Skip to main content

Parameters

See plugin common configurations for configuration options available to all plugins.

  • client_id

    string

    required

    Client ID.

  • client_secret

    string

    Client secret. The value is encrypted with AES before saving to etcd. You can also keep secrets in a secret manager, such as HashiCorp Vault's KV secrets engine. See secrets for more details.

  • discovery

    string

    URL to the discovery document.

  • token_endpoint

    string

    Token endpoint that supports the urn:ietf:params:oauth:grant-type:uma-ticket grant type to obtain access token. If provided, override the value from the discovery document.

  • resource_registration_endpoint

    string

    A UMA-compliant resource registration endpoint. Required when lazy_load_paths is true. The plugin will first look for the resource registration endpoint from this configuration option; if not found, look for the resource registration endpoint from the discovery document.

  • grant_type

    string

    default: urn:ietf:params:oauth:grant-type:uma-ticket

    vaild vaule:

    urn:ietf:params:oauth:grant-type:uma-ticket

    Must be set to urn:ietf:params:oauth:grant-type:uma-ticket.

  • policy_enforcement_mode

    string

    default: ENFORCING

    vaild vaule:

    ENFORCING or PERMISSIVE

    The mode of policy enforcement.

    In ENFORCING mode, requests are denied when there is no policy associated with a given resource.

    In PERMISSIVE mode, requests are allowed when there is no policy associated with a given resource.

  • permissions

    array[string]

    An array of permissions representing a set of resources and scopes the client is seeking access. The format could be RESOURCE_ID#SCOPE_ID,RESOURCE_ID, or #SCOPE_ID. Used when lazy_load_paths is false. See obtaining permissions.

  • lazy_load_paths

    string

    default: false

    If true, require discovery or resource registration endpoint to dynamically resolve the request URI to resources. See lazy-load-paths.

    Note that this requires the plugin to obtain a separate access token for itself from the token endpoint. Therefore, make sure you check the Service Accounts Enabled option in Keycloak to allow for client credentials grant. Also make sure that the issued access token contains the resource_access claim with the uma_protection role for plugin to query resources through the Protection API.

  • http_method_as_scope

    boolean

    default: false

    If true, use the HTTP method of the request as the scope to check whether access should be granted.

    In the case where lazy_load_paths is set to false, the plugin adds the mapped scope to any of the static permissions configured in the permissions attribute, even when they contain one or more scopes already.

  • timeout

    integer

    default: 3000

    vaild vaule:

    greater or equal to 1000

    Timeout in milliseconds for the HTTP connection with the identity provider.

  • access_token_expires_in

    integer

    default: 300

    vaild vaule:

    greater or equal to 1

    Lifetime of the access token in seconds if no expires_in attribute is present in the token endpoint response.

  • access_token_expires_leeway

    integer

    vaild vaule:

    greater or equal to 0

    Expiration leeway in seconds for access token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

  • refresh_token_expires_in

    integer

    default: 3600

    vaild vaule:

    greater than 0

    Expiration time of the refresh token in seconds.

  • refresh_token_expires_leeway

    integer

    vaild vaule:

    greater or equal to 0

    Expiration leeway in seconds for refresh token renewal. When set to a value greater than 0, token renewal will take place the set amount of time before token expiration. This avoids errors in case the access token just expires when arriving to the resource server.

  • ssl_verify

    boolean

    default: false

    If true, verify the OpenID provider's SSL certificates.

  • cache_ttl_seconds

    integer

    default: 86400

    vaild vaule:

    greater than 0

    TTL in seconds for the plugin to cache discovery document and access tokens.

  • keepalive

    boolean

    default: true

    If true, enable HTTP keep-alive to keep connections open after use. Set to true if you are expecting a lot of requests to Keycloak.

  • keepalive_timeout

    integer

    default: 60000

    vaild vaule:

    greater or equal to 1000

    Idle time after which the established HTTP connections will be closed.

  • keepalive_pool

    integer

    default: 5

    vaild vaule:

    greater or equal to 1

    Maximum number of connections in the connection pool.

  • access_denied_redirect_uri

    string

    URI to redirect the user to instead of returning an error message like "error_description":"not_authorized" when access is denied.

  • password_grant_token_generation_incoming_uri

    string

    The URI incoming requests hit to generate token in the password grant, for example, /api/token. If the incoming request's URI matches the configured value, the request method is POST, and Content-Type is application/x-www-form-urlencoded, a token is generated at the token_endpoint.

API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud
API7 Enterprise
API Portal
Roadmap

Open Source

Apache APISIX
K8s Ingress Controller
wasm-nginx-module
Contributor Graph

Resources

Blog
Documentation
NGINX + Lua
APISIX vs Kong
APISIX vs NGINX

Company

About
Contact
Compliance Standards
Partners
Terms & Privacy
SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2025. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation