Package io.quarkus.oidc

Class OidcTenantConfig.Token

    • Field Detail

      • issuer

        @ConfigItem
public Optional<String> issuer
        Expected issuer 'iss' claim value. Note this property overrides the `issuer` property which may be set in OpenId Connect provider's well-known configuration. If the `iss` claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed `iss` claim value) are not possible.

      • requiredClaims

        @ConfigItem
@ConfigDocMapKey("claim-name")
public Map<String,​String> requiredClaims
        A map of required claims and their expected values. For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id` claim to be present and set to `org_xyz`. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

      • lifespanGrace

        @ConfigItem
public OptionalInt lifespanGrace
        Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

      • age

        @ConfigItem
public Optional<Duration> age
        Token age. It allows for the number of seconds to be specified that must not elapse since the `iat` (issued at) time. A small leeway to account for clock skew which can be configured with 'quarkus.oidc.token.lifespan-grace' to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid ('exp') expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an 'exp' claim. However, even if the current logout token is allowed to have no 'exp' claim, the `exp` claim will be still verified if the logout token contains it.

      • principalClaim

        @ConfigItem
public Optional<String> principalClaim
        Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and `sub` claims are checked.

      • refreshExpired

        @ConfigItem
public boolean refreshExpired
        Refresh expired authorization code flow ID or access tokens. If this property is enabled then a refresh token request will be performed if the authorization code ID or access token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the `authentication.session-age-extension` property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.WEB_APP}.

      • refreshTokenTimeSkew

        @ConfigItem
public Optional<Duration> refreshTokenTimeSkew
        Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token's expiration time then a refresh is going to happen. This property will be ignored if the 'refresh-expired' property is not enabled.

      • decryptionKeyLocation

        @ConfigItem
public Optional<String> decryptionKeyLocation
        Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.

      • allowJwtIntrospection

        @ConfigItem(defaultValue="true")
public boolean allowJwtIntrospection
        Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to `false` instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.

      • requireJwtIntrospectionOnly

        @ConfigItem(defaultValue="false")
public boolean requireJwtIntrospectionOnly
        Require that JWT tokens are only introspected remotely.

      • allowOpaqueTokenIntrospection

        @ConfigItem(defaultValue="true")
public boolean allowOpaqueTokenIntrospection
        Allow the remote introspection of the opaque tokens. Set this property to 'false' if only JWT tokens are expected.

      • verifyAccessTokenWithUserInfo

        @ConfigItem(defaultValue="false")
public boolean verifyAccessTokenWithUserInfo
        Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens have to be accepted but OpenId Connect provider does not have a token introspection endpoint. This property will have no effect when JWT tokens have to be verified.

    • Constructor Detail

      • Token

        public Token()

    • Method Detail

      • setIssuer

        public void setIssuer​(String issuer)

      • setHeader

        public void setHeader​(String header)

      • setAudience

        public void setAudience​(List<String> audience)

      • getLifespanGrace

        public OptionalInt getLifespanGrace()

      • setLifespanGrace

        public void setLifespanGrace​(int lifespanGrace)

      • setPrincipalClaim

        public void setPrincipalClaim​(String principalClaim)

      • isRefreshExpired

        public boolean isRefreshExpired()

      • setRefreshExpired

        public void setRefreshExpired​(boolean refreshExpired)

      • getForcedJwkRefreshInterval

        public Duration getForcedJwkRefreshInterval()

      • setForcedJwkRefreshInterval

        public void setForcedJwkRefreshInterval​(Duration forcedJwkRefreshInterval)

      • setTokenType

        public void setTokenType​(String tokenType)

      • setRefreshTokenTimeSkew

        public void setRefreshTokenTimeSkew​(Duration refreshTokenTimeSkew)

      • isAllowJwtIntrospection

        public boolean isAllowJwtIntrospection()

      • setAllowJwtIntrospection

        public void setAllowJwtIntrospection​(boolean allowJwtIntrospection)

      • isAllowOpaqueTokenIntrospection

        public boolean isAllowOpaqueTokenIntrospection()

      • setAllowOpaqueTokenIntrospection

        public void setAllowOpaqueTokenIntrospection​(boolean allowOpaqueTokenIntrospection)

      • setAge

        public void setAge​(Duration age)

      • getDecryptionKeyLocation

        public Optional<String> getDecryptionKeyLocation()

      • setDecryptionKeyLocation

        public void setDecryptionKeyLocation​(String decryptionKeyLocation)

      • setRequiredClaims

        public void setRequiredClaims​(Map<String,​String> requiredClaims)

      • isRequireJwtIntrospectionOnly

        public boolean isRequireJwtIntrospectionOnly()

      • setRequireJwtIntrospectionOnly

        public void setRequireJwtIntrospectionOnly​(boolean requireJwtIntrospectionOnly)