string representing a host name, such as example.com.",
"type": "string",
"default": "127.0.0.1"
},
"port": {
"description": "An integer representing a port number between 0 and 65535, inclusive.",
"type": "integer",
"default": 6379,
"maximum": 65535,
"minimum": 0
}
},
"type": "object"
},
"minLength": 1
},
"connect_timeout": {
"description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
"type": "integer",
"default": 2000,
"maximum": 2147483646,
"minimum": 0
},
"connection_is_proxied": {
"description": "If the connection to Redis is proxied (e.g. through Envoy), set this to `true`. Set the `host` and `port` to point to the proxy address.",
"type": "boolean",
"default": false
},
"database": {
"description": "Database to use for the Redis connection when using the `redis` strategy.",
"type": "integer",
"default": 0
},
"host": {
"description": "A string representing a host name, such as example.com.",
"type": "string",
"default": "127.0.0.1",
"x-referenceable": true
},
"keepalive_backlog": {
"description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.",
"type": "integer",
"maximum": 2147483646,
"minimum": 0
},
"keepalive_pool_size": {
"description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.",
"type": "integer",
"default": 256,
"maximum": 2147483646,
"minimum": 1
},
"password": {
"description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"port": {
"description": "An integer representing a port number between 0 and 65535, inclusive.",
"type": "integer",
"default": 6379,
"maximum": 65535,
"minimum": 0,
"x-referenceable": true
},
"read_timeout": {
"description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
"type": "integer",
"default": 2000,
"maximum": 2147483646,
"minimum": 0
},
"send_timeout": {
"description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
"type": "integer",
"default": 2000,
"maximum": 2147483646,
"minimum": 0
},
"sentinel_master": {
"description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.",
"type": "string"
},
"sentinel_nodes": {
"description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.",
"type": "array",
"items": {
"properties": {
"host": {
"description": "A string representing a host name, such as example.com.",
"type": "string",
"default": "127.0.0.1"
},
"port": {
"description": "An integer representing a port number between 0 and 65535, inclusive.",
"type": "integer",
"default": 6379,
"maximum": 65535,
"minimum": 0
}
},
"type": "object"
},
"minLength": 1
},
"sentinel_password": {
"description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.",
"type": "string",
"x-encrypted": true,
"x-referenceable": true
},
"sentinel_role": {
"description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.",
"type": "string",
"enum": [
"any",
"master",
"slave"
]
},
"sentinel_username": {
"description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.",
"type": "string",
"x-referenceable": true
},
"server_name": {
"description": "A string representing an SNI (server name indication) value for TLS.",
"type": "string",
"x-referenceable": true
},
"ssl": {
"description": "If set to true, uses SSL to connect to Redis.",
"type": "boolean",
"default": false
},
"ssl_verify": {
"description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.",
"type": "boolean",
"default": true
},
"username": {
"description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.",
"type": "string",
"x-referenceable": true
}
}
},
"cluster_cache_strategy": {
"description": "The strategy to use for the cluster cache. If set, the plugin will share its cache with nodes configured with the same strategy backend. Currently, only the introspection cache is shared.",
"type": "string",
"default": "off",
"enum": [
"off",
"redis"
]
},
"consumer_by": {
"description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.",
"type": "array",
"items": {
"enum": [
"custom_id",
"id",
"username"
],
"type": "string"
},
"default": [
"custom_id",
"username"
]
},
"consumer_claims": {
"description": "The claims used for consumer mapping. Each entry represents a claim path inside the token payload. The paths are evaluated in order, and the first matching claim is used.",
"type": "array",
"items": {
"description": "A path of strings representing the location of the claim in a nested object. For example, to map to `user.info.id`, set `[ \"user\", \"info\", \"id\" ]`.",
"items": {
"type": "string"
},
"type": "array"
}
},
"consumer_groups_claim": {
"description": "The claim used for consumer groups mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.",
"type": "array",
"items": {
"type": "string"
}
},
"consumer_groups_optional": {
"description": "Do not terminate the request if consumer groups mapping fails.",
"type": "boolean",
"default": false
},
"consumer_optional": {
"description": "Do not terminate the request if consumer mapping fails.",
"type": "boolean",
"default": false
},
"credential_claim": {
"description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.",
"type": "array",
"items": {
"type": "string"
},
"default": [
"sub"
]
},
"disable_session": {
"description": "Disable issuing the session cookie with the specified grants.",
"type": "array",
"items": {
"enum": [
"authorization_code",
"bearer",
"client_credentials",
"introspection",
"kong_oauth2",
"password",
"refresh_token",
"session",
"userinfo"
],
"type": "string"
}
},
"discovery_headers_names": {
"description": "Extra header names passed to the discovery endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"discovery_headers_values": {
"description": "Extra header values passed to the discovery endpoint.",
"type": "array",
"items": {
"type": "string"
}
},
"display_errors": {
"description": "Display errors on failure responses.",
"type": "boolean",
"default": false
},
"domains": {
"description": "The allowed values for the `hd` claim.",
"type": "array",
"items": {
"type": "string"
}
},
"downstream_access_token_header": {
"description": "The downstream access token header.",
"type": "string"
},
"downstream_access_token_jwk_header": {
"description": "The downstream access token JWK header.",
"type": "string"
},
"downstream_headers": {
"description": "The downstream claim to header mappings.",
"type": "array",
"items": {
"properties": {
"header": {
"description": "The name of the header.",
"type": "string"
},
"path": {
"description": "The path of the header value.",
"type": "array",
"items": {
"type": "string"
},
"minLength": 1
}
},
"required": [
"header",
"path"
],
"type": "object"
}
},
"downstream_headers_claims": {
"description": "The downstream header claims. Only top level claims are supported.",
"type": "array",
"items": {
"type": "string"
}
},
"downstream_headers_names": {
"description": "The downstream header names for the claim values.",
"type": "array",
"items": {
"type": "string"
}
},
"downstream_id_token_header": {
"description": "The downstream id token header.",
"type": "string"
},
"downstream_id_token_jwk_header": {
"description": "The downstream id token JWK header.",
"type": "string"
},
"downstream_introspection_header": {
"description": "The downstream introspection header.",
"type": "string"
},
"downstream_introspection_jwt_header": {
"description": "The downstream introspection JWT header.",
"type": "string"
},
"downstream_refresh_token_header": {
"description": "The downstream refresh token header.",
"type": "string"
},
"downstream_session_id_header": {
"description": "The downstream session id header.",
"type": "string"
},
"downstream_user_info_header": {
"description": "The downstream user info header.",
"type": "string"
},
"downstream_user_info_jwt_header": {
"description": "The downstream user info JWT header (in case the user info returns a JWT response).",
"type": "string"
},
"dpop_proof_lifetime": {
"description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwis
# --- truncated at 32 KB (94 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/kong/refs/heads/main/json-schema/kong-openidconnectpluginconfig-schema.json