public final class OidcConfig extends Object
Some of the configuration options below are of "resource" type. The following configuration
keys can be used for a resource (example for the oidc-metadata key):
oidc-metadata-path: "path/on/filesystem"
oidc-metadata-resource-path: "class-path/resource"
oidc-metadata-url: "URI on the net"
oidc-metadata-content-plain: "Value of the resource in plain text"
oidc-metadata-content: "Value in base64 encoded bytes"
Configuration options required (under security.providers[].${name}):
| key | description |
|---|---|
| client-id | Client ID as generated by OIDC server |
| client-secret | Client secret as generated by OIDC server |
| identity-uri | URI of the identity server, base used to retrieve OIDC metadata |
| frontend-uri | Full URI of the frontend, used for redirects back from the OIDC server (e.g. http://myserver/myApp) |
Optional configuration options (under security.providers[].${name}), with their default values:
| key | default value | description |
|---|---|---|
| proxy-protocol | http | Proxy protocol to use when proxy is used. |
| proxy-host | null | Proxy host to use. When defined, triggers usage of proxy for HTTP requests. |
| proxy-port | 80 | Port of the proxy server to use |
| redirect-uri | /oidc/redirect | URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on OIDC server. |
| scope-audience | empty string | Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. |
| cookie-use | true | Whether to use a cookie to store the JWT. If used, redirects happen only when the user is not authenticated or has insufficient scopes. |
| cookie-name | JSESSIONID | Name of the cookie |
| cookie-domain | null | Domain the cookie is valid for. Not used by default |
| cookie-path | / | Path the cookie is valid for. |
| cookie-max-age-seconds | null | When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid. |
| cookie-http-only | true | When using cookie, if set to true, the HttpOnly attribute will be configured. |
| cookie-secure | false | When using cookie, if set to true, the Secure attribute will be configured. |
| cookie-same-site | Strict | When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax" |
| query-param-use | false | Whether to expect JWT in a query parameter |
| query-param-name | accessToken | Name of a query parameter that contains the JWT token when parameter is used. |
| header-use | false | Whether to expect JWT in a header field. |
| header-token | "Authorization" header with prefix "bearer " | A TokenHandler configuration to process header containing a JWT |
| oidc-metadata-well-known | true | If set to true, metadata will be loaded from the default (well-known) location, unless it is explicitly defined using the oidc-metadata resource keys. If set to false, it would not be loaded even if oidc-metadata is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri). |
| oidc-metadata | identity-uri/.well-known/openid-configuration | Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server |
| token-endpoint-uri | "token_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/token if not available | URI of the token endpoint used to obtain a JWT based on the authorization code. |
| authorization-endpoint-uri | "authorization_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/authorize if not available | URI of the authorization endpoint users are redirected to for logging in. |
| validate-with-jwk | true | When true, validate the JWT signature locally against the JWK defined by "sign-jwk"; when false, validate the JWT through the OIDC server endpoint "introspect-endpoint-uri". |
| sign-jwk | "jwks_uri" in OIDC metadata, or identity-uri/admin/v1/SigningCert/jwk if not available; only needed when JWT validation is done locally (validate-with-jwk is true) | A resource pointing to a JWK set with the public keys of the signing certificates used to validate the JWT |
| introspect-endpoint-uri | "introspection_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/introspect if not available | Endpoint used for token introspection when validate-with-jwk is set to "false" |
| base-scopes | | Scopes to be requested by default. If a scope has a qualifier, it must be included here. |
| redirect | true | Whether to redirect to identity server when authentication failed. |
| realm | helidon | Realm returned in HTTP response if redirect is not enabled or possible. |
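The two tables above describe the same settings that OidcConfig.Builder exposes programmatically. The following is an added example, not code from this Javadoc page or from the Helidon project, showing a hardened configuration built both ways: through the Builder methods listed further down on this page, and through OidcConfig.create(Config) from an in-memory config source using the keys from the tables. Note the defaults worth overriding: cookie-secure defaults to false, cookie-name defaults to JSESSIONID, and query-param-use exists as an option even though a JWT in a query string leaks into access logs, browser history and Referer headers. Assumptions, none of which appear on the page: the import package is the Helidon 1.x one (io.helidon.security.providers.oidc.common); the Builder methods clientSecret(String), frontendUri(URI), cookieSecure(Boolean) and cookieSameSite(String) are assumed to exist as counterparts of the keys client-secret, frontend-uri, cookie-secure and cookie-same-site; the provider node is named "oidc"; and every host name, client ID and cookie name is a made-up value. Issuer and audience are set only in the Builder form because the page lists Builder.issuer/audience but no config keys for them.

```java
import java.net.URI;
import java.util.Map;

import io.helidon.config.Config;
import io.helidon.config.ConfigSources;
import io.helidon.security.providers.oidc.common.OidcConfig; // assumed Helidon 1.x package

/**
 * Added example (not from the Helidon Javadoc): the same hardened OIDC
 * configuration built through the fluent Builder and through
 * OidcConfig.create(Config). Assumed (not on the page): the Builder methods
 * clientSecret, frontendUri, cookieSecure and cookieSameSite; the provider
 * node name "oidc"; all host names and identifiers are made up.
 */
public final class HardenedOidcConfigExample {

    private static final String IDP = "https://idp.example.com"; // made-up identity server
    private static final String APP = "https://app.example.com"; // made-up frontend

    /** Builder form. Each setter corresponds to a key in the configuration tables. */
    public static OidcConfig viaBuilder(String clientSecret) {
        return OidcConfig.builder()
                .clientId("my-app")                            // client-id
                .clientSecret(clientSecret)                    // client-secret (assumed method)
                .identityUri(URI.create(IDP))                  // identity-uri
                .frontendUri(URI.create(APP))                  // frontend-uri (assumed method)
                // frontend-uri + redirect-uri must equal the redirect URI registered at the IdP
                .redirectUri("/oidc/redirect")
                .baseScopes("openid")
                // Token transport: cookie only. Keep the query-parameter path off so the
                // JWT never lands in logs, history or Referer headers; the header path is
                // off too, because this is a browser-facing application.
                .useCookie(true)
                .useParam(false)
                .useHeader(false)
                .cookieName("OIDC_TOKEN")                      // do not reuse the JSESSIONID default
                .cookieHttpOnly(true)                          // keep the JWT away from page scripts
                .cookieSecure(true)                            // page default is false (assumed method)
                .cookieSameSite("Strict")                      // assumed method
                // Validate signatures locally against the IdP's JWK set and pin iss/aud,
                // so a token minted by another issuer or for another client is rejected.
                .validateJwtWithJwk(true)
                .issuer(IDP)
                .audience("my-app")
                .build();
    }

    /** Config form: the same keys under security.providers[].oidc, loaded from a Map. */
    public static OidcConfig viaConfig(String clientSecret) {
        String node = "security.providers.0.oidc.";  // providers is a list; index 0, provider "oidc"
        Map<String, String> props = Map.ofEntries(
                Map.entry(node + "client-id", "my-app"),
                Map.entry(node + "client-secret", clientSecret),
                Map.entry(node + "identity-uri", IDP),
                Map.entry(node + "frontend-uri", APP),
                Map.entry(node + "redirect-uri", "/oidc/redirect"),
                Map.entry(node + "base-scopes", "openid"),
                Map.entry(node + "cookie-use", "true"),
                Map.entry(node + "query-param-use", "false"),
                Map.entry(node + "header-use", "false"),
                Map.entry(node + "cookie-name", "OIDC_TOKEN"),
                Map.entry(node + "cookie-http-only", "true"),
                Map.entry(node + "cookie-secure", "true"),
                Map.entry(node + "cookie-same-site", "Strict"),
                Map.entry(node + "validate-with-jwk", "true"));
        Config config = Config.create(ConfigSources.create(props));
        // create(Config) expects the node that holds client-id etc., not the config root.
        return OidcConfig.create(config.get("security.providers.0.oidc"));
    }

    public static void main(String[] args) {
        String secret = System.getenv("OIDC_CLIENT_SECRET");  // never hard-code the client secret
        OidcConfig fromBuilder = viaBuilder(secret);
        OidcConfig fromConfig = viaConfig(secret);
        // Both forms expose the same effective settings through the getters on this page.
        System.out.println(fromBuilder.useCookie() + " " + fromBuilder.validateJwtWithJwk()
                + " " + fromBuilder.redirectUriWithHost());
        System.out.println(fromConfig.useCookie() + " " + fromConfig.validateJwtWithJwk()
                + " " + fromConfig.redirectUriWithHost());
    }
}
```

Whichever form is used, the value registered at the identity server as the allowed redirect URI has to be the concatenation frontend-uri + redirect-uri (what redirectUriWithHost() returns), otherwise the authorization server will refuse the callback.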
| Modifier and Type | Class and Description |
|---|---|
| static class | OidcConfig.Builder: A fluent API Builder to build instances of OidcConfig. |
| Modifier and Type | Field and Description |
|---|---|
| static String | PARAM_HEADER_NAME: Default name of the header we expect the JWT in. |
| Modifier and Type | Method and Description |
|---|---|
| Client | appClient(): Client with configured proxy and security of this OIDC client. |
| String | audience(): Expected token audience. |
| String | authorizationEndpointUri(): Authorization endpoint. |
| String | baseScopes(): Base scopes to require from the OIDC server. |
| static OidcConfig.Builder | builder(): Create a builder to programmatically construct OIDC configuration. |
| String | clientId(): Client id of this client. |
| String | cookieName(): Cookie name. |
| String | cookieOptions(): Additional options of the cookie to use. |
| String | cookieValuePrefix(): Prefix of a cookie header formed by name and "=". |
| static OidcConfig | create(Config config): Create a new instance from Config. |
| Client | generalClient(): Client with configured proxy and no security. |
| TokenHandler | headerHandler(): TokenHandler to extract header information from the request. |
| URI | identityUri(): Identity server URI. |
| WebTarget | introspectEndpoint(): Token introspection endpoint. |
| String | issuer(): Token issuer. |
| String | paramName(): Query parameter name. |
| String | realm(): Realm to use for the WWW-Authenticate response (if needed). |
| String | redirectUri(): Redirection URI. |
| String | redirectUriWithHost(): Redirect URI with host information. |
| String | scopeAudience(): Audience URI of custom scopes. |
| boolean | shouldRedirect(): Whether to redirect to the identity server if the user is not authenticated. |
| JwkKeys | signJwk(): JWK used for signature validation. |
| WebTarget | tokenEndpoint(): Token endpoint of the OIDC server. |
| boolean | useCookie(): Whether to use a cookie to get the information from the request. |
| boolean | useHeader(): Whether to use an HTTP header to get the information from the request. |
| boolean | useParam(): Whether to use a query parameter to get the information from the request. |
| boolean | validateJwtWithJwk(): Whether to validate the JWT locally with JWK information (sign-jwk) rather than through the introspection endpoint. |
public static final String PARAM_HEADER_NAME
public static OidcConfig.Builder builder()
public static OidcConfig create(Config config)
Create a new instance from Config. The config instance has to be on the node containing keys used by this class (e.g. client-id).
Parameters: config - configuration used to obtain OIDC integration values
public JwkKeys signJwk()
See also: OidcConfig.Builder.signJwk(JwkKeys)
public String redirectUri()
See also: OidcConfig.Builder.redirectUri(String)
public WebTarget tokenEndpoint()
See also: OidcConfig.Builder.tokenEndpointUri(URI)
public boolean useParam()
See also: OidcConfig.Builder.useParam(Boolean)
public String paramName()
See also: OidcConfig.Builder.paramName(String)
public boolean useCookie()
See also: OidcConfig.Builder.useCookie(Boolean)
public String cookieName()
See also: OidcConfig.Builder.cookieName(String)
public String cookieOptions()
See also: OidcConfig.Builder.cookieHttpOnly(Boolean), OidcConfig.Builder.cookieDomain(String)
public boolean useHeader()
See also: OidcConfig.Builder.useHeader(Boolean)
public TokenHandler headerHandler()
TokenHandler to extract header information from the request.
See also: OidcConfig.Builder.headerTokenHandler(TokenHandler)
public String cookieValuePrefix()
See also: OidcConfig.Builder.cookieName(String)
public String scopeAudience()
See also: OidcConfig.Builder.scopeAudience(String)
public String authorizationEndpointUri()
See also: OidcConfig.Builder.authorizationEndpointUri(URI)
public String clientId()
See also: OidcConfig.Builder.clientId(String)
public String redirectUriWithHost()
See also: OidcConfig.Builder.redirectUri(String)
public String baseScopes()
See also: OidcConfig.Builder.baseScopes(String)
public boolean validateJwtWithJwk()
See also: OidcConfig.Builder.validateJwtWithJwk(Boolean)
public WebTarget introspectEndpoint()
See also: OidcConfig.Builder.introspectEndpointUri(URI)
public String issuer()
See also: OidcConfig.Builder.issuer(String)
public String audience()
See also: OidcConfig.Builder.audience(String)
public URI identityUri()
See also: OidcConfig.Builder.identityUri(URI)
public Client generalClient()
public Client appClient()
public boolean shouldRedirect()
public String realm()
Copyright © 2018, Oracle and/or its affiliates. All Rights Reserved. Use is subject to license terms.