Chapter 20. All provider configuration

spi-authentication-sessions-infinispan-auth-sessions-limit

The maximum number of concurrent authentication sessions per RootAuthenticationSession.

CLI: --spi-authentication-sessions-infinispan-auth-sessions-limit
Env: KC_SPI_AUTHENTICATION_SESSIONS_INFINISPAN_AUTH_SESSIONS_LIMIT

300 (default) or any int

spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests

If concurrent logins are allowed by the brute force protection.

CLI: --spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests
Env: KC_SPI_BRUTE_FORCE_PROTECTOR_DEFAULT_BRUTE_FORCE_DETECTOR_ALLOW_CONCURRENT_REQUESTS

true, false (default)

spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri

The HTTP(S) URI of the authentication channel.

CLI: --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri
Env: KC_SPI_CIBA_AUTH_CHANNEL_CIBA_HTTP_AUTH_CHANNEL_HTTP_AUTHENTICATION_CHANNEL_URI

any string

spi-connections-http-client-default-client-key-password

The key password.

CLI: --spi-connections-http-client-default-client-key-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEY_PASSWORD

-1 (default) or any string

spi-connections-http-client-default-client-keystore

The file path of the key store from where the key material is going to be read from to set-up TLS connections.

CLI: --spi-connections-http-client-default-client-keystore
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE

any string

spi-connections-http-client-default-client-keystore-password

The key store password.

CLI: --spi-connections-http-client-default-client-keystore-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE_PASSWORD

any string

spi-connections-http-client-default-connection-pool-size

Assigns maximum total connection value.

CLI: --spi-connections-http-client-default-connection-pool-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_POOL_SIZE

any int

spi-connections-http-client-default-connection-ttl-millis

Sets maximum time, in milliseconds, to live for persistent connections.

CLI: --spi-connections-http-client-default-connection-ttl-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_TTL_MILLIS

-1 (default) or any long

spi-connections-http-client-default-disable-cookies

Disables state (cookie) management.

CLI: --spi-connections-http-client-default-disable-cookies
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_COOKIES

true (default), false

spi-connections-http-client-default-disable-trust-manager

Disable trust management and hostname verification.

NOTE this is a security hole, so only set this option if you cannot or do not want to verify the identity of the host you are communicating with.

CLI: --spi-connections-http-client-default-disable-trust-manager
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_TRUST_MANAGER

true, false (default)

spi-connections-http-client-default-establish-connection-timeout-millis

When trying to make an initial socket connection, what is the timeout?

CLI: --spi-connections-http-client-default-establish-connection-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_ESTABLISH_CONNECTION_TIMEOUT_MILLIS

-1 (default) or any long

spi-connections-http-client-default-max-connection-idle-time-millis

Sets the time, in milliseconds, for evicting idle connections from the pool.

CLI: --spi-connections-http-client-default-max-connection-idle-time-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_CONNECTION_IDLE_TIME_MILLIS

900000 (default) or any long

spi-connections-http-client-default-max-pooled-per-route

Assigns maximum connection per route value.

CLI: --spi-connections-http-client-default-max-pooled-per-route
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_POOLED_PER_ROUTE

64 (default) or any int

spi-connections-http-client-default-proxy-mappings

Denotes the combination of a regex based hostname pattern and a proxy-uri in the form of hostnamePattern;proxyUri.

CLI: --spi-connections-http-client-default-proxy-mappings
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_PROXY_MAPPINGS

any string

spi-connections-http-client-default-reuse-connections

If connections should be reused.

CLI: --spi-connections-http-client-default-reuse-connections
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_REUSE_CONNECTIONS

true (default), false

spi-connections-http-client-default-socket-timeout-millis

Socket inactivity timeout.

CLI: --spi-connections-http-client-default-socket-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_SOCKET_TIMEOUT_MILLIS

5000 (default) or any long

spi-connections-infinispan-quarkus-site-name

Site name for multi-site deployments

CLI: --spi-connections-infinispan-quarkus-site-name
Env: KC_SPI_CONNECTIONS_INFINISPAN_QUARKUS_SITE_NAME

any string

spi-connections-jpa-quarkus-initialize-empty

Initialize database if empty.

If set to false the database has to be manually initialized. If you want to manually initialize the database set migrationStrategy to manual which will create a file with SQL commands to initialize the database.

CLI: --spi-connections-jpa-quarkus-initialize-empty
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_INITIALIZE_EMPTY

true (default), false

spi-connections-jpa-quarkus-migration-export

Path for where to write manual database initialization/migration file.

CLI: --spi-connections-jpa-quarkus-migration-export
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_EXPORT

any string

spi-connections-jpa-quarkus-migration-strategy

Strategy to use to migrate database.

Valid values are update, manual and validate. Update will automatically migrate the database schema. Manual will export the required changes to a file with SQL commands that you can manually execute on the database. Validate will simply check if the database is up-to-date.

CLI: --spi-connections-jpa-quarkus-migration-strategy
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_STRATEGY

update (default), manual, validate

spi-cookie-default-same-site-legacy

Adds legacy cookies without SameSite parameter

CLI: --spi-cookie-default-same-site-legacy
Env: KC_SPI_COOKIE_DEFAULT_SAME_SITE_LEGACY

true (default), false

spi-dblock-jpa-lock-wait-timeout

The maximum time to wait when waiting to release a database lock.

CLI: --spi-dblock-jpa-lock-wait-timeout
Env: KC_SPI_DBLOCK_JPA_LOCK_WAIT_TIMEOUT

any int

spi-events-listener-email-exclude-events

A comma-separated list of events that should not be sent via email to the user’s account.

CLI: --spi-events-listener-email-exclude-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_EXCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

spi-events-listener-email-include-events

A comma-separated list of events that should be sent via email to the user’s account.

CLI: --spi-events-listener-email-include-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_INCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

spi-events-listener-jboss-logging-error-level

The log level for error messages.

CLI: --spi-events-listener-jboss-logging-error-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL

debug, error, fatal, info, trace, warn (default)

spi-events-listener-jboss-logging-quotes

The quotes to use for values, it should be one character like " or '.

Use "none" if quotes are not needed.

CLI: --spi-events-listener-jboss-logging-quotes
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_QUOTES

" (default) or any string

spi-events-listener-jboss-logging-sanitize

If true the log messages are sanitized to avoid line breaks.

If false messages are not sanitized.

CLI: --spi-events-listener-jboss-logging-sanitize
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SANITIZE

true (default), false

spi-events-listener-jboss-logging-success-level

The log level for success messages.

CLI: --spi-events-listener-jboss-logging-success-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL

debug (default), error, fatal, info, trace, warn

spi-export-dir-dir

Directory to export to

CLI: --spi-export-dir-dir
Env: KC_SPI_EXPORT_DIR_DIR

any string

spi-export-dir-realm-name

Realm to export

CLI: --spi-export-dir-realm-name
Env: KC_SPI_EXPORT_DIR_REALM_NAME

any string

spi-export-dir-users-export-strategy

Users export strategy

CLI: --spi-export-dir-users-export-strategy
Env: KC_SPI_EXPORT_DIR_USERS_EXPORT_STRATEGY

DIFFERENT_FILES (default) or any string

spi-export-dir-users-per-file

Users per exported file

CLI: --spi-export-dir-users-per-file
Env: KC_SPI_EXPORT_DIR_USERS_PER_FILE

50 (default) or any int

spi-export-single-file-file

File to export to

CLI: --spi-export-single-file-file
Env: KC_SPI_EXPORT_SINGLE_FILE_FILE

any string

spi-export-single-file-realm-name

Realm to export

CLI: --spi-export-single-file-realm-name
Env: KC_SPI_EXPORT_SINGLE_FILE_REALM_NAME

any string

spi-import-dir-dir

Directory to import from

CLI: --spi-import-dir-dir
Env: KC_SPI_IMPORT_DIR_DIR

any string

spi-import-dir-realm-name

Realm to export

CLI: --spi-import-dir-realm-name
Env: KC_SPI_IMPORT_DIR_REALM_NAME

any string

spi-import-dir-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-dir-strategy
Env: KC_SPI_IMPORT_DIR_STRATEGY

any string

spi-import-single-file-file

File to import from

CLI: --spi-import-single-file-file
Env: KC_SPI_IMPORT_SINGLE_FILE_FILE

any string

spi-import-single-file-realm-name

Realm to export

CLI: --spi-import-single-file-realm-name
Env: KC_SPI_IMPORT_SINGLE_FILE_REALM_NAME

any string

spi-import-single-file-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-single-file-strategy
Env: KC_SPI_IMPORT_SINGLE_FILE_STRATEGY

any string

spi-public-key-storage-infinispan-max-cache-time

Maximum interval in seconds that keys are cached when they are retrieved via all keys methods.

When all keys for the entry are retrieved there is no way to detect if a key is missing (different to the case when the key is retrieved via ID for example). In that situation this option forces a refresh from time to time. Default 24 hours.

CLI: --spi-public-key-storage-infinispan-max-cache-time
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MAX_CACHE_TIME

86400 (default) or any int

spi-public-key-storage-infinispan-min-time-between-requests

Minimum interval in seconds between two requests to retrieve the new public keys.

The server will always try to download new public keys when a single key is requested and not found. However it will avoid the download if the previous refresh was done less than 10 seconds ago (by default). This behavior is used to avoid DoS attacks against the external keys endpoint.

CLI: --spi-public-key-storage-infinispan-min-time-between-requests
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MIN_TIME_BETWEEN_REQUESTS

10 (default) or any int

spi-resource-encoding-gzip-excluded-content-types

A space separated list of content-types to exclude from encoding.

CLI: --spi-resource-encoding-gzip-excluded-content-types
Env: KC_SPI_RESOURCE_ENCODING_GZIP_EXCLUDED_CONTENT_TYPES

image/png image/jpeg (default) or any string

spi-sticky-session-encoder-infinispan-should-attach-route

If the route should be attached to cookies to reflect the node that owns a particular session.

CLI: --spi-sticky-session-encoder-infinispan-should-attach-route
Env: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE

true (default), false

spi-truststore-file-file

DEPRECATED: The file path of the trust store from where the certificates are going to be read from to validate TLS connections.

CLI: --spi-truststore-file-file
Env: KC_SPI_TRUSTSTORE_FILE_FILE

any string

spi-truststore-file-hostname-verification-policy

DEPRECATED: The hostname verification policy.

CLI: --spi-truststore-file-hostname-verification-policy
Env: KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY

any, wildcard (default), strict

spi-truststore-file-password

DEPRECATED: The trust store password.

CLI: --spi-truststore-file-password
Env: KC_SPI_TRUSTSTORE_FILE_PASSWORD

any string

spi-truststore-file-type

DEPRECATED: Type of the truststore.

If not provided, the type would be detected based on the truststore file extension or platform default type.

CLI: --spi-truststore-file-type
Env: KC_SPI_TRUSTSTORE_FILE_TYPE

any string

spi-user-profile-declarative-user-profile-admin-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so administrators can’t change them.

CLI: --spi-user-profile-declarative-user-profile-admin-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_ADMIN_READ_ONLY_ATTRIBUTES

any MultivaluedString

spi-user-profile-declarative-user-profile-max-email-local-part-length

To set user profile max email local part length

CLI: --spi-user-profile-declarative-user-profile-max-email-local-part-length
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_MAX_EMAIL_LOCAL_PART_LENGTH

any String

spi-user-profile-declarative-user-profile-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so users can’t change them.

CLI: --spi-user-profile-declarative-user-profile-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES

any MultivaluedString

spi-well-known-openid-configuration-include-client-scopes

If client scopes should be used to calculate the list of supported scopes.

CLI: --spi-well-known-openid-configuration-include-client-scopes
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_INCLUDE_CLIENT_SCOPES

true (default), false

spi-well-known-openid-configuration-openid-configuration-override

The file path from where the metadata should be loaded from.

You can use an absolute file path or, if the file is in the server classpath, use the classpath: prefix to load the file from the classpath.

CLI: --spi-well-known-openid-configuration-openid-configuration-override
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_OPENID_CONFIGURATION_OVERRIDE

any string