Chapter 7. elytron-oidc-client subsystem attributes


The elytron-oidc-client subsystem provides attributes to configure its behavior.

Table 7.1. elytron-oidc-client subsystem attributes
Attribute | Description

provider

Configuration for an OpenID Connect provider.

secure-deployment

A deployment secured by an OpenID Connect provider.

realm

Configuration for a Red Hat Single Sign-On realm. This is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the provider is recommended instead.

Use the three elytron-oidc-client attributes for the following purposes:

  • provider: For configuring the OpenID Connect provider. For more information, see provider attributes.
  • secure-deployment: For configuring the deployment secured by an OpenID Connect provider. For more information, see secure-deployment attributes.
  • realm: For configuring Red Hat Single Sign-On. For more information, see realm attributes. The use of realm is not recommended. It is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the provider attribute is recommended instead.

Table 7.2. provider attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. If you use this attribute, you must also define the realm attribute.

You can alternatively use the provider-url attribute to provide both base URL and the realm in a single attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests. When a bearer-only request is received and autodetect-bearer-only is set to true, the application cannot participate in browser logins.

client-id

 

The client-id of JBoss EAP registered with the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a JavaScript HTTP invocation, via the URL root/k_query_bearer_token. This is optional. This is specific to Red Hat Single Sign-On.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

socket-timeout-millis

 

Specify the timeout, in milliseconds, for a socket waiting for data.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - all communication happens over HTTPS.
  • external - only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token contains this client name (resource) as an audience.

Table 7.3. secure-deployment attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the provider-url attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests. When a bearer-only request is received and autodetect-bearer-only is set to true, the application cannot participate in browser logins.

bearer-only

false

Set this to true to secure the application with Bearer Token authentication. When Bearer Token authentication is enabled, users are not redirected to the OpenID provider to log in; instead, the elytron-oidc-client subsystem attempts to verify the user’s bearer token. The default value for bearer-only is false.

client-id

 

The client-id of JBoss EAP registered with the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

credential

 

Specify the credential to use to communicate with the OpenID provider.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

enable-basic-auth

false

Enable Basic Authentication to specify the credentials to be used to obtain a bearer token.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a JavaScript HTTP invocation, via the URL root/k_query_bearer_token. This is optional. This is specific to Red Hat Single Sign-On.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

min-time-between-jwks-requests

 

If the adapter recognizes a token signed by an unknown public key, JBoss EAP tries to download a new public key from the elytron-oidc-client server. However, JBoss EAP doesn’t try to download a new public key if it has already tried in less than the number of seconds that you set for this attribute. The value can be between -1L and 2147483647L.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider

 

Specify the OpenID provider.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

public-client

false

If set to true, no client credentials are sent when communicating with the OpenID provider. This is optional.

realm

 

The realm with which to connect in Red Hat Single Sign-On.

realm-public-key

 

Specify the public key of the realm.

redirect-rewrite-rule

 

Specify the rewrite rule to apply to the redirect URI.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

resource

 

Specify the name of the application you are securing with OIDC. Alternatively, you can specify the client-id.

socket-timeout-millis

 

Specify the timeout, in milliseconds, for a socket waiting for data.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - all communication happens over HTTPS.
  • external - only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-minimum-time-to-live

 

The adapter refreshes the token if the current token is expired or is due to expire within the number of seconds you set.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for adapter client HTTPS requests.

truststore-password

 

Specify the truststore password.

turn-off-change-session-id-on-login

false

The session id is changed by default on a successful login. Set the value to true to turn this off.

use-resource-role-mappings

false

Use resource-level permissions obtained from the token.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token contains this client name (resource) as an audience.

Table 7.4. realm attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the provider-url attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests. When a bearer-only request is received and autodetect-bearer-only is set to true, the application cannot participate in browser logins.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by Red Hat Single Sign-On.

connection-pool-size

 

Specify the connection pool size to be used when communicating with Red Hat Single Sign-On.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a JavaScript HTTP invocation, via the URL root/k_query_bearer_token. This is optional.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

socket-timeout-millis

 

Specify the timeout, in milliseconds, for a socket waiting for data.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - all communication happens over HTTPS.
  • external - only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token contains this client name (resource) as an audience.
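As an added example (not Red Hat's or the documentation's code), a small Python audit of an elytron-oidc-client subsystem fragment: it resolves each secure-deployment's effective settings through the provider it names (Tables 7.2 and 7.3) and flags the values the tables describe as test-only or as weakening TLS, such as allow-any-hostname, disable-trust-manager, ssl-required=none and bearer-only without verify-token-audience. The XML layout (one child element per attribute), the provider-inheritance rule and the sample fragment are assumptions constructed for the example.

```python
"""Audit an elytron-oidc-client subsystem fragment for weak settings. Added example,
not Red Hat's code; the XML layout and provider inheritance are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample: hardened provider, one deployment inheriting it, one overriding it.
SAMPLE_XML = """<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
  <provider name="keycloak">
    <ssl-required>all</ssl-required>
    <verify-token-audience>true</verify-token-audience>
  </provider>
  <secure-deployment name="api.war">
    <provider>keycloak</provider>
    <bearer-only>true</bearer-only>
  </secure-deployment>
  <secure-deployment name="legacy.war">
    <provider>keycloak</provider>
    <bearer-only>true</bearer-only>
    <allow-any-hostname>true</allow-any-hostname>
    <disable-trust-manager>true</disable-trust-manager>
    <ssl-required>none</ssl-required>
    <verify-token-audience>false</verify-token-audience>
  </secure-deployment>
</subsystem>
"""

# (attribute, value, why it matters) for settings the tables flag as test-only or as weakening TLS.
CHECKS = [
    ("allow-any-hostname", "true", "hostname verification is skipped (test only)"),
    ("disable-trust-manager", "true", "the provider certificate is not validated"),
    ("ssl-required", "none", "HTTPS is not used"),
]

def _local(tag):  # strip the XML namespace from an element tag
    return tag.split("}")[-1]

def _settings(elem):  # child elements of a provider/secure-deployment as {attribute: value}
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def audit(xml_text):
    """Return {deployment name: [finding, ...]} computed on effective settings."""
    root = ET.fromstring(xml_text.strip())
    providers = {p.get("name"): _settings(p) for p in root if _local(p.tag) == "provider"}
    findings = {}
    for dep in root:
        if _local(dep.tag) != "secure-deployment":
            continue
        own = _settings(dep)
        eff = dict(providers.get(own.get("provider"), {}))  # inherit from the named provider
        eff.update(own)  # the deployment's own values win
        problems = [f"{a}={v}: {why}" for a, v, why in CHECKS if eff.get(a, "").lower() == v]
        if eff.get("bearer-only") == "true" and eff.get("verify-token-audience") != "true":
            problems.append("bearer-only without verify-token-audience=true: token audience unchecked")
        findings[dep.get("name")] = problems
    return findings
```

Running audit(SAMPLE_XML) reports nothing for api.war, which inherits the hardened provider unchanged, and four findings for legacy.war, whose own elements override it.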

© 2024 Red Hat, Inc.