OIDCAuthContent

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| client_id | Yes | String | Client ID registered with the identity provider (IdP). |
| client_secret | Yes | String | Client secret issued by the IdP. This field is anonymized when the query API is called to view plug-in details. |
| discovery | Yes | String | Discovery (well-known configuration) URL exposed by the IdP. |
| redirect_api_id | Yes | String | ID of the redirect API. This API is bound to the plug-in and serves as the entry point for IdP redirection. Set this API's URL as the redirection address of the IdP client, for example, the Valid redirect URIs parameter of a Keycloak client. The paths of other service APIs bound to the plug-in must not be the same as the path of this redirect API; otherwise, the API cannot be called. The redirect API is part of the plug-in's functions and cannot be deleted within the plug-in lifecycle. |
| scope | No | String | User information to be returned in the authorization code flow. The default value is openid email profile. You can add other scopes, separated by spaces, for example, openid email profile phone. |
| logout_api_id | No | String | ID of the logout API. This API is bound to the plug-in and serves as the logout path; users are logged out when they call it. The paths of other service APIs bound to the plug-in must not be the same as the path of this logout API; otherwise, the API cannot be called. The logout API is part of the plug-in's functions and cannot be deleted within the plug-in lifecycle. |
| access_token_expires_in | No | Integer | Expiration time of an access token, in seconds. This value is used only when the token response from the IdP does not include an expiration time. The default value is 3,600 seconds. |
| jwt_cache_enabled | No | Boolean | Whether to cache the token verification result in APIG. Enabled by default. |
| jwks_enabled | No | Boolean | Whether to fetch the public key for token verification from the jwks_uri advertised in the discovery document. Set this parameter to true if the IdP provides a JWK configuration; otherwise, configure public_key to verify the token. The default value is true. |
| public_key | No | String | Public key of the asymmetric algorithm used to sign the token, in PEM format. The plug-in verifies the token with either public_key or the IdP's JWK, so at least one of public_key and jwks_enabled must be configured; otherwise, the token cannot be verified. If both are configured, the plug-in uses public_key. |
| redirect_after_logout_uri | No | String | Address to redirect to after a user calls the plug-in's logout API. |
| slient_renew_access_token_enabled | No | Boolean | Whether APIG silently renews the access token when it expires. Silent renewal is enabled by default. |
| set_access_token_header_enabled | No | Boolean | Whether to pass the access token through to the service backend in the Authorization request header. Enabled by default. |
| set_userinfo_header_enabled | No | Boolean | Whether to place the user information in the X-Userinfo request header and pass it through to the service backend in the authorization code flow. Enabled by default. |
| auth_header_name | No | String | Name of the request header that carries the access token. Default: Authorization. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| client_id | Yes | String | Client ID registered with the identity provider (IdP). |
| discovery | Yes | String | Discovery (well-known configuration) URL exposed by the IdP. |
| redirect_api_id | Yes | String | ID of the redirect API. This API is bound to the plug-in and serves as the entry point for IdP redirection. Set this API's URL as the redirection address of the IdP client, for example, the Valid redirect URIs parameter of a Keycloak client. The paths of other service APIs bound to the plug-in must not be the same as the path of this redirect API; otherwise, the API cannot be called. The redirect API is part of the plug-in's functions and cannot be deleted within the plug-in lifecycle. |
| scope | No | String | User information to be returned in the authorization code flow. The default value is openid email profile. You can add other scopes, separated by spaces, for example, openid email profile phone. |
| logout_api_id | No | String | ID of the logout API. This API is bound to the plug-in and serves as the logout path; users are logged out when they call it. The paths of other service APIs bound to the plug-in must not be the same as the path of this logout API; otherwise, the API cannot be called. The logout API is part of the plug-in's functions and cannot be deleted within the plug-in lifecycle. |
| access_token_expires_in | No | Integer | Expiration time of an access token, in seconds. This value is used only when the token response from the IdP does not include an expiration time. The default value is 3,600 seconds. |
| jwt_cache_enabled | No | Boolean | Whether to cache the token verification result in APIG. Enabled by default. |
| jwks_enabled | No | Boolean | Whether to fetch the public key for token verification from the jwks_uri advertised in the discovery document. Set this parameter to true if the IdP provides a JWK configuration; otherwise, configure public_key to verify the token. The default value is true. |
| public_key | No | String | Public key of the asymmetric algorithm used to sign the token, in PEM format. The plug-in verifies the token with either public_key or the IdP's JWK, so at least one of public_key and jwks_enabled must be configured; otherwise, the token cannot be verified. If both are configured, the plug-in uses public_key. |
| redirect_after_logout_uri | No | String | Address to redirect to after a user calls the plug-in's logout API. |
| slient_renew_access_token_enabled | No | Boolean | Whether APIG silently renews the access token when it expires. Silent renewal is enabled by default. |
| set_access_token_header_enabled | No | Boolean | Whether to pass the access token through to the service backend in the Authorization request header. Enabled by default. |
| set_userinfo_header_enabled | No | Boolean | Whether to place the user information in the X-Userinfo request header and pass it through to the service backend in the authorization code flow. Enabled by default. |
| auth_header_name | No | String | Name of the request header that carries the access token. Default: Authorization. |
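The following is an added example, not APIG's own code, that checks an OIDCAuthContent object against the constraints stated in both tables above before it is submitted: the mandatory fields, the rule that at least one of `jwks_enabled` and `public_key` must be configured, the space-separated `scope` format, the positive integer expiry, and the rule that the redirect and logout API paths must not be shared with other APIs bound to the plug-in. It also shows the documented defaults merged in and the `client_secret` masking that the query API applies. The `api_paths` mapping, the `validate`, `effective` and `redact_for_query` function names, the sample values, and the https check on `discovery` are assumptions of this example, not part of the documentation.

```python
"""Pre-submission checks for an APIG OIDC auth plug-in content object.

Added example, not Huawei Cloud's code. api_paths is a constructed stand-in
for the API-ID-to-path lookup that APIG performs for APIs bound to the plug-in.
"""
import re

# Defaults as documented in the parameter table (parameter names verbatim).
DEFAULTS = {
    "scope": "openid email profile",
    "access_token_expires_in": 3600,
    "jwt_cache_enabled": True,
    "jwks_enabled": True,
    "slient_renew_access_token_enabled": True,
    "set_access_token_header_enabled": True,
    "set_userinfo_header_enabled": True,
    "auth_header_name": "Authorization",
}

MANDATORY = ("client_id", "client_secret", "discovery", "redirect_api_id")

# Loose PEM check: a BEGIN/END PUBLIC KEY envelope with a base64 body.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PUBLIC KEY-----\s*[A-Za-z0-9+/=\s]+-----END (?:RSA |EC )?PUBLIC KEY-----")


def effective(content: dict) -> dict:
    """Return the content with documented defaults filled in for absent keys."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in content.items() if v is not None})
    return merged


def validate(content: dict, api_paths: dict) -> list:
    """Return a list of problems; an empty list means the content passes every check."""
    problems = []
    for key in MANDATORY:
        if not content.get(key):
            problems.append(f"{key} is mandatory")

    # Assumption beyond the table: the discovery document should be fetched over TLS.
    discovery = str(content.get("discovery", ""))
    if discovery and not discovery.startswith("https://"):
        problems.append("discovery should be an https URL")

    eff = effective(content)

    # Scopes are space separated; "openid" is required by OIDC for the code flow.
    scopes = str(eff["scope"]).split()
    if "openid" not in scopes:
        problems.append("scope must include openid")

    exp = eff["access_token_expires_in"]
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= 0:
        problems.append("access_token_expires_in must be a positive integer (seconds)")

    # Token verification needs either the IdP's JWKS or a configured PEM public key.
    public_key = eff.get("public_key")
    if not eff["jwks_enabled"] and not public_key:
        problems.append("token cannot be verified: enable jwks_enabled or set public_key")
    if public_key and not PEM_RE.search(public_key):
        problems.append("public_key must be a PEM-encoded public key")

    # Redirect and logout APIs must be bound and must not share a path with another bound API.
    for role in ("redirect_api_id", "logout_api_id"):
        api_id = content.get(role)
        if not api_id:
            continue
        if api_id not in api_paths:
            problems.append(f"{role} {api_id} is not bound to the plug-in")
            continue
        path = api_paths[api_id]
        clashes = sorted(i for i, p in api_paths.items() if i != api_id and p == path)
        if clashes:
            problems.append(f"{role} path {path} is shared with {', '.join(clashes)}")
    return problems


def redact_for_query(content: dict) -> dict:
    """Mirror the query API's behaviour: client_secret is anonymized when details are viewed."""
    shown = dict(content)
    if "client_secret" in shown:
        shown["client_secret"] = "******"
    return shown


# Constructed sample content and a constructed API-ID-to-path map.
SAMPLE_CONTENT = {
    "client_id": "apig-demo-client",
    "client_secret": "placeholder-secret",
    "discovery": "https://idp.example.com/realms/demo/.well-known/openid-configuration",
    "redirect_api_id": "api-redirect",
    "logout_api_id": "api-logout",
    "scope": "openid email profile phone",
}
SAMPLE_PATHS = {"api-redirect": "/oidc/callback", "api-logout": "/oidc/logout", "api-orders": "/orders"}

if __name__ == "__main__":
    print(validate(SAMPLE_CONTENT, SAMPLE_PATHS))
    print(redact_for_query(SAMPLE_CONTENT))
```

Run the checks against the content you intend to send to the plug-in creation or update API; a non-empty result points at the exact table rule that would be violated, which is cheaper than discovering an unverifiable token or an unreachable API after deployment.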