15.2. Generic OpenID Connect authentication in HawtIO
HawtIO 4 can be used with an existing OpenID Connect provider (such as Keycloak, Microsoft Entra ID, Auth0, …) and uses these libraries to perform the work:
- Apache HTTP Client 4 to implement HTTP communication from the HawtIO server to the OpenID Connect provider (for example, to retrieve information about the public keys used for token signature verification).
- Nimbus JOSE + JWT library to manipulate and validate OpenID Connect / OAuth2 access tokens.
These libraries are included in the HawtIO Server WAR, which means there is no need to install or deploy any additional libraries (as is the case with the Keycloak-specific configuration). To configure HawtIO with an external OpenID Connect provider, we need to provide a configuration file and point HawtIO to its location.
The location of the OIDC (OpenID Connect) configuration is specified with -Dhawtio.oidcConfig. If it is not specified, the default locations are checked. The defaults are:
- For Karaf runtime, ${karaf.base}/etc/hawtio-oidc.properties
- For Jetty runtime, ${jetty.home}/etc/hawtio-oidc.properties
- For Tomcat runtime, ${catalina.home}/conf/hawtio-oidc.properties
- For JBoss/EAP/Wildfly runtime, ${jboss.server.config.dir}/hawtio-oidc.properties
- For Apache Artemis runtime, ${artemis.instance.etc}/hawtio-oidc.properties
- Fallback to classpath:hawtio-oidc.properties (for embedded HawtIO usage)
Unlike the Keycloak-specific configuration, there is only a single .properties file to configure all aspects of the OpenID Connect setup.
Here is the template:
# OpenID Connect configuration required at client side
# URL of OpenID Connect Provider - the URL after which ".well-known/openid-configuration" can be appended for
# discovery purposes
provider = http://localhost:18080/realms/hawtio-demo
# OpenID client identifier
client_id = hawtio-client
# response mode according to https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
response_mode = fragment
# scope to request when performing OpenID authentication. MUST include "openid" and required permissions
scope = openid email profile
# redirect URI after OpenID authentication - must also be configured at provider side
redirect_uri = http://localhost:8080/hawtio
# challenge method according to https://datatracker.ietf.org/doc/html/rfc7636
code_challenge_method = S256
# prompt hint according to https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
prompt = login
# additional configuration for the server side
# if true, .well-known/openid-configuration will be fetched at server side. This is required
# for proper JWT access token validation
oidc.cacheConfig = true
# time in minutes to cache public keys from jwks_uri
jwks.cacheTime = 60
# a path for an array of roles found in JWT payload. Property placeholders can be used for parameterized parts
# of the path (like for Keycloak) - but only for properties from this particular file
# example for properly configured Entra ID token
#oidc.rolesPath = roles
# example for Keycloak with use-resource-role-mappings=true
#oidc.rolesPath = resource_access.${client_id}.roles
# example for Keycloak with use-resource-role-mappings=false
oidc.rolesPath = realm_access.roles
# properties for role mapping. Each property with "roleMapping." prefix is used to map an original role
# from JWT token (found at ${oidc.rolesPath}) to a role used by the application
roleMapping.admin = admin
roleMapping.user = user
roleMapping.viewer = viewer
roleMapping.manager = manager
# timeout for connection establishment (milliseconds)
http.connectionTimeout = 5000
# timeout for reading from established connection (milliseconds)
http.readTimeout = 10000
# HTTP proxy to use when connecting to OpenID Connect provider
#http.proxyURL = http://127.0.0.1:3128
# TLS configuration (system properties can be used, e.g., "${catalina.home}/conf/hawtio.jks")
#ssl.protocol = TLSv1.3
#ssl.truststore = src/test/resources/hawtio.jks
#ssl.truststorePassword = hawtio
#ssl.keystore = src/test/resources/hawtio.jks
#ssl.keystorePassword = hawtio
#ssl.keyAlias = openid connect test provider
#ssl.keyPassword = hawtio
This file configures several aspects of HawtIO + OpenID Connect:
- OAuth2 - the location of the authorization server, the client ID and several OpenID Connect related options
- JWKS - the cache time for public keys fetched from jwks_uri, the endpoint that exposes the public keys used by the authorization server
- JWT token configuration - information about the claim (a field in the JSON Web Token) that contains the roles associated with the authenticated user. We also allow roles defined in the authorization server to be mapped to the roles used by the application (HawtIO server and Jolokia).
- HTTP configuration - the server-side HTTP client used to connect to the authorization server (to fetch the OpenID Connect metadata and the exposed public keys)
This example configuration can be adjusted to specific needs, but it also works as-is with containerized Keycloak (see below).
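The following is an added example, not HawtIO's own code, that shows how the values in hawtio-oidc.properties are applied to a decoded JWT payload: `${...}` placeholders in `oidc.rolesPath` are resolved from properties in the same file, the dotted path is walked to the roles array, and `roleMapping.*` entries translate provider roles into application roles. It also runs a few sanity checks on the client-side settings (`openid` in `scope`, PKCE with `S256`, `oidc.cacheConfig=true`). The properties excerpt and both token payloads are constructed for illustration; the choice to drop token roles that have no `roleMapping.*` entry is a least-privilege decision made for this example, not a statement about HawtIO's behaviour.

```python
"""Apply hawtio-oidc.properties role settings to a decoded JWT payload (illustrative, not HawtIO code)."""
import re
from typing import Any

# Constructed excerpt of hawtio-oidc.properties for Keycloak with
# use-resource-role-mappings=true, so the roles live under resource_access.<client_id>.roles
PROPERTIES_TEXT = """
# client side
provider = http://localhost:18080/realms/hawtio-demo
client_id = hawtio-client
scope = openid email profile
code_challenge_method = S256
# server side
oidc.cacheConfig = true
oidc.rolesPath = resource_access.${client_id}.roles
roleMapping.admin = admin
roleMapping.hawtio-viewer = viewer
"""

# Constructed payload shaped like a Keycloak access token for the client above
KEYCLOAK_PAYLOAD = {
    "iss": "http://localhost:18080/realms/hawtio-demo",
    "aud": "hawtio-client",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "hawtio-client": {"roles": ["admin", "hawtio-viewer", "unmapped-role"]},
    },
}

# Constructed payload shaped like an Entra ID token with app roles at the top level
ENTRA_PAYLOAD = {"aud": "hawtio-client", "roles": ["admin"]}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text: str) -> dict:
    """Minimal key = value parser; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_placeholders(value: str, props: dict) -> str:
    """Substitute ${name} using only properties from the same file, as the template requires."""
    def sub(match: re.Match) -> str:
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved placeholder ${{{name}}} in {value!r}")
        return props[name]
    return _PLACEHOLDER.sub(sub, value)


def lookup_path(payload: dict, path: str) -> list:
    """Walk a dotted path in the decoded payload; a missing or non-array node yields no roles."""
    node: Any = payload
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return []
        node = node[segment]
    return list(node) if isinstance(node, list) else []


def map_roles(token_roles: list, props: dict) -> list:
    """Translate provider roles via roleMapping.*; unmapped roles are dropped (example's choice)."""
    prefix = "roleMapping."
    mapping = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return sorted({mapping[r] for r in token_roles if r in mapping})


def roles_for_token(payload: dict, props: dict) -> list:
    """End-to-end: resolve oidc.rolesPath, read the roles array, apply the mapping."""
    path = resolve_placeholders(props["oidc.rolesPath"], props)
    return map_roles(lookup_path(payload, path), props)


def check_client_config(props: dict) -> list:
    """Return a list of problems with the settings that matter for a safe OIDC login."""
    problems = []
    if "openid" not in props.get("scope", "").split():
        problems.append("scope must include 'openid'")
    if props.get("code_challenge_method") != "S256":
        problems.append("code_challenge_method should be S256 (PKCE, RFC 7636)")
    if props.get("oidc.cacheConfig", "false").lower() != "true":
        problems.append("oidc.cacheConfig should be true so the server can validate access tokens")
    return problems


if __name__ == "__main__":
    props = parse_properties(PROPERTIES_TEXT)
    print("resolved rolesPath:", resolve_placeholders(props["oidc.rolesPath"], props))
    print("Keycloak roles ->", roles_for_token(KEYCLOAK_PAYLOAD, props))
    print("Entra roles at 'roles' ->", lookup_path(ENTRA_PAYLOAD, "roles"))
    print("config problems:", check_client_config(props) or "none")
```

Note that `realm_access.roles` in the Keycloak payload is ignored with this `oidc.rolesPath`; switching the property to `realm_access.roles` (the template's default for use-resource-role-mappings=false) changes which array is read without touching any other setting.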