Chapter 5. Reference


5.1. elytron-oidc-client subsystem attributes

The elytron-oidc-client subsystem provides attributes to configure its behavior.

Table 5.1. elytron-oidc-client subsystem attributes
Attribute | Description

provider

Configuration for an OpenID Connect provider.

secure-deployment

A deployment secured by an OpenID Connect provider.

realm

Configuration for a Red Hat build of Keycloak realm. This is provided for convenience: you can copy the realm configuration from the Keycloak client adapter and use it here. Using provider is recommended instead.

Use the three elytron-oidc-client attributes for the following purposes:

  • provider: For configuring the OpenID Connect provider. For more information, see provider attributes.
  • secure-deployment: For configuring the deployment secured by an OpenID Connect provider. For more information, see secure-deployment attributes.
  • realm: For configuring Red Hat build of Keycloak. For more information, see realm attributes. The use of realm is not recommended; it is provided for convenience so that you can copy the configuration from the Keycloak client adapter and use it here. Using the provider attribute is recommended instead.
Table 5.2. provider attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, the subsystem refreshes the token every time your application receives a web request, and sends a new request to the OpenID provider to obtain a new access token.

auth-server-url

 

The base URL of the Red Hat build of Keycloak realm authorization server. If you use this attribute, you must also define the realm attribute.

You can alternatively use the provider-url attribute to provide both base URL and the realm in a single attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests.

If set to true, a request identified as coming from a SOAP or REST client (based on headers such as X-Requested-With, SOAPAction or Accept) is treated as bearer-only: an unauthenticated request of that kind receives an HTTP 401 response instead of a redirect to the OpenID provider's login page, while browser requests to the same application can still log in interactively.

Use this attribute when one application serves both a browser front end and web service clients that cannot follow a login redirect.

client-id

 

The client ID under which the JBoss EAP application is registered with the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its key password in this attribute.

client-keystore

 

If your application authenticates to the OpenID provider with a client certificate (mutual TLS) when communicating over HTTPS, set the path to the keystore holding that certificate in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

-1L

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

-1L

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If CORS is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

If set to true, no trust manager is used when communicating with the OpenID provider over HTTPS, so the provider's TLS certificate is not verified and no truststore is needed. This is useful only during development. Do not set this to true in a production environment.

enable-cors

false

Enable Red Hat build of Keycloak Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token through a JavaScript HTTP invocation of the URL root/k_query_bearer_token. This is optional and specific to Red Hat build of Keycloak. Any script running in the page, including injected script, can then read the token, so leave this disabled unless the front end needs it.

ignore-oauth-query-parameter

false

If set to true, an access_token passed as a URL query parameter is ignored and bearer tokens are accepted only from the Authorization header. Tokens in URLs are written to server and proxy logs and leak through the Referer header, so enable this unless a client depends on the query parameter.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat build of Keycloak. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often, in seconds, to re-register the node.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider must use HTTPS. The value can be one of the following:

  • all - HTTPS is required for all requests. Use this value in production.
  • external - HTTPS is required only for requests from external (non-private) IP addresses; requests from localhost and private address ranges may use HTTP. This is the default.
  • none - HTTPS is not required.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify where auth-session data is stored: in the HTTP session (session) or in a cookie (cookie).

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication the subsystem verifies that the token's aud (audience) claim contains this client name (resource). Without this check, a valid token issued for a different client of the same provider is accepted.

Table 5.3. secure-deployment attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat build of Keycloak realm authorization server. You can alternatively use the provider-url attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests. If set to true, a request identified as coming from a SOAP or REST client (based on headers such as X-Requested-With, SOAPAction or Accept) is treated as bearer-only: an unauthenticated request of that kind receives an HTTP 401 response instead of a redirect to the OpenID provider's login page, while browser requests to the same application can still log in interactively.

bearer-only

false

Set this to true to secure the application with Bearer Token authentication. When Bearer Token authentication is enabled, users are not redirected to the OpenID provider to log in; instead, the elytron-oidc-client subsystem attempts to verify the user’s bearer token.

client-id

 

The unique identifier for a client registered in the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application authenticates to the OpenID provider with a client certificate (mutual TLS) when communicating over HTTPS, set the path to the keystore holding that certificate in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

-1L

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

-1L

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

credential

 

Specify the credential, such as the client secret, that the application uses to authenticate to the OpenID provider. A confidential client requires a credential; a public client does not send one.

disable-trust-manager

 

If set to true, no trust manager is used when communicating with the OpenID provider over HTTPS, so the provider's TLS certificate is not verified and no truststore is needed. This is useful only during development. Do not set this to true in a production environment.

enable-cors

false

Enable Red Hat build of Keycloak Cross-Origin Resource Sharing (CORS) support.

enable-basic-auth

false

Enable Basic Authentication to specify the credentials to be used to obtain a bearer token.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token through a JavaScript HTTP invocation of the URL root/k_query_bearer_token. This is optional and specific to Red Hat build of Keycloak. Any script running in the page, including injected script, can then read the token, so leave this disabled unless the front end needs it.

ignore-oauth-query-parameter

false

If set to true, an access_token passed as a URL query parameter is ignored and bearer tokens are accepted only from the Authorization header. Tokens in URLs are written to server and proxy logs and leak through the Referer header, so enable this unless a client depends on the query parameter.

min-time-between-jwks-requests

 

If the subsystem detects a token signed by an unknown public key, JBoss EAP tries to download a new public key from the OpenID provider. This attribute specifies the minimum interval, in seconds, that JBoss EAP waits between such download attempts, so that a stream of tokens carrying unknown key IDs cannot be used to flood the provider with key requests. The value can be between -1L and 2147483647L.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider

 

Specify the name of a provider defined in this subsystem whose configuration this deployment uses.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

public-client

false

If set to true, no client credentials are sent when communicating with the OpenID provider. This is optional. Use it only for clients registered as public in the provider; a confidential client must leave this false and configure a credential.

realm

 

The realm with which to connect in Red Hat build of Keycloak.

realm-public-key

 

Specify the public key of the OpenID provider in PEM format.

redirect-rewrite-rule

 

Specify the rewrite rule to apply to the redirect URI.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat build of Keycloak. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node in seconds.

resource

 

Specify the name of the application you are securing with OIDC. Alternatively, you can specify the client-id.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider must use HTTPS. The value can be one of the following:

  • all - HTTPS is required for all requests. Use this value in production.
  • external - HTTPS is required only for requests from external (non-private) IP addresses; requests from localhost and private address ranges may use HTTP. This is the default.
  • none - HTTPS is not required.

token-minimum-time-to-live

 

The adapter refreshes the token if the current token is expired or is to expire within the amount of time you set in seconds.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify where auth-session data is stored: in the HTTP session (session) or in a cookie (cookie).

truststore

 

Specify the truststore used for adapter client HTTPS requests.

truststore-password

 

Specify the truststore password.

turn-off-change-session-id-on-login

false

By default the HTTP session ID is changed on a successful login, which prevents session fixation. Set the value to true to turn this off; leave it false unless an application requirement forces otherwise.

use-resource-role-mappings

false

If set to true, roles are taken from the token's client-level (resource) role mappings for this application rather than from the realm-level role mappings.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token's aud (audience) claim contains this client name (resource). Without this check, a valid token issued for a different client of the same provider is accepted.

Table 5.4. secure-server attributes
Attribute | Default value | Description

adapter-state-cookie-path

 

If set, this defines the path used in cookies set by the subsystem. If not set, "" (the empty string) is used as the path.

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, the subsystem refreshes the token every time your application receives a web request, and sends a new request to the OpenID provider to obtain a new access token.

auth-server-url-for-backend-requests

 

Specifies the URL to use only for backend requests that invoke the OpenID provider directly, without going through a load balancer or a reverse proxy.

auth-server-url

 

The base URL of the Red Hat build of Keycloak realm authorization server. You can alternatively use the provider-url attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests.

If set to true, a request identified as coming from a SOAP or REST client (based on headers such as X-Requested-With, SOAPAction or Accept) is treated as bearer-only: an unauthenticated request of that kind receives an HTTP 401 response instead of a redirect to the OpenID provider's login page, while browser requests to the same application can still log in interactively.

Use this attribute when one application serves both a browser front end and web service clients that cannot follow a login redirect.

bearer-only

false

Set this to true to secure the application with Bearer Token authentication.

When Bearer Token authentication is enabled, users are not redirected to the OpenID provider to log in; instead, the elytron-oidc-client subsystem attempts to verify the user’s bearer token.

client-id

 

The unique identifier for a client registered in the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

client-keystore

 

When authenticating to the OpenID provider with a client certificate (mutual TLS) over HTTPS, set the path to the keystore holding that certificate in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

-1L

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

-1L

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

credential

 

Specify the credential, such as the client secret, that the application uses to authenticate to the OpenID provider. A confidential client requires a credential; a public client does not send one.

disable-trust-manager

 

If set to true, no trust manager is used when communicating with the OpenID provider over HTTPS, so the provider's TLS certificate is not verified and no truststore is needed. This is useful only during development. Do not set this to true in a production environment.

enable-basic-auth

false

Enable Basic Authentication to specify the credentials to be used to obtain a bearer token.

enable-cors

false

Enable Red Hat build of Keycloak Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token through a JavaScript HTTP invocation of the URL root/k_query_bearer_token. This is optional and specific to Red Hat build of Keycloak. Any script running in the page, including injected script, can then read the token, so leave this disabled unless the front end needs it.

ignore-oauth-query-parameter

false

If set to true, an access_token passed as a URL query parameter is ignored and bearer tokens are accepted only from the Authorization header. Tokens in URLs are written to server and proxy logs and leak through the Referer header, so enable this unless a client depends on the query parameter.

min-time-between-jwks-requests

 

If the subsystem detects a token signed by an unknown public key, JBoss EAP tries to download a new public key from the OpenID provider. However, JBoss EAP does not try to download a new public key if it has already tried within the interval, in seconds, that you set for this attribute; this stops a stream of tokens carrying unknown key IDs from flooding the provider with key requests. The value can be between -1L and 2147483647L.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider

 

Specify the name of a provider defined in this subsystem whose configuration this server uses.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

public-client

false

If set to true, no client credentials are sent when communicating with the OpenID provider. This is optional. Use it only for clients registered as public in the provider; a confidential client must leave this false and configure a credential.

public-key-cache-ttl

 

The maximum interval between two requests to retrieve new public keys in seconds.

realm-public-key

 

Specify the public key of the OpenID provider in PEM format.

realm

 

The realm with which to connect in Red Hat build of Keycloak.

redirect-rewrite-rule

 

Specify the rewrite rule to apply to the redirect URI.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat build of Keycloak. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node in seconds.

resource

 

Specify the name of the application you are securing with OIDC. Alternatively, you can specify the client-id.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider must use HTTPS. The value can be one of the following:

  • all - HTTPS is required for all requests. Use this value in production.
  • external - HTTPS is required only for requests from external (non-private) IP addresses; requests from localhost and private address ranges may use HTTP. This is the default.
  • none - HTTPS is not required.

token-minimum-time-to-live

 

The adapter refreshes the token if the current token is expired or is to expire within the amount of time you set in seconds.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify where auth-session data is stored: in the HTTP session (session) or in a cookie (cookie).

truststore-password

 

Specify the truststore password.

truststore

 

Specify the truststore used for adapter client HTTPS requests.

turn-off-change-session-id-on-login

false

By default the HTTP session ID is changed on a successful login, which prevents session fixation. Set the value to true to turn this off; leave it false unless an application requirement forces otherwise.

use-resource-role-mappings

false

If set to true, roles are taken from the token's client-level (resource) role mappings for this application rather than from the realm-level role mappings.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token's aud (audience) claim contains this client name (resource). Without this check, a valid token issued for a different client of the same provider is accepted.

Table 5.5. realm attributes
Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, the subsystem refreshes the token every time your application receives a web request, and sends a new request to the OpenID provider to obtain a new access token.

auth-server-url

 

The base URL of the Red Hat build of Keycloak realm authorization server. You can alternatively use the provider-url attribute.

autodetect-bearer-only

false

Set whether to automatically detect bearer-only requests. If set to true, a request identified as coming from a SOAP or REST client (based on headers such as X-Requested-With, SOAPAction or Accept) is treated as bearer-only: an unauthenticated request of that kind receives an HTTP 401 response instead of a redirect to the OpenID provider's login page, while browser requests to the same application can still log in interactively.

client-key-password

 

If you specify client-keystore, specify its key password in this attribute.

client-keystore

 

If your application authenticates to the OpenID provider with a client certificate (mutual TLS) when communicating over HTTPS, set the path to the keystore holding that certificate in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by Red Hat build of Keycloak.

connection-pool-size

 

Specify the connection pool size to be used when communicating with Red Hat build of Keycloak.

connection-timeout-millis

-1L

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

-1L

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

If set to true, no trust manager is used when communicating with the OpenID provider over HTTPS, so the provider's TLS certificate is not verified and no truststore is needed. This is useful only during development. Do not set this to true in a production environment.

enable-cors

false

Enable Red Hat build of Keycloak Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token through a JavaScript HTTP invocation of the URL root/k_query_bearer_token. This is optional. Any script running in the page, including injected script, can then read the token, so leave this disabled unless the front end needs it.

ignore-oauth-query-parameter

false

If set to true, an access_token passed as a URL query parameter is ignored and bearer tokens are accepted only from the Authorization header. Tokens in URLs are written to server and proxy logs and leak through the Referer header, so enable this unless a client depends on the query parameter.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat build of Keycloak. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often, in seconds, to re-register the node.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider must use HTTPS. The value can be one of the following:

  • all - HTTPS is required for all requests. Use this value in production.
  • external - HTTPS is required only for requests from external (non-private) IP addresses; requests from localhost and private address ranges may use HTTP. This is the default.
  • none - HTTPS is not required.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify where auth-session data is stored: in the HTTP session (session) or in a cookie (cookie).

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies that the token's aud (audience) claim contains this client name (resource). Without this check, a valid token issued for a different client of the same provider is accepted.
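As an added example that ties together the provider, secure-deployment, secure-server and realm tables above (it is not code from the original page or from JBoss EAP), the Python script below parses an elytron-oidc-client <subsystem> element as it would appear in standalone.xml and flags the settings those tables warn against: allow-any-hostname, disable-trust-manager, ssl-required other than all, bearer-only without verify-token-audience, expose-token, turn-off-change-session-id-on-login, ignore-oauth-query-parameter left off, public-client combined with a credential, and a client secret stored as a literal. The element layout (one child element per attribute, the client secret as <credential name="secret" secret="..."/>), the ${...} expression form for a secret resolved at runtime, and the sample configuration are assumptions constructed for this example; the checks look only at the values present on each element and do not model inheritance from a referenced provider.

```python
"""Audit an elytron-oidc-client subsystem configuration for weak settings.

Added example, not code from the original page or from JBoss EAP. Assumptions:
each attribute is a child element of <provider>, <secure-deployment>,
<secure-server> or <realm>, and a client secret is given as
<credential name="secret" secret="..."/>. The sample below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a weak provider and deployment beside a hardened deployment.
SAMPLE_CONFIG = """\
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
  <provider name="keycloak">
    <provider-url>https://sso.example.internal/realms/demo</provider-url>
    <ssl-required>external</ssl-required>
    <allow-any-hostname>true</allow-any-hostname>
    <disable-trust-manager>true</disable-trust-manager>
  </provider>
  <secure-deployment name="weak-app.war">
    <provider>keycloak</provider>
    <client-id>weak-app</client-id>
    <credential name="secret" secret="changeme"/>
    <bearer-only>true</bearer-only>
    <expose-token>true</expose-token>
    <turn-off-change-session-id-on-login>true</turn-off-change-session-id-on-login>
  </secure-deployment>
  <secure-deployment name="hardened-app.war">
    <provider>keycloak</provider>
    <client-id>hardened-app</client-id>
    <credential name="secret" secret="${ENC::oidc-resolver:ZXhhbXBsZQ==}"/>
    <ssl-required>all</ssl-required>
    <bearer-only>true</bearer-only>
    <verify-token-audience>true</verify-token-audience>
    <ignore-oauth-query-parameter>true</ignore-oauth-query-parameter>
  </secure-deployment>
</subsystem>
"""
# The ${ENC::...} value above stands for a secret resolved at runtime; the exact
# resolver syntax is an assumption for this example, the check only needs "${".


def _local(tag):
    """Strip the XML namespace so the audit works for any subsystem schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_element(elem):
    """Return findings for one provider/secure-deployment/secure-server/realm element.

    Each finding is (severity, attribute, explanation). Only values present on this
    element are inspected; inheritance from a referenced provider is not modelled.
    """
    kids = {_local(c.tag): c for c in elem}

    def val(name):
        child = kids.get(name)
        return (child.text or "").strip().lower() if child is not None else None

    findings = []
    if val("allow-any-hostname") == "true":
        findings.append(("high", "allow-any-hostname",
                         "hostname verification of the provider's TLS certificate is skipped"))
    if val("disable-trust-manager") == "true":
        findings.append(("high", "disable-trust-manager",
                         "the provider's TLS certificate is not verified at all"))
    ssl = val("ssl-required") or "external"  # the tables above give external as default
    if ssl != "all":
        findings.append(("medium" if ssl == "external" else "high", "ssl-required",
                         f"value is {ssl}; set to all so every exchange uses HTTPS"))
    if val("bearer-only") == "true" and val("verify-token-audience") != "true":
        findings.append(("medium", "verify-token-audience",
                         "bearer tokens issued for a different client are accepted"))
    if val("expose-token") == "true":
        findings.append(("medium", "expose-token",
                         "browser JavaScript can read the access token via k_query_bearer_token"))
    if val("turn-off-change-session-id-on-login") == "true":
        findings.append(("medium", "turn-off-change-session-id-on-login",
                         "session ID is kept across login, enabling session fixation"))
    if val("ignore-oauth-query-parameter") != "true":
        findings.append(("low", "ignore-oauth-query-parameter",
                         "access_token is accepted from the query string, where it leaks into logs"))
    cred = kids.get("credential")
    if val("public-client") == "true" and cred is not None:
        findings.append(("medium", "public-client",
                         "marked public but a credential is configured; one of the two is wrong"))
    if cred is not None and cred.get("name") == "secret":
        if not cred.get("secret", "").startswith("${"):  # literal, not a runtime expression
            findings.append(("high", "credential",
                             "client secret is stored in plaintext in the configuration"))
    return findings


def audit_config(xml_text):
    """Audit every configured element; results are keyed by 'kind:name'."""
    root = ET.fromstring(xml_text)
    results = {}
    for elem in root:
        kind = _local(elem.tag)
        if kind in ("provider", "secure-deployment", "secure-server", "realm"):
            results[f"{kind}:{elem.get('name')}"] = audit_element(elem)
    return results


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for sev, attr, why in findings:
            print(f"  [{sev}] {attr}: {why}")
```

Run against a real standalone.xml by extracting the <subsystem> element for the urn:wildfly:elytron-oidc-client namespace and passing its text to audit_config(); in the constructed sample, the provider and weak-app.war produce findings while hardened-app.war produces none.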

5.2. security-domain attributes

You can configure security-domain by setting its attributes.

Attribute | Description

default-realm

The default realm contained by this security domain.

evidence-decoder

A reference to an EvidenceDecoder to be used by this domain.

outflow-anonymous

This attribute specifies whether the anonymous identity should be used if outflow to a security domain is not possible, which happens in the following scenarios:

  • The domain to outflow to does not trust this domain.
  • The identity being outflowed to a domain does not exist in that domain.

Outflowing anonymous identity clears any previously established identity for that domain.

outflow-security-domains

The list of security domains that the security identity from this domain should automatically outflow to.

permission-mapper

A reference to a PermissionMapper to be used by this domain.

post-realm-principal-transformer

A reference to a principal transformer to be applied after the realm has operated on the supplied identity name.

pre-realm-principal-transformer

A reference to a principal transformer to be applied before the realm is selected.

principal-decoder

A reference to a PrincipalDecoder to be used by this domain.

realm-mapper

Reference to the RealmMapper to be used by this domain.

realms

The list of realms contained by this security domain.

role-decoder

Reference to the RoleDecoder to be used by this domain.

role-mapper

Reference to the RoleMapper to be used by this domain.

security-event-listener

Reference to a listener for security events.

trusted-security-domains

The list of security domains that are trusted by this security domain.

trusted-virtual-security-domains

The list of virtual security domains that are trusted by this security domain.

5.3. virtual-security-domain attributes

You can configure virtual-security-domain by setting its attributes.

Table 5.6. virtual-security-domain attributes
Attribute | Description

outflow-anonymous

Set this attribute to true to outflow anonymous identity if outflowing the security identity to a security domain is not possible, which happens in the following scenarios:

  • The domain to outflow to does not trust this virtual domain.
  • The identity being outflowed to a domain does not exist in that domain.

Outflowing anonymous identity has the effect of clearing any identity already established for that domain.

The default value is false.

outflow-security-domains

The list of security domains that the security identity from this virtual domain should automatically outflow to.

© 2025 Red Hat, Inc.