Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

  • client_id

    string


    required


    Client ID.

  • client_secret

    string


    required


    Client secret. The value is encrypted with AES before saving to etcd.

  • discovery

    string


    required


    URL to the well-known discovery document of the OpenID provider, which contains a list of OP API endpoints. The plugin can directly utilize the endpoints from the discovery document. You can also configure these endpoints individually, which takes precedence over the endpoints supplied in the discovery document.

  • scope

    string


    default: openid


    OIDC scope that corresponds to information that should be returned about the authenticated user, also known as claims. This is used to authorize users with proper permission. The default value is openid, the required scope for OIDC to return a sub claim that uniquely identifies the authenticated user.

    Additional scopes can be appended and delimited by spaces, such as openid email profile.

  • required_scopes

    array[string]


    Scopes required to be present in the access token. Used in conjunction with the introspection endpoint when bearer_only is true. If any required scope is missing, the plugin rejects the request with a 403 forbidden error.

  • realm

    string


    default: apisix


    Realm in WWW-Authenticate response header accompanying a 401 unauthorized request due to invalid bearer token.

  • bearer_only

    boolean


    default: false


    If true, strictly require bearer access token in requests for authentication.

  • logout_path

    string


    default: /logout


    Path to activate the logout.

  • post_logout_redirect_uri

    string


    default: /logout


    URL to redirect users to after the logout_path receive a request to log out.

  • redirect_uri

    string


    default: `${ngx.var.request_uri}/.apisix/redirect`


    URI to redirect to after authentication with the OpenID provider.

    Note that the redirect URI should not be the same as the request URI, but a sub-path of the request URI. For example, if the uri of the route is /api/v1/*, redirect_uri can be configured as /api/v1/redirect.

    If redirect_uri is not configured, APISIX will append /.apisix/redirect to the request URI to determine the value for redirect_uri.

  • timeout

    integer


    default: 3


    vaild vaule:

    greater than 0


    Request timeout in seconds.

  • timeout

    integer


    default: 3


    vaild vaule:

    greater than 0


    Request timeout in seconds.

  • ssl_verify

    boolean


    default: false


    If true, verify the OpenID provider 's SSL certificates.

  • introspection_endpoint

    string


    URL of the token introspection endpoint for the OpenID provider used to introspect access tokens. If this is unset, the introspection endpoint presented in the well-known discovery document is used as a fallback.

  • introspection_endpoint_auth_method

    string


    default: client_secret_basic


    Authentication method for the token introspection endpoint. The value should be one of the authentication methods specified in the introspection_endpoint_auth_methods_supported authorization server metadata as seen in the well-known discovery document, such as client_secret_basic, client_secret_post, private_key_jwt, and client_secret_jwt.

  • token_endpoint_auth_method

    string


    default: client_secret_basic


    Authentication method for the token endpoint. The value should be one of the authentication methods specified in the token_endpoint_auth_methods_supported authorization server metadata as seen in the well-known discovery document, such as client_secret_basic, client_secret_post, private_key_jwt, and client_secret_jwt.

    If the configured method is not supported, fall back to the first method in the token_endpoint_auth_methods_supported array.

  • client_rsa_private_key

    string


    Client RSA private key used to sign JWT for authentication to the OP. Required when token_endpoint_auth_method is private_key_jwt.

  • client_rsa_private_key_id

    string


    Client RSA private key ID used to compute a signed JWT. Optional when token_endpoint_auth_method is private_key_jwt.

  • client_jwt_assertion_expires_in

    integer


    default: 60


    Life duration of the signed JWT for authentication to the OP, in seconds. Used when token_endpoint_auth_method is private_key_jwt or client_secret_jwt.

  • public_key

    string


    Public key used to verify JWT signature id asymmetric algorithm is used. Providing this value to perform token verification will skip token introspection in client credentials flow.

    You can pass the public key in -----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY----- format.

  • token_signing_alg_values_expected

    string


    Algorithm used for signing JWT, such as RS256.

  • set_access_token_header

    boolean


    default: true


    If true, set the access token in a request header. By default, the X-Access-Token header is used.

  • access_token_in_authorization_header

    boolean


    If true and if set_access_token_header is also true, set the access token in the Authorization header.

  • accept_none_alg

    boolean


    default: false


    Set to true if the OpenID provider does not sign its ID token, such as when the signature algorithm is set to none.

  • use_jwks

    boolean


    default: false


    If true and if public_key is not set, use the JWKS to verify JWT signature and skip token introspection in client credentials flow. The JWKS endpoint is parsed from the discovery document.

  • jwk_expires_in

    integer


    default: 86400


    Expiration time for JWK cache in seconds.

  • jwt_verification_cache_ignore

    boolean


    default: false


    If true, force re-verification for a bearer token and ignore any existing cached verification results.

  • cache_segment

    string


    Optional name of a cache segment, used to separate and differentiate caches used by token introspection or JWT verification.

  • use_pkce

    boolean


    default: false


    If true, use the Proof Key for Code Exchange (PKCE) for Authorization Code Flow as defined in RFC 7636.

  • set_id_token_header

    boolean


    default: true


    If true and if the ID token is available, set the value in the X-ID-Token request header.

  • set_userinfo_header

    boolean


    default: true


    If true and if user info data is available, set the value in the X-Userinfo request header.

  • set_refresh_token_header

    boolean


    default: false


    If true and if the refresh token is available, set the value in the X-Refresh-Token request header.

  • session

    object


    Session configuration used when bearer_only is false and the plugin uses Authorization Code flow.

    • secret

      string


      vaild vaule:

      16 or more characters


      Key used for session encryption and HMAC operation when bearer_only is false. It is automatically generated and saved to etcd if not configured.

      When using APISIX in the standalone mode where etcd is no longer the configuration center, the secret should be configured.

    • cookie

      object


      Cookie configurations.

      • lifetime

        integer


        default: 3600


        Cookie lifetime in seconds.

  • unauth_action

    string


    default: auth


    vaild vaule:

    auth, deny, or pass


    Action for unauthenticated requests.

    When set to auth, redirect to the authentication endpoint of the OpenID provider.

    When set to pass, allow the request without authentication.

    When set to deny, return 401 unauthenticated responses rather than start the authorization code grant flow.

  • proxy_opts

    object


    Configurations for the proxy server that the OpenID provider is behind.

    • http_proxy

      string


      Proxy server address for HTTP requests, such as http://<proxy_host>:<proxy_port>.

    • https_proxy

      string


      Proxy server address for HTTPS requests, such as http://<proxy_host>:<proxy_port>.

    • http_proxy_authorization

      string


      Default Proxy-Authorization header value to be used with http_proxy. Can be overriden with custom Proxy-Authorization request header.

    • https_proxy_authorization

      string


      Default Proxy-Authorization header value to be used with https_proxy. Cannot be overriden with custom Proxy-Authorization request header since with HTTPS, the authorization is completed when connecting.

    • no_proxy

      string


      Comma separated list of hosts that should not be proxied.

  • authorization_params

    object


    Additional parameters to send in the request to the authorization endpoint.

  • renew_access_token_on_expiry

    boolean


    default: true


    If true, attempt to silently renew the access token when it expires or if a refresh token is available. If the token fails to renew, redirect user for re-authentication.

  • access_token_expires_in

    integer


    default: 3600


    Lifetime of the access token in seconds if no expires_in attribute is present in the token endpoint response.

  • refresh_session_interval

    integer


    Time interval to refresh user ID token without re-authentication. When not set, the plugin will not attempt to silently renew.

  • iat_slack

    integer


    default: 120


    Tolerance of clock skew in seconds with the iat claim in an ID token.

  • introspection_expiry_claim

    string


    default: exp


    Name of the expiry claim, which controls the TTL of the cached and introspected access token.

  • introspection_interval

    integer


    TTL of the cached and introspected access token in seconds.

    The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in introspection_expiry_claim.

    If introspection_interval is larger than 0 and less than the TTL passed by expiry claim defined in introspection_expiry_claim, use introspection_interval.

  • introspection_addon_headers

    array[string]


    Array of strings. Used to append additional header values to the introspection HTTP request. If the specified header does not exist in the original request, header value will not be appended.

  • accept_unsupported_alg

    boolean


    default: true


    If true, ignore ID token signature to accept unsupported signature algorithm.

  • access_token_expires_leeway

    integer


    Expiration leeway in seconds for access token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

  • force_reauthorize

    boolean


    default: false


    If true, execute the authorization flow even when a token has been cached.

  • use_nonce

    boolean


    default: false


    If true, enable nonce parameter in authorization request.

  • revoke_tokens_on_logout

    boolean


    default: false


    If true, notify the authorization server a previously obtained refresh or access token is no longer needed at the revocation endpoint.


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation