io.quarkus.oidc.OidcTenantConfig$Authentication.jdp
io.quarkus.oidc.OidcTenantConfig.Authentication.FORM_POST=Authorization response parameters are encoded as HTML form values that are auto-submitted in the browser\nand transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type
io.quarkus.oidc.OidcTenantConfig.Authentication.QUERY=Authorization response parameters are encoded in the query string added to the `redirect_uri`
io.quarkus.oidc.OidcTenantConfig.Authentication.addOpenidScope=Add the `openid` scope automatically to the list of scopes. This is required for OpenId Connect providers,\nbut does not work for OAuth2 providers such as Twitter OAuth2, which do not accept this scope and throw errors.
io.quarkus.oidc.OidcTenantConfig.Authentication.allowMultipleCodeFlows=If a state cookie is present, a `state` query parameter must also be present and both the state\ncookie name suffix and state cookie value must match the value of the `state` query parameter when\nthe redirect path matches the current path.\nHowever, if multiple authentications are attempted from the same browser, for example, from different\nbrowser tabs, then the currently available state cookie might represent the authentication flow\ninitiated from another tab and not be related to the current request.\nDisable this property to permit only a single authorization code flow in the same browser.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookieDomain=Cookie domain parameter value which, if set, is used for the session, state and post logout cookies.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookieForceSecure=If enabled, the state, session, and post logout cookies have their `secure` parameter set to `true`\nwhen HTTP is used. This might be necessary when running behind an SSL/TLS terminating reverse proxy.\nThe cookies are always secure if HTTPS is used, even if this property is set to false.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookiePath=Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post\nlogout cookies.\nThe `cookie-path-header` property, if set, is checked first.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookiePathHeader=Cookie path header parameter value which, if set, identifies the incoming HTTP header\nwhose value is used to set a path parameter for the session, state and post logout cookies.\nIf the header is missing, the `cookie-path` property is checked.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookieSameSite=SameSite attribute for the session cookie.
io.quarkus.oidc.OidcTenantConfig.Authentication.cookieSuffix=Cookie name suffix.\nFor example, a session cookie name for the default OIDC tenant is `q_session` but can be changed to `q_session_test`\nif this property is set to `test`.
io.quarkus.oidc.OidcTenantConfig.Authentication.errorPath=Relative path to the public endpoint which processes the error response from the OIDC authorization\nendpoint.\nIf the user authentication has failed, the OIDC provider returns an `error` parameter and an optional\n`error_description` parameter instead of the expected authorization `code`.\n\nIf this property is set, the user is redirected to the endpoint which can return a user-friendly\nerror description page. It has to start with a forward slash and is appended to the request URI's host and port.\nFor example, if it is set to `/error` and the current request URI is\n`https\://localhost\:8080/callback?error\=invalid_scope`,\na redirect is made to `https\://localhost\:8080/error?error\=invalid_scope`.\n\nIf this property is not set, HTTP 401 status is returned in case of user authentication failure.
io.quarkus.oidc.OidcTenantConfig.Authentication.extraParams=Additional properties added as query parameters to the authentication redirect URI.
io.quarkus.oidc.OidcTenantConfig.Authentication.failOnMissingStateParam=Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present.\n\nWhen either multiple authentications are disabled or the redirect URL\nmatches the original request URL, a stale state cookie might remain in the browser cache from\nan earlier failed redirect to an OpenId Connect provider and be visible during the current request.\nFor example, if a Single-page application (SPA) uses XHR to handle redirects to a provider\nwhich does not support CORS for its authorization endpoint, the browser blocks the redirect\nand the state cookie created by Quarkus remains in the browser cache.\nQuarkus reports an authentication failure when it detects such an old state cookie but finds no matching state\nquery parameter.\n\nReporting an HTTP 401 error is usually the right thing to do in such cases: it minimizes the risk of a\nbrowser redirect loop and can also reveal problems in the way the SPA or Quarkus application manages redirects.\nFor example, enabling {@link \#javaScriptAutoRedirect} or having the provider redirect to the URL configured\nwith {@link \#redirectPath} might be needed to avoid such errors.\n\nHowever, setting this property to `false` might help if the above options are not suitable.\nIt causes a new authentication redirect to the OpenId Connect provider. Doing so might increase the\nrisk of browser redirect loops.
io.quarkus.oidc.OidcTenantConfig.Authentication.forceRedirectHttpsScheme=Force `https` as the `redirect_uri` parameter scheme when running behind an SSL/TLS terminating reverse\nproxy.\nThis property, if enabled, also affects the logout `post_logout_redirect_uri` and the local redirect requests.
io.quarkus.oidc.OidcTenantConfig.Authentication.forwardParams=Request URL query parameters which, if present, are added to the authentication redirect URI.
io.quarkus.oidc.OidcTenantConfig.Authentication.idTokenRequired=Requires that an ID token is available when the authorization code flow completes.\nDisable this property only when you need to use the authorization code flow with OAuth2 providers which do not return\nan ID token; an internal ID token is generated in such cases.
io.quarkus.oidc.OidcTenantConfig.Authentication.internalIdTokenLifespan=Internal ID token lifespan.\nThis property is only checked when an internal ID token is generated because the OAuth2 provider does not return one.
io.quarkus.oidc.OidcTenantConfig.Authentication.javaScriptAutoRedirect=If this property is set to `true`, a normal 302 redirect response is returned\nif the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be\n(re)authenticated. This might not be desirable for Single-page applications (SPA), since\nautomatically following the redirect might not work given that OIDC authorization endpoints typically do not\nsupport CORS.\n\nIf this property is set to `false`, a status code of `499` is returned to allow the\nSPA to handle the redirect manually if a request header identifying the current request as a JavaScript request is found.\nBy default, an `X-Requested-With` request header with its value set to either `JavaScript` or `XMLHttpRequest` is expected\nif this property is enabled. You can register a custom {@linkplain JavaScriptRequestChecker} to do a custom JavaScript\nrequest check instead.
io.quarkus.oidc.OidcTenantConfig.Authentication.nonceRequired=Require that the ID token includes a `nonce` claim which must match the `nonce` authentication request query parameter.\nEnabling this property can help mitigate replay attacks.\nDo not enable this property if your OpenId Connect provider does not support setting `nonce` in the ID token\nor if you work with an OAuth2 provider such as `GitHub` which does not issue ID tokens.
io.quarkus.oidc.OidcTenantConfig.Authentication.pkceRequired=Requires that a Proof Key for Code Exchange (PKCE) is used.
io.quarkus.oidc.OidcTenantConfig.Authentication.pkceSecret=Secret used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state.\nThis secret should be at least 32 characters long.\n\n@deprecated This field is deprecated. Use {@link \#stateSecret} instead.
io.quarkus.oidc.OidcTenantConfig.Authentication.redirectPath=The relative path for calculating a `redirect_uri` query parameter.\nIt has to start with a forward slash and is appended to the request URI's host and port.\nFor example, if the current request URI is `https\://localhost\:8080/service`, the `redirect_uri` parameter\nis set to `https\://localhost\:8080/` if this property is set to `/`, and is the same as the request URI\nif this property has not been configured.\nNote that the original request URI is restored after the user has authenticated if `restorePathAfterRedirect` is set\nto `true`.
io.quarkus.oidc.OidcTenantConfig.Authentication.removeRedirectParameters=Remove the query parameters such as `code` and `state` which the OIDC server set on the redirect URI\nafter the user has authenticated, by redirecting the user to the same URI but without the query parameters.
io.quarkus.oidc.OidcTenantConfig.Authentication.responseMode=Authorization code flow response mode.
io.quarkus.oidc.OidcTenantConfig.Authentication.restorePathAfterRedirect=If this property is set to `true`, the original request URI which was used before\nthe authentication is restored after the user has been redirected back to the application.\n\nNote that if the `redirectPath` property is not set, the original request URI is restored even if this property is\ndisabled.
io.quarkus.oidc.OidcTenantConfig.Authentication.scopeSeparator=The separator which is used when more than one scope is configured.\nA single space is used by default.
io.quarkus.oidc.OidcTenantConfig.Authentication.scopes=List of scopes
io.quarkus.oidc.OidcTenantConfig.Authentication.sessionAgeExtension=Session age extension in minutes.\nThe user session age property is set to the value of the ID token life-span by default and\nthe user is redirected to the OIDC provider to re-authenticate once the session has expired.\nIf this property is set to a nonzero value, then the expired ID token can be refreshed before\nthe session has expired.\nThis property is ignored if the `token.refresh-expired` property has not been enabled.
io.quarkus.oidc.OidcTenantConfig.Authentication.sessionExpiredPath=Relative path to the public endpoint which an authenticated user is redirected to when the session has expired.\n\nWhen the OIDC session has expired and the session can not be refreshed, the user is redirected\nto the OIDC provider to re-authenticate. The user experience may not be ideal in this case,\nas it may not be obvious to the authenticated user why an authentication challenge is returned.\n\nSet this property if you would like the user whose session has expired to be redirected to a public application-specific\npage instead, which can inform the user that the session has expired and advise the user to re-authenticate by following\na link to the secured initial entry page.
io.quarkus.oidc.OidcTenantConfig.Authentication.stateCookieAge=State cookie age in minutes.\nA state cookie is created every time a new authorization code flow redirect starts\nand removed when this flow is completed.\nThe state cookie name is unique by default, see {@link \#allowMultipleCodeFlows}.\nKeep its age to a reasonable minimum such as 5 minutes or less.
io.quarkus.oidc.OidcTenantConfig.Authentication.stateSecret=Secret used to encrypt the Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow\nstate.\nThis secret should be at least 32 characters long.\n\nIf this secret is not set, the client secret configured with\neither `quarkus.oidc.credentials.secret` or `quarkus.oidc.credentials.client-secret.value` is checked.\nFinally, `quarkus.oidc.credentials.jwt.secret`, which can be used for `client_jwt_secret` authentication, is\nchecked. A client secret is not used as a state encryption secret if it is less than 32 characters\nlong.\n\nThe secret is auto-generated if it remains uninitialized after checking all of these properties.\n\nAn error is reported if the secret length is less than 16 characters.
io.quarkus.oidc.OidcTenantConfig.Authentication.userInfoRequired=If this property is set to `true`, an OIDC UserInfo endpoint is called.\n\nThis property is enabled automatically if `quarkus.oidc.roles.source` is set to `userinfo`\nor `quarkus.oidc.token.verify-access-token-with-user-info` is set to `true`\nor `quarkus.oidc.authentication.id-token-required` is set to `false`;\nthe current OIDC tenant must support a UserInfo endpoint in these cases.\n\nIt is also enabled automatically if an `io.quarkus.oidc.UserInfo` injection point is detected, but only\nif the current OIDC tenant supports a UserInfo endpoint.
io.quarkus.oidc.OidcTenantConfig.Authentication.verifyAccessToken=Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow.\n\nThe ID token is always verified on every user request as the primary token which is used\nto represent the principal and extract the roles.\n\nThe authorization code flow access token is meant to be propagated to downstream services\nand is not verified by default unless the `quarkus.oidc.roles.source` property is set to `accesstoken`,\nwhich means the authorization decision is based on the roles extracted from the access token.\n\nAuthorization code flow access token verification is also enabled if this token is injected as JsonWebToken.\nSet this property to `false` if it is not required.\n\nA bearer access token is always verified.
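As an added example (not from the Quarkus project or this properties file), a hardened `application.properties` for a code flow tenant that exercises the settings documented above. Property keys are assumed to be the kebab-case form of the field names listed here, as the page's own `cookie-path`, `id-token-required` and `quarkus.oidc.credentials.secret` references suggest; the issuer URL, application paths and environment variable names are constructed placeholders.

```properties
# Constructed tenant: replace the issuer, client id and secrets with your own.
quarkus.oidc.auth-server-url=https://idp.example.invalid/realms/demo
quarkus.oidc.client-id=demo-web-app
quarkus.oidc.credentials.secret=${OIDC_CLIENT_SECRET}
quarkus.oidc.application-type=web-app

# Bind the authorization code to this client (PKCE) and the ID token to this
# login request (nonce). Enable both only if the provider supports them;
# an OAuth2-only provider that issues no ID token cannot satisfy nonce-required.
quarkus.oidc.authentication.pkce-required=true
quarkus.oidc.authentication.nonce-required=true

# Encrypts the PKCE verifier and nonce carried in the code flow state cookie.
# Set it explicitly and keep it at least 32 characters: a shorter client secret
# is skipped as a fallback, and anything under 16 characters is an error.
quarkus.oidc.authentication.state-secret=${OIDC_STATE_SECRET}

# A state cookie only needs to outlive one round trip to the provider, so keep it
# short, and treat a stale state cookie without a matching state parameter as a
# failure rather than silently starting a new flow (redirect loop risk).
quarkus.oidc.authentication.state-cookie-age=5M
quarkus.oidc.authentication.fail-on-missing-state-param=true

# Behind a TLS-terminating reverse proxy the application sees plain HTTP, so
# force the Secure cookie attribute and an https redirect_uri explicitly.
# Lax SameSite still lets the provider's top-level redirect back carry the cookie.
quarkus.oidc.authentication.cookie-force-secure=true
quarkus.oidc.authentication.force-redirect-https-scheme=true
quarkus.oidc.authentication.cookie-same-site=lax

# Return to one fixed callback path, restore the page the user asked for, and
# strip code/state from the final URL so they do not linger in browser history.
quarkus.oidc.authentication.redirect-path=/callback
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.remove-redirect-parameters=true

# Give users an explanation instead of a bare 401 or an unexplained challenge.
quarkus.oidc.authentication.error-path=/auth-error
quarkus.oidc.authentication.session-expired-path=/session-expired
```

The `error-path` and `session-expired-path` targets must be public endpoints of the application, since the user reaching them is, by definition, not authenticated.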