Package io.helidon.security.providers.oidc.common

Class OidcConfig.Builder

    • Constructor Detail

      • Builder

        public Builder()

    • Method Detail

      • build

        public OidcConfig build()
        Description copied from interface: Builder
        Build the instance from this builder.
        Specified by:
        build in interface Builder<OidcConfig>
        Returns:
        instance of the built type

      • config

        public OidcConfig.Builder config​(Config config)
        Update this builder with values from configuration.
        Parameters:
        config - configuration located on node with OIDC configuration keys (e.g. client-id)
        Returns:
        updated builder instance

      • redirect

        public OidcConfig.Builder redirect​(boolean redirect)
        By default the client should redirect to the identity server for the user to log in. This behavior can be overridden by setting redirect to false. When token is not present in the request, the client will not redirect and just return appropriate error response code.
        Parameters:
        redirect - Whether to redirect to OIDC server in case the request does not contain sufficient information to authenticate the user, defaults to true
        Returns:
        updated builder instance

      • realm

        public OidcConfig.Builder realm​(String realm)
        Realm to return when not redirecting and an error occurs that sends back WWW-Authenticate header.
        Parameters:
        realm - realm name
        Returns:
        updated builder instance

      • audience

        public OidcConfig.Builder audience​(String audience)
        Audience of issued tokens.
        Parameters:
        audience - audience to validate
        Returns:
        updated builder instance

      • issuer

        public OidcConfig.Builder issuer​(String issuer)
        Issuer of issued tokens.
        Parameters:
        issuer - expected issuer to validate
        Returns:
        updated builder instance

      • validateJwtWithJwk

        public OidcConfig.Builder validateJwtWithJwk​(Boolean useJwk)
        Use JWK (a set of keys to validate signatures of JWT) to validate tokens. Use this method when you want to use default values for JWK or introspection endpoint URI.
        Parameters:
        useJwk - when set to true, jwk is used, when set to false, introspect endpoint is used
        Returns:
        updated builder instance

      • baseScopes

        public OidcConfig.Builder baseScopes​(String scopes)
        Configure base scopes. By default this is "openid". If scope has a qualifier, it must be used here.
        Parameters:
        scopes - Space separated scopes to be required by default from OIDC server
        Returns:
        updated builder instance

      • oidcMetadataWellKnown

        public OidcConfig.Builder oidcMetadataWellKnown​(Boolean useWellKnown)
        If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource. If set to false, it would not be loaded even if oidc-metadata-resource is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri).
        Parameters:
        useWellKnown - whether to use well known location for OIDC metadata
        Returns:
        updated builder instance

      • signJwk

        public OidcConfig.Builder signJwk​(Resource resource)
        A resource pointing to JWK with public keys of signing certificates used to validate JWT.
        Parameters:
        resource - Resource pointing to the JWK
        Returns:
        updated builder instance

      • signJwk

        public OidcConfig.Builder signJwk​(JwkKeys jwk)
        Set JwkKeys to use for JWT validation.
        Parameters:
        jwk - JwkKeys instance to get public keys used to sign JWT
        Returns:
        udpated builder instance

      • oidcMetadata

        public OidcConfig.Builder oidcMetadata​(Resource resource)
        Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.
        Parameters:
        resource - resource pointing to the JSON structure
        Returns:
        udpated builder instance

      • headerTokenHandler

        public OidcConfig.Builder headerTokenHandler​(TokenHandler tokenHandler)
        A TokenHandler to process header containing a JWT. Default is "Authorization" header with a prefix "bearer ".
        Parameters:
        tokenHandler - token handler to use
        Returns:
        updated builder instance

      • scopeAudience

        public OidcConfig.Builder scopeAudience​(String audience)
        Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to empty string.
        Parameters:
        audience - audience, if provided, end with "/" to append the scope correctly
        Returns:
        updated builder instance

      • cookieSameSite

        public OidcConfig.Builder cookieSameSite​(String sameSite)
        When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax"
        Parameters:
        sameSite - SameSite cookie attribute value
        Returns:
        updated builder instance

      • cookieSecure

        public OidcConfig.Builder cookieSecure​(Boolean secure)
        When using cookie, if set to true, the Secure attribute will be configured. Defaults to false.
        Parameters:
        secure - whether the cookie should be secure (true) or not (false)
        Returns:
        updated builder instance

      • cookieHttpOnly

        public OidcConfig.Builder cookieHttpOnly​(Boolean httpOnly)
        When using cookie, if set to true, the HttpOnly attribute will be configured. Defaults to true.
        Parameters:
        httpOnly - whether the cookie should be HttpOnly (true) or not (false)
        Returns:
        updated builder instance

      • cookieMaxAgeSeconds

        public OidcConfig.Builder cookieMaxAgeSeconds​(long age)
        When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid. Not used by default.
        Parameters:
        age - age in seconds
        Returns:
        updated builder instance

      • cookiePath

        public OidcConfig.Builder cookiePath​(String path)
        Path the cookie is valid for. Defaults to "/".
        Parameters:
        path - the path to use as value of cookie "Path" attribute
        Returns:
        updated builder instance

      • cookieDomain

        public OidcConfig.Builder cookieDomain​(String domain)
        Domain the cookie is valid for. Not used by default.
        Parameters:
        domain - domain to use as value of cookie "Domain" attribute
        Returns:
        updated builder instance

      • frontendUri

        public OidcConfig.Builder frontendUri​(String uri)
        Full URI of this application that is visible from user browser. Used to redirect request back from identity server after successful login.
        Parameters:
        uri - the frontend URI, such as "http://my.server.com/myApp
        Returns:
        updated builder instance

      • tokenEndpointUri

        public OidcConfig.Builder tokenEndpointUri​(URI uri)
        URI of a token endpoint used to obtain a JWT based on the authentication code. If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/token.
        Parameters:
        uri - URI to use for token endpoint
        Returns:
        updated builder instance

      • authorizationEndpointUri

        public OidcConfig.Builder authorizationEndpointUri​(URI uri)
        URI of an authorization endpoint used to redirect users to for logging-in. If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/authorize.
        Parameters:
        uri - URI to use for token endpoint
        Returns:
        updated builder instance

      • cookieName

        public OidcConfig.Builder cookieName​(String cookieName)
        Name of the cookie to use. Defaults to "JSESSIONID".
        Parameters:
        cookieName - name of a cookie
        Returns:
        updated builder instance

      • useCookie

        public OidcConfig.Builder useCookie​(Boolean useCookie)
        Whether to use cookie to store JWT between requests. Defaults to true.
        Parameters:
        useCookie - whether to use cookie to store JWT (true) or not (false))
        Returns:
        updated builder instance

      • paramName

        public OidcConfig.Builder paramName​(String paramName)
        Name of a query parameter that contains the JWT token when parameter is used.
        Parameters:
        paramName - name of the query parameter to expect
        Returns:
        updated builder instance

      • useParam

        public OidcConfig.Builder useParam​(Boolean useParam)
        Whether to use a query parameter to send JWT token from application to this server.
        Parameters:
        useParam - whether to use a query parameter (true) or not (false)
        Returns:
        updated builder instance
        See Also:
        paramName(String)

      • identityUri

        public OidcConfig.Builder identityUri​(URI uri)
        URI of the identity server, base used to retrieve OIDC metadata.
        Parameters:
        uri - full URI of an identity server (such as "http://tenantid.identity.oraclecloud.com")
        Returns:
        updated builder instance

      • proxyProtocol

        public OidcConfig.Builder proxyProtocol​(String protocol)
        Proxy protocol to use when proxy is used. Defaults to "http".
        Parameters:
        protocol - protocol to use (such as https)
        Returns:
        updated builder instance

      • proxyHost

        public OidcConfig.Builder proxyHost​(String proxyHost)
        Proxy host to use. When defined, triggers usage of proxy for HTTP requests. Setting to empty String has the same meaning as setting to null - disables proxy.
        Parameters:
        proxyHost - host of the proxy
        Returns:
        updated builder instance
        See Also:
        proxyProtocol(String), proxyPort(int)

      • proxyPort

        public OidcConfig.Builder proxyPort​(int proxyPort)
        Proxy port. Defaults to 80
        Parameters:
        proxyPort - port of the proxy server to use
        Returns:
        updated builder instance

      • clientId

        public OidcConfig.Builder clientId​(String clientId)
        Client ID as generated by OIDC server.
        Parameters:
        clientId - the client id of this application.
        Returns:
        updated builder instance

      • clientSecret

        public OidcConfig.Builder clientSecret​(String clientSecret)
        Client secret as generated by OIDC server. Used to authenticate this application with the server when requesting JWT based on a code.
        Parameters:
        clientSecret - secret to use
        Returns:
        updated builder instance

      • redirectUri

        public OidcConfig.Builder redirectUri​(String redirectUri)
        URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on OIDC server.

        Defaults to "/oidc/redirect"

        Parameters:
        redirectUri - the URI (path without protocol, host and port) used to redirect requests back to us
        Returns:
        updated builder instance

      • redirectAttemptParam

        public OidcConfig.Builder redirectAttemptParam​(String paramName)
        Configure the parameter used to store the number of attempts in redirect.

        Defaults to "h_ra"

        Parameters:
        paramName - name of the parameter used in the state parameter
        Returns:
        updated builder instance

      • maxRedirects

        public OidcConfig.Builder maxRedirects​(int maxRedirects)
        Configure maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt.

        Defaults to 5

        Parameters:
        maxRedirects - maximal number of redirects from Helidon to OIDC provider
        Returns:
        updated builder instance