OidcProvider (security.providers.oidc) Configuration

boolean

Whether to check if current IP address matches the one access token was issued for. This check helps with cookie replay attack prevention.

string

Audience of issued tokens.

URI

URI of an authorization endpoint used to redirect users to for logging-in.

If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/authorize.

string

Configure base scopes. By default, this is DEFAULT_BASE_SCOPES. If scope has a qualifier, it must be used here.

boolean

Configure audience claim check.

ClientCredentialsConfig

Set the configuration related to the client credentials flow.

string

Client ID as generated by OIDC server.

string

Client secret as generated by OIDC server. Used to authenticate this application with the server when requesting JWT based on a code.

Duration

Timeout of calls using web client.

string

Domain the cookie is valid for. Not used by default.

boolean

Whether to encrypt token cookie created by this microservice. Defaults to false.

boolean

Whether to encrypt id token cookie created by this microservice. Defaults to true.

string

Name of the encryption configuration available through Security.encrypt(String, byte[]) and Security.decrypt(String, String). If configured and encryption is enabled for any cookie, Security MUST be configured in global or current io.helidon.common.context.Context (this is done automatically in Helidon MP).

char[]

Master password for encryption/decryption of cookies. This must be configured to the same value on each microservice using the cookie.

boolean

Whether to encrypt refresh token cookie created by this microservice. Defaults to true.

boolean

Whether to encrypt state cookie created by this microservice. Defaults to true.

boolean

Whether to encrypt tenant name cookie created by this microservice. Defaults to true.

boolean

When using cookie, if set to true, the HttpOnly attribute will be configured. Defaults to OidcCookieHandler.Builder.DEFAULT_HTTP_ONLY.

long

When using cookie, used to set MaxAge attribute of the cookie, defining how long the cookie is valid. Not used by default.

string

Name of the cookie to use. Defaults to DEFAULT_COOKIE_NAME.

string

Name of the cookie to use for id token. Defaults to DEFAULT_COOKIE_NAME_2.

This cookie is only used when logout is enabled, as otherwise it is not needed. Content of this cookie is encrypted.

string

The name of the cookie to use for the refresh token. Defaults to DEFAULT_REFRESH_COOKIE_NAME.

string

The name of the cookie to use for the state storage. Defaults to DEFAULT_STATE_COOKIE_NAME.

string

The name of the cookie to use for the tenant name. Defaults to DEFAULT_TENANT_COOKIE_NAME.

string

Path the cookie is valid for. Defaults to "/".

SameSite (LAX, STRICT, NONE)

When using cookie, used to set the SameSite cookie value. Can be "Strict" or "Lax".

boolean

When using cookie, if set to true, the Secure attribute will be configured. Defaults to false.

boolean

Whether to use cookie to store JWT between requests. Defaults to DEFAULT_COOKIE_USE.

CrossOriginConfig

Assign cross-origin resource sharing settings.

boolean

Force HTTPS for redirects to identity provider. Defaults to false.

string

Full URI of this application that is visible from user browser. Used to redirect request back from identity server after successful login.

TokenHandler

A TokenHandler to process header containing a JWT. Default is "Authorization" header with a prefix "bearer ".

boolean

Whether to expect JWT in a header field.

boolean

Whether id token signature check should be enabled. Signature check is enabled by default, and it is highly recommended to not change that. Change this setting only when you really know what you are doing, otherwise it could case security issues.

URI

URI of the identity server, base used to retrieve OIDC metadata.

URI

Endpoint to use to validate JWT. Either use this or set signJwk(JwkKeys) or signJwk(Resource).

string

Issuer of issued tokens.

int

Configure maximal number of redirects when redirecting to an OIDC provider within a single authentication attempt.

Defaults to DEFAULT_MAX_REDIRECTS

boolean

If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource. If set to false, it would not be loaded even if oidc-metadata-resource is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri).

Resource

Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.

boolean

Whether authentication is required. By default, request will fail if the authentication cannot be verified. If set to true, request will process and this provider will abstain.

boolean

Allow audience claim to be optional.

OutboundTarget[]

Add a new target configuration.

PkceChallengeMethod (PLAIN, S256)

Proof Key Code Exchange (PKCE) challenge creation method. Default value is PkceChallengeMethod.S256.

Allowed values:

boolean

Whether this provider should support PKCE. Default value is false.

boolean

Whether to propagate identity.

string

Deprecated Proxy host to use. When defined, triggers usage of proxy for HTTP requests. Setting to empty String has the same meaning as setting to null - disables proxy.

int

Proxy port. Defaults to DEFAULT_PROXY_PORT

string

Deprecated Proxy protocol to use when proxy is used. Defaults to DEFAULT_PROXY_PROTOCOL.

string

Name of a query parameter that contains the JWT id token when parameter is used.

string

Name of a query parameter that contains the JWT access token when parameter is used.

string

Name of a query parameter that contains the tenant name when the parameter is used. Defaults to DEFAULT_TENANT_PARAM_NAME.

boolean

Whether to use a query parameter to send JWT token from application to this server.

boolean

By default, the client should redirect to the identity server for the user to log in. This behavior can be overridden by setting redirect to false. When token is not present in the request, the client will not redirect and just return appropriate error response code.

string

Configure the parameter used to store the number of attempts in redirect.

Defaults to DEFAULT_ATTEMPT_PARAM

string

URI to register web server component on, used by the OIDC server to redirect authorization requests to after a user logs in or approves scopes. Note that usually the redirect URI configured here must be the same one as configured on OIDC server.

Defaults to DEFAULT_REDIRECT_URI

boolean

Deprecated Can be set to true to force the use of relative URIs in all requests, regardless of the presence or absence of proxies or no-proxy lists. By default, requests that use the Proxy will have absolute URIs. Set this flag to true if the host is unable to accept absolute URIs. Defaults to DEFAULT_RELATIVE_URIS.

string

Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to empty string.

string

Configure one of the supported types of identity servers.

If the type does not have an explicit mapping, a warning is logged and the default implementation is used.

Resource

A resource pointing to JWK with public keys of signing certificates used to validate JWT.

TenantConfig

Configurations of the tenants

ClientAuthentication (CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, CLIENT_CERTIFICATE, NONE)

Type of authentication to use when invoking the token endpoint. Current supported options:

Allowed values:

The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values.

Required: iss, sub, aud, jti, exp

Optional: iat - PRIVATE_KEY_JWT: Clients that have registered a public key sign a JWT using that key. The Client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions].

The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values.

Required: iss, sub, aud, jti, exp

Optional: iat - CLIENT_CERTIFICATE: Authentication is done via the client certificate used with MTLS. The Returned access token is bound to this client certificate. The Client needs to have MTLS enabled for the OIDC. - NONE: The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.

URI

URI of a token endpoint used to obtain a JWT based on the authentication code. If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/token.

boolean

Whether access token signature check should be enabled. Signature check is enabled by default, and it is highly recommended to not change that. Change this setting only when you really know what you are doing, otherwise it could case security issues.

boolean

Claim groups from JWT will be used to automatically add groups to current subject (may be used with jakarta.annotation.security.RolesAllowed annotation).

boolean

Use JWK (a set of keys to validate signatures of JWT) to validate tokens. Use this method when you want to use default values for JWK or introspection endpoint URI.

WebClient

WebClient configuration used for outbound requests to the identity server. This configuration sets the values to the OIDC WebClient default configuration.