Type: object
Schema URL https://catalog.lintel.tools/schemas/schemastore/dwp-exchange-gateway/_shared/latest--oidc_websso-plugin-schema.json
Parent schema dwp-exchange-gateway

Properties

identity_provider string required

The identity provider the plugin will interact with to carry out the OpenID Connect authorization code flow

Values: "dth-sandbox" "dth-test" "dth-live" "dth-staging" "dth-stub" "azure-ad" "dth2-sandbox" "dth2-sandbox-sra" "dth2-dev" "dth2-test" "dth2-staging" "dth2-live" "dth2-sra" "dth2-dev-domino" "dth2-dev-onelogin" "dth2-test-onelogin" "idt-dev-ol-sradam" "idt-test-ol-sradam" "idt-stage-ol-sradam" "nhs-dev-simple" "nhs-dev" "nhs-int" "nhs-live" "keycloak-local" "keycloak-local-rp-logout" "ame-payments-dev" "ame-payments-test" "ame-payments-prestag" "ame-payments-perf" "syf-cognito-dev" "syf-cognito-test" "dam-dev"
use_internet boolean

Determines whether the JWKS endpoints of your IDP are internet facing

Default: false
additional_scopes string[]

Additional scopes to request from the authorization endpoint

audience_required string[]

The audience required to be present in the access token (or introspection results) for successful authorization.

client_id string

Reference to the client ID environment variable in the gateway; refer to the gateway module for details

minLength=2
pattern=^(\{vault://env/|[^{]).*$
redirect_uri string

The redirect URI passed to the authorization and token endpoints

format=uri
pattern=^(http|https)://[^ "]+$
uplift object

Uplift configuration to allow moving from a lower confidence_level to a higher one

2 nested properties
enabled boolean required

Whether to enable uplift

Default: true
redirect_uri string

Gateway URI to redirect the user to for uplift. If omitted, the redirect defaults to the route's host and path, and any query arguments are preserved

format=uri
pattern=^(http|https)://[^ "]+$
leeway integer

Defines the leeway (in seconds) allowed when validating the time authentication occurred (auth_time), the expiration time after which the token must not be accepted (exp), the time at which the JWT was issued (iat), and the not-before claim, which specifies the time before which the token must not be accepted (nbf).

Default: 0
max=2
logout boolean

If true, this route will not forward to the upstream application. Instead, it will end the user's session and redirect to the IDP's logout URI. The IDP's logout URI will then redirect to the application's logout confirmation page, which should have a different path than the logout path, for example, /logout and /signed-out.

Default: false
logout_redirect_uri string

Where to redirect the client on logout

format=uri
pattern=^(http|https)://[^ "]+$
post_logout_redirect_uri string

Where to redirect the client on logout (for RP Initiated Logout)

format=uri
pattern=^(http|https)://[^ "]+$
logout_revoke boolean

If true, the plugin will attempt to revoke the token before redirecting to the IDP's logout URI

Default: false
logout_uri_suffix string

The request URI suffix that activates the logout process

logout_methods enum[]

The request methods that can activate the logout process

logout_query_arg string

The query argument that activates the logout process

stub_hostname string

The hostname used for dth-stub

format=uri
pattern=^(http|https)://[^ "]+$
unauthorized_redirect_uri string

Where to redirect the client on unauthorized requests

format=uri
pattern=^(http|https)://[^ "]+$
forbidden_redirect_uri string

Where to redirect the client on forbidden requests

format=uri
pattern=^(http|https)://[^ "]+$
unexpected_redirect_uri string

Where to redirect the client when unexpected errors happen with the requests

format=uri
pattern=^(http|https)://[^ "]+$
groups_required string[]

The groups required to be present in the access token (or introspection results) for successful authorization.

preserve_query_args boolean

Whether to preserve query arguments even when doing authorization code flow

Default: false
verify_parameters boolean

Verify plugin configuration against discovery

Default: true
session object
5 nested properties
redis object required
11 nested properties
prefix string
host string
port integer
ssl boolean
ssl_verify boolean
connect_timeout integer
read_timeout integer
send_timeout integer
auth_enabled boolean
Default: true
username string
password string
cookie_name string

The session cookie name

Default: "exchange-gateway-session"
minLength=2
cookie_idletime number

The session cookie idle time in seconds

cookie_renew number

The number of seconds prior to the session_cookie_lifetime that the session cookie will be renewed

cookie_lifetime number

The session cookie lifetime in seconds. The default is 1800 seconds (30 minutes)

Default: 1800
client_secret array

Reference to the client secret environment variable in the gateway; refer to the gateway module for details

pattern=^\{vault://env/[\w|-]+/?[\w|-]+\}$
confidence_level enum

Extra query argument values passed to the authorization endpoint

Values: "zero" "medium"
http_proxy string

The URL of the HTTP proxy to use for outgoing requests

Examples: "https://proxy.example.com:3128"
format=uri
pattern=^(http|https)://[^ "]+$
https_proxy string

The URL of the HTTPS proxy to use for outgoing requests

Examples: "https://proxy.example.com:3128"
format=uri
pattern=^(http|https)://[^ "]+$
forward_query_args string[]

Extra query arguments passed from the client to the authorization endpoint.

ui_locales string

ui_locales URL query-parameter value(s) to pass to the logout endpoint

Examples: "fr FR; en GB"