Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

  • client_id

    string


    required


    Client ID.

  • client_secret

    string


    Client secret. The value is encrypted with AES before saving to etcd. You can also keep secrets in a secret manager, such as HashiCorp Vault's KV secrets engine. See secrets for more details.

  • discovery

    string


    URL to the discovery document.

  • token_endpoint

    string


    Token endpoint that supports the urn:ietf:params:oauth:grant-type:uma-ticket grant type to obtain access token. If provided, override the value from the discovery document.

  • resource_registration_endpoint

    string


    A UMA-compliant resource registration endpoint. Required when lazy_load_paths is true. The plugin will first look for the resource registration endpoint from this configuration option; if not found, look for the resource registration endpoint from the discovery document.

  • grant_type

    string


    default: urn:ietf:params:oauth:grant-type:uma-ticket


    vaild vaule:

    urn:ietf:params:oauth:grant-type:uma-ticket


    Must be set to urn:ietf:params:oauth:grant-type:uma-ticket.

  • policy_enforcement_mode

    string


    default: ENFORCING


    vaild vaule:

    ENFORCING or PERMISSIVE


    The mode of policy enforcement.

    In ENFORCING mode, requests are denied when there is no policy associated with a given resource.

    In PERMISSIVE mode, requests are allowed when there is no policy associated with a given resource.

  • permissions

    array[string]


    An array of permissions representing a set of resources and scopes the client is seeking access. The format could be RESOURCE_ID#SCOPE_ID,RESOURCE_ID, or #SCOPE_ID. Used when lazy_load_paths is false. See obtaining permissions.

  • lazy_load_paths

    string


    default: false


    If true, require discovery or resource registration endpoint to dynamically resolve the request URI to resources. See lazy-load-paths.

    Note that this requires the plugin to obtain a separate access token for itself from the token endpoint. Therefore, make sure you check the Service Accounts Enabled option in Keycloak to allow for client credentials grant. Also make sure that the issued access token contains the resource_access claim with the uma_protection role for plugin to query resources through the Protection API.

  • http_method_as_scope

    boolean


    default: false


    If true, use the HTTP method of the request as the scope to check whether access should be granted.

    In the case where lazy_load_paths is set to false, the plugin adds the mapped scope to any of the static permissions configured in the permissions attribute, even when they contain one or more scopes already.

  • timeout

    integer


    default: 3000


    vaild vaule:

    greater or equal to 1000


    Timeout in milliseconds for the HTTP connection with the identity provider.

  • access_token_expires_in

    integer


    default: 300


    vaild vaule:

    greater or equal to 1


    Lifetime of the access token in seconds if no expires_in attribute is present in the token endpoint response.

  • access_token_expires_leeway

    integer


    vaild vaule:

    greater or equal to 0


    Expiration leeway in seconds for access token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

  • refresh_token_expires_in

    integer


    default: 3600


    vaild vaule:

    greater than 0


    Expiration time of the refresh token in seconds.

  • refresh_token_expires_leeway

    integer


    vaild vaule:

    greater or equal to 0


    Expiration leeway in seconds for refresh token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

  • ssl_verify

    boolean


    default: false


    If true, verify the OpenID provider's SSL certificates.

  • cache_ttl_seconds

    integer


    default: 86400


    vaild vaule:

    greater than 0


    TTL in seconds for the plugin to cache discovery document and access tokens.

  • keepalive

    boolean


    default: true


    If true, enable HTTP keep-alive to keep connections open after use. Set to true if you are expecting a lot of requests to Keycloak.

  • keepalive_timeout

    integer


    default: 60000


    vaild vaule:

    greater or equal to 1000


    Idle time after which the established HTTP connections will be closed.

  • keepalive_pool

    integer


    default: 5


    vaild vaule:

    greater or equal to 1


    Maximum number of connections in the connection pool.

  • access_denied_redirect_uri

    string


    URI to redirect the user to instead of returning an error message like "error_description":"not_authorized" when access is denied.

  • password_grant_token_generation_incoming_uri

    string


    The URI incoming requests hit to generate token in the password grant, for example, /api/token. If the incoming request's URI matches the configured value, the request method is POST, and Content-Type is application/x-www-form-urlencoded, a token is generated at the token_endpoint.


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation