OpenID Connect (OIDC) configuration properties

Grant type which will be used to acquire a token to test the OIDC 'service' applications

Environment variable: QUARKUS_OIDC_DEVUI_GRANT_TYPE

The WebClient timeout. Use this property to configure how long an HTTP client used by Dev UI handlers will wait for a response when requesting tokens from OpenId Connect Provider and sending them to the service endpoint.

Environment variable: QUARKUS_OIDC_DEVUI_WEB_CLIENT_TIMEOUT

The port number of the Proxy. The default value is 80.

Environment variable: QUARKUS_OIDC_PROXY_PORT

The password, if the Proxy needs authentication.

Environment variable: QUARKUS_OIDC_PROXY_PASSWORD

The client secret used by the client_secret_basic authentication method. Must be set unless a secret is set in client-secret or jwt client authentication is required. You can use client-secret.value instead, but both properties are mutually exclusive.

Environment variable: QUARKUS_OIDC_CREDENTIALS_SECRET

The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY

JWT token source: OIDC provider client or an existing JWT bearer token.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SOURCE

If provided, indicates that JWT is signed using a secret key. It is mutually exclusive with key, key-file and key-store properties.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET

The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME

String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. It is mutually exclusive with secret, key-file and key-store properties. You can use the signature-algorithm property to override the default key algorithm, RS256.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY

If provided, indicates that JWT is signed using a private key from a keystore. It is mutually exclusive with secret, key and key-file properties.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_FILE

The private key id or alias.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_ID

The JWT audience (aud) claim value. By default, the audience is set to the address of the OpenId Connect Provider’s token endpoint.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_AUDIENCE

The issuer of the signing key added as a JWT iss claim. The default value is the client id.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_ISSUER

Additional claims.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_

The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_LIFESPAN

Name

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_NAME

Include OpenId Connect Client ID configured with quarkus.oidc.client-id.

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_INCLUDE_CLIENT_ID

The separator for splitting strings that contain multiple group values. It is only used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space is used by default because the standard scope claim can contain a space-separated sequence.

Environment variable: QUARKUS_OIDC_ROLES_ROLE_CLAIM_SEPARATOR

The expected issuer iss claim value. This property overrides the issuer property, which might be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to any, but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.

Environment variable: QUARKUS_OIDC_TOKEN_ISSUER

Require that the token includes a sub (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo sub claims must be present and match each other.

Environment variable: QUARKUS_OIDC_TOKEN_SUBJECT_REQUIRED

Expected token type

Environment variable: QUARKUS_OIDC_TOKEN_TOKEN_TYPE

Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with quarkus.oidc.token.lifespan-grace to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid (exp) expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an exp claim. However, even if the current logout token is allowed to have no exp claim, the exp claim is still verified if the logout token contains it.

Environment variable: QUARKUS_OIDC_TOKEN_AGE

Name of the claim which contains a principal name. By default, the upn, preferred_username and sub claims are checked.

Environment variable: QUARKUS_OIDC_TOKEN_PRINCIPAL_CLAIM

The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time, a refresh is going to happen.

Environment variable: QUARKUS_OIDC_TOKEN_REFRESH_TOKEN_TIME_SKEW

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE.

Environment variable: QUARKUS_OIDC_TOKEN_HEADER

Required signature algorithm. OIDC providers support many signature algorithms but if necessary you can restrict Quarkus application to accept tokens signed only using an algorithm configured with this property.

Environment variable: QUARKUS_OIDC_TOKEN_SIGNATURE_ALGORITHM

Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to true by default for backward-compatibility reasons. It is planned that this default value will be changed to false in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.

Environment variable: QUARKUS_OIDC_TOKEN_ALLOW_JWT_INTROSPECTION

Allow the remote introspection of the opaque tokens. Set this property to false if only JWT tokens are expected.

Environment variable: QUARKUS_OIDC_TOKEN_ALLOW_OPAQUE_TOKEN_INTROSPECTION

Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens must be accepted but OpenId Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.

Environment variable: QUARKUS_OIDC_TOKEN_VERIFY_ACCESS_TOKEN_WITH_USER_INFO

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC_LOGOUT_PATH

Name of the post logout URI parameter which is added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_POST_LOGOUT_URI_PARAM

The relative path of the Back-Channel Logout endpoint at the application. It must start with the forward slash '/', for example, '/back-channel-logout'. This value is always resolved relative to 'quarkus.http.root-path'.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_PATH

Number of minutes a logout token can be cached for.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_TOKEN_CACHE_TIME_TO_LIVE

Logout token claim whose value is used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_LOGOUT_TOKEN_KEY

Clear-Site-Data header directives

Environment variable: QUARKUS_OIDC_LOGOUT_CLEAR_SITE_DATA

Truststore file which keeps thumbprints of the trusted certificates.

Environment variable: QUARKUS_OIDC_CERTIFICATE_CHAIN_TRUST_STORE_FILE

A parameter to specify the alias of the truststore certificate.

Environment variable: QUARKUS_OIDC_CERTIFICATE_CHAIN_TRUST_STORE_CERT_ALIAS

Authorization code flow response mode.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_RESPONSE_MODE

If this property is set to true, the original request URI which was used before the authentication is restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI is restored even if this property is disabled.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_RESTORE_PATH_AFTER_REDIRECT

Relative path to the public endpoint which processes the error response from the OIDC authorization endpoint. If the user authentication has failed, the OIDC provider returns an error and an optional error_description parameters, instead of the expected authorization code. If this property is set, the user is redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and is appended to the request URI’s host and port. For example, if it is set as /error and the current request URI is https://localhost:8080/callback?error=invalid_scope, a redirect is made to https://localhost:8080/error?error=invalid_scope. If this property is not set, HTTP 401 status is returned in case of the user authentication failure.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ERROR_PATH

Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow.

ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles.

Authorization code flow access token is meant to be propagated to downstream services and is not verified by default unless quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision is based on the roles extracted from the access token.

Authorization code flow access token verification is also enabled if this token is injected as JsonWebToken. Set this property to false if it is not required.

Bearer access token is always verified.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_VERIFY_ACCESS_TOKEN

List of scopes

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SCOPES

Require that ID token includes a nonce claim which must match nonce authentication request query parameter. Enabling this property can help mitigate replay attacks. Do not enable this property if your OpenId Connect provider does not support setting nonce in ID token or if you work with OAuth2 provider such as GitHub which does not issue ID tokens.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_NONCE_REQUIRED

Additional properties added as query parameters to the authentication redirect URI.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_EXTRA_PARAMS__PARAMETER_NAME_

If enabled the state, session, and post logout cookies have their secure parameter set to true when HTTP is used. It might be necessary when running behind an SSL/TLS terminating reverse proxy. The cookies are always secure if HTTPS is used, even if this property is set to false.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_FORCE_SECURE

Cookie path parameter value which, if set, is used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, is checked first.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_PATH

Cookie domain parameter value which, if set, is used for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_DOMAIN

If a state cookie is present, a state query parameter must also be present and both the state cookie name suffix and state cookie value must match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie might represent the authentication flow initiated from another tab and not related to the current request. Disable this property to permit only a single authorization code flow in the same browser.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ALLOW_MULTIPLE_CODE_FLOWS

Fail with the HTTP 401 error if the ID token signature can not be verified during the re-authentication only due to an unresolved token key identifier (kid).

This property might need to be disabled when multiple tab authentications are allowed, with one of the tabs keeping an expired ID token with its kid unresolved due to the verification key set refreshed due to another tab initiating an authorization code flow. In such cases, instead of failing with the HTTP 401 error, redirecting the user to re-authenticate with the HTTP 302 status may provide better user experience.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FAIL_ON_UNRESOLVED_KID

Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user is redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a nonzero value, then the expired ID token can be refreshed before the session has expired. This property is ignored if the token.refresh-expired property has not been enabled.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SESSION_AGE_EXTENSION

If this property is set to true, a normal 302 redirect response is returned if the request was initiated by a JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated, which might not be desirable for Single-page applications (SPA) since it automatically following the redirect might not work given that OIDC authorization endpoints typically do not support CORS.

If this property is set to false, a status code of 499 is returned to allow SPA to handle the redirect manually if a request header identifying current request as a JavaScript request is found. X-Requested-With request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when OAuth2 providers do not return IdToken. If this property is not configured then an access token expires_in property in the OAuth2 authorization code flow response is used to set an internal IdToken lifespan.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Secret used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. A client secret is not be used as a state encryption secret if it is less than 32 characters long.

The secret is auto-generated if it remains uninitialized after checking all of these properties.

Error is reported if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_STATE_SECRET

Custom HTTP headers which must be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC_CODE_GRANT_HEADERS__HEADER_NAME_

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_SPLIT_TOKENS

The secret used by the Default TokenStateManager to encrypt the session cookie storing the tokens when encryption-required property is enabled.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value is checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication is checked. The secret is auto-generated every time an application starts if it remains uninitialized after checking all of these properties. Generated secret can not decrypt the session cookie encrypted before the restart, therefore a user re-authentication will be required.

The length of the secret used to encrypt the tokens should be at least 32 characters long. A warning is logged if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

If JWK verification keys should be fetched at the moment a connection to the OIDC provider is initialized.

Disabling this property delays the key acquisition until the moment the current token has to be verified. Typically it can only be necessary if the token or other telated request properties provide an additional context which is required to resolve the keys correctly.

Environment variable: QUARKUS_OIDC_JWKS_RESOLVE_EARLY

Number of minutes a JWK key can be cached for. This property is ignored if the resolve-early property is set to true.

Environment variable: QUARKUS_OIDC_JWKS_CACHE_TIME_TO_LIVE

In case there is no key identifier ('kid') or certificate thumbprints ('x5t', 'x5t#S256') specified in the JOSE header and no key could be determined, check all available keys matching the token algorithm ('alg') header value.

Environment variable: QUARKUS_OIDC_JWKS_TRY_ALL

Maximum amount of time a given cache entry is valid for.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_TIME_TO_LIVE

Flag to enable (default) or disable Dev Services. When enabled, Dev Services for Keycloak automatically configures and starts Keycloak in Dev or Test mode, and when Docker is running.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_ENABLED

Indicates if a Keycloak-X image is used. By default, the image is identified by keycloak-x in the image name. For custom images, override with quarkus.keycloak.devservices.keycloak-x-image. You do not need to set this property if the default check works.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_KEYCLOAK_X_IMAGE

The value of the quarkus-dev-service-keycloak label for identifying the Keycloak container. Used in shared mode to locate an existing container with this label. If not found, a new container is initialized with this label. Applicable only in dev mode.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_SERVICE_NAME

Aliases to additional class or file system resources that are used to initialize Keycloak. Each map entry represents a mapping between an alias and a class or file system resource path.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_RESOURCE_ALIASES__ALIAS_NAME_

The JAVA_OPTS passed to the keycloak JVM

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_JAVA_OPTS

Keycloak start command. Use this property to experiment with Keycloak start options, see https://www.keycloak.org/server/all-config. Note, it is ignored when loading legacy Keycloak WildFly images.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_START_COMMAND

The name of the Keycloak realm. This property is used to create the realm if the realm file pointed to by the realm-path property does not exist. The default value is quarkus in this case. It is recommended to always set this property so that Dev Services for Keycloak can identify the realm name without parsing the realm file.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_REALM_NAME

Specifies whether to create the default client id quarkus-app with a secret secret and register them if the create-realm property is set to true. For OIDC extension configuration properties quarkus.oidc.client.id and quarkus.oidc.credentials.secret will be configured. For OIDC Client extension configuration properties quarkus.oidc-client.client.id and quarkus.oidc-client.credentials.secret will be configured. Set to false if clients have to be created using either the Keycloak Administration Console or the Keycloak Admin API provided by io.quarkus.test.common.QuarkusTestResourceLifecycleManager or registered dynamically.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_CREATE_CLIENT

A map of Keycloak usernames to passwords. If empty, default users alice and bob are created with their names as passwords. This map is used for user creation when no realm file is found at the realm-path.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_USERS__USERS_

The specific port for the dev service to listen on.

If not specified, a random port is selected.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_PORT

Memory limit for Keycloak container, up to Long.MAX_VALUE bytes.

If not specified, 1250MiB is the default memory limit.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_CONTAINER_MEMORY_LIMIT