Client ID.

Client secret. The value is encrypted with AES before saving to etcd.

URL to the well-known discovery document of the OpenID provider, which contains a list of OP API endpoints. The plugin can directly utilize the endpoints from the discovery document. You can also configure these endpoints individually, which takes precedence over the endpoints supplied in the discovery document.

OIDC scope that corresponds to information that should be returned about the authenticated user, also known as claims. This is used to authorize users with proper permission. The default value is openid, the required scope for OIDC to return a sub claim that uniquely identifies the authenticated user.

Additional scopes can be appended and delimited by spaces, such as openid email profile.

Scopes required to be present in the access token. Used in conjunction with the introspection endpoint when bearer_only is true. If any required scope is missing, the plugin rejects the request with a 403 forbidden error.

Realm in WWW-Authenticate response header accompanying a 401 unauthorized request due to invalid bearer token.

If true, strictly require bearer access token in requests for authentication.

Path to activate the logout.

URL to redirect users to after the logout_path receive a request to log out.

URI to redirect to after authentication with the OpenID provider.

Note that the redirect URI should not be the same as the request URI, but a sub-path of the request URI. For example, if the uri of the route is /api/v1/*, redirect_uri can be configured as /api/v1/redirect.

If redirect_uri is not configured, APISIX will append /.apisix/redirect to the request URI to determine the value for redirect_uri.

Request timeout in seconds.

Request timeout in seconds.

If true, verify the OpenID provider 's SSL certificates.

URL of the token introspection endpoint for the OpenID provider used to introspect access tokens. If this is unset, the introspection endpoint presented in the well-known discovery document is used as a fallback.

Authentication method for the token introspection endpoint. The value should be one of the authentication methods specified in the introspection_endpoint_auth_methods_supported authorization server metadata as seen in the well-known discovery document, such as client_secret_basic, client_secret_post, private_key_jwt, and client_secret_jwt.

Authentication method for the token endpoint. The value should be one of the authentication methods specified in the token_endpoint_auth_methods_supported authorization server metadata as seen in the well-known discovery document, such as client_secret_basic, client_secret_post, private_key_jwt, and client_secret_jwt.

If the configured method is not supported, fall back to the first method in the token_endpoint_auth_methods_supported array.

Client RSA private key used to sign JWT for authentication to the OP. Required when token_endpoint_auth_method is private_key_jwt.

Client RSA private key ID used to compute a signed JWT. Optional when token_endpoint_auth_method is private_key_jwt.

Life duration of the signed JWT for authentication to the OP, in seconds. Used when token_endpoint_auth_method is private_key_jwt or client_secret_jwt.

Public key used to verify JWT signature id asymmetric algorithm is used. Providing this value to perform token verification will skip token introspection in client credentials flow.

You can pass the public key in -----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY----- format.

Algorithm used for signing JWT, such as RS256.

Set to true if the OpenID provider does not sign its ID token, such as when the signature algorithm is set to none.

If true and if public_key is not set, use the JWKS to verify JWT signature and skip token introspection in client credentials flow. The JWKS endpoint is parsed from the discovery document.

Expiration time for JWK cache in seconds.

If true, force re-verification for a bearer token and ignore any existing cached verification results.

Optional name of a cache segment, used to separate and differentiate caches used by token introspection or JWT verification.

If true, use the Proof Key for Code Exchange (PKCE) for Authorization Code Flow as defined in RFC 7636.

If true and if the ID token is available, set the value in the X-ID-Token request header.

If true and if user info data is available, set the value in the X-Userinfo request header.

If true and if the refresh token is available, set the value in the X-Refresh-Token request header.

Action for unauthenticated requests.

When set to auth, redirect to the authentication endpoint of the OpenID provider.

When set to pass, allow the request without authentication.

When set to deny, return 401 unauthenticated responses rather than start the authorization code grant flow.

Additional parameters to send in the request to the authorization endpoint.

If true, attempt to silently renew the access token when it expires or if a refresh token is available. If the token fails to renew, redirect user for re-authentication.

Lifetime of the access token in seconds if no expires_in attribute is present in the token endpoint response.

Time interval to refresh user ID token without re-authentication. When not set, the plugin will not attempt to silently renew.

Tolerance of clock skew in seconds with the iat claim in an ID token.

Name of the expiry claim, which controls the TTL of the cached and introspected access token.

TTL of the cached and introspected access token in seconds.

The default value is 0, which means this option is not used and the plugin defaults to use the TTL passed by expiry claim defined in introspection_expiry_claim.

If introspection_interval is larger than 0 and less than the TTL passed by expiry claim defined in introspection_expiry_claim, use introspection_interval.

If true, ignore ID token signature to accept unsupported signature algorithm.

Expiration leeway in seconds for access token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

If true, execute the authorization flow even when a token has been cached.

If true, enable nonce parameter in authorization request.

If true, notify the authorization server a previously obtained refresh or access token is no longer needed at the revocation endpoint.