TenantConfig (security.providers.oidc.common) Configuration

Open ID Connect tenant configuration

Type: io.helidon.security.providers.oidc.common.TenantConfig

Configuration options

Table 1. Required configuration options
key	type	default value	description
`name`	string		Name of the tenant.

Table 2. Optional configuration options
key	type	default value	description
`audience`	string		Audience of issued tokens.
`authorization-endpoint-uri`	URI		URI of an authorization endpoint used to redirect users to for logging-in. If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/authorize.
`base-scopes`	string	`openid`	Configure base scopes. By default, this is DEFAULT_BASE_SCOPES. If scope has a qualifier, it must be used here.
`check-audience`	boolean	`true`	Configure audience claim check.
`client-id`	string		Client ID as generated by OIDC server.
`client-secret`	string		Client secret as generated by OIDC server. Used to authenticate this application with the server when requesting JWT based on a code.
`client-timeout-millis`	Duration	`30000`	Timeout of calls using web client.
`identity-uri`	URI		URI of the identity server, base used to retrieve OIDC metadata.
`introspect-endpoint-uri`	URI		Endpoint to use to validate JWT. Either use this or set signJwk(JwkKeys) or signJwk(Resource).
`issuer`	string		Issuer of issued tokens.
`oidc-metadata-well-known`	boolean	`true`	If set to true, metadata will be loaded from default (well known) location, unless it is explicitly defined using oidc-metadata-resource. If set to false, it would not be loaded even if oidc-metadata-resource is not defined. In such a case all URIs must be explicitly defined (e.g. token-endpoint-uri).
`oidc-metadata.resource`	Resource		Resource configuration for OIDC Metadata containing endpoints to various identity services, as well as information about the identity server.
`optional-audience`	boolean	`false`	Allow audience claim to be optional.
`scope-audience`	string		Audience of the scope required by this application. This is prefixed to the scope name when requesting scopes from the identity server. Defaults to empty string.
`server-type`	string	`@default`	Configure one of the supported types of identity servers. If the type does not have an explicit mapping, a warning is logged and the default implementation is used.
`sign-jwk.resource`	Resource		A resource pointing to JWK with public keys of signing certificates used to validate JWT.
`token-endpoint-auth`	ClientAuthentication (CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, CLIENT_CERTIFICATE, NONE)	`CLIENT_SECRET_BASIC`	Type of authentication to use when invoking the token endpoint. Current supported options: io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.CLIENT_SECRET_BASIC io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.CLIENT_SECRET_POST io.helidon.security.providers.oidc.common.OidcConfig.ClientAuthentication.NONE Allowed values: `CLIENT_SECRET_BASIC`: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] using the HTTP Basic authentication scheme. This is the default client authentication. `CLIENT_SECRET_POST`: Clients that have received a client_secret value from the Authorization Server, authenticate with the Authorization Server in accordance with Section 2.3.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in the request body. `CLIENT_SECRET_JWT`: Clients that have received a client_secret value from the Authorization Server create a JWT using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key. The Client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values. Required: `iss, sub, aud, jti, exp` Optional: `iat` - `PRIVATE_KEY_JWT`: Clients that have registered a public key sign a JWT using that key. The Client authenticates in accordance with JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.JWT] and Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [OAuth.Assertions]. The JWT MUST contain the following REQUIRED Claim Values and MAY contain the following OPTIONAL Claim Values. Required: `iss, sub, aud, jti, exp` Optional: `iat` - `CLIENT_CERTIFICATE`: Authentication is done via the client certificate used with MTLS. The Returned access token is bound to this client certificate. The Client needs to have MTLS enabled for the OIDC. - `NONE`: The Client does not authenticate itself at the Token Endpoint, either because it uses only the Implicit Flow (and so does not use the Token Endpoint) or because it is a Public Client with no Client Secret or other authentication mechanism.
`token-endpoint-uri`	URI		URI of a token endpoint used to obtain a JWT based on the authentication code. If not defined, it is obtained from oidcMetadata(Resource), if that is not defined an attempt is made to use identityUri(URI)/oauth2/v1/token.
`validate-jwt-with-jwk`	boolean	`true`	Use JWK (a set of keys to validate signatures of JWT) to validate tokens. Use this method when you want to use default values for JWK or introspection endpoint URI.