Package io.quarkus.oidc
Class OidcTenantConfig.Token
java.lang.Object
io.quarkus.oidc.OidcTenantConfig.Token
- Enclosing class:
- OidcTenantConfig
-
Field Summary
Modifier and TypeFieldDescriptionToken age.boolean
Allow the remote introspection of JWT tokens when no matching JWK key is available.boolean
Allow the remote introspection of the opaque tokens.The expected audience `aud` claim value, which can be a string or an array of strings.HTTP Authorization header scheme.Token customizer name.Decryption key location.The forced JWK set refresh interval in minutes.Custom HTTP header that contains a bearer token.boolean
Require that the token includes a `iat` (issued at) claim Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim.The expected issuer `iss` claim value.Life span grace period in seconds.Name of the claim which contains a principal name.boolean
Refresh expired authorization code flow ID or access tokens.The refresh token time skew, in seconds.A map of required claims and their expected values.boolean
Require that JWT tokens are only introspected remotely.Required signature algorithm.boolean
Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user.Expected token typeIndirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic OidcTenantConfig.Token
fromAudience
(String... audience) static OidcTenantConfig.Token
fromIssuer
(String issuer) getAge()
boolean
boolean
boolean
boolean
boolean
boolean
void
void
setAllowJwtIntrospection
(boolean allowJwtIntrospection) void
setAllowOpaqueTokenIntrospection
(boolean allowOpaqueTokenIntrospection) void
setAudience
(List<String> audience) void
setAuthorizationScheme
(String authorizationScheme) void
setCustomizerName
(String customizerName) void
setDecryptionKeyLocation
(String decryptionKeyLocation) void
setForcedJwkRefreshInterval
(Duration forcedJwkRefreshInterval) void
void
setIssuedAtRequired
(boolean issuedAtRequired) void
void
setLifespanGrace
(int lifespanGrace) void
setPrincipalClaim
(String principalClaim) void
setRefreshExpired
(boolean refreshExpired) void
setRefreshTokenTimeSkew
(Duration refreshTokenTimeSkew) void
setRequiredClaims
(Map<String, String> requiredClaims) void
setRequireJwtIntrospectionOnly
(boolean requireJwtIntrospectionOnly) void
setSignatureAlgorithm
(OidcTenantConfig.SignatureAlgorithm signatureAlgorithm) void
setSubjectRequired
(boolean subjectRequired) void
setTokenType
(String tokenType) void
setVerifyAccessTokenWithUserInfo
(boolean verify)
-
Field Details
-
issuer
The expected issuer `iss` claim value. This property overrides the `issuer` property, which might be set in OpenId Connect provider's well-known configuration. If the `iss` claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to `any`, but it should be done only when other options (such as configuring the provider to use the fixed `iss` claim value) are not possible. -
audience
The expected audience `aud` claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. ID token audience must be equal to the value of `quarkus.oidc.client-id` property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to `any` if your provider does not set ID token audience` claim. Audience verification for access tokens is only done if this property is configured. -
subjectRequired
Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo `sub` claims must be present and match each other. -
requiredClaims
A map of required claims and their expected values. For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id` claim to be present and set to `org_xyz`. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims. -
tokenType
Expected token type -
lifespanGrace
Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds. -
age
Token age. It allows for the number of seconds to be specified that must not elapse since the `iat` (issued at) time. A small leeway to account for clock skew which can be configured with `quarkus.oidc.token.lifespan-grace` to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid (`exp`) expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an `exp` claim. However, even if the current logout token is allowed to have no `exp` claim, the `exp` claim is still verified if the logout token contains it. -
issuedAtRequired
Require that the token includes a `iat` (issued at) claim Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim. Note that ID token is always required to have an `iat` claim and therefore this property has no impact on the ID token verification process. -
principalClaim
Name of the claim which contains a principal name. By default, the `upn`, `preferred_username` and `sub` claims are checked. -
refreshExpired
Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option be effective the `authentication.session-age-extension` property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of typeOidcTenantConfig.ApplicationType.WEB_APP
}. This property is enabled if `quarkus.oidc.token.refresh-token-time-skew` is configured, you do not need to enable this property manually in this case. -
refreshTokenTimeSkew
The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token's expiration time, a refresh is going to happen. -
forcedJwkRefreshInterval
The forced JWK set refresh interval in minutes. -
header
Custom HTTP header that contains a bearer token. This option is valid only when the application is of typeOidcTenantConfig.ApplicationType.SERVICE
}. -
authorizationScheme
HTTP Authorization header scheme. -
signatureAlgorithm
Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property. -
decryptionKeyLocation
Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the `private_key_jwt` client authentication method is used, the private key used to sign the client authentication JWT tokens are also used to decrypt the encrypted ID tokens. -
allowJwtIntrospection
Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to `true` by default for backward-compatibility reasons. It is planned that this default value will be changed to `false` in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option. -
requireJwtIntrospectionOnly
Require that JWT tokens are only introspected remotely. -
allowOpaqueTokenIntrospection
Allow the remote introspection of the opaque tokens. Set this property to `false` if only JWT tokens are expected. -
customizerName
Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer usingTenantFeature
qualifier when registering customTokenCustomizer
. Use this property only to refer to `TokenCustomizer` implementations provided by this extension. -
verifyAccessTokenWithUserInfo
@ConfigItem(defaultValueDocumentation="false") public Optional<Boolean> verifyAccessTokenWithUserInfoIndirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
-
-
Constructor Details
-
Token
public Token()
-
-
Method Details
-
fromIssuer
-
fromAudience
-
isVerifyAccessTokenWithUserInfo
-
setVerifyAccessTokenWithUserInfo
public void setVerifyAccessTokenWithUserInfo(boolean verify) -
getIssuer
-
setIssuer
-
getHeader
-
setHeader
-
getAudience
-
setAudience
-
getLifespanGrace
-
setLifespanGrace
public void setLifespanGrace(int lifespanGrace) -
getPrincipalClaim
-
setPrincipalClaim
-
isRefreshExpired
public boolean isRefreshExpired() -
setRefreshExpired
public void setRefreshExpired(boolean refreshExpired) -
getForcedJwkRefreshInterval
-
setForcedJwkRefreshInterval
-
getTokenType
-
setTokenType
-
getRefreshTokenTimeSkew
-
setRefreshTokenTimeSkew
-
isAllowJwtIntrospection
public boolean isAllowJwtIntrospection() -
setAllowJwtIntrospection
public void setAllowJwtIntrospection(boolean allowJwtIntrospection) -
isAllowOpaqueTokenIntrospection
public boolean isAllowOpaqueTokenIntrospection() -
setAllowOpaqueTokenIntrospection
public void setAllowOpaqueTokenIntrospection(boolean allowOpaqueTokenIntrospection) -
getAge
-
setAge
-
isIssuedAtRequired
public boolean isIssuedAtRequired() -
setIssuedAtRequired
public void setIssuedAtRequired(boolean issuedAtRequired) -
getDecryptionKeyLocation
-
setDecryptionKeyLocation
-
getRequiredClaims
-
setRequiredClaims
-
isRequireJwtIntrospectionOnly
public boolean isRequireJwtIntrospectionOnly() -
setRequireJwtIntrospectionOnly
public void setRequireJwtIntrospectionOnly(boolean requireJwtIntrospectionOnly) -
getSignatureAlgorithm
-
setSignatureAlgorithm
-
getCustomizerName
-
setCustomizerName
-
isSubjectRequired
public boolean isSubjectRequired() -
setSubjectRequired
public void setSubjectRequired(boolean subjectRequired) -
getAuthorizationScheme
-
setAuthorizationScheme
-