Class OidcConfig.Builder
java.lang.Object
io.helidon.security.providers.oidc.common.OidcConfig.Builder
- All Implemented Interfaces:
Builder<OidcConfig.Builder,
,OidcConfig> Supplier<OidcConfig>
- Enclosing class:
- OidcConfig
A fluent API
Builder
to build instances of OidcConfig
.-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionaddTenantConfig
(TenantConfig tenantConfig) Add specificTenantConfig
instance.Audience of issued tokens.URI of an authorization endpoint used to redirect users to for logging-in.baseScopes
(String scopes) Configure base scopes.build()
Build the instance from this builder.Client ID as generated by OIDC server.clientSecret
(String clientSecret) Client secret as generated by OIDC server.clientTimeout
(Duration duration) Timeout of calls using web client.Update this builder with values from configuration.cookieDomain
(String domain) Domain the cookie is valid for.cookieEncryptionEnabled
(boolean cookieEncryptionEnabled) Whether to encrypt token cookie created by this microservice.cookieEncryptionEnabledIdToken
(boolean cookieEncryptionEnabled) Whether to encrypt id token cookie created by this microservice.cookieEncryptionEnabledTenantName
(boolean cookieEncryptionEnabled) Whether to encrypt tenant name cookie created by this microservice.cookieEncryptionName
(String cookieEncryptionName) Name of the encryption configuration available throughSecurity.encrypt(String, byte[])
andSecurity.decrypt(String, String)
.cookieEncryptionPassword
(char[] cookieEncryptionPassword) Master password for encryption/decryption of cookies.cookieHttpOnly
(Boolean httpOnly) When using cookie, if set to true, the HttpOnly attribute will be configured.cookieMaxAgeSeconds
(long age) When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid.cookieName
(String cookieName) Name of the cookie to use.cookieNameIdToken
(String cookieName) Name of the cookie to use for id token.cookiePath
(String path) Path the cookie is valid for.cookieSameSite
(SetCookie.SameSite sameSite) When using cookie, used to set the SameSite cookie value.cookieSameSite
(String sameSite) When using cookie, used to set the SameSite cookie value.cookieSecure
(Boolean secure) When using cookie, if set to true, the Secure attribute will be configured.cookieTenantName
(String cookieName) Name of the cookie to use for tenant name.crossOriginConfig
(CrossOriginConfig crossOriginConfig) Assign cross-origin resource sharing settings.forceHttpsRedirects
(boolean forceHttpsRedirects) Force HTTPS for redirects to identity provider.frontendUri
(String uri) Full URI of this application that is visible from user browser.headerTokenHandler
(TokenHandler tokenHandler) ATokenHandler
to process header containing a JWT.identityUri
(URI uri) URI of the identity server, base used to retrieve OIDC metadata.introspectEndpointUri
(URI uri) Endpoint to use to validate JWT.Issuer of issued tokens.logoutEnabled
(Boolean logoutEnabled) Whether to enable logout support.logoutEndpointUri
(URI logoutEndpointUri) URI of a logout endpoint used to redirect users to for logging-out.Path to register web server for logout link.maxRedirects
(int maxRedirects) Configure maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt.oidcMetadata
(Resource resource) Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.oidcMetadata
(JsonObject metadata) JsonObject with the OIDC Metadata.oidcMetadataWellKnown
(boolean useWellKnown) If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource.Name of a query parameter that contains the JWT token when parameter is used.paramTenantName
(String paramName) Name of a query parameter that contains the tenant name when parameter is used.postLogoutUri
(URI uri) URI to redirect to once the logout process is done.Proxy host to use.proxyPort
(int proxyPort) Proxy port.proxyProtocol
(String protocol) Proxy protocol to use when proxy is used.Realm to return when not redirecting and an error occurs that sends back WWW-Authenticate header.redirect
(boolean redirect) By default, the client should redirect to the identity server for the user to log in.redirectAttemptParam
(String paramName) Configure the parameter used to store the number of attempts in redirect.redirectUri
(String redirectUri) URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes.relativeUris
(boolean relativeUris) Can be set totrue
to force the use of relative URIs in all requests, regardless of the presence or absence of proxies or no-proxy lists.scopeAudience
(String audience) Audience of the scope required by this application.serverType
(String type) Configure one of the supported types of identity servers.A resource pointing to JWK with public keys of signing certificates used to validate JWT.SetJwkKeys
to use for JWT validation.tokenEndpointAuthentication
(OidcConfig.ClientAuthentication tokenEndpointAuthentication) Type of authentication to use when invoking the token endpoint.tokenEndpointUri
(URI uri) URI of a token endpoint used to obtain a JWT based on the authentication code.tokenRefreshSkew
(Duration tokenRefreshSkew) Amount of time access token should be refreshed before its expiration time.Whether to use cookie to store JWT between requests.Whether to expect JWT in a header field.Whether to use a query parameter to send JWT token from application to this server.boolean
validateJwtWithJwk
(Boolean useJwk) Use JWK (a set of keys to validate signatures of JWT) to validate tokens.
-
Constructor Details
-
Builder
protected Builder()
-
-
Method Details
-
build
Description copied from interface:Builder
Build the instance from this builder.- Returns:
- instance of the built type
-
config
Update this builder with values from configuration.- Parameters:
config
- configuration located on node with OIDC configuration keys (e.g. client-id)- Returns:
- updated builder instance
-
tokenRefreshSkew
Amount of time access token should be refreshed before its expiration time. Default is 5 seconds.- Parameters:
tokenRefreshSkew
- time to refresh token before expiration- Returns:
- updated builder
-
crossOriginConfig
Assign cross-origin resource sharing settings.- Parameters:
crossOriginConfig
- cross-origin settings to apply to the redirect endpoint- Returns:
- updated builder instance
-
logoutEnabled
Whether to enable logout support. When logout is enabled, we use two cookies (User token and user ID token) and we expose an endpointlogoutUri(String)
that can be used to log the user out from Helidon session and also from OIDC session (useslogoutEndpointUri(java.net.URI)
on OIDC server). Logout support is disabled by default.- Parameters:
logoutEnabled
- whether to enable logout- Returns:
- updated builder instance
-
redirect
By default, the client should redirect to the identity server for the user to log in. This behavior can be overridden by setting redirect to false. When token is not present in the request, the client will not redirect and just return appropriate error response code.- Parameters:
redirect
- Whether to redirect to OIDC server in case the request does not contain sufficient information to authenticate the user, defaults to true- Returns:
- updated builder instance
-
frontendUri
Full URI of this application that is visible from user browser. Used to redirect request back from identity server after successful login.- Parameters:
uri
- the frontend URI, such as "http://my.server.com/myApp- Returns:
- updated builder instance
-
forceHttpsRedirects
Force HTTPS for redirects to identity provider. Defaults tofalse
.- Parameters:
forceHttpsRedirects
- flag to redirect with https- Returns:
- updated builder instance
-
relativeUris
Can be set totrue
to force the use of relative URIs in all requests, regardless of the presence or absence of proxies or no-proxy lists. By default, requests that use the Proxy will have absolute URIs. Set this flag totrue
if the host is unable to accept absolute URIs. Defaults to false.- Parameters:
relativeUris
- relative URIs flag- Returns:
- updated builder instance
-
redirectUri
URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on OIDC server.Defaults to "/oidc/redirect"
- Parameters:
redirectUri
- the URI (path without protocol, host and port) used to redirect requests back to us- Returns:
- updated builder instance
-
logoutUri
Path to register web server for logout link. This should be used by application to redirect user to logout the current user from Helidon based session (when using cookies and redirection). This endpoint will logout user from Helidon session (remove Helidon cookies) and redirect user to logout screen of the OIDC server.- Parameters:
logoutUri
- URI path for logout component- Returns:
- updated builder instance
-
postLogoutUri
URI to redirect to once the logout process is done. The endpoint should not be protected by OIDC (as this would serve no purpose, just to log the user in again). This endpoint usually must be registered with the application as the allowed post-logout redirect URI. Note that the URI should not contain any query parameters. You can obtain state using the state query parameter that must be provided tologoutUri(String)
.- Parameters:
uri
- this will be used by the OIDC server to redirect user to once logout is done, can define just path, in which case the scheme, host and port will be taken from request.- Returns:
- updated builder instance
-
redirectAttemptParam
Configure the parameter used to store the number of attempts in redirect.Defaults to "h_ra"
- Parameters:
paramName
- name of the parameter used in the state parameter- Returns:
- updated builder instance
-
maxRedirects
Configure maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt.Defaults to 5
- Parameters:
maxRedirects
- maximal number of redirects from Helidon to OIDC provider- Returns:
- updated builder instance
-
proxyProtocol
Proxy protocol to use when proxy is used. Defaults to "http".- Parameters:
protocol
- protocol to use (such as https)- Returns:
- updated builder instance
-
proxyHost
Proxy host to use. When defined, triggers usage of proxy for HTTP requests. Setting to empty String has the same meaning as setting to null - disables proxy.- Parameters:
proxyHost
- host of the proxy- Returns:
- updated builder instance
- See Also:
-
proxyPort
Proxy port. Defaults to 80- Parameters:
proxyPort
- port of the proxy server to use- Returns:
- updated builder instance
-
headerTokenHandler
ATokenHandler
to process header containing a JWT. Default is "Authorization" header with a prefix "bearer ".- Parameters:
tokenHandler
- token handler to use- Returns:
- updated builder instance
-
useHeader
Whether to expect JWT in a header field.- Parameters:
useHeader
- set to true to use a header extracted withheaderTokenHandler(TokenHandler)
- Returns:
- updated builder instance
-
paramName
Name of a query parameter that contains the JWT token when parameter is used.- Parameters:
paramName
- name of the query parameter to expect- Returns:
- updated builder instance
-
paramTenantName
Name of a query parameter that contains the tenant name when parameter is used. Defaults toOidcConfig.DEFAULT_TENANT_PARAM_NAME
.- Parameters:
paramName
- name of the query parameter to expect- Returns:
- updated builder instance
-
useParam
Whether to use a query parameter to send JWT token from application to this server.- Parameters:
useParam
- whether to use a query parameter (true) or not (false)- Returns:
- updated builder instance
- See Also:
-
cookieEncryptionName
Name of the encryption configuration available throughSecurity.encrypt(String, byte[])
andSecurity.decrypt(String, String)
. If configured and encryption is enabled for any cookie, Security MUST be configured in global or currentio.helidon.common.context.Context
(this is done automatically in Helidon MP).- Parameters:
cookieEncryptionName
- name of the encryption configuration in security used to encrypt/decrypt cookies- Returns:
- updated builder
-
cookieEncryptionPassword
Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice using the cookie.- Parameters:
cookieEncryptionPassword
- encryption password- Returns:
- updated builder
-
cookieEncryptionEnabled
Whether to encrypt token cookie created by this microservice. Defaults tofalse
.- Parameters:
cookieEncryptionEnabled
- whether cookie should be encryptedtrue
, or as obtained from OIDC serverfalse
- Returns:
- updated builder instance
-
cookieEncryptionEnabledIdToken
Whether to encrypt id token cookie created by this microservice. Defaults totrue
.- Parameters:
cookieEncryptionEnabled
- whether cookie should be encryptedtrue
, or as obtained from OIDC serverfalse
- Returns:
- updated builder instance
-
cookieEncryptionEnabledTenantName
Whether to encrypt tenant name cookie created by this microservice. Defaults totrue
.- Parameters:
cookieEncryptionEnabled
- whether cookie should be encryptedtrue
, or as obtained from OIDC serverfalse
- Returns:
- updated builder instance
-
cookieSameSite
When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax"- Parameters:
sameSite
- SameSite cookie attribute value- Returns:
- updated builder instance
-
cookieSameSite
When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax".- Parameters:
sameSite
- SameSite cookie attribute- Returns:
- updated builder instance
-
cookieSecure
When using cookie, if set to true, the Secure attribute will be configured. Defaults to false.- Parameters:
secure
- whether the cookie should be secure (true) or not (false)- Returns:
- updated builder instance
-
cookieHttpOnly
When using cookie, if set to true, the HttpOnly attribute will be configured. Defaults to true.- Parameters:
httpOnly
- whether the cookie should be HttpOnly (true) or not (false)- Returns:
- updated builder instance
-
cookieMaxAgeSeconds
When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid. Not used by default.- Parameters:
age
- age in seconds- Returns:
- updated builder instance
-
cookiePath
Path the cookie is valid for. Defaults to "/".- Parameters:
path
- the path to use as value of cookie "Path" attribute- Returns:
- updated builder instance
-
cookieDomain
Domain the cookie is valid for. Not used by default.- Parameters:
domain
- domain to use as value of cookie "Domain" attribute- Returns:
- updated builder instance
-
cookieName
Name of the cookie to use. Defaults to "JSESSIONID".- Parameters:
cookieName
- name of a cookie- Returns:
- updated builder instance
-
cookieNameIdToken
Name of the cookie to use for id token. Defaults to "JSESSIONID"_2. This cookie is only used when logout is enabled, as otherwise it is not needed. Content of this cookie is encrypted.- Parameters:
cookieName
- name of a cookie- Returns:
- updated builder instance
-
cookieTenantName
Name of the cookie to use for tenant name. Defaults to "HELIDON_TENANT".- Parameters:
cookieName
- name of a cookie- Returns:
- updated builder instance
-
useCookie
Whether to use cookie to store JWT between requests. Defaults to true.- Parameters:
useCookie
- whether to use cookie to store JWT (true) or not (false))- Returns:
- updated builder instance
-
addTenantConfig
Add specificTenantConfig
instance.- Parameters:
tenantConfig
- tenant configuration- Returns:
- updated builder instance
-
clientId
Client ID as generated by OIDC server.- Parameters:
clientId
- the client id of this application.- Returns:
- updated builder instance
-
clientSecret
Client secret as generated by OIDC server. Used to authenticate this application with the server when requesting JWT based on a code.- Parameters:
clientSecret
- secret to use- Returns:
- updated builder instance
-
identityUri
URI of the identity server, base used to retrieve OIDC metadata.- Parameters:
uri
- full URI of an identity server (such as "http://tenantid.identity.oraclecloud.com")- Returns:
- updated builder instance
-
realm
Realm to return when not redirecting and an error occurs that sends back WWW-Authenticate header.- Parameters:
realm
- realm name- Returns:
- updated builder instance
-
audience
Audience of issued tokens.- Parameters:
audience
- audience to validate- Returns:
- updated builder instance
-
issuer
Issuer of issued tokens.- Parameters:
issuer
- expected issuer to validate- Returns:
- updated builder instance
-
validateJwtWithJwk
Use JWK (a set of keys to validate signatures of JWT) to validate tokens. Use this method when you want to use default values for JWK or introspection endpoint URI.- Parameters:
useJwk
- when set to true, jwk is used, when set to false, introspect endpoint is used- Returns:
- updated builder instance
-
introspectEndpointUri
Endpoint to use to validate JWT. Either use this or setsignJwk(JwkKeys)
orsignJwk(Resource)
.- Parameters:
uri
- URI of introspection endpoint- Returns:
- updated builder instance
-
signJwk
A resource pointing to JWK with public keys of signing certificates used to validate JWT.- Parameters:
resource
- Resource pointing to the JWK- Returns:
- updated builder instance
-
signJwk
SetJwkKeys
to use for JWT validation.- Parameters:
jwk
- JwkKeys instance to get public keys used to sign JWT- Returns:
- updated builder instance
-
tokenEndpointAuthentication
public OidcConfig.Builder tokenEndpointAuthentication(OidcConfig.ClientAuthentication tokenEndpointAuthentication) Type of authentication to use when invoking the token endpoint. Current supported options:- Parameters:
tokenEndpointAuthentication
- authentication type- Returns:
- updated builder
-
authorizationEndpointUri
URI of an authorization endpoint used to redirect users to for logging-in. If not defined, it is obtained fromoidcMetadata(Resource)
, if that is not defined an attempt is made to useidentityUri(URI)
/oauth2/v1/authorize.- Parameters:
uri
- URI to use for token endpoint- Returns:
- updated builder instance
-
logoutEndpointUri
URI of a logout endpoint used to redirect users to for logging-out. If not defined, it is obtained fromoidcMetadata(Resource)
, if that is not defined an attempt is made to useidentityUri(URI)
/oauth2/v1/userlogout.- Parameters:
logoutEndpointUri
- URI to use to log out- Returns:
- updated builder instance
-
tokenEndpointUri
URI of a token endpoint used to obtain a JWT based on the authentication code. If not defined, it is obtained fromoidcMetadata(Resource)
, if that is not defined an attempt is made to useidentityUri(URI)
/oauth2/v1/token.- Parameters:
uri
- URI to use for token endpoint- Returns:
- updated builder instance
-
oidcMetadata
Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.- Parameters:
resource
- resource pointing to the JSON structure- Returns:
- updated builder instance
-
oidcMetadata
JsonObject with the OIDC Metadata.- Parameters:
metadata
- metadata JSON- Returns:
- updated builder instance
- See Also:
-
baseScopes
Configure base scopes. By default, this is "openid". If scope has a qualifier, it must be used here.- Parameters:
scopes
- Space separated scopes to be required by default from OIDC server- Returns:
- updated builder instance
-
oidcMetadataWellKnown
If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource. If set to false, it would not be loaded even if oidc-metadata-resource is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri).- Parameters:
useWellKnown
- whether to use well known location for OIDC metadata- Returns:
- updated builder instance
-
serverType
Configure one of the supported types of identity servers. If the type does not have an explicit mapping, a warning is logged and the default implementation is used.- Parameters:
type
- Type of identity server. Currently supported isidcs
or not configured (for default).- Returns:
- updated builder instance
-
clientTimeout
Timeout of calls using web client.- Parameters:
duration
- timeout- Returns:
- updated builder
-
scopeAudience
Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to empty string.- Parameters:
audience
- audience, if provided, end with "/" to append the scope correctly- Returns:
- updated builder instance
-
useWellKnown
public boolean useWellKnown()
-