Class OidcConfig.Builder

java.lang.Object
  io.helidon.security.providers.oidc.common.OidcConfig.Builder

All Implemented Interfaces:
  Builder<OidcConfig>, Supplier<OidcConfig>
Enclosing class:
  OidcConfig

public static class OidcConfig.Builder extends Object implements Builder<OidcConfig>

A fluent API Builder to build instances of OidcConfig.
Constructor Summary

Builder()
Method Summary

All Methods | Instance Methods | Concrete Methods

Modifier and Type   Method   Description

OidcConfig.Builder  audience(String audience)
    Audience of issued tokens.
OidcConfig.Builder  authorizationEndpointUri(URI uri)
    URI of an authorization endpoint used to redirect users to for logging-in.
OidcConfig.Builder  baseScopes(String scopes)
    Configure base scopes.
OidcConfig          build()
    Build the instance from this builder.
OidcConfig.Builder  clientId(String clientId)
    Client ID as generated by OIDC server.
OidcConfig.Builder  clientSecret(String clientSecret)
    Client secret as generated by OIDC server.
OidcConfig.Builder  config(Config config)
    Update this builder with values from configuration.
OidcConfig.Builder  cookieDomain(String domain)
    Domain the cookie is valid for.
OidcConfig.Builder  cookieHttpOnly(Boolean httpOnly)
    When using cookie, if set to true, the HttpOnly attribute will be configured.
OidcConfig.Builder  cookieMaxAgeSeconds(long age)
    When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid.
OidcConfig.Builder  cookieName(String cookieName)
    Name of the cookie to use.
OidcConfig.Builder  cookiePath(String path)
    Path the cookie is valid for.
OidcConfig.Builder  cookieSameSite(String sameSite)
    When using cookie, used to set the SameSite cookie value.
OidcConfig.Builder  cookieSecure(Boolean secure)
    When using cookie, if set to true, the Secure attribute will be configured.
OidcConfig.Builder  frontendUri(String uri)
    Full URI of this application that is visible from user browser.
OidcConfig.Builder  headerTokenHandler(TokenHandler tokenHandler)
    A TokenHandler to process header containing a JWT.
OidcConfig.Builder  identityUri(URI uri)
    URI of the identity server, base used to retrieve OIDC metadata.
OidcConfig.Builder  introspectEndpointUri(URI uri)
    Endpoint to use to validate JWT.
OidcConfig.Builder  issuer(String issuer)
    Issuer of issued tokens.
OidcConfig.Builder  maxRedirects(int maxRedirects)
    Configure maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt.
OidcConfig.Builder  oidcMetadata(Resource resource)
    Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.
OidcConfig.Builder  oidcMetadata(JsonObject metadata)
    JsonObject with the OIDC Metadata.
OidcConfig.Builder  oidcMetadataWellKnown(Boolean useWellKnown)
    If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource.
OidcConfig.Builder  paramName(String paramName)
    Name of a query parameter that contains the JWT token when parameter is used.
OidcConfig.Builder  proxyHost(String proxyHost)
    Proxy host to use.
OidcConfig.Builder  proxyPort(int proxyPort)
    Proxy port.
OidcConfig.Builder  proxyProtocol(String protocol)
    Proxy protocol to use when proxy is used.
OidcConfig.Builder  realm(String realm)
    Realm to return when not redirecting and an error occurs that sends back WWW-Authenticate header.
OidcConfig.Builder  redirect(boolean redirect)
    By default the client should redirect to the identity server for the user to log in.
OidcConfig.Builder  redirectAttemptParam(String paramName)
    Configure the parameter used to store the number of attempts in redirect.
OidcConfig.Builder  redirectUri(String redirectUri)
    URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes.
OidcConfig.Builder  scopeAudience(String audience)
    Audience of the scope required by this application.
OidcConfig.Builder  signJwk(Resource resource)
    A resource pointing to JWK with public keys of signing certificates used to validate JWT.
OidcConfig.Builder  signJwk(JwkKeys jwk)
    Set JwkKeys to use for JWT validation.
OidcConfig.Builder  tokenEndpointUri(URI uri)
    URI of a token endpoint used to obtain a JWT based on the authentication code.
OidcConfig.Builder  useCookie(Boolean useCookie)
    Whether to use cookie to store JWT between requests.
OidcConfig.Builder  useHeader(Boolean useHeader)
    Whether to expect JWT in a header field.
OidcConfig.Builder  useParam(Boolean useParam)
    Whether to use a query parameter to send JWT token from application to this server.
OidcConfig.Builder  validateJwtWithJwk(Boolean useJwk)
    Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
Method Detail

-
build
public OidcConfig build()
Description copied from interface: Builder
Build the instance from this builder.
Specified by:
  build in interface Builder<OidcConfig>
Returns:
  instance of the built type

-
config
public OidcConfig.Builder config(Config config)
Update this builder with values from configuration.
Parameters:
  config - configuration located on node with OIDC configuration keys (e.g. client-id)
Returns:
  updated builder instance

-
redirect
public OidcConfig.Builder redirect(boolean redirect)
By default the client should redirect to the identity server for the user to log in. This behavior can be overridden by setting redirect to false. When a token is not present in the request, the client will not redirect and will just return an appropriate error response code.
Parameters:
  redirect - whether to redirect to the OIDC server in case the request does not contain sufficient information to authenticate the user; defaults to true
Returns:
  updated builder instance

-
realm
public OidcConfig.Builder realm(String realm)
Realm to return when not redirecting and an error occurs that sends back a WWW-Authenticate header.
Parameters:
  realm - realm name
Returns:
  updated builder instance

-
audience
public OidcConfig.Builder audience(String audience)
Audience of issued tokens.
Parameters:
  audience - audience to validate
Returns:
  updated builder instance

-
issuer
public OidcConfig.Builder issuer(String issuer)
Issuer of issued tokens.
Parameters:
  issuer - expected issuer to validate
Returns:
  updated builder instance

-
validateJwtWithJwk
public OidcConfig.Builder validateJwtWithJwk(Boolean useJwk)
Use JWK (a set of keys to validate signatures of JWT) to validate tokens. Use this method when you want to use default values for the JWK or introspection endpoint URI.
Parameters:
  useJwk - when set to true, JWK is used; when set to false, the introspection endpoint is used
Returns:
  updated builder instance

-
introspectEndpointUri
public OidcConfig.Builder introspectEndpointUri(URI uri)
Endpoint to use to validate JWT. Either use this or set signJwk(JwkKeys) or signJwk(Resource).
Parameters:
  uri - URI of the introspection endpoint
Returns:
  updated builder instance
-
baseScopes
public OidcConfig.Builder baseScopes(String scopes)
Configure base scopes. By default this is "openid". If a scope has a qualifier, it must be used here.
Parameters:
  scopes - space-separated scopes to be required by default from the OIDC server
Returns:
  updated builder instance

-
oidcMetadataWellKnown
public OidcConfig.Builder oidcMetadataWellKnown(Boolean useWellKnown)
If set to true, metadata will be loaded from the default (well known) location, unless it is explicitly defined using oidc-metadata-resource. If set to false, it will not be loaded even if oidc-metadata-resource is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri).
Parameters:
  useWellKnown - whether to use the well known location for OIDC metadata
Returns:
  updated builder instance

-
signJwk
public OidcConfig.Builder signJwk(Resource resource)
A resource pointing to a JWK set with the public keys of the signing certificates used to validate JWT.
Parameters:
  resource - Resource pointing to the JWK
Returns:
  updated builder instance

-
signJwk
public OidcConfig.Builder signJwk(JwkKeys jwk)
Set JwkKeys to use for JWT validation.
Parameters:
  jwk - JwkKeys instance to get the public keys used to sign JWT
Returns:
  updated builder instance
-
oidcMetadata
public OidcConfig.Builder oidcMetadata(Resource resource)
Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.
Parameters:
  resource - resource pointing to the JSON structure
Returns:
  updated builder instance

-
oidcMetadata
public OidcConfig.Builder oidcMetadata(JsonObject metadata)
JsonObject with the OIDC Metadata.
Parameters:
  metadata - metadata JSON
Returns:
  updated builder instance
See Also:
  oidcMetadata(Resource)

-
headerTokenHandler
public OidcConfig.Builder headerTokenHandler(TokenHandler tokenHandler)
A TokenHandler to process the header containing a JWT. Default is the "Authorization" header with a prefix "bearer ".
Parameters:
  tokenHandler - token handler to use
Returns:
  updated builder instance

-
useHeader
public OidcConfig.Builder useHeader(Boolean useHeader)
Whether to expect JWT in a header field.
Parameters:
  useHeader - set to true to use a header extracted with headerTokenHandler(TokenHandler)
Returns:
  updated builder instance

-
scopeAudience
public OidcConfig.Builder scopeAudience(String audience)
Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to empty string.
Parameters:
  audience - audience; if provided, end with "/" to append the scope correctly
Returns:
  updated builder instance
-
cookieSameSite
public OidcConfig.Builder cookieSameSite(String sameSite)
When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax".
Parameters:
  sameSite - SameSite cookie attribute value
Returns:
  updated builder instance

-
cookieSecure
public OidcConfig.Builder cookieSecure(Boolean secure)
When using cookie, if set to true, the Secure attribute will be configured. Defaults to false. Since this cookie stores the JWT, leave it at false only for local development without TLS.
Parameters:
  secure - whether the cookie should be secure (true) or not (false)
Returns:
  updated builder instance

-
cookieHttpOnly
public OidcConfig.Builder cookieHttpOnly(Boolean httpOnly)
When using cookie, if set to true, the HttpOnly attribute will be configured. Defaults to true.
Parameters:
  httpOnly - whether the cookie should be HttpOnly (true) or not (false)
Returns:
  updated builder instance

-
cookieMaxAgeSeconds
public OidcConfig.Builder cookieMaxAgeSeconds(long age)
When using cookie, used to set the MaxAge attribute of the cookie, defining how long the cookie is valid. Not used by default.
Parameters:
  age - age in seconds
Returns:
  updated builder instance

-
cookiePath
public OidcConfig.Builder cookiePath(String path)
Path the cookie is valid for. Defaults to "/".
Parameters:
  path - the path to use as value of the cookie "Path" attribute
Returns:
  updated builder instance

-
cookieDomain
public OidcConfig.Builder cookieDomain(String domain)
Domain the cookie is valid for. Not used by default.
Parameters:
  domain - domain to use as value of the cookie "Domain" attribute
Returns:
  updated builder instance

-
frontendUri
public OidcConfig.Builder frontendUri(String uri)
Full URI of this application that is visible from the user's browser. Used to redirect the request back from the identity server after successful login.
Parameters:
  uri - the frontend URI, such as "http://my.server.com/myApp"
Returns:
  updated builder instance

-
tokenEndpointUri
public OidcConfig.Builder tokenEndpointUri(URI uri)
URI of a token endpoint used to obtain a JWT based on the authentication code. If not defined, it is obtained from oidcMetadata(Resource); if that is not defined, an attempt is made to use identityUri(URI)/oauth2/v1/token.
Parameters:
  uri - URI to use for the token endpoint
Returns:
  updated builder instance

-
authorizationEndpointUri
public OidcConfig.Builder authorizationEndpointUri(URI uri)
URI of an authorization endpoint used to redirect users to for logging-in. If not defined, it is obtained from oidcMetadata(Resource); if that is not defined, an attempt is made to use identityUri(URI)/oauth2/v1/authorize.
Parameters:
  uri - URI to use for the authorization endpoint
Returns:
  updated builder instance

-
cookieName
public OidcConfig.Builder cookieName(String cookieName)
Name of the cookie to use. Defaults to "JSESSIONID".
Parameters:
  cookieName - name of a cookie
Returns:
  updated builder instance

-
useCookie
public OidcConfig.Builder useCookie(Boolean useCookie)
Whether to use a cookie to store the JWT between requests. Defaults to true.
Parameters:
  useCookie - whether to use a cookie to store the JWT (true) or not (false)
Returns:
  updated builder instance
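The cookie methods above (cookieName, cookieSecure, cookieHttpOnly, cookieSameSite, cookieMaxAgeSeconds, cookiePath, cookieDomain, useCookie) decide how the JWT is stored in the browser. Because the cookie is the bearer token for every later request, its attributes are the main defence against it being stolen or replayed. The following added example, not Helidon's own code, contrasts a builder that relies on the documented defaults with one hardened for an application served only over TLS. The client id and secret are constructed placeholders, and the cookie name is an assumption chosen to use the browser "__Host-" prefix.

```java
import io.helidon.security.providers.oidc.common.OidcConfig;

/**
 * JWT cookie settings with OidcConfig.Builder: documented defaults versus a
 * hardened configuration. Client id and secret are constructed placeholders
 * for this example, not values from the Helidon documentation.
 */
public final class OidcCookieHardening {

    // Constructed placeholders (assumptions, not from the page).
    static final String CLIENT_ID = "my-helidon-app";
    static final String CLIENT_SECRET =
            System.getenv().getOrDefault("OIDC_CLIENT_SECRET", "change-me");

    private OidcCookieHardening() {
    }

    /**
     * Relies on the documented defaults: cookie named "JSESSIONID", HttpOnly on,
     * Secure OFF, Path "/", no Domain, no Max-Age. Over plain HTTP the JWT
     * travels in clear text on every request.
     */
    public static OidcConfig.Builder withDefaults() {
        return new OidcConfig.Builder()
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .useCookie(true);
    }

    /**
     * Hardened for an application that is only reachable over HTTPS.
     */
    public static OidcConfig.Builder hardened() {
        return new OidcConfig.Builder()
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .useCookie(true)
                // "__Host-" prefix (assumed name): browsers accept such a cookie only with
                // Secure, Path=/ and no Domain attribute, so a sibling subdomain cannot plant
                // a cookie of this name. A distinct name also avoids colliding with a servlet
                // container's own JSESSIONID session cookie.
                .cookieName("__Host-HELIDON_OIDC")
                // Documented default is false; the cookie carries the bearer JWT.
                .cookieSecure(true)
                // Documented default is true; stated explicitly so a later edit cannot drop it.
                .cookieHttpOnly(true)
                .cookiePath("/")
                // Lax keeps the cookie off cross-site POSTs while still allowing the
                // redirect-based login to land. Strict cookies are withheld on navigations
                // arriving from another site, so test the whole login round trip before
                // choosing it.
                .cookieSameSite("Lax")
                // Bound the cookie lifetime (not set by default). The JWT's own exp claim
                // is still checked on validation; this only limits how long the browser keeps it.
                .cookieMaxAgeSeconds(3600);
    }
}
```

Do not call cookieDomain in the hardened variant: a Domain attribute widens the cookie to every host under that domain and is also incompatible with the "__Host-" prefix.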
-
paramName
public OidcConfig.Builder paramName(String paramName)
Name of a query parameter that contains the JWT token when a parameter is used.
Parameters:
  paramName - name of the query parameter to expect
Returns:
  updated builder instance

-
useParam
public OidcConfig.Builder useParam(Boolean useParam)
Whether to use a query parameter to send the JWT token from the application to this server. Query strings are routinely recorded in server and proxy logs and forwarded in Referer headers, so a token passed this way is easier to leak than one carried in a header or cookie.
Parameters:
  useParam - whether to use a query parameter (true) or not (false)
Returns:
  updated builder instance
See Also:
  paramName(String)

-
identityUri
public OidcConfig.Builder identityUri(URI uri)
URI of the identity server, base used to retrieve OIDC metadata.
Parameters:
  uri - full URI of an identity server (such as "http://tenantid.identity.oraclecloud.com")
Returns:
  updated builder instance

-
proxyProtocol
public OidcConfig.Builder proxyProtocol(String protocol)
Proxy protocol to use when a proxy is used. Defaults to "http".
Parameters:
  protocol - protocol to use (such as https)
Returns:
  updated builder instance

-
proxyHost
public OidcConfig.Builder proxyHost(String proxyHost)
Proxy host to use. When defined, triggers usage of the proxy for HTTP requests. Setting to an empty String has the same meaning as setting to null: it disables the proxy.
Parameters:
  proxyHost - host of the proxy
Returns:
  updated builder instance
See Also:
  proxyProtocol(String), proxyPort(int)

-
proxyPort
public OidcConfig.Builder proxyPort(int proxyPort)
Proxy port. Defaults to 80.
Parameters:
  proxyPort - port of the proxy server to use
Returns:
  updated builder instance

-
clientId
public OidcConfig.Builder clientId(String clientId)
Client ID as generated by the OIDC server.
Parameters:
  clientId - the client id of this application
Returns:
  updated builder instance

-
clientSecret
public OidcConfig.Builder clientSecret(String clientSecret)
Client secret as generated by the OIDC server. Used to authenticate this application with the server when requesting a JWT based on a code.
Parameters:
  clientSecret - secret to use
Returns:
  updated builder instance

-
redirectUri
public OidcConfig.Builder redirectUri(String redirectUri)
URI to register the web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on the OIDC server. Defaults to "/oidc/redirect".
Parameters:
  redirectUri - the URI (path without protocol, host and port) used to redirect requests back to us
Returns:
  updated builder instance

-
redirectAttemptParam
public OidcConfig.Builder redirectAttemptParam(String paramName)
Configure the parameter used to store the number of attempts in redirect. Defaults to "h_ra".
Parameters:
  paramName - name of the parameter used in the state parameter
Returns:
  updated builder instance

-
maxRedirects
public OidcConfig.Builder maxRedirects(int maxRedirects)
Configure the maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt. Defaults to 5.
Parameters:
  maxRedirects - maximal number of redirects from Helidon to the OIDC provider
Returns:
  updated builder instance
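The redirect, realm, redirectUri, frontendUri and maxRedirects methods above, together with useHeader, headerTokenHandler, useParam and paramName earlier on the page, determine where the provider looks for a token and what happens when none is present. The following added example, not Helidon's own code, configures the same client registration for two deployments: a browser-facing application that redirects to the identity server, and an API consumed by non-browser clients that must never redirect and only accepts a bearer token from the Authorization header. The identity server URI, client id, client secret, frontend origin and realm name are constructed placeholders, and the TokenHandler.builder() calls (tokenHeader, tokenPrefix) are assumed to be the Helidon TokenHandler builder API, which this page references but does not document.

```java
import java.net.URI;

import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.security.util.TokenHandler;

/**
 * Deployment profiles built with OidcConfig.Builder: redirecting browser
 * application versus non-redirecting API. All URIs, names and secrets are
 * constructed placeholders for this example, not values from the Helidon
 * documentation.
 */
public final class OidcDeploymentProfiles {

    // Constructed placeholders (assumptions, not from the page).
    static final URI IDENTITY_URI = URI.create("https://idp.example.test");
    static final String CLIENT_ID = "my-helidon-app";
    static final String CLIENT_SECRET =
            System.getenv().getOrDefault("OIDC_CLIENT_SECRET", "change-me");

    private OidcDeploymentProfiles() {
    }

    /**
     * Browser-facing application: a request without a token is redirected to
     * the identity server's authorization endpoint and comes back through
     * redirectUri, after which the JWT is kept in a cookie.
     */
    public static OidcConfig.Builder browserApp() {
        return new OidcConfig.Builder()
                .identityUri(IDENTITY_URI)
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .redirect(true)
                // Must equal the redirect URI registered at the provider; "/oidc/redirect"
                // is the documented default, repeated here so the registration is visible.
                .redirectUri("/oidc/redirect")
                // Externally visible origin (assumed); the provider sends the browser back here.
                // Use the public HTTPS origin, not an internal hostname behind a load balancer.
                .frontendUri("https://app.example.test")
                // Documented default is 5; a lower bound fails a misconfigured loop sooner.
                .maxRedirects(3)
                .useCookie(true)
                // Never accept the JWT from the query string: it ends up in logs and Referers.
                .useParam(false);
    }

    /**
     * API for programmatic clients: never redirect. A request without a valid
     * token gets an error response whose WWW-Authenticate header names this
     * realm. The token is accepted only from the Authorization header.
     */
    public static OidcConfig.Builder apiService() {
        return new OidcConfig.Builder()
                .identityUri(IDENTITY_URI)
                .clientId(CLIENT_ID)
                .clientSecret(CLIENT_SECRET)
                .redirect(false)
                .realm("orders-api") // assumed realm name
                .useCookie(false)
                .useParam(false)
                .useHeader(true)
                // Assumed TokenHandler builder API: read the Authorization header and strip
                // the "Bearer " prefix before the value is treated as a JWT.
                .headerTokenHandler(TokenHandler.builder()
                        .tokenHeader("Authorization")
                        .tokenPrefix("Bearer ")
                        .build());
    }
}
```

Keeping redirect(false) on an API matters beyond tidiness: a redirect answer to a script or mobile client is usually followed blindly, which turns a missing token into a confusing chain of requests to the identity server instead of a clear authentication error.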