Package io.quarkus.oidc.runtime

Interface OidcTenantConfig

All Superinterfaces:
OidcClientCommonConfig, OidcCommonConfig
All Known Implementing Classes:
OidcTenantConfig
public interface OidcTenantConfig extends OidcClientCommonConfig

  • Method Details

    • tenantId

      Optional<String> tenantId()
      A unique tenant identifier. It can be set by TenantConfigResolver providers, which resolve the tenant configuration dynamically.

    • tenantEnabled

      @WithDefault("true") boolean tenantEnabled()
      If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a TenantConfigResolver that resolves tenant configurations is registered, or named tenants are configured. In this case, you do not need to disable the default tenant.

    • applicationType

      @ConfigDocDefault("service") Optional<OidcTenantConfig.ApplicationType> applicationType()
      The application type, which can be one of the following OidcTenantConfig.ApplicationType values.

    • authorizationPath

      Optional<String> authorizationPath()
      The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for `web-app` applications if OIDC discovery is disabled. This property is ignored if OIDC discovery is enabled.

    • userInfoPath

      Optional<String> userInfoPath()
      The relative path or absolute URL of the OIDC UserInfo endpoint. You must set this property for `web-app` applications if OIDC discovery is disabled and the `authentication.user-info-required` property is enabled. This property is ignored if OIDC discovery is enabled.

    • introspectionPath

      Optional<String> introspectionPath()
      Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.

    • jwksPath

      Optional<String> jwksPath()
      Relative path or absolute URL of the OIDC JSON Web Key Set (JWKS) endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property is ignored if the discovery is enabled.

    • endSessionPath

      Optional<String> endSessionPath()
      Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the `web-app` applications is required. This property is ignored if the discovery is enabled.

    • tenantPaths

      Optional<List<String>> tenantPaths()
      The paths which must be secured by this tenant. Tenant with the most specific path wins. Please see the xref:security-openid-connect-multitenancy.adoc#configure-tenant-paths[Configure tenant paths] section of the OIDC multitenancy guide for explanation of allowed path patterns.

    • publicKey

      Optional<String> publicKey()
      The public key for the local JWT token verification. OIDC server connection is not created when this property is set.

    • introspectionCredentials

      @ConfigDocSection OidcTenantConfig.IntrospectionCredentials introspectionCredentials()
      Optional introspection endpoint-specific basic authentication configuration. It must be configured only if the introspection is required but OpenId Connect Provider does not support the OIDC client authentication configured with OidcCommonConfig#credentials for its introspection endpoint.

    • roles

      @ConfigDocSection OidcTenantConfig.Roles roles()
      Configuration to find and parse custom claims which contain roles.

    • token

      @ConfigDocSection OidcTenantConfig.Token token()
      Configuration to customize validation of token claims.

    • logout

      @ConfigDocSection OidcTenantConfig.Logout logout()
      RP-initiated, back-channel and front-channel logout configuration.

    • certificateChain

      @ConfigDocSection OidcTenantConfig.CertificateChain certificateChain()
      Configuration of the certificate chain which can be used to verify tokens. If the certificate chain truststore is configured, the tokens can be verified using the certificate chain inlined in the Base64-encoded format as an `x5c` header in the token itself.

      The certificate chain inlined in the token is verified. Signature of every certificate in the chain but the root certificate is verified by the next certificate in the chain. Thumbprint of the root certificate in the chain must match a thumbprint of one of the certificates in the truststore.

      Additionally, a direct trust in the leaf chain certificate which will be used to verify the token signature must be established. By default, the leaf certificate's thumbprint must match a thumbprint of one of the certificates in the truststore. If the truststore does not have the leaf certificate imported, then the leaf certificate must be identified by its Common Name.

    • authentication

      @ConfigDocSection OidcTenantConfig.Authentication authentication()
      Configuration for managing an authorization code flow.

    • codeGrant

      @ConfigDocSection OidcTenantConfig.CodeGrant codeGrant()
      Configuration to complete an authorization code flow grant.

    • tokenStateManager

      @ConfigDocSection OidcTenantConfig.TokenStateManager tokenStateManager()
      Default token state manager configuration

    • allowTokenIntrospectionCache

      @WithDefault("true") boolean allowTokenIntrospectionCache()
      Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.

    • allowUserInfoCache

      @WithDefault("true") boolean allowUserInfoCache()
      Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.

    • cacheUserInfoInIdtoken

      Optional<Boolean> cacheUserInfoInIdtoken()
      Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.

      Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the allowUserInfoCache() property set to `false`.

    • jwks

      @ConfigDocSection OidcTenantConfig.Jwks jwks()
      How JsonWebKey verification key set should be acquired and managed.

    • provider

      Optional<OidcTenantConfig.Provider> provider()
      Well known OpenId Connect provider identifier