Description
OpenID Connect configuration.
Usages
Configuration options
| Key | Kind | Type | Default Value | Description |
|---|---|---|---|---|
| access-token-ip-check | VALUE | Boolean | true | Whether to check that the current IP address matches the one the access token was issued for |
| audience | VALUE | String | | Audience of issued tokens |
| authorization-endpoint-uri | VALUE | URI | | URI of the authorization endpoint users are redirected to for logging in |
| base-scopes | VALUE | String | openid | Configure base scopes |
| check-audience | VALUE | Boolean | true | Configure the audience claim check |
| client-credentials-config | VALUE | i.h.s.p.o.c.ClientCredentialsConfig | | Configuration related to the client credentials flow |
| client-id | VALUE | String | | Client ID as generated by the OIDC server |
| client-secret | VALUE | String | | Client secret as generated by the OIDC server |
| client-timeout-millis | VALUE | Duration | 30000 | Timeout of calls using the web client |
| cookie-domain | VALUE | String | | Domain the cookie is valid for |
| cookie-encryption-enabled | VALUE | Boolean | false | Whether to encrypt the token cookie created by this microservice |
| cookie-encryption-id-enabled | VALUE | Boolean | true | Whether to encrypt the id token cookie created by this microservice |
| cookie-encryption-name | VALUE | String | | Name of the encryption configuration available through `Security#encrypt(String, byte[])` and `Security#decrypt(String, String)` |
| cookie-encryption-password | LIST | String | | Master password for encryption/decryption of cookies |
| cookie-encryption-refresh-enabled | VALUE | Boolean | true | Whether to encrypt the refresh token cookie created by this microservice |
| cookie-encryption-state-enabled | VALUE | Boolean | true | Whether to encrypt the state cookie created by this microservice |
| cookie-encryption-tenant-enabled | VALUE | Boolean | true | Whether to encrypt the tenant name cookie created by this microservice |
| cookie-http-only | VALUE | Boolean | true | When using a cookie, if set to true, the HttpOnly attribute will be set |
| cookie-max-age-seconds | VALUE | Long | | When using a cookie, sets the MaxAge attribute of the cookie, defining how long the cookie is valid |
| cookie-name | VALUE | String | JSESSIONID | Name of the cookie to use |
| cookie-name-id-token | VALUE | String | JSESSIONID_2 | Name of the cookie to use for the id token |
| cookie-name-refresh-token | VALUE | String | JSESSIONID_3 | Name of the cookie to use for the refresh token |
| cookie-name-state | VALUE | String | JSESSIONID_3 | Name of the cookie to use for the state storage |
| cookie-name-tenant | VALUE | String | HELIDON_TENANT | Name of the cookie to use for the tenant name |
| cookie-path | VALUE | String | / | Path the cookie is valid for |
| cookie-same-site | VALUE | i.h.h.S.SameSite | LAX | When using a cookie, sets the SameSite attribute of the cookie |
| cookie-secure | VALUE | Boolean | false | When using a cookie, if set to true, the Secure attribute will be set |
| cookie-use | VALUE | Boolean | true | Whether to use a cookie to store the JWT between requests |
| cors | VALUE | i.h.c.CrossOriginConfig | | Cross-origin resource sharing settings |
| decryption-keys.resource | VALUE | i.h.c.c.Resource | | A resource pointing to a JWK with the private keys used for JWE content key decryption |
| force-https-redirects | VALUE | Boolean | false | Force HTTPS for redirects to the identity provider |
| frontend-uri | VALUE | String | | Full URI of this application as visible from the user's browser |
| header-token | VALUE | i.h.s.u.TokenHandler | | A TokenHandler to process the header containing a JWT |
| header-use | VALUE | Boolean | true | Whether to expect the JWT in a header field |
| id-token-signature-validation | VALUE | Boolean | true | Whether the id token signature check should be enabled |
| identity-uri | VALUE | URI | | URI of the identity server, used as the base to retrieve OIDC metadata |
| introspect-endpoint-uri | VALUE | URI | | Endpoint used to validate the JWT |
| issuer | VALUE | String | | Issuer of issued tokens |
| max-redirects | VALUE | Integer | 5 | Maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt |
| oidc-metadata-well-known | VALUE | Boolean | true | If set to true, metadata is loaded from the default (well-known) location, unless it is explicitly defined using `oidc-metadata.resource` |
| oidc-metadata.resource | VALUE | i.h.c.c.Resource | | Resource configuration for the OIDC metadata containing the endpoints of the various identity services, as well as information about the identity server |
| optional-audience | VALUE | Boolean | false | Allow the audience claim to be optional |
| outbound-type | VALUE | i.h.s.p.o.c.OidcOutboundType | USER_JWT | Type of the OIDC outbound |
| pkce-challenge-method | VALUE | i.h.s.p.o.c.PkceChallengeMethod | S256 | Proof Key for Code Exchange (PKCE) challenge creation method |
| pkce-enabled | VALUE | Boolean | false | Whether this provider should support PKCE |
| proxy-port | VALUE | Integer | 80 | Proxy port |
| query-id-token-param-name | VALUE | String | id_token | Name of the query parameter that contains the JWT id token when a parameter is used |
| query-param-name | VALUE | String | accessToken | Name of the query parameter that contains the JWT access token when a parameter is used |
| query-param-tenant-name | VALUE | String | h_tenant | Name of the query parameter that contains the tenant name when a parameter is used |
| query-param-use | VALUE | Boolean | false | Whether to use a query parameter to send the JWT from the application to this server |
| redirect | VALUE | Boolean | false | Whether the client should redirect to the identity server for the user to log in |
| redirect-attempt-param | VALUE | String | h_ra | Parameter used to store the number of redirect attempts |
| redirect-uri | VALUE | String | /oidc/redirect | URI to register the web server component on; the OIDC server redirects authorization requests to it after a user logs in or approves scopes |
| scope-audience | VALUE | String | | Audience of the scope required by this application |
| server-type | VALUE | String | @default | One of the supported types of identity servers |
| sign-jwk.resource | VALUE | i.h.c.c.Resource | | A resource pointing to a JWK with the public keys of the signing certificates used to validate JWTs |
| tenants | VALUE | i.h.s.p.o.c.TenantConfig | | Configurations of the tenants |
| token-endpoint-auth | VALUE | i.h.s.p.o.c.O.ClientAuthentication | CLIENT_SECRET_BASIC | Type of authentication to use when invoking the token endpoint |
| token-endpoint-uri | VALUE | URI | | URI of the token endpoint used to obtain a JWT based on the authorization code |
| token-signature-validation | VALUE | Boolean | true | Whether the access token signature check should be enabled |
| validate-jwt-with-jwk | VALUE | Boolean | true | Use a JWK (a set of keys to validate JWT signatures) to validate tokens |
| webclient | VALUE | i.h.w.a.WebClient | | WebClient configuration used for outbound requests to the identity server. This configuration sets the values of the OIDC WebClient default configuration |
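Several of the defaults above (`cookie-secure`, `cookie-encryption-enabled`, `pkce-enabled`, `force-https-redirects` all false) are suited to local development rather than a browser-facing deployment. The following hardened `application.yaml` fragment is an added example, not taken from the Helidon documentation or sources; it assumes the provider sits under `security.providers` as an `oidc` entry, that `${...}` resolves a value from the environment, and uses placeholder client and URI values.

```yaml
# Added example (not Helidon's own): hardened OIDC provider settings.
# Every key is from the options table above; values are placeholders.
security:
  providers:
    - oidc:
        client-id: "my-client-id"                  # placeholder
        client-secret: "${OIDC_CLIENT_SECRET}"     # assumed env lookup; never commit
        identity-uri: "https://idp.example.com/"   # placeholder identity server
        oidc-metadata-well-known: true             # discover endpoints from .well-known
        frontend-uri: "https://app.example.com"    # placeholder, must match the IdP registration
        redirect-uri: "/oidc/redirect"
        redirect: true                             # send unauthenticated users to the IdP
        force-https-redirects: true                # default false; no http:// redirects
        max-redirects: 5

        # Authorization-code flow hardening
        pkce-enabled: true                         # default false
        pkce-challenge-method: S256
        token-endpoint-auth: CLIENT_SECRET_BASIC
        base-scopes: "openid"

        # Token validation: leave every check enabled
        validate-jwt-with-jwk: true
        token-signature-validation: true
        id-token-signature-validation: true
        check-audience: true
        optional-audience: false                   # reject tokens without an aud claim
        audience: "my-client-id"                   # placeholder; tokens must carry this aud
        issuer: "https://idp.example.com/"         # placeholder
        access-token-ip-check: true

        # Cookie transport: protect the JWT stored between requests
        cookie-use: true
        query-param-use: false                     # default false; keep tokens out of URLs
        cookie-name: "APP_SESSION"                 # default JSESSIONID
        cookie-http-only: true
        cookie-secure: true                        # default false; cookie only over HTTPS
        cookie-same-site: STRICT                   # default LAX
        cookie-path: "/"
        cookie-max-age-seconds: 3600
        cookie-encryption-enabled: true            # default false; encrypt access token cookie
        cookie-encryption-id-enabled: true
        cookie-encryption-refresh-enabled: true
        cookie-encryption-state-enabled: true
        cookie-encryption-tenant-enabled: true
        cookie-encryption-password: "${OIDC_COOKIE_PASSWORD}"   # assumed env lookup
```

With these settings the browser never sees a plaintext token, token and id-token signatures are checked against the JWK set discovered from the identity server, and the audience check rejects tokens minted for another client.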
Deprecated Options
See the manifest for all available types.