io.quarkus.oidc.OidcTenantConfig$Token.jdp
io.quarkus.oidc.OidcTenantConfig.Token.age=Token age.\n\nThe maximum number of seconds that may elapse since the `iat` (issued at) time.\nA small leeway to account for clock skew, configured with `quarkus.oidc.token.lifespan-grace` for verifying the token expiry time,\ncan also be used when verifying the token age.\n\nNote that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens\nmust have a valid (`exp`) expiry claim value. The only exception where setting this property relaxes the requirement\nis when a logout token is sent with a back-channel logout request, since the current\nOpenID Connect Back-Channel specification does not explicitly require logout tokens to contain an `exp` claim.\nHowever, even if the current logout token is allowed to have no `exp` claim, the `exp` claim is still verified\nif the logout token contains it.
io.quarkus.oidc.OidcTenantConfig.Token.allowJwtIntrospection=Allow the remote introspection of JWT tokens when no matching JWK key is available.\n\nThis property is set to `true` by default for backward-compatibility reasons. It is planned that this default value\nwill be changed to `false` in an upcoming release.\n\nAlso note that this property is ignored if the JWK endpoint URI is not available and introspecting the tokens is\nthe only verification option.
io.quarkus.oidc.OidcTenantConfig.Token.allowOpaqueTokenIntrospection=Allow the remote introspection of the opaque tokens.\n\nSet this property to `false` if only JWT tokens are expected.
io.quarkus.oidc.OidcTenantConfig.Token.audience=The expected audience `aud` claim value, which can be a string or an array of strings.\n\nNote that the audience claim is verified for ID tokens by default.\nThe ID token audience must be equal to the value of the `quarkus.oidc.client-id` property.\nUse this property to override the expected value if your OpenID Connect provider\nsets a different audience claim value in ID tokens. Set it to `any` if your provider\ndoes not set the ID token audience claim.\n\nAudience verification for access tokens is only done if this property is configured.
io.quarkus.oidc.OidcTenantConfig.Token.authorizationScheme=HTTP Authorization header scheme.
io.quarkus.oidc.OidcTenantConfig.Token.customizerName=Token customizer name.\n\nAllows selecting a tenant-specific token customizer as a named bean.\nPrefer using the {@link TenantFeature} qualifier when registering a custom {@link TokenCustomizer}.\nUse this property only to refer to `TokenCustomizer` implementations provided by this extension.
io.quarkus.oidc.OidcTenantConfig.Token.decryptionKeyLocation=Decryption key location.\nJWT tokens can be inner-signed and encrypted by OpenID Connect providers.\nHowever, it is not always possible to remotely introspect such tokens because\nthe providers might not control the private decryption keys.\nIn such cases, set this property to point to the file containing the decryption private key in\nPEM or JSON Web Key (JWK) format.\nIf this property is not set and the `private_key_jwt` client authentication method is used, the private key\nused to sign the client authentication JWT tokens is also used to decrypt the encrypted ID tokens.
io.quarkus.oidc.OidcTenantConfig.Token.forcedJwkRefreshInterval=The forced JWK set refresh interval in minutes.
io.quarkus.oidc.OidcTenantConfig.Token.header=Custom HTTP header that contains a bearer token.\nThis option is valid only when the application is of type {@link ApplicationType\#SERVICE}.
io.quarkus.oidc.OidcTenantConfig.Token.issuedAtRequired=Require that the token includes an `iat` (issued at) claim.\n\nSet this property to `false` if your JWT token does not contain an `iat` (issued at) claim.\nNote that the ID token is always required to have an `iat` claim and therefore this property has no impact on the ID\ntoken verification process.
io.quarkus.oidc.OidcTenantConfig.Token.issuer=The expected issuer `iss` claim value.\nThis property overrides the `issuer` property, which might be set in the OpenID Connect provider's well-known\nconfiguration.\nIf the `iss` claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the\nissuer verification by setting this property to `any`, but this should be done only when other options (such as\nconfiguring the provider to use a fixed `iss` claim value) are not possible.
io.quarkus.oidc.OidcTenantConfig.Token.lifespanGrace=Life span grace period in seconds.\nWhen checking token expiry, the current time is allowed to be later than the token expiration time by at most the configured\nnumber of seconds.\nWhen checking token issuance, the current time is allowed to be earlier than the token issue time by at most the configured\nnumber of seconds.
io.quarkus.oidc.OidcTenantConfig.Token.principalClaim=Name of the claim which contains a principal name.\nBy default, the `upn`, `preferred_username` and `sub` claims are checked.
io.quarkus.oidc.OidcTenantConfig.Token.refreshExpired=Refresh expired authorization code flow ID or access tokens.\nIf this property is enabled, a refresh token request is performed if the authorization code\nID or access token has expired and, if successful, the local session is updated with the new set of tokens.\nOtherwise, the local session is invalidated and the user is redirected to the OpenID Provider to re-authenticate.\nIn this case, the user might not be challenged again if the OIDC provider session is still active.\n\nFor this option to be effective, the `authentication.session-age-extension` property should also be set to a nonzero\nvalue, since the refresh token is currently kept in the user session.\n\nThis option is valid only when the application is of type {@link ApplicationType\#WEB_APP}.\n\nThis property is enabled automatically if `quarkus.oidc.token.refresh-token-time-skew` is configured;\nyou do not need to enable this property manually in that case.
io.quarkus.oidc.OidcTenantConfig.Token.refreshTokenTimeSkew=The refresh token time skew, in seconds.\nIf this property is enabled, the configured number of seconds is added to the current time\nwhen checking if the authorization code ID or access token should be refreshed.\nIf the sum is greater than the authorization code ID or access token's expiration time, a refresh is performed.
io.quarkus.oidc.OidcTenantConfig.Token.requireJwtIntrospectionOnly=Require that JWT tokens are only introspected remotely.
io.quarkus.oidc.OidcTenantConfig.Token.requiredClaims=A map of required claims and their expected values.\nFor example, `quarkus.oidc.token.required-claims.org_id \= org_xyz` requires tokens to have the `org_id` claim\npresent and set to `org_xyz`.\nStrings are the only supported types. Use {@linkplain SecurityIdentityAugmentor} to verify claims of other types or\ncomplex claims.
io.quarkus.oidc.OidcTenantConfig.Token.signatureAlgorithm=Required signature algorithm.\nOIDC providers support many signature algorithms, but if necessary you can restrict the\nQuarkus application to accept only tokens signed with the algorithm configured with this property.
io.quarkus.oidc.OidcTenantConfig.Token.subjectRequired=Require that the token includes a `sub` (subject) claim which is a unique\nand never reassigned identifier for the current user.\nNote that if you enable this property and if UserInfo is also required,\nboth the token and UserInfo `sub` claims must be present and match each other.
io.quarkus.oidc.OidcTenantConfig.Token.tokenType=Expected token type.
io.quarkus.oidc.OidcTenantConfig.Token.verifyAccessTokenWithUserInfo=Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo.\nAn opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo.\nYou should only enable this option if opaque access tokens must be accepted but the OpenID Connect\nprovider does not have a token introspection endpoint.\nThis property has no effect when JWT tokens must be verified.
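A hardened `application.properties` for a bearer-token service built from the properties described above, as an added example that is not part of the Quarkus extension's own documentation; the provider URL, client id, issuer, audience and `org_id` values are assumed, and the permissive alternative for each setting is shown as a comment beside the chosen value:

```properties
# Added example (not Quarkus source). Provider URL, client id, issuer,
# audience and org_id are assumed values for illustration.
quarkus.oidc.auth-server-url=https://idp.example.com/realms/demo
quarkus.oidc.client-id=orders-api
quarkus.oidc.application-type=service

# Pin issuer and audience instead of accepting whatever the token carries.
# Permissive: quarkus.oidc.token.issuer=any    (skips the iss check entirely)
# Permissive: quarkus.oidc.token.audience=any  (skips the ID token aud check;
#             access tokens get no aud check at all while audience is unset)
quarkus.oidc.token.issuer=https://idp.example.com/realms/demo
quarkus.oidc.token.audience=orders-api

# Lifetime checks: a small clock-skew grace (seconds) that applies to exp,
# to iat and to the age check, plus a hard upper bound on age since iat.
# Permissive: omitting token.age means only exp bounds the token lifetime.
quarkus.oidc.token.lifespan-grace=30
quarkus.oidc.token.age=600
quarkus.oidc.token.issued-at-required=true
quarkus.oidc.token.subject-required=true

# Accept a single signature algorithm and require a tenant claim value.
quarkus.oidc.token.signature-algorithm=RS256
quarkus.oidc.token.required-claims.org_id=org_xyz

# Do not fall back to remote introspection when no matching JWK key is found,
# and reject opaque tokens outright since only JWTs are expected here.
# Permissive: allow-jwt-introspection=true is the current default.
quarkus.oidc.token.allow-jwt-introspection=false
quarkus.oidc.token.allow-opaque-token-introspection=false
```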