Chapter 7. elytron-oidc-client subsystem attributes
The elytron-oidc-client subsystem provides attributes to configure its behavior.
Attribute | Description |
---|---|
provider | Configuration for an OpenID Connect provider. |
secure-deployment | A deployment secured by an OpenID Connect provider. |
realm | Configuration for a Red Hat Single Sign-On realm. This is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the |
Use the three elytron-oidc-client attributes for the following purposes:
- provider: For configuring the OpenID Connect provider. For more information, see provider attributes.
- secure-deployment: For configuring the deployment secured by an OpenID Connect provider. For more information, see secure-deployment attributes.
- realm: For configuring Red Hat Single Sign-On. For more information, see realm attributes. The use of realm is not recommended. It is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the provider attribute is recommended instead.
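The recommended layout, as an added example that is not part of the Red Hat documentation: one provider definition, reused by a secure-deployment through its provider attribute, instead of a realm block. The subsystem namespace, the provider name rhsso, the URLs, the truststore path and the secret are assumptions and placeholders; the value all for ssl-required is assumed to be the Keycloak-style value accepted by this subsystem.

```xml
<!-- Added example, not from the Red Hat documentation. All names, URLs,
     paths and secrets are placeholders. -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <!-- Connection details for the OpenID Connect provider, defined once
         (the chapter recommends this over the realm attribute). -->
    <provider name="rhsso">
        <provider-url>https://sso.example.com/auth/realms/example</provider-url>
        <!-- Require HTTPS for every request to the provider. -->
        <ssl-required>all</ssl-required>
        <!-- Validate the provider certificate against a dedicated truststore
             rather than setting disable-trust-manager. -->
        <truststore>/opt/eap/config/sso-truststore.jks</truststore>
        <truststore-password>CHANGE_ME</truststore-password>
        <!-- Reject tokens whose audience does not include this client. -->
        <verify-token-audience>true</verify-token-audience>
    </provider>

    <!-- The deployment secured by that provider. -->
    <secure-deployment name="myapp.war">
        <provider>rhsso</provider>
        <client-id>myapp</client-id>
        <!-- Confidential client: the shared secret used with the provider. -->
        <credential name="secret" secret="PLACEHOLDER_CLIENT_SECRET"/>
        <!-- Use the preferred_username claim of the ID token as the principal. -->
        <principal-attribute>preferred_username</principal-attribute>
        <!-- Only accept access tokens from the Authorization header,
             never from an access_token query parameter. -->
        <ignore-oauth-query-parameter>true</ignore-oauth-query-parameter>
    </secure-deployment>
</subsystem>
```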
provider attributes

Attribute | Default value | Description |
---|---|---|
allow-any-hostname | | If you set the value to |
always-refresh-token | | If set to |
auth-server-url | | The base URL of the Red Hat Single Sign-On realm authorization server. If you use this attribute, you must also define the You can alternatively use the |
autodetect-bearer-only | | Set whether to automatically detect bearer-only requests. When a bearer-only request is received and |
client-id | | The client-id of JBoss EAP registered with the OpenID provider. |
client-key-password | | If you specify |
client-keystore | | If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute. |
client-keystore-password | | If you specify the |
confidential-port | | Specify the confidential port (SSL/TLS) used by the OpenID provider. |
connection-pool-size | | Specify the connection pool size to be used when communicating with the OpenID provider. |
connection-timeout-millis | | Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is |
connection-ttl-millis | | Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is |
cors-allowed-headers | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-allowed-methods | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses. |
cors-exposed-headers | | If CORS is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses. |
cors-max-age | | Set the value for the Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between |
disable-trust-manager | | Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. |
enable-cors | | Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support. |
expose-token | | If set to |
ignore-oauth-query-parameter | | Disable query parameter parsing for access_token. |
principal-attribute | | Specify which claim value from the ID token to use as the principal for the identity. |
provider-url | | Specify the OpenID provider URL. |
proxy-url | | Specify the URL for the HTTP proxy if you use one. |
realm-public-key | | Specify the public key of the realm. |
register-node-at-startup | | If set to |
register-node-period | | Specify how often to re-register the node. |
socket-timeout-millis | | Specify the timeout for the socket waiting for data in milliseconds. |
ssl-required | | Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following: |
token-signature-algorithm | | Specify the token signature algorithm used by the OpenID provider. The supported algorithms are: |
token-store | | Specify cookie or session storage for auth-session data. |
truststore | | Specify the truststore used for client HTTPS requests. |
truststore-password | | Specify the truststore password. |
verify-token-audience | | If set to |
secure-deployment attributes

Attribute | Default value | Description |
---|---|---|
allow-any-hostname | | If you set the value to |
always-refresh-token | | If set to |
auth-server-url | | The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the |
autodetect-bearer-only | | Set whether to automatically detect bearer-only requests. When a bearer-only request is received and |
bearer-only | false | Set this to |
client-id | | The client-id of JBoss EAP registered with the OpenID provider. |
client-key-password | | If you specify |
client-keystore | | If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute. |
client-keystore-password | | If you specify the |
confidential-port | | Specify the confidential port (SSL/TLS) used by the OpenID provider. |
connection-pool-size | | Specify the connection pool size to be used when communicating with the OpenID provider. |
connection-timeout-millis | | Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is |
connection-ttl-millis | | Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is |
cors-allowed-headers | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-allowed-methods | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-exposed-headers | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-max-age | | Set the value for the Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between |
credential | | Specify the credential to use to communicate with the OpenID provider. |
disable-trust-manager | | Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. |
enable-cors | | Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support. |
enable-basic-auth | | Enable Basic Authentication to specify the credentials to be used to obtain a bearer token. |
expose-token | | If set to |
ignore-oauth-query-parameter | | Disable query parameter parsing for access_token. |
min-time-between-jwks-requests | | If the adapter recognizes a token signed by an unknown public key, JBoss EAP tries to download a new public key from the |
principal-attribute | | Specify which claim value from the ID token to use as the principal for the identity. |
provider | | Specify the OpenID provider. |
provider-url | | Specify the OpenID provider URL. |
proxy-url | | Specify the URL for the HTTP proxy if you use one. |
public-client | | If set to |
realm | | The realm with which to connect in Red Hat Single Sign-On. |
realm-public-key | | Specify the public key of the realm. |
redirect-rewrite-rule | | Specify the rewrite rule to apply to the redirect URI. |
register-node-at-startup | | If set to |
register-node-period | | Specify how often to re-register the node. |
resource | | Specify the name of the application you are securing with OIDC. Alternatively, you can specify the |
socket-timeout-millis | | Specify the timeout for the socket waiting for data in milliseconds. |
ssl-required | | Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following: |
token-minimum-time-to-live | | The adapter refreshes the token if the current token is expired or is to expire within the amount of time you set in seconds. |
token-signature-algorithm | | Specify the token signature algorithm used by the OpenID provider. The supported algorithms are: |
token-store | | Specify cookie or session storage for auth-session data. |
truststore | | Specify the truststore used for adapter client HTTPS requests. |
truststore-password | | Specify the truststore password. |
turn-off-change-session-id-on-login | | The session id is changed by default on a successful login. Set the value to |
use-resource-role-mappings | | Use resource-level permissions obtained from the token. |
verify-token-audience | | If set to |
realm attributes

Attribute | Default value | Description |
---|---|---|
allow-any-hostname | | If you set the value to |
always-refresh-token | | If set to |
auth-server-url | | The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the |
autodetect-bearer-only | | Set whether to automatically detect bearer-only requests. When a bearer-only request is received and |
client-key-password | | If you specify |
client-keystore | | If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute. |
client-keystore-password | | If you specify the |
confidential-port | | Specify the confidential port (SSL/TLS) used by Red Hat Single Sign-On. |
connection-pool-size | | Specify the connection pool size to be used when communicating with Red Hat Single Sign-On. |
connection-timeout-millis | | Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is |
connection-ttl-millis | | Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is |
cors-allowed-headers | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses. |
cors-allowed-methods | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-exposed-headers | | If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the |
cors-max-age | | Set the value for the Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between |
disable-trust-manager | | Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. |
enable-cors | | Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support. |
expose-token | | If set to |
ignore-oauth-query-parameter | | Disable query parameter parsing for access_token. |
principal-attribute | | Specify which claim value from the ID token to use as the principal for the identity. |
provider-url | | Specify the OpenID provider URL. |
proxy-url | | Specify the URL for the HTTP proxy if you use one. |
realm-public-key | | Specify the public key of the realm. |
register-node-at-startup | | If set to |
register-node-period | | Specify how often to re-register the node. |
socket-timeout-millis | | Specify the timeout for the socket waiting for data in milliseconds. |
ssl-required | | Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following: |
token-signature-algorithm | | Specify the token signature algorithm used by the OpenID provider. The supported algorithms are: |
token-store | | Specify cookie or session storage for auth-session data. |
truststore | | Specify the truststore used for client HTTPS requests. |
truststore-password | | Specify the truststore password. |
verify-token-audience | | If set to |
Additional resources