Chapter 6. OpenID Connect (OIDC) configuration properties
As a Quarkus developer, you configure the Quarkus OpenID Connect (OIDC) extension by setting the following properties in the src/main/resources/application.properties
file.
6.1. OIDC configuration
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Configuration property | Type | Default |
If the OIDC extension is enabled.
Environment variable: | boolean |
|
Grant type which will be used to acquire a token to test the OIDC 'service' applications
Environment variable: | client: 'client_credentials' grant password: 'password' grant code: 'authorization_code' grant implicit: 'implicit' grant | |
Grant options
Environment variable: | Map<String,Map<String,String>> | |
The WebClient timeout. Use this property to configure how long an HTTP client used by Dev UI handlers will wait for a response when requesting tokens from OpenId Connect Provider and sending them to the service endpoint. This timeout is also used by the OIDC dev service admin client.
Environment variable: |
| |
Enable the registration of the Default TokenIntrospection and UserInfo Cache implementation bean. Note: This only enables the default implementation. It requires configuration to be activated. See
Environment variable: | boolean |
|
The base URL of the OpenID Connect (OIDC) server, for example,
Environment variable: | string | |
Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually.
Environment variable: | boolean |
|
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if
Environment variable: | string | |
The relative path or absolute URL of the OIDC token revocation endpoint.
Environment variable: | string | |
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if
Environment variable: | string | |
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
Environment variable: | string | |
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to
Environment variable: | ||
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from
Environment variable: | int |
|
The number of seconds after which the current OIDC connection request times out.
Environment variable: |
| |
Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server.
Environment variable: | boolean |
|
The maximum size of the connection pool used by the WebClient.
Environment variable: | int | |
The client secret used by the
Environment variable: | string | |
The client secret value. This value is ignored if
Environment variable: | string | |
The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered
Environment variable: | string | |
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
Environment variable: | string | |
The CredentialsProvider client secret key
Environment variable: | string | |
The authentication method. If the
Environment variable: |
basic:
post:
post-jwt: query: client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension. | |
JWT token source: OIDC provider client or an existing JWT bearer token.
Environment variable: |
|
|
If provided, indicates that JWT is signed using a secret key.
Environment variable: | string | |
The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered
Environment variable: | string | |
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
Environment variable: | string | |
The CredentialsProvider client secret key
Environment variable: | string | |
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the
Environment variable: | string | |
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the
Environment variable: | string | |
If provided, indicates that JWT is signed using a private key from a keystore.
Environment variable: | string | |
A parameter to specify the password of the keystore file.
Environment variable: | string | |
The private key id or alias.
Environment variable: | string | |
The private key password.
Environment variable: | string | |
The JWT audience (
Environment variable: | string | |
The key identifier of the signing key added as a JWT
Environment variable: | string | |
The issuer of the signing key added as a JWT
Environment variable: | string | |
Subject of the signing key added as a JWT
Environment variable: | string | |
Additional claims.
Environment variable: | Map<String,String> | |
The signature algorithm used for the
Environment variable: | string | |
The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time.
Environment variable: | int |
|
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
Environment variable: | boolean |
|
The host name or IP address of the Proxy.
Environment variable: | string | |
The port number of the Proxy. The default value is
Environment variable: | int |
|
The username, if the Proxy needs authentication.
Environment variable: | string | |
The password, if the Proxy needs authentication.
Environment variable: | string | |
Certificate validation and hostname verification, which can be one of the following
Environment variable: | required: Certificates are validated and hostname verification is enabled. This is the default value. certificate-validation: Certificates are validated but hostname verification is disabled. none: All certificates are trusted and hostname verification is disabled. | |
An optional keystore that holds the certificate information instead of specifying separate files.
Environment variable: | path | |
The type of the keystore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type.
Environment variable: | string | |
The password of the keystore file. If not given, the default value,
Environment variable: | string | |
The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined.
Environment variable: | string | |
The password of the key, if it is different from the
Environment variable: | string | |
The truststore that holds the certificate information of the certificates to trust.
Environment variable: | path | |
The password of the truststore file.
Environment variable: | string | |
The alias of the truststore certificate.
Environment variable: | string | |
The type of the truststore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type.
Environment variable: | string | |
A unique tenant identifier. It can be set by
Environment variable: | string | |
If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a
Environment variable: | boolean |
|
The application type, which can be one of the following
Environment variable: |
web-app: A
service: A
hybrid: A combined | service |
The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for
Environment variable: | string | |
The relative path or absolute URL of the OIDC UserInfo endpoint. You must set this property for
Environment variable: | string | |
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.
Environment variable: | string | |
Relative path or absolute URL of the OIDC JSON Web Key Set (JWKS) endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property is ignored if the discovery is enabled.
Environment variable: | string | |
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the
Environment variable: | string | |
The paths which must be secured by this tenant. Tenant with the most specific path wins. Please see the Configure tenant paths section of the OIDC multitenancy guide for explanation of allowed path patterns.
Environment variable: | list of string | |
The public key for the local JWT token verification. OIDC server connection is not created when this property is set.
Environment variable: | string | |
Name
Environment variable: | string | |
Secret
Environment variable: | string | |
Include OpenId Connect Client ID configured with
Environment variable: | boolean |
|
A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no
Environment variable: | list of string | |
The separator for splitting strings that contain multiple group values. It is only used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space is used by default because the standard
Environment variable: | string | |
Source of the principal roles.
Environment variable: |
idtoken: ID Token - the default value for the
accesstoken: Access Token - the default value for the userinfo: User Info | |
The expected issuer
Environment variable: | string | |
The expected audience
Environment variable: | list of string | |
Require that the token includes a
Environment variable: | boolean |
|
A map of required claims and their expected values. For example,
Environment variable: | Map<String,String> | |
Expected token type
Environment variable: | string | |
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Environment variable: | int | |
Token age. It allows for the number of seconds to be specified that must not elapse since the
Environment variable: | ||
Require that the token includes a
Environment variable: | boolean |
|
Name of the claim which contains a principal name. By default, the
Environment variable: | string | |
Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option be effective the
Environment variable: | boolean |
|
The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time, a refresh is going to happen.
Environment variable: | ||
The forced JWK set refresh interval in minutes.
Environment variable: |
| |
Custom HTTP header that contains a bearer token. This option is valid only when the application is of type
Environment variable: | string | |
HTTP Authorization header scheme.
Environment variable: | string |
|
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.
Environment variable: |
| |
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the
Environment variable: | string | |
Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to
Environment variable: | boolean |
|
Require that JWT tokens are only introspected remotely.
Environment variable: | boolean |
|
Allow the remote introspection of the opaque tokens. Set this property to
Environment variable: | boolean |
|
Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using
Environment variable: | string | |
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
Environment variable: | boolean |
|
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
Environment variable: | string | |
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
Environment variable: | string | |
Name of the post logout URI parameter which is added as a query parameter to the logout redirect URI.
Environment variable: | string |
|
Additional properties which is added as the query parameters to the logout redirect URI.
Environment variable: | Map<String,String> | |
The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
Environment variable: | string | |
Maximum number of logout tokens that can be cached before they are matched against ID tokens stored in session cookies.
Environment variable: | int |
|
Number of minutes a logout token can be cached for.
Environment variable: |
| |
Token cache timer interval. If this property is set, a timer checks and removes the stale entries periodically.
Environment variable: | ||
Logout token claim whose value is used as a key for caching the tokens. Only
Environment variable: | string |
|
The relative path of the Front-Channel Logout endpoint at the application.
Environment variable: | string | |
Common name of the leaf certificate. It must be set if the
Environment variable: | string | |
Truststore file which keeps thumbprints of the trusted certificates.
Environment variable: | path | |
A parameter to specify the password of the truststore file if it is configured with
Environment variable: | string | |
A parameter to specify the alias of the truststore certificate.
Environment variable: | string | |
An optional parameter to specify type of the truststore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
Authorization code flow response mode.
Environment variable: |
query: Authorization response parameters are encoded in the query string added to the form-post: Authorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type | query |
The relative path for calculating a
Environment variable: | string | |
If this property is set to
Environment variable: | boolean |
|
Remove the query parameters such as
Environment variable: | boolean |
|
Relative path to the public endpoint which processes the error response from the OIDC authorization endpoint. If the user authentication has failed, the OIDC provider returns an
Environment variable: | string | |
Relative path to the public endpoint which an authenticated user is redirected to when the session has expired. When the OIDC session has expired and the session can not be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned. Set this property if you would like the user whose session has expired be redirected to a public application specific page instead, which can inform that the session has expired and advise the user to re-authenticated by following a link to the secured initial entry page.
Environment variable: | string | |
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles.
Authorization code flow access token is meant to be propagated to downstream services and is not verified by default unless
Authorization code flow access token verification is also enabled if this token is injected as JsonWebToken. Set this property to Bearer access token is always verified.
Environment variable: | boolean |
|
Force
Environment variable: | boolean |
|
List of scopes
Environment variable: | list of string | |
The separator which is used when more than one scope is configured. A single space is used by default.
Environment variable: | string | |
Require that ID token includes a
Environment variable: | boolean |
|
Add the
Environment variable: | boolean |
|
Additional properties added as query parameters to the authentication redirect URI.
Environment variable: | Map<String,String> | |
Request URL query parameters which, if present, are added to the authentication redirect URI.
Environment variable: | list of string | |
If enabled the state, session, and post logout cookies have their
Environment variable: | boolean |
|
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is
Environment variable: | string | |
Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post logout cookies. The
Environment variable: | string |
|
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the
Environment variable: | string | |
Cookie domain parameter value which, if set, is used for the session, state and post logout cookies.
Environment variable: | string | |
SameSite attribute for the session cookie.
Environment variable: |
|
|
If a state cookie is present, a
Environment variable: | boolean |
|
Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present. When either multiple authentications are disabled or the redirect URL matches the original request URL, the stale state cookie might remain in the browser cache from the earlier failed redirect to an OpenId Connect provider and be visible during the current request. For example, if Single-page application (SPA) uses XHR to handle redirects to the provider which does not support CORS for its authorization endpoint, the browser blocks it and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but find no matching state query parameter.
Reporting HTTP 401 error is usually the right thing to do in such cases, it minimizes a risk of the browser redirect loop but also can identify problems in the way SPA or Quarkus application manage redirects. For example, enabling
However, setting this property to
Environment variable: | boolean |
|
If this property is set to
This property is enabled automatically if
It is also enabled automatically if
Environment variable: | boolean |
|
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the
Environment variable: |
| |
State cookie age in minutes. State cookie is created every time a new authorization code flow redirect starts and removed when this flow is completed. State cookie name is unique by default, see
Environment variable: |
| |
If this property is set to
If this property is set to
Environment variable: | boolean |
|
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken is generated in such cases.
Environment variable: | boolean |
|
Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.
Environment variable: |
| |
Requires that a Proof Key for Code Exchange (PKCE) is used.
Environment variable: | boolean |
|
Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.
If this secret is not set, the client secret configured with either The secret is auto-generated if it remains uninitialized after checking all of these properties. Error is reported if the secret length is less than 16 characters.
Environment variable: | string | |
Additional parameters, in addition to the required
Environment variable: | Map<String,String> | |
Custom HTTP headers which must be sent to complete the authorization code grant request.
Environment variable: | Map<String,String> | |
Default TokenStateManager strategy.
Environment variable: | keep-all-tokens: Keep ID, access and refresh tokens. id-token: Keep ID token only id-refresh-tokens: Keep ID and refresh tokens only | keep-all-tokens |
Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size
Environment variable: | boolean |
|
Mandates that the Default TokenStateManager encrypt the session cookie that stores the tokens.
Environment variable: | boolean |
|
The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when
If this secret is not set, the client secret configured with either The length of the secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.
Environment variable: | string | |
Session cookie key encryption algorithm
Environment variable: | a256-gcmkw: Content encryption key will be generated and encrypted using the A256GCMKW algorithm and the configured encryption secret. The generated content encryption key will be used to encrypt the session cookie content. dir: The configured key encryption secret will be used as the content encryption key to encrypt the session cookie content. Using the direct encryption avoids a content encryption key generation step and will make the encrypted session cookie sequence slightly shorter. Avoid using the direct encryption if the encryption secret is less than 32 characters long. | a256-gcmkw |
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used, see
Environment variable: | boolean |
|
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used, see
Environment variable: | boolean |
|
Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.
Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the
Environment variable: | boolean | |
If JWK verification keys should be fetched at the moment a connection to the OIDC provider is initialized. Disabling this property delays the key acquisition until the moment the current token has to be verified. Typically it can only be necessary if the token or other telated request properties provide an additional context which is required to resolve the keys correctly.
Environment variable: | boolean |
|
Maximum number of JWK keys that can be cached. This property is ignored if the
Environment variable: | int |
|
Number of minutes a JWK key can be cached for. This property is ignored if the
Environment variable: |
| |
Cache timer interval. If this property is set, a timer checks and removes the stale entries periodically. This property is ignored if the
Environment variable: | ||
In case there is no key identifier ('kid') or certificate thumbprints ('x5t', 'x5t#S256') specified in the JOSE header and no key could be determined, check all available keys matching the token algorithm ('alg') header value.
Environment variable: | boolean |
|
Well known OpenId Connect provider identifier
Environment variable: |
| |
Maximum number of cache entries. Set it to a positive value if the cache has to be enabled.
Environment variable: | int |
|
Maximum amount of time a given cache entry is valid for.
Environment variable: |
| |
Clean up timer interval. If this property is set then a timer will check and remove the stale entries periodically.
Environment variable: | ||
If OIDC tenants should be resolved using the bearer access token’s issuer (
Environment variable: | boolean |
|
Type | Default | |
The base URL of the OpenID Connect (OIDC) server, for example,
Environment variable: | string | |
Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually.
Environment variable: | boolean |
|
The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if
Environment variable: | string | |
The relative path or absolute URL of the OIDC token revocation endpoint.
Environment variable: | string | |
The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if
Environment variable: | string | |
The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider’s dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client.
Environment variable: | string | |
The duration to attempt the initial connection to an OIDC server. For example, setting the duration to
Environment variable: | ||
The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from
Environment variable: | int |
|
The number of seconds after which the current OIDC connection request times out.
Environment variable: |
| |
Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server.
Environment variable: | boolean |
|
The maximum size of the connection pool used by the WebClient.
Environment variable: | int | |
The client secret used by the
Environment variable: | string | |
The client secret value. This value is ignored if
Environment variable: | string | |
The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered
Environment variable: | string | |
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
Environment variable: | string | |
The CredentialsProvider client secret key
Environment variable: | string | |
The authentication method. If the
Environment variable: |
basic:
post:
post-jwt: query: client id and secret are submitted as HTTP query parameters. This option is only supported by the OIDC extension. | |
JWT token source: OIDC provider client or an existing JWT bearer token.
Environment variable: |
|
|
If provided, indicates that JWT is signed using a secret key.
Environment variable: | string | |
The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered
Environment variable: | string | |
The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager
Environment variable: | string | |
The CredentialsProvider client secret key
Environment variable: | string | |
String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the
Environment variable: | string | |
If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the
Environment variable: | string | |
If provided, indicates that JWT is signed using a private key from a keystore.
Environment variable: | string | |
A parameter to specify the password of the keystore file.
Environment variable: | string | |
The private key id or alias.
Environment variable: | string | |
The private key password.
Environment variable: | string | |
The JWT audience (
Environment variable: | string | |
The key identifier of the signing key added as a JWT
Environment variable: | string | |
The issuer of the signing key added as a JWT
Environment variable: | string | |
Subject of the signing key added as a JWT
Environment variable: | string | |
Additional claims.
Environment variable: | Map<String,String> | |
The signature algorithm used for the
Environment variable: | string | |
The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time.
Environment variable: | int |
|
If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.
Environment variable: | boolean |
|
The host name or IP address of the Proxy.
Environment variable: | string | |
The port number of the Proxy. The default value is
Environment variable: | int |
|
The username, if the Proxy needs authentication.
Environment variable: | string | |
The password, if the Proxy needs authentication.
Environment variable: | string | |
Certificate validation and hostname verification, which can be one of the following
Environment variable: | required: Certificates are validated and hostname verification is enabled. This is the default value. certificate-validation: Certificates are validated but hostname verification is disabled. none: All certificates are trusted and hostname verification is disabled. | |
An optional keystore that holds the certificate information instead of specifying separate files.
Environment variable: | path | |
The type of the keystore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type.
Environment variable: | string | |
The password of the keystore file. If not given, the default value,
Environment variable: | string | |
The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined.
Environment variable: | string | |
The password of the key, if it is different from the
Environment variable: | string | |
The truststore that holds the certificate information of the certificates to trust.
Environment variable: | path | |
The password of the truststore file.
Environment variable: | string | |
The alias of the truststore certificate.
Environment variable: | string | |
The type of the truststore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type.
Environment variable: | string | |
A unique tenant identifier. It can be set by
Environment variable: | string | |
If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a
Environment variable: | boolean |
|
The application type, which can be one of the following
Environment variable: |
web-app: A
service: A
hybrid: A combined | service |
The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for
Environment variable: | string | |
The relative path or absolute URL of the OIDC UserInfo endpoint. You must set this property for
Environment variable: | string | |
Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.
Environment variable: | string | |
Relative path or absolute URL of the OIDC JSON Web Key Set (JWKS) endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property is ignored if the discovery is enabled.
Environment variable: | string | |
Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the
Environment variable: | string | |
The paths which must be secured by this tenant. Tenant with the most specific path wins. Please see the Configure tenant paths section of the OIDC multitenancy guide for explanation of allowed path patterns.
Environment variable: | list of string | |
The public key for the local JWT token verification. OIDC server connection is not created when this property is set.
Environment variable: | string | |
Name
Environment variable: | string | |
Secret
Environment variable: | string | |
Include OpenId Connect Client ID configured with
Environment variable: | boolean |
|
A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no
Environment variable: | list of string | |
The separator for splitting strings that contain multiple group values. It is only used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space is used by default because the standard
Environment variable: | string | |
Source of the principal roles.
Environment variable: |
idtoken: ID Token - the default value for the
accesstoken: Access Token - the default value for the userinfo: User Info | |
The expected issuer
Environment variable: | string | |
The expected audience
Environment variable: | list of string | |
Require that the token includes a
Environment variable: | boolean |
|
A map of required claims and their expected values. For example,
Environment variable: | Map<String,String> | |
Expected token type
Environment variable: | string | |
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
Environment variable: | int | |
Token age. It allows for the number of seconds to be specified that must not elapse since the
Environment variable: | ||
Require that the token includes a
Environment variable: | boolean |
|
Name of the claim which contains a principal name. By default, the
Environment variable: | string | |
Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option be effective the
Environment variable: | boolean |
|
The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time, a refresh is going to happen.
Environment variable: | ||
The forced JWK set refresh interval in minutes.
Environment variable: |
| |
Custom HTTP header that contains a bearer token. This option is valid only when the application is of type
Environment variable: | string | |
HTTP Authorization header scheme.
Environment variable: | string |
|
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.
Environment variable: |
| |
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the
Environment variable: | string | |
Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to
Environment variable: | boolean |
|
Require that JWT tokens are only introspected remotely.
Environment variable: | boolean |
|
Allow the remote introspection of the opaque tokens. Set this property to
Environment variable: | boolean |
|
Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using
Environment variable: | string | |
Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
Environment variable: | boolean |
|
The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.
Environment variable: | string | |
Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.
Environment variable: | string | |
Name of the post logout URI parameter which is added as a query parameter to the logout redirect URI.
Environment variable: | string |
|
Additional properties which is added as the query parameters to the logout redirect URI.
Environment variable: | Map<String,String> | |
The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.
Environment variable: | string | |
Maximum number of logout tokens that can be cached before they are matched against ID tokens stored in session cookies.
Environment variable: | int |
|
Number of minutes a logout token can be cached for.
Environment variable: |
| |
Token cache timer interval. If this property is set, a timer checks and removes the stale entries periodically.
Environment variable: | ||
Logout token claim whose value is used as a key for caching the tokens. Only
Environment variable: | string |
|
The relative path of the Front-Channel Logout endpoint at the application.
Environment variable: | string | |
Common name of the leaf certificate. It must be set if the
Environment variable: | string | |
Truststore file which keeps thumbprints of the trusted certificates.
Environment variable: | path | |
A parameter to specify the password of the truststore file if it is configured with
Environment variable: | string | |
A parameter to specify the alias of the truststore certificate.
Environment variable: | string | |
An optional parameter to specify type of the truststore file. If not given, the type is automatically detected based on the file name.
Environment variable: | string | |
Authorization code flow response mode.
Environment variable: |
query: Authorization response parameters are encoded in the query string added to the form-post: Authorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type | query |
The relative path for calculating a
Environment variable: | string | |
If this property is set to
Environment variable: | boolean |
|
Remove the query parameters such as
Environment variable: | boolean |
|
Relative path to the public endpoint which processes the error response from the OIDC authorization endpoint. If the user authentication has failed, the OIDC provider returns an
Environment variable: | string | |
Relative path to the public endpoint which an authenticated user is redirected to when the session has expired. When the OIDC session has expired and the session can not be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned. Set this property if you would like the user whose session has expired be redirected to a public application specific page instead, which can inform that the session has expired and advise the user to re-authenticated by following a link to the secured initial entry page.
Environment variable: | string | |
Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles.
Authorization code flow access token is meant to be propagated to downstream services and is not verified by default unless
Authorization code flow access token verification is also enabled if this token is injected as JsonWebToken. Set this property to Bearer access token is always verified.
Environment variable: | boolean |
|
Force
Environment variable: | boolean |
|
List of scopes
Environment variable: | list of string | |
The separator which is used when more than one scope is configured. A single space is used by default.
Environment variable: | string | |
Require that ID token includes a
Environment variable: | boolean |
|
Add the
Environment variable: | boolean |
|
Additional properties added as query parameters to the authentication redirect URI.
Environment variable: | Map<String,String> | |
Request URL query parameters which, if present, are added to the authentication redirect URI.
Environment variable: | list of string | |
If enabled the state, session, and post logout cookies have their
Environment variable: | boolean |
|
Cookie name suffix. For example, a session cookie name for the default OIDC tenant is
Environment variable: | string | |
Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post logout cookies. The
Environment variable: | string |
|
Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the
Environment variable: | string | |
Cookie domain parameter value which, if set, is used for the session, state and post logout cookies.
Environment variable: | string | |
SameSite attribute for the session cookie.
Environment variable: |
|
|
If a state cookie is present, a
Environment variable: | boolean |
|
Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present. When either multiple authentications are disabled or the redirect URL matches the original request URL, the stale state cookie might remain in the browser cache from the earlier failed redirect to an OpenId Connect provider and be visible during the current request. For example, if Single-page application (SPA) uses XHR to handle redirects to the provider which does not support CORS for its authorization endpoint, the browser blocks it and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but find no matching state query parameter.
Reporting HTTP 401 error is usually the right thing to do in such cases, it minimizes a risk of the browser redirect loop but also can identify problems in the way SPA or Quarkus application manage redirects. For example, enabling
However, setting this property to
Environment variable: | boolean |
|
If this property is set to
This property is enabled automatically if
It is also enabled automatically if
Environment variable: | boolean |
|
Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the
Environment variable: |
| |
State cookie age in minutes. State cookie is created every time a new authorization code flow redirect starts and removed when this flow is completed. State cookie name is unique by default, see
Environment variable: |
| |
If this property is set to
If this property is set to
Environment variable: | boolean |
|
Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken is generated in such cases.
Environment variable: | boolean |
|
Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.
Environment variable: |
| |
Requires that a Proof Key for Code Exchange (PKCE) is used.
Environment variable: | boolean |
|
Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.
If this secret is not set, the client secret configured with either The secret is auto-generated if it remains uninitialized after checking all of these properties. Error is reported if the secret length is less than 16 characters.
Environment variable: | string | |
Additional parameters, in addition to the required
Environment variable: | Map<String,String> | |
Custom HTTP headers which must be sent to complete the authorization code grant request.
Environment variable: | Map<String,String> | |
Default TokenStateManager strategy.
Environment variable: | keep-all-tokens: Keep ID, access and refresh tokens. id-token: Keep ID token only id-refresh-tokens: Keep ID and refresh tokens only | keep-all-tokens |
Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size
Environment variable: | boolean |
|
Mandates that the Default TokenStateManager encrypt the session cookie that stores the tokens.
Environment variable: | boolean |
|
The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when
If this secret is not set, the client secret configured with either The length of the secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.
Environment variable: | string | |
Session cookie key encryption algorithm
Environment variable: | a256-gcmkw: Content encryption key will be generated and encrypted using the A256GCMKW algorithm and the configured encryption secret. The generated content encryption key will be used to encrypt the session cookie content. dir: The configured key encryption secret will be used as the content encryption key to encrypt the session cookie content. Using the direct encryption avoids a content encryption key generation step and will make the encrypted session cookie sequence slightly shorter. Avoid using the direct encryption if the encryption secret is less than 32 characters long. | a256-gcmkw |
Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used, see
Environment variable: | boolean |
|
Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used, see
Environment variable: | boolean |
|
Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.
Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the
Environment variable: | boolean | |
If JWK verification keys should be fetched at the moment a connection to the OIDC provider is initialized. Disabling this property delays the key acquisition until the moment the current token has to be verified. Typically it can only be necessary if the token or other telated request properties provide an additional context which is required to resolve the keys correctly.
Environment variable: | boolean |
|
Maximum number of JWK keys that can be cached. This property is ignored if the
Environment variable: | int |
|
Number of minutes a JWK key can be cached for. This property is ignored if the
Environment variable: |
| |
Cache timer interval. If this property is set, a timer checks and removes the stale entries periodically. This property is ignored if the
Environment variable: | ||
In case there is no key identifier ('kid') or certificate thumbprints ('x5t', 'x5t#S256') specified in the JOSE header and no key could be determined, check all available keys matching the token algorithm ('alg') header value.
Environment variable: | boolean |
|
Well known OpenId Connect provider identifier
Environment variable: |
|
To write duration values, use the standard java.time.Duration
format. See the Duration#parse() Java API documentation for more information.
You can also use a simplified format, starting with a number:
- If the value is only a number, it represents time in seconds.
-
If the value is a number followed by
ms
, it represents time in milliseconds.
In other cases, the simplified format is translated to the java.time.Duration
format for parsing:
-
If the value is a number followed by
h
,m
, ors
, it is prefixed withPT
. -
If the value is a number followed by
d
, it is prefixed withP
.
6.2. Keycloak Dev Services configuration
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Configuration property | Type | Default |
Type | Default | |
Flag to enable (default) or disable Dev Services. When enabled, Dev Services for Keycloak automatically configures and starts Keycloak in Dev or Test mode, and when Docker is running.
Environment variable: | boolean |
|
The container image name for Dev Services providers. Defaults to a Quarkus-based Keycloak image. For a WildFly-based distribution, use an image like
Environment variable: | string |
|
Indicates if a Keycloak-X image is used. By default, the image is identified by
Environment variable: | boolean | |
Determines if the Keycloak container is shared. When shared, Quarkus uses label-based service discovery to find and reuse a running Keycloak container, so a second one is not started. Otherwise, if a matching container is not is found, a new container is started. The service discovery uses the
Environment variable: | boolean |
|
The value of the
Environment variable: | string |
|
A comma-separated list of class or file system paths to Keycloak realm files. This list is used to initialize Keycloak. The first value in this list is used to initialize default tenant connection properties.
Environment variable: | list of string | |
Aliases to additional class or file system resources that are used to initialize Keycloak. Each map entry represents a mapping between an alias and a class or file system resource path.
Environment variable: | Map<String,String> | |
Additional class or file system resources that are used to initialize Keycloak. Each map entry represents a mapping between a class or file system resource path alias and the Keycloak container location.
Environment variable: | Map<String,String> | |
The
Environment variable: | string | |
Show Keycloak log messages with a "Keycloak:" prefix.
Environment variable: | boolean |
|
Keycloak start command. Use this property to experiment with Keycloak start options, see
Environment variable: | string | |
The name of the Keycloak realm. This property is used to create the realm if the realm file pointed to by the
Environment variable: | string | |
Specifies whether to create the Keycloak realm when no realm file is found at the
Environment variable: | boolean |
|
A map of Keycloak usernames to passwords. If empty, default users
Environment variable: | Map<String,String> | |
A map of roles for Keycloak users. If empty, default roles are assigned:
Environment variable: | Map<String,List<String>> | |
The specific port for the dev service to listen on. If not specified, a random port is selected.
Environment variable: | int | |
Environment variables to be passed to the container.
Environment variable: | Map<String,String> | |
Memory limit for Keycloak container If not specified, 750MiB is the default memory limit.
Environment variable: |
|
A size configuration option recognizes strings in this format (shown as a regular expression): [0-9]+[KkMmGgTtPpEeZzYy]?
.
If no suffix is given, assume bytes.
6.3. References
- OIDC Bearer token authentication
- Protect a service application by using OpenID Connect (OIDC) Bearer token authentication
- OpenID Connect
- OpenID Connect and OAuth2 Client and Filters Reference Guide
- Choosing between OpenID Connect, SmallRye JWT, and OAuth2 authentication mechanisms
- Combining authentication mechanisms
- Quarkus Security