OidcConfig (security.providers.oidc.common) Configuration

Open ID Connect configuration

Type: io.helidon.security.providers.oidc.common.OidcConfig

Configuration options

Optional configuration options

Each entry below lists the configuration key, its type, its default value (if any) and a description.

audience
  Type: string
  Default: (none)
  Audience of issued tokens.

authorization-endpoint-uri
  Type: URI
  Default: (none)
  URI of the authorization endpoint that users are redirected to for login.
  If not defined, it is obtained from #oidcMetadata(Resource); if that is not defined, an attempt is made to use #identityUri(URI)/oauth2/v1/authorize.

base-scopes
  Type: string
  Default: openid
  Configure the base scopes. By default, this is DEFAULT_BASE_SCOPES. If a scope has a qualifier, it must be used here.

client-id
  Type: string
  Default: (none)
  Client ID as generated by the OIDC server.

client-secret
  Type: string
  Default: (none)
  Client secret as generated by the OIDC server. Used to authenticate this application with the server when requesting a JWT based on an authorization code.

client-timeout-millis
  Type: Duration
  Default: 30000
  Timeout of calls made using the web client.

cookie-domain
  Type: string
  Default: (none)
  Domain the cookie is valid for. Not used by default.

cookie-http-only
  Type: boolean
  Default: true
  When using a cookie, if set to true, the HttpOnly attribute is set. Defaults to OidcCookieHandler.Builder#DEFAULT_HTTP_ONLY.

cookie-max-age-seconds
  Type: long
  Default: (none)
  When using a cookie, sets the Max-Age attribute of the cookie, defining how long the cookie is valid. Not used by default.

cookie-name
  Type: string
  Default: JSESSIONID
  Name of the cookie to use. Defaults to DEFAULT_COOKIE_NAME.

cookie-name-tenant
  Type: string
  Default: HELIDON_TENANT
  Name of the cookie to use for the tenant name. Defaults to DEFAULT_TENANT_COOKIE_NAME.

cookie-path
  Type: string
  Default: /
  Path the cookie is valid for. Defaults to "/".

cookie-same-site
  Type: SameSite (LAX, STRICT, NONE)
  Default: LAX
  When using a cookie, sets the SameSite cookie attribute. Can be "Strict" or "Lax".

cookie-secure
  Type: boolean
  Default: false
  When using a cookie, if set to true, the Secure attribute is set. Defaults to false.

cookie-use
  Type: boolean
  Default: true
  Whether to use a cookie to store the JWT between requests. Defaults to DEFAULT_COOKIE_USE.

cors
  Assign cross-origin resource sharing settings.

force-https-redirects
  Type: boolean
  Default: false
  Force HTTPS for redirects to the identity provider. Defaults to false.

frontend-uri
  Type: string
  Default: (none)
  Full URI of this application as visible from the user's browser. Used to redirect the request back from the identity server after a successful login.

header-token
  A TokenHandler used to process the header containing a JWT. Default is the "Authorization" header with the prefix "bearer ".

header-use
  Type: boolean
  Default: true
  Whether to expect the JWT in a header field.

identity-uri
  Type: URI
  Default: (none)
  URI of the identity server; the base URI used to retrieve OIDC metadata.

introspect-endpoint-uri
  Type: URI
  Default: (none)
  Endpoint used to validate the JWT. Either use this or set #signJwk(JwkKeys) or #signJwk(Resource).

issuer
  Type: string
  Default: (none)
  Issuer of issued tokens.

max-redirects
  Type: int
  Default: 5
  Configure the maximal number of redirects to an OIDC provider within a single authentication attempt. Defaults to DEFAULT_MAX_REDIRECTS.

oidc-metadata-well-known
  Type: boolean
  Default: true
  If set to true, metadata is loaded from the default (well-known) location unless it is explicitly defined using oidc-metadata.resource. If set to false, it is not loaded even if oidc-metadata.resource is not defined; in that case all URIs must be explicitly defined (e.g. token-endpoint-uri).

oidc-metadata.resource
  Resource configuration for the OIDC metadata containing the endpoints of the various identity services, as well as information about the identity server.

proxy-host
  Type: string
  Default: (none)
  Proxy host to use. When defined, triggers the use of a proxy for HTTP requests. Setting it to an empty string has the same meaning as setting it to null: the proxy is disabled.

proxy-port
  Type: int
  Default: 80
  Proxy port. Defaults to DEFAULT_PROXY_PORT.

proxy-protocol
  Type: string
  Default: http
  Proxy protocol to use when a proxy is used. Defaults to DEFAULT_PROXY_PROTOCOL.

query-param-name
  Type: string
  Default: accessToken
  Name of the query parameter that contains the JWT when a query parameter is used.

query-param-tenant-name
  Type: string
  Default: h_tenant
  Name of the query parameter that contains the tenant name when a query parameter is used. Defaults to #DEFAULT_TENANT_PARAM_NAME.

query-param-use
  Type: boolean
  Default: false
  Whether to use a query parameter to send the JWT from the application to this server.

redirect
  Type: boolean
  Default: false
  By default, the client should redirect to the identity server for the user to log in. This behavior can be overridden by setting redirect to false. When a token is not present in the request, the client will not redirect and just returns the appropriate error response code.

redirect-attempt-param
  Type: string
  Default: h_ra
  Configure the parameter used to store the number of redirect attempts. Defaults to DEFAULT_ATTEMPT_PARAM.

redirect-uri
  Type: string
  Default: /oidc/redirect
  URI to register the web server component on; used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that the redirect URI configured here usually must be the same one as configured on the OIDC server. Defaults to DEFAULT_REDIRECT_URI.

relative-uris
  Type: boolean
  Default: false
  Can be set to true to force the use of relative URIs in all requests, regardless of the presence or absence of proxies or no-proxy lists. By default, requests that use the proxy have absolute URIs. Set this flag to true if the host is unable to accept absolute URIs. Defaults to DEFAULT_RELATIVE_URIS.

scope-audience
  Type: string
  Default: (none)
  Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to an empty string.

server-type
  Type: string
  Default: @default
  Configure one of the supported types of identity servers. If the type does not have an explicit mapping, a warning is logged and the default implementation is used.

sign-jwk.resource
  A resource pointing to a JWK set with the public keys of the signing certificates used to validate JWTs.

tenants
  Configuration of the tenants.

token-endpoint-auth
  Type: ClientAuthentication (CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, NONE)
  Default: CLIENT_SECRET_BASIC
  Type of authentication to use when invoking the token endpoint. Currently supported options:
    • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication#CLIENT_SECRET_BASIC
    • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication#CLIENT_SECRET_POST
    • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication#NONE

token-endpoint-uri
  Type: URI
  Default: (none)
  URI of the token endpoint used to obtain a JWT based on the authorization code. If not defined, it is obtained from #oidcMetadata(Resource); if that is not defined, an attempt is made to use #identityUri(URI)/oauth2/v1/token.

validate-jwt-with-jwk
  Type: boolean
  Default: true
  Use a JWK set (keys used to validate JWT signatures) to validate tokens. Use this when you want to use the default values for the JWK or the introspection endpoint URI.
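The following application.yaml fragment is an added example, not configuration from the Helidon documentation or project. It wires the keys documented above into one provider definition and overrides the defaults that matter for a browser-facing deployment over HTTPS: cookie-secure (false by default), cookie-same-site (LAX by default) and force-https-redirects (false by default). It assumes the provider is registered under security.providers as "oidc" (the usual Helidon layout); the host names, client id and client secret are placeholders.

```yaml
# Added example; not from the Helidon project. Placeholder hosts and credentials.
security:
  providers:
    - oidc:
        # Identity server; endpoints are resolved from its well-known metadata (default behaviour)
        identity-uri: "https://idp.example.test"
        oidc-metadata-well-known: true                     # default
        # Client credentials registered at the identity server
        client-id: "my-app-client-id"                      # placeholder
        client-secret: "<client-secret-from-secret-store>" # placeholder; do not commit real secrets
        token-endpoint-auth: "CLIENT_SECRET_BASIC"         # default
        # Browser-visible address; the registered redirect at the IdP is frontend-uri + redirect-uri
        frontend-uri: "https://app.example.test"
        redirect-uri: "/oidc/redirect"                     # default
        redirect: true                                     # send users to the IdP when no token is present
        force-https-redirects: true                        # default is false; keep IdP redirects on HTTPS
        max-redirects: 5                                   # default; bounds redirect loops per attempt
        base-scopes: "openid"                              # default
        # Token transport: accept the Authorization header, not query-string tokens
        header-use: true                                   # default
        query-param-use: false                             # default; query-string tokens leak into logs and Referer headers
        # Session cookie: defaults are HttpOnly=true, Secure=false, SameSite=LAX
        cookie-use: true                                   # default
        cookie-name: "JSESSIONID"                          # default
        cookie-http-only: true                             # default
        cookie-secure: true                                # default is false; required once the app is served over HTTPS
        cookie-same-site: "STRICT"                         # default is LAX
        cookie-path: "/"                                   # default
        cookie-max-age-seconds: 3600                       # not set by default; bounds the cookie lifetime
        # Validate signatures against the IdP's JWK set instead of calling the introspection endpoint
        validate-jwt-with-jwk: true                        # default
        client-timeout-millis: 30000                       # default
```

The commented defaults are repeated on purpose so the two overrides that change the security posture (cookie-secure and force-https-redirects) are visible next to the values they replace; only the keys that differ from their defaults need to be present in a real file.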
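For identity servers that do not publish well-known metadata, the page describes setting oidc-metadata-well-known to false and supplying every endpoint explicitly. The fragment below is an added example (not from the Helidon project) of that mode, with local JWK validation as the primary choice and introspection shown as the alternative. The host names, paths and the "path" child of the resource node are assumptions; the introspection path in particular is a placeholder, since the page gives no default for it.

```yaml
# Added example; not from the Helidon project. Placeholder hosts, paths and credentials.
security:
  providers:
    - oidc:
        oidc-metadata-well-known: false                    # no /.well-known fetch; all endpoints are explicit
        client-id: "my-app-client-id"                      # placeholder
        client-secret: "<client-secret-from-secret-store>" # placeholder
        frontend-uri: "https://app.example.test"
        # Explicit endpoints (the page's fallbacks would be identity-uri + /oauth2/v1/authorize and /oauth2/v1/token)
        authorization-endpoint-uri: "https://idp.example.test/oauth2/v1/authorize"
        token-endpoint-uri: "https://idp.example.test/oauth2/v1/token"
        # Claims the provider should check on every token it accepts
        issuer: "https://idp.example.test"
        audience: "my-app-client-id"
        # Option A: validate JWT signatures locally against a file-based JWK set
        validate-jwt-with-jwk: true                        # default
        sign-jwk:
          resource:
            path: "/etc/app/idp-jwks.json"                 # assumed resource key; file holding the IdP's public keys
        # Option B (instead of option A): ask the identity server to validate each token
        # validate-jwt-with-jwk: false
        # introspect-endpoint-uri: "https://idp.example.test/<introspection-path>"   # placeholder path
```

Option A keeps token validation inside the application and needs the JWK file rotated whenever the identity server rotates its signing keys; option B costs a network round trip per validation but never holds stale keys.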