Class OidcConfig

  • public final class OidcConfig
    extends Object
    Configuration of OIDC usable from all components that implement the OIDC specification, such as the security provider, the web server extension and IDCS connectivity.

    Some of the configuration options below use the "resource" type. A resource can be supplied in any one of the following ways (example for the oidc-metadata key):

      oidc-metadata-path: "path/on/filesystem"
      oidc-metadata-resource-path: "class-path/resource"
      oidc-metadata-url: "URI on the net"
      oidc-metadata-content-plain: "Value of the resource in plain text"
      oidc-metadata-content: "Value in base64 encoded bytes"

    Configuration options (under security.providers[].${name}):

    Mandatory configuration parameters

      client-id
          Client ID as generated by the OIDC server.
      client-secret
          Client secret as generated by the OIDC server.
      identity-uri
          URI of the identity server; used as the base for retrieving OIDC metadata and for the default endpoint URIs below.
      frontend-uri
          Full URI of the frontend, used for redirects back from the OIDC server (e.g. http://myserver/myApp).

    Optional configuration parameters (default value in parentheses)

      proxy-protocol (default: http)
          Proxy protocol to use when a proxy is used.
      proxy-host (default: null)
          Proxy host to use. When defined, triggers usage of the proxy for HTTP requests.
      proxy-port (default: 80)
          Port of the proxy server to use.
      redirect-uri (default: /oidc/redirect)
          URI on which the web server component is registered; the OIDC server redirects authorization requests there after a user logs in or approves scopes. The redirect URI configured here must usually be identical to the one registered on the OIDC server.
      scope-audience (default: empty string)
          Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server.
      cookie-use (default: true)
          Whether to use a cookie to store the JWT. If used, redirects happen only when the user is not authenticated or has insufficient scopes.
      cookie-name (default: JSESSIONID)
          Name of the cookie.
      cookie-domain (default: null)
          Domain the cookie is valid for. Not set by default.
      cookie-path (default: /)
          Path the cookie is valid for.
      cookie-max-age-seconds (default: null)
          When using a cookie, sets the Max-Age attribute of the cookie, defining how long the cookie is valid.
      cookie-http-only (default: true)
          When using a cookie, if set to true the HttpOnly attribute is configured.
      cookie-secure (default: false)
          When using a cookie, if set to true the Secure attribute is configured. Set this to true when the application is served over HTTPS, otherwise the token cookie may also be sent over plain HTTP.
      cookie-same-site (default: Lax)
          When using a cookie, sets the SameSite cookie attribute. Can be "Strict" or "Lax". Setting this to "Strict" results in infinite redirects when calling an OIDC server on a different host.
      query-param-use (default: false)
          Whether to expect the JWT in a query parameter.
      query-param-name (default: accessToken)
          Name of the query parameter that contains the JWT when the parameter is used.
      header-use (default: false)
          Whether to expect the JWT in a header field.
      header-token (default: "Authorization" header with prefix "bearer ")
          A TokenHandler configuration to process the header containing a JWT.
      oidc-metadata-well-known (default: true)
          If set to true, metadata is loaded from the default (well-known) location unless it is explicitly defined using the oidc-metadata resource. If set to false, it is not loaded even if the oidc-metadata resource is not defined; in that case all URIs must be explicitly defined (e.g. token-endpoint-uri).
      oidc-metadata (default: identity-uri/.well-known/openid-configuration)
          Resource configuration for the OIDC metadata, containing the endpoints of the various identity services as well as information about the identity server.
      token-endpoint-uri (default: "token_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/token if not available)
          URI of the token endpoint used to obtain a JWT based on the authorization code.
      authorization-endpoint-uri (default: "authorization_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/authorize if not available)
          URI of the authorization endpoint users are redirected to for logging in.
      validate-with-jwk (default: true)
          When true, validate the JWT locally against the JWK defined by "sign-jwk"; when false, validate the JWT through the OIDC server endpoint configured by "introspect-endpoint-uri".
      sign-jwk (default: "jwks_uri" in OIDC metadata, or identity-uri/admin/v1/SigningCert/jwk if not available)
          A resource pointing to the JWK with the public keys of the signing certificates used to validate the JWT. Only needed when JWT validation is done locally (validate-with-jwk is true).
      introspect-endpoint-uri (default: "introspection_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/introspect if not available)
          The endpoint used to validate the JWT when validate-with-jwk is set to false.
      base-scopes (default: "openid")
          Scopes to be requested by default. If a scope has a qualifier, it must be included here.
      redirect (default: true)
          Whether to redirect to the identity server when authentication fails.
      realm (default: helidon)
          Realm returned in the HTTP response if redirect is not enabled or not possible.
      redirect-attempt-param (default: "h_ra")
          Query parameter holding the number of times we have redirected to the identity server. Customizable to prevent conflicts with application parameters.
      max-redirects (default: 5)
          Maximum number of times we redirect to the identity server. When the number is reached, no further redirects happen and the request finishes with an error (status 401).
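    The following is an added configuration example, not taken from the Helidon documentation or source, that puts the keys above together for a browser-facing application served over HTTPS. The provider key name "oidc", the host names, the client id and secret, the proxy address and the metadata file path are placeholders/assumptions; every configuration key is one documented on this page.

```yaml
# Added example (not from the Helidon project): one OIDC security provider
# configured with the keys documented above. Host names, credentials, the
# proxy address and the file path are placeholders; the provider key "oidc"
# is assumed (the page documents the keys under security.providers[].${name}).
security:
  providers:
    - oidc:
        # Mandatory parameters
        client-id: "webapp"
        client-secret: "replace-with-secret-from-your-secret-store"   # placeholder; do not commit real secrets
        identity-uri: "https://idcs.example.com"
        frontend-uri: "https://myserver.example.com/myApp"

        # Must match the redirect URI registered for this client on the OIDC server.
        redirect-uri: "/oidc/redirect"

        # Metadata supplied as a "resource" read from the file system instead of
        # identity-uri/.well-known/openid-configuration (for example when the
        # application host must not fetch it over the network at startup).
        oidc-metadata-path: "/etc/webapp/openid-configuration.json"

        # Outbound calls to the identity server go through a forward proxy.
        proxy-protocol: "http"
        proxy-host: "proxy.example.com"
        proxy-port: 3128

        # Cookie hardening. The defaults are cookie-secure: false and
        # cookie-name: JSESSIONID; an HTTPS deployment should override both so the
        # token cookie is never sent over plain HTTP and does not collide with a
        # servlet session cookie.
        cookie-use: true
        cookie-name: "WEBAPP_OIDC"
        cookie-secure: true
        cookie-http-only: true
        cookie-same-site: "Lax"        # "Strict" loops forever when the OIDC server is on another host
        cookie-max-age-seconds: 3600

        # Never take the token from a query parameter (it would land in access logs,
        # browser history and Referer headers); accept the cookie and the
        # "Authorization: bearer <jwt>" header only.
        query-param-use: false
        header-use: true

        # Validate tokens locally against the signing keys published at the
        # "jwks_uri" from the metadata; introspect-endpoint-uri is then unused.
        validate-with-jwk: true

        base-scopes: "openid"
        redirect: true
        max-redirects: 5

        # Variant for an identity server without discovery metadata: disable the
        # well-known lookup and set every endpoint explicitly. Uncomment and remove
        # oidc-metadata-path above to use it.
        # oidc-metadata-well-known: false
        # authorization-endpoint-uri: "https://idcs.example.com/oauth2/v1/authorize"
        # token-endpoint-uri: "https://idcs.example.com/oauth2/v1/token"
        # sign-jwk-url: "https://idcs.example.com/admin/v1/SigningCert/jwk"
```

    Two settings in the block deserve a second look before deployment: cookie-secure must stay true wherever TLS terminates in front of the application, and validate-with-jwk: true means the application trusts only the keys at the configured JWK resource, so that resource has to be reachable (or shipped as a file via sign-jwk-path) or every token validation will fail.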