public final class OidcConfig
extends java.lang.Object
Some of the configuration options below use the "resource" type. A resource can be supplied in any of the following ways (example for the oidc-metadata key):

```yaml
oidc-metadata-path: "path/on/filesystem"
oidc-metadata-resource-path: "class-path/resource"
oidc-metadata-url: "URI on the net"
oidc-metadata-content-plain: "Value of the resource in plain text"
oidc-metadata-content: "Value in base64 encoded bytes"
```
Configuration options required (under security.providers[].${name}):

| key | description |
|---|---|
| client-id | Client ID as generated by the OIDC server |
| client-secret | Client secret as generated by the OIDC server |
| identity-uri | URI of the identity server; the base used to retrieve OIDC metadata |
| frontend-uri | Full URI of the frontend for redirects back from the OIDC server (e.g. http://myserver/myApp) |
Optional configuration options (with their default values):

| key | default value | description |
|---|---|---|
| proxy-protocol | http | Proxy protocol to use when a proxy is used. |
| proxy-host | null | Proxy host to use. When defined, triggers usage of the proxy for HTTP requests. |
| proxy-port | 80 | Port of the proxy server to use. |
| redirect-uri | /oidc/redirect | URI to register the web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on the OIDC server. |
| scope-audience | empty string | Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. |
| cookie-use | true | Whether to use a cookie to store the JWT. If used, redirects happen only when the user is not authenticated or has insufficient scopes. |
| cookie-name | JSESSIONID | Name of the cookie. |
| cookie-domain | null | Domain the cookie is valid for. Not used by default. |
| cookie-path | / | Path the cookie is valid for. |
| cookie-max-age-seconds | null | When using a cookie, sets the MaxAge attribute of the cookie, defining how long the cookie is valid. |
| cookie-http-only | true | When using a cookie, if set to true, the HttpOnly attribute will be configured. |
| cookie-secure | false | When using a cookie, if set to true, the Secure attribute will be configured. |
| cookie-same-site | Strict | When using a cookie, sets the SameSite cookie value. Can be "Strict" or "Lax". |
| query-param-use | false | Whether to expect the JWT in a query parameter. |
| query-param-name | accessToken | Name of the query parameter that contains the JWT when the parameter is used. |
| header-use | false | Whether to expect the JWT in a header field. |
| header-token | "Authorization" header with prefix "bearer " | A TokenHandler configuration to process the header containing a JWT. |
| oidc-metadata-well-known | true | If set to true, metadata will be loaded from the default (well-known) location unless it is explicitly defined using oidc-metadata-resource. If set to false, it will not be loaded even if oidc-metadata-resource is not defined; in that case all URIs must be explicitly defined (e.g. token-endpoint-uri). |
| oidc-metadata | identity-uri/.well-known/openid-configuration | Resource configuration for the OIDC metadata containing endpoints of the various identity services, as well as information about the identity server. |
| token-endpoint-uri | token_endpoint in OIDC metadata, or identity-uri/oauth2/v1/token if not available | URI of the token endpoint used to obtain a JWT based on the authorization code. |
| authorization-endpoint-uri | "authorization_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/authorize if not available | URI of the authorization endpoint users are redirected to for logging in. |
| validate-with-jwk | true | When true, validate against the JWK defined by "sign-jwk"; when false, validate the JWT through the OIDC server endpoint "validation-endpoint-uri". |
| sign-jwk | "jwks-uri" in OIDC metadata, or identity-uri/admin/v1/SigningCert/jwk if not available; only needed when JWT validation is done by this provider | A resource pointing to the JWK with public keys of the signing certificates used to validate the JWT. |
| introspect-endpoint-uri | "introspection_endpoint" in OIDC metadata, or identity-uri/oauth2/v1/introspect | When validate-with-jwk is set to "false", this is the endpoint used. |
| base-scopes | | Scopes to be requested by default. If a scope has a qualifier, it must be included here. |
| redirect | true | Whether to redirect to the identity server when authentication failed. |
| realm | Helidon | Realm returned in the HTTP response if redirect is not enabled or possible. |
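An added example (not from the Helidon Javadoc) of a provider entry using the keys above. It takes the JWT from the session cookie only and turns on the cookie attributes that the defaults leave off; the provider name "oidc", the host names, the client id and the secret are constructed placeholders.

```yaml
# Added example, not part of the Helidon documentation. All host names, ids
# and secrets below are constructed placeholders.
security:
  providers:
    - oidc:
        client-id: "my-client-id"            # placeholder
        client-secret: "my-client-secret"    # placeholder; do not commit a real secret
        identity-uri: "https://idp.example.com"
        frontend-uri: "https://app.example.com"
        # Default value; must match the redirect URI registered at the OIDC server.
        redirect-uri: "/oidc/redirect"

        # Token transport: accept the JWT from the session cookie only.
        # query-param-use and header-use already default to false; keeping the
        # query parameter disabled keeps tokens out of URLs, access logs and
        # Referer headers.
        cookie-use: true
        query-param-use: false
        header-use: false

        # Session cookie attributes. Defaults are HttpOnly=true, Secure=false,
        # SameSite=Strict and no MaxAge; Secure is the one that must be set
        # explicitly for an HTTPS deployment, and a MaxAge bounds how long a
        # leaked cookie stays usable.
        cookie-name: "APPSESSION"            # default is JSESSIONID
        cookie-http-only: true
        cookie-secure: true
        cookie-same-site: "Strict"
        cookie-max-age-seconds: 3600

        # Token validation: locally against the signing JWK advertised in the
        # identity server's well-known metadata (both are the defaults).
        oidc-metadata-well-known: true
        validate-with-jwk: true

        base-scopes: "openid"               # constructed value; standard OIDC scope
        redirect: true
        realm: "my-app"
```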
| Modifier and Type | Class | Description |
|---|---|---|
| static class | OidcConfig.Builder | A fluent API Builder to build instances of OidcConfig. |
| Modifier and Type | Field | Description |
|---|---|---|
| static java.lang.String | PARAM_HEADER_NAME | Default name of the header we expect the JWT in. |
| Modifier and Type | Method | Description |
|---|---|---|
| javax.ws.rs.client.Client | appClient() | Client with configured proxy and security of this OIDC client. |
| java.lang.String | audience() | Expected token audience. |
| java.lang.String | authorizationEndpointUri() | Authorization endpoint. |
| java.lang.String | baseScopes() | Base scopes to require from the OIDC server. |
| static OidcConfig.Builder | builder() | Create a builder to programmatically construct OIDC configuration. |
| java.lang.String | clientId() | Client id of this client. |
| java.lang.String | cookieName() | Cookie name. |
| java.lang.String | cookieOptions() | Additional options of the cookie to use. |
| java.lang.String | cookieValuePrefix() | Prefix of a cookie header formed by name and "=". |
| static OidcConfig | create(Config config) | Create a new instance from Config. |
| static OidcConfig | from(Config config) | Deprecated. |
| javax.ws.rs.client.Client | generalClient() | Client with configured proxy and no security. |
| TokenHandler | headerHandler() | TokenHandler to extract header information from the request. |
| java.net.URI | identityUri() | Identity server URI. |
| javax.ws.rs.client.WebTarget | introspectEndpoint() | Token introspection endpoint. |
| java.lang.String | issuer() | Token issuer. |
| java.lang.String | paramName() | Query parameter name. |
| java.lang.String | realm() | Realm to use for the WWW-Authenticate response (if needed). |
| java.lang.String | redirectUri() | Redirection URI. |
| java.lang.String | redirectUriWithHost() | Redirect URI with host information. |
| java.lang.String | scopeAudience() | Audience URI of custom scopes. |
| boolean | shouldRedirect() | Whether to redirect to the identity server if the user is not authenticated. |
| JwkKeys | signJwk() | JWK used for signature validation. |
| javax.ws.rs.client.WebTarget | tokenEndpoint() | Token endpoint of the OIDC server. |
| boolean | useCookie() | Whether to use a cookie to get the information from the request. |
| boolean | useHeader() | Whether to use an HTTP header to get the information from the request. |
| boolean | useParam() | Whether to use a query parameter to get the information from the request. |
| boolean | validateJwtWithJwk() | Whether to validate the JWT with JWK information (e.g. |
public static final java.lang.String PARAM_HEADER_NAME

public static OidcConfig.Builder builder()

public static OidcConfig create(Config config)
Create a new instance from Config. The config instance has to be on the node containing keys used by this class (e.g. client-id).
Parameters: config - configuration used to obtain OIDC integration values

@Deprecated public static OidcConfig from(Config config)
Deprecated. See also: Config.as(Class).
Parameters: config - config instance to load from

public JwkKeys signJwk()
See also: OidcConfig.Builder.signJwk(JwkKeys)

public java.lang.String redirectUri()
See also: OidcConfig.Builder.redirectUri(String)

public javax.ws.rs.client.WebTarget tokenEndpoint()
See also: OidcConfig.Builder.tokenEndpointUri(URI)

public boolean useParam()
See also: OidcConfig.Builder.useParam(Boolean)

public java.lang.String paramName()
See also: OidcConfig.Builder.paramName(String)

public boolean useCookie()
See also: OidcConfig.Builder.useCookie(Boolean)

public java.lang.String cookieName()
See also: OidcConfig.Builder.cookieName(String)

public java.lang.String cookieOptions()
See also: OidcConfig.Builder.cookieHttpOnly(Boolean), OidcConfig.Builder.cookieDomain(String)

public boolean useHeader()
See also: OidcConfig.Builder.useHeader(Boolean)

public TokenHandler headerHandler()
TokenHandler to extract header information from the request.
See also: OidcConfig.Builder.headerTokenHandler(TokenHandler)

public java.lang.String cookieValuePrefix()
See also: OidcConfig.Builder.cookieName(String)

public java.lang.String scopeAudience()
See also: OidcConfig.Builder.scopeAudience(String)

public java.lang.String authorizationEndpointUri()
See also: OidcConfig.Builder.authorizationEndpointUri(URI)

public java.lang.String clientId()
See also: OidcConfig.Builder.clientId(String)

public java.lang.String redirectUriWithHost()
See also: OidcConfig.Builder.redirectUri(String)

public java.lang.String baseScopes()
See also: OidcConfig.Builder.baseScopes(String)

public boolean validateJwtWithJwk()
See also: OidcConfig.Builder.validateJwtWithJwk(Boolean)

public javax.ws.rs.client.WebTarget introspectEndpoint()
See also: OidcConfig.Builder.introspectEndpointUri(URI)

public java.lang.String issuer()
See also: OidcConfig.Builder.issuer(String)

public java.lang.String audience()
See also: OidcConfig.Builder.audience(String)

public java.net.URI identityUri()
See also: OidcConfig.Builder.identityUri(URI)

public javax.ws.rs.client.Client generalClient()

public javax.ws.rs.client.Client appClient()

public boolean shouldRedirect()

public java.lang.String realm()
Copyright © 2018, Oracle and/or its affiliates. All Rights Reserved. Use is subject to license terms.