OpenID Connect (OIDC) configuration properties

The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_NAME

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEY

If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_FILE

A parameter to specify the password of the keystore file.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_PASSWORD

The private key password.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_PASSWORD

The key identifier of the signing key added as a JWT kid header.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_KEY_ID

Subject of the signing key added as a JWT sub claim The default value is the client id.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SUBJECT

The signature algorithm used for the key-file property. Supported values: RS256 (default), RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SIGNATURE_ALGORITHM

If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_ASSERTION

If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a TenantConfigResolver that resolves tenant configurations is registered, or named tenants are configured. In this case, you do not need to disable the default tenant.

Environment variable: QUARKUS_OIDC_TENANT_ENABLED

The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for web-app applications if OIDC discovery is disabled. This property is ignored if OIDC discovery is enabled.

Environment variable: QUARKUS_OIDC_AUTHORIZATION_PATH

Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_INTROSPECTION_PATH

Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the web-app applications is required. This property is ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_END_SESSION_PATH

The public key for the local JWT token verification. OIDC server connection is not created when this property is set.

Environment variable: QUARKUS_OIDC_PUBLIC_KEY

Secret

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_SECRET

A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no groups claim but has the groups set in one or more different claims.

Environment variable: QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH

Source of the principal roles.

Environment variable: QUARKUS_OIDC_ROLES_SOURCE

The expected audience aud claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. ID token audience must be equal to the value of quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set ID token audience` claim. Audience verification for access tokens is only done if this property is configured.

Environment variable: QUARKUS_OIDC_TOKEN_AUDIENCE

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRED_CLAIMS__CLAIM_NAME_

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC_TOKEN_LIFESPAN_GRACE

Require that the token includes a iat (issued at) claim Set this property to false if your JWT token does not contain an iat (issued at) claim. Note that ID token is always required to have an iat claim and therefore this property has no impact on the ID token verification process.

Environment variable: QUARKUS_OIDC_TOKEN_ISSUED_AT_REQUIRED

Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}. This property is enabled if quarkus.oidc.token.refresh-token-time-skew is configured, you do not need to enable this property manually in this case.

Environment variable: QUARKUS_OIDC_TOKEN_REFRESH_EXPIRED

The forced JWK set refresh interval in minutes.

Environment variable: QUARKUS_OIDC_TOKEN_FORCED_JWK_REFRESH_INTERVAL

HTTP Authorization header scheme.

Environment variable: QUARKUS_OIDC_TOKEN_AUTHORIZATION_SCHEME

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the private_key_jwt client authentication method is used, the private key used to sign the client authentication JWT tokens are also used to decrypt the encrypted ID tokens.

Environment variable: QUARKUS_OIDC_TOKEN_DECRYPTION_KEY_LOCATION

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using TenantFeature qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.

Environment variable: QUARKUS_OIDC_TOKEN_CUSTOMIZER_NAME

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC_LOGOUT_PATH

Name of the post logout URI parameter which is added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_POST_LOGOUT_URI_PARAM

The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_PATH

Number of minutes a logout token can be cached for.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_TOKEN_CACHE_TIME_TO_LIVE

Logout token claim whose value is used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_LOGOUT_TOKEN_KEY

Common name of the leaf certificate. It must be set if the trust-store-file does not have this certificate imported.

Environment variable: QUARKUS_OIDC_CERTIFICATE_CHAIN_LEAF_CERTIFICATE_NAME

A parameter to specify the password of the truststore file if it is configured with trust-store-file.

Environment variable: QUARKUS_OIDC_CERTIFICATE_CHAIN_TRUST_STORE_PASSWORD

An optional parameter to specify type of the truststore file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC_CERTIFICATE_CHAIN_TRUST_STORE_FILE_TYPE

The relative path for calculating a redirect_uri query parameter. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if the current request URI is https://localhost:8080/service, a redirect_uri parameter is set to https://localhost:8080/ if this property is set to / and be the same as the request URI if this property has not been configured. Note the original request URI is restored after the user has authenticated if restorePathAfterRedirect is set to true.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REDIRECT_PATH

Remove the query parameters such as code and state set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REMOVE_REDIRECT_PARAMETERS

Relative path to the public endpoint which an authenticated user is redirected to when the session has expired.

When the OIDC session has expired and the session can not be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned.

Set this property if you would like the user whose session has expired be redirected to a public application specific page instead, which can inform that the session has expired and advise the user to re-authenticated by following a link to the secured initial entry page.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SESSION_EXPIRED_PATH

Force https as the redirect_uri parameter scheme when running behind an SSL/TLS terminating reverse proxy. This property, if enabled, also affects the logout post_logout_redirect_uri and the local redirect requests.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME

The separator which is used when more than one scope is configured. A single space is used by default.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SCOPE_SEPARATOR

Add the openid scope automatically to the list of scopes. This is required for OpenId Connect providers, but does not work for OAuth2 providers such as Twitter OAuth2, which do not accept this scope and throw errors.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ADD_OPENID_SCOPE

Request URL query parameters which, if present, are added to the authentication redirect URI.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FORWARD_PARAMS

Cookie name suffix. For example, a session cookie name for the default OIDC tenant is q_session but can be changed to q_session_test if this property is set to test.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_SUFFIX

Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the cookie-path property is checked.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_PATH_HEADER

SameSite attribute for the session cookie.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_SAME_SITE

Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present.

When either multiple authentications are disabled or the redirect URL matches the original request URL, the stale state cookie might remain in the browser cache from the earlier failed redirect to an OpenId Connect provider and be visible during the current request. For example, if Single-page application (SPA) uses XHR to handle redirects to the provider which does not support CORS for its authorization endpoint, the browser blocks it and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but find no matching state query parameter.

Reporting HTTP 401 error is usually the right thing to do in such cases, it minimizes a risk of the browser redirect loop but also can identify problems in the way SPA or Quarkus application manage redirects. For example, enabling java-script-auto-redirect or having the provider redirect to URL configured with redirect-path might be needed to avoid such errors.

However, setting this property to false might help if the above options are not suitable. It causes a new authentication redirect to OpenId Connect provider. Doing so might increase the risk of browser redirect loops.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FAIL_ON_MISSING_STATE_PARAM

Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the token.refresh-expired property has not been enabled.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SESSION_AGE_EXTENSION

If this property is set to true, a normal 302 redirect response is returned if the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated, which might not be desirable for Single-page applications (SPA) since it automatically following the redirect might not work given that OIDC authorization endpoints typically do not support CORS.

If this property is set to false, a status code of 499 is returned to allow SPA to handle the redirect manually if a request header identifying current request as a JavaScript request is found. X-Requested-With request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. A client secret is not be used as a state encryption secret if it is less than 32 characters long.

The secret is auto-generated if it remains uninitialized after checking all of these properties.

Error is reported if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_STATE_SECRET

Custom HTTP headers which must be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC_CODE_GRANT_HEADERS__HEADER_NAME_

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_SPLIT_TOKENS

The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when encryption-required property is enabled.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these properties. Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication will be required.

The length of the secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.

Environment variable: QUARKUS_OIDC_ALLOW_TOKEN_INTROSPECTION_CACHE

Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.

Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the allow-user-info-cache property set to false.

Environment variable: QUARKUS_OIDC_CACHE_USER_INFO_IN_IDTOKEN

Maximum number of JWK keys that can be cached. This property is ignored if the resolve-early property is set to true.

Environment variable: QUARKUS_OIDC_JWKS_CACHE_SIZE

Cache timer interval. If this property is set, a timer checks and removes the stale entries periodically. This property is ignored if the resolve-early property is set to true.

Environment variable: QUARKUS_OIDC_JWKS_CLEAN_UP_TIMER_INTERVAL

Well known OpenId Connect provider identifier

Environment variable: QUARKUS_OIDC_PROVIDER

Maximum amount of time a given cache entry is valid for.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_TIME_TO_LIVE

If OIDC tenants should be resolved using the bearer access token’s issuer (iss) claim value.

Environment variable: QUARKUS_OIDC_RESOLVE_TENANTS_WITH_ISSUER

Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually.

Environment variable: QUARKUS_OIDC__TENANT__DISCOVERY_ENABLED

The duration to attempt the initial connection to an OIDC server. For example, setting the duration to 20S allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the connection-retry-count property instead.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_DELAY

The number of seconds after which the current OIDC connection request times out.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_TIMEOUT

The maximum size of the connection pool used by the WebClient.

Environment variable: QUARKUS_OIDC__TENANT__MAX_POOL_SIZE

The port number of the Proxy. The default value is 80.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_PORT

The password, if the Proxy needs authentication.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_PASSWORD

The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if discovery-enabled is false or a discovered token endpoint path must be customized.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_PATH

The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if application-type is service and no token introspection is required.

Environment variable: QUARKUS_OIDC__TENANT__CLIENT_ID

The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_SECRET

The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY

JWT token source: OIDC provider client or an existing JWT bearer token.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SOURCE

The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_NAME

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEY

If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_FILE

A parameter to specify the password of the keystore file.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_PASSWORD

The private key password.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_PASSWORD

The key identifier of the signing key added as a JWT kid header.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_TOKEN_KEY_ID

Subject of the signing key added as a JWT sub claim The default value is the client id.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SUBJECT

The signature algorithm used for the key-file property. Supported values: RS256 (default), RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SIGNATURE_ALGORITHM

If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ASSERTION

If this tenant configuration is enabled. The default tenant is disabled if it is not configured but a TenantConfigResolver that resolves tenant configurations is registered, or named tenants are configured. In this case, you do not need to disable the default tenant.

Environment variable: QUARKUS_OIDC__TENANT__TENANT_ENABLED

The relative path or absolute URL of the OpenID Connect (OIDC) authorization endpoint, which authenticates users. You must set this property for web-app applications if OIDC discovery is disabled. This property is ignored if OIDC discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHORIZATION_PATH

Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JSON Web Token (JWT) tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens must be verified or 2) JWT tokens must be verified while the cached JWK verification set with no matching JWK is being refreshed. This property is ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_PATH

Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the web-app applications is required. This property is ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__END_SESSION_PATH

The public key for the local JWT token verification. OIDC server connection is not created when this property is set.

Environment variable: QUARKUS_OIDC__TENANT__PUBLIC_KEY

Secret

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_CREDENTIALS_SECRET

A list of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments. Each segment represents a JSON object name only; for example: "realm/groups". Use double quotes with the namespace-qualified claim names. This property can be used if a token has no groups claim but has the groups set in one or more different claims.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_ROLE_CLAIM_PATH

Source of the principal roles.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_SOURCE

The expected audience aud claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. ID token audience must be equal to the value of quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set ID token audience` claim. Audience verification for access tokens is only done if this property is configured.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_AUDIENCE

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRED_CLAIMS__CLAIM_NAME_

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_LIFESPAN_GRACE

Require that the token includes a iat (issued at) claim Set this property to false if your JWT token does not contain an iat (issued at) claim. Note that ID token is always required to have an iat claim and therefore this property has no impact on the ID token verification process.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_ISSUED_AT_REQUIRED

Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}. This property is enabled if quarkus.oidc.token.refresh-token-time-skew is configured, you do not need to enable this property manually in this case.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REFRESH_EXPIRED

The forced JWK set refresh interval in minutes.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_FORCED_JWK_REFRESH_INTERVAL

HTTP Authorization header scheme.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_AUTHORIZATION_SCHEME

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the private_key_jwt client authentication method is used, the private key used to sign the client authentication JWT tokens are also used to decrypt the encrypted ID tokens.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_DECRYPTION_KEY_LOCATION

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using TenantFeature qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_CUSTOMIZER_NAME

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_PATH

Name of the post logout URI parameter which is added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_POST_LOGOUT_URI_PARAM

The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_PATH

Number of minutes a logout token can be cached for.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_TOKEN_CACHE_TIME_TO_LIVE

Logout token claim whose value is used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_LOGOUT_TOKEN_KEY

Common name of the leaf certificate. It must be set if the trust-store-file does not have this certificate imported.

Environment variable: QUARKUS_OIDC__TENANT__CERTIFICATE_CHAIN_LEAF_CERTIFICATE_NAME

A parameter to specify the password of the truststore file if it is configured with trust-store-file.

Environment variable: QUARKUS_OIDC__TENANT__CERTIFICATE_CHAIN_TRUST_STORE_PASSWORD

An optional parameter to specify type of the truststore file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC__TENANT__CERTIFICATE_CHAIN_TRUST_STORE_FILE_TYPE

The relative path for calculating a redirect_uri query parameter. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if the current request URI is https://localhost:8080/service, a redirect_uri parameter is set to https://localhost:8080/ if this property is set to / and be the same as the request URI if this property has not been configured. Note the original request URI is restored after the user has authenticated if restorePathAfterRedirect is set to true.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_REDIRECT_PATH

Remove the query parameters such as code and state set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_REMOVE_REDIRECT_PARAMETERS

Relative path to the public endpoint which an authenticated user is redirected to when the session has expired.

When the OIDC session has expired and the session can not be refreshed, a user is redirected to the OIDC provider to re-authenticate. The user experience may not be ideal in this case as it may not be obvious to the authenticated user why an authentication challenge is returned.

Set this property if you would like the user whose session has expired be redirected to a public application specific page instead, which can inform that the session has expired and advise the user to re-authenticated by following a link to the secured initial entry page.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_SESSION_EXPIRED_PATH

Force https as the redirect_uri parameter scheme when running behind an SSL/TLS terminating reverse proxy. This property, if enabled, also affects the logout post_logout_redirect_uri and the local redirect requests.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME

The separator which is used when more than one scope is configured. A single space is used by default.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_SCOPE_SEPARATOR

Add the openid scope automatically to the list of scopes. This is required for OpenId Connect providers, but does not work for OAuth2 providers such as Twitter OAuth2, which do not accept this scope and throw errors.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ADD_OPENID_SCOPE

Request URL query parameters which, if present, are added to the authentication redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FORWARD_PARAMS

Cookie name suffix. For example, a session cookie name for the default OIDC tenant is q_session but can be changed to q_session_test if this property is set to test.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_SUFFIX

Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value is used to set a path parameter for the session, state and post logout cookies. If the header is missing, the cookie-path property is checked.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_PATH_HEADER

SameSite attribute for the session cookie.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_SAME_SITE

Fail with the HTTP 401 error if the state cookie is present but no state query parameter is present.

When either multiple authentications are disabled or the redirect URL matches the original request URL, the stale state cookie might remain in the browser cache from the earlier failed redirect to an OpenId Connect provider and be visible during the current request. For example, if Single-page application (SPA) uses XHR to handle redirects to the provider which does not support CORS for its authorization endpoint, the browser blocks it and the state cookie created by Quarkus remains in the browser cache. Quarkus reports an authentication failure when it detects such an old state cookie but find no matching state query parameter.

Reporting HTTP 401 error is usually the right thing to do in such cases, it minimizes a risk of the browser redirect loop but also can identify problems in the way SPA or Quarkus application manage redirects. For example, enabling java-script-auto-redirect or having the provider redirect to URL configured with redirect-path might be needed to avoid such errors.

However, setting this property to false might help if the above options are not suitable. It causes a new authentication redirect to OpenId Connect provider. Doing so might increase the risk of browser redirect loops.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FAIL_ON_MISSING_STATE_PARAM

Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the token.refresh-expired property has not been enabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_SESSION_AGE_EXTENSION

If this property is set to true, a normal 302 redirect response is returned if the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated, which might not be desirable for Single-page applications (SPA) since it automatically following the redirect might not work given that OIDC authorization endpoints typically do not support CORS.

If this property is set to false, a status code of 499 is returned to allow SPA to handle the redirect manually if a request header identifying current request as a JavaScript request is found. X-Requested-With request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. A client secret is not be used as a state encryption secret if it is less than 32 characters long.

The secret is auto-generated if it remains uninitialized after checking all of these properties.

Error is reported if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_STATE_SECRET

Custom HTTP headers which must be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC__TENANT__CODE_GRANT_HEADERS__HEADER_NAME_

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_SPLIT_TOKENS

The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when encryption-required property is enabled.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these properties. Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication will be required.

The length of the secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used, see OidcConfig.TokenCache to enable it.

Environment variable: QUARKUS_OIDC__TENANT__ALLOW_TOKEN_INTROSPECTION_CACHE

Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.

Inlining UserInfo in the generated IdToken is enabled if the session cookie is encrypted and the UserInfo cache is not enabled or caching UserInfo is disabled for the current tenant with the allow-user-info-cache property set to false.

Environment variable: QUARKUS_OIDC__TENANT__CACHE_USER_INFO_IN_IDTOKEN

Maximum number of JWK keys that can be cached. This property is ignored if the resolve-early property is set to true.

Environment variable: QUARKUS_OIDC__TENANT__JWKS_CACHE_SIZE