Configuration options

Table 1. Optional configuration options

| Key | Type | Default value | Description |
|-----|------|---------------|-------------|
| audience | string | | Audience of issued tokens. |
| authorization-endpoint-uri | URI | | URI of the authorization endpoint that users are redirected to for login. If not defined, it is obtained from oidcMetadata(Resource); if that is not defined, an attempt is made to use identityUri(URI)/oauth2/v1/authorize. |
| base-scopes | string | openid | Base scopes to request. By default this is DEFAULT_BASE_SCOPES. If a scope has a qualifier, it must be included here. |
| check-audience | boolean | true | Enable the audience claim check. |
| client-id | string | | Client ID as generated by the OIDC server. |
| client-secret | string | | Client secret as generated by the OIDC server. Used to authenticate this application with the server when requesting a JWT based on an authorization code. |
| client-timeout-millis | Duration | 30000 | Timeout of calls made using the web client. |
| identity-uri | URI | | Base URI of the identity server, used to retrieve OIDC metadata. |
| introspect-endpoint-uri | URI | | Endpoint used to validate a JWT (token introspection). Use either this or signJwk(JwkKeys) / signJwk(Resource). |
| issuer | string | | Issuer of issued tokens. |
| oidc-metadata-well-known | boolean | true | If set to true, metadata is loaded from the default (well-known) location unless it is explicitly defined using oidc-metadata-resource. If set to false, it is not loaded even when oidc-metadata-resource is not defined. In that case all URIs must be explicitly defined (e.g. token-endpoint-uri). |
| oidc-metadata.resource | | | Resource configuration for OIDC metadata containing endpoints of the various identity services, as well as information about the identity server. |
| optional-audience | boolean | false | Allow the audience claim to be optional. |
| scope-audience | string | | Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to the empty string. |
| server-type | string | @default | Configure one of the supported types of identity servers. If the type does not have an explicit mapping, a warning is logged and the default implementation is used. |
| sign-jwk.resource | | | A resource pointing to a JWK set with the public keys of the signing certificates used to validate JWTs. |
| token-endpoint-auth | ClientAuthentication (CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, CLIENT_CERTIFICATE, NONE) | CLIENT_SECRET_BASIC | Type of authentication to use when invoking the token endpoint. The allowed values are listed below the table. |
| token-endpoint-uri | URI | | URI of the token endpoint used to obtain a JWT based on the authorization code. If not defined, it is obtained from oidcMetadata(Resource); if that is not defined, an attempt is made to use identityUri(URI)/oauth2/v1/token. |
| validate-jwt-with-jwk | boolean | true | Use a JWK set (public keys for validating JWT signatures) to validate tokens. Use this method when you want to use the default values for the JWK or introspection endpoint URI. |

Values of token-endpoint-auth

Currently supported options:

  • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.CLIENT_SECRET_BASIC

  • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.CLIENT_SECRET_POST

  • io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.NONE

Allowed values:

  • CLIENT_SECRET_BASIC: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme. This is the default client authentication.

  • CLIENT_SECRET_POST: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body.

  • CLIENT_SECRET_JWT: Clients that have received a client_secret value from the Authorization Server create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. The Client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values. Required: iss, sub, aud, jti, exp. Optional: iat.

  • PRIVATE_KEY_JWT: Clients that have registered a public key sign a JWT using that key. The Client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values. Required: iss, sub, aud, jti, exp. Optional: iat.

  • CLIENT_CERTIFICATE: Authentication is done via the client certificate used with MTLS. The returned access token is bound to this client certificate. The Client needs to have MTLS enabled for the OIDC.

  • NONE: The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.
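A configuration that combines the options above into one working setup, as an added example that is not taken from the Helidon documentation or project code. It assumes the keys are read from a `security.providers.oidc` node of the application config and that a resource node accepts a `path` sub-key; the host names, file path, credential placeholders and the introspection path are constructed for illustration. It shows the three decisions that matter for token validation: audience checking (check-audience, audience, optional-audience), local signature validation against a JWK set versus remote introspection (validate-jwt-with-jwk, sign-jwk.resource, introspect-endpoint-uri), and explicit endpoints when well-known metadata discovery is turned off (oidc-metadata-well-known, authorization-endpoint-uri, token-endpoint-uri).

```yaml
# Added example, not part of the Helidon documentation page.
# Assumed: keys live under security.providers.oidc and a "resource" node
# accepts a "path" sub-key. Hosts, paths and credentials are constructed.
security:
  providers:
    - oidc:
        client-id: "<client-id-issued-by-oidc-server>"          # placeholder
        client-secret: "<client-secret-issued-by-oidc-server>"  # placeholder
        identity-uri: "https://idp.example.test"                 # constructed
        issuer: "https://idp.example.test"                       # constructed
        base-scopes: "openid"                 # default; add qualified scopes here if needed
        scope-audience: ""                    # default: no prefix added to scope names
        token-endpoint-auth: "CLIENT_SECRET_BASIC"   # default; secret sent via HTTP Basic
        client-timeout-millis: 30000          # default web client timeout

        # Audience handling. Keep check-audience at its default (true) and set the
        # expected audience so a token minted for another application is rejected.
        # optional-audience stays false so a token without an aud claim is rejected too.
        audience: "https://api.example.test"  # constructed
        check-audience: true
        optional-audience: false

        # Signature validation. Validate locally against the JWK set (public keys of
        # the signing certificates) instead of calling the introspection endpoint on
        # every request. Per the table, either sign-jwk or introspect-endpoint-uri is
        # used, not both.
        validate-jwt-with-jwk: true
        sign-jwk:
          resource:
            path: "/etc/app/idp-jwks.json"    # constructed path to the JWK set file
        # Alternative: remote validation via introspection. Uncomment this and drop the
        # sign-jwk block above. The path is constructed, not one the page documents.
        # introspect-endpoint-uri: "https://idp.example.test/oauth2/v1/introspect"

        # Metadata. With well-known discovery disabled, the table requires every
        # endpoint URI to be explicit; these values mirror the identityUri(URI)/oauth2/v1/...
        # fallbacks the table describes for the defined-metadata case.
        oidc-metadata-well-known: false
        authorization-endpoint-uri: "https://idp.example.test/oauth2/v1/authorize"
        token-endpoint-uri: "https://idp.example.test/oauth2/v1/token"
```

The two settings to review before deploying are check-audience and optional-audience: leaving the default check-audience of true and optional-audience of false means a token that omits aud or carries a different audience fails validation, which is the behaviour you want for a resource server that shares an identity provider with other applications. If oidc-metadata-well-known is left at its default of true, the three explicit endpoint URIs and the metadata block can be dropped and the provider discovers them from the identity server.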