Back to Guides

OpenID Connect (OIDC) authorization code flow mechanism

The Quarkus OpenID Connect (OIDC) extension can protect application HTTP endpoints by using the OIDC Authorization Code Flow mechanism supported by OIDC-compliant authorization servers, such as Keycloak.

The Authorization Code Flow mechanism authenticates users of your web application by redirecting them to an OIDC provider, such as Keycloak, to log in. After authentication, the OIDC provider redirects the user back to the application with an authorization code that confirms that authentication was successful. Then, the application exchanges this code with the OIDC provider for an ID token (which represents the authenticated user), an access token, and a refresh token to authorize the user’s access to the application.

The following diagram outlines the Authorization Code Flow mechanism in Quarkus.

Authorization Code Flow
Figure 1. Authorization code flow mechanism in Quarkus

  1. The Quarkus user requests access to a Quarkus web-app application.

  2. The Quarkus web-app redirects the user to the authorization endpoint, that is, the OIDC provider for authentication.

  3. The OIDC provider redirects the user to a login and authentication prompt.

  4. At the prompt, the user enters their user credentials.

  5. The OIDC provider authenticates the user credentials entered and, if successful, issues an authorization code then redirects the user back to the Quarkus web-app with the code included as a query parameter.

  6. The Quarkus web-app exchanges this authorization code with the OIDC provider for ID, access, and refresh tokens.

The authorization code flow is completed and the Quarkus web-app uses the tokens issued to access information about the user and grant the relevant role-based authorization to that user. The following tokens are issued:

  • ID token: The Quarkus web-app uses the user information in the ID token to enable the authenticated user to log in securely and to provide role-based access to the web-app.

  • Access token: The Quarkus web-app might use the access token to access the UserInfo API to get additional information about the authenticated user or propagate it to another endpoint.

  • Refresh token: (Optional) If the ID and access tokens expire, the Quarkus web-app can use the refresh token to get new ID and access tokens.

For information about protecting your applications using Bearer Token authorization, see Using OpenID Connect to Protect Service Applications.

For information about multitenant support, see Using OpenID Connect Multi-Tenancy.

Quickstart

Prerequisites

To complete this guide, you need:

  • Roughly 15 minutes

  • An IDE

  • JDK 11+ installed with JAVA_HOME configured appropriately

  • Apache Maven 3.8.6

  • A working container runtime (Docker or Podman)

  • Optionally the Quarkus CLI if you want to use it

  • Optionally Mandrel or GraalVM installed and configured appropriately if you want to build a native executable (or Docker if you use a native container build)

Architecture

In this example, we build a very simple web application with a single page:

  • /index.html

This page is protected and can only be accessed by authenticated users.

Solution

We recommend that you follow the instructions in the next sections and create the application step by step. However, you can go right to the completed example.

Clone the Git repository: git clone https://github.com/quarkusio/quarkus-quickstarts.git, or download an archive.

The solution is located in the security-openid-connect-web-authentication-quickstart directory.

Creating the Maven Project

First, we need a new project. Create a new project with the following command:

CLI
quarkus create app org.acme:security-openid-connect-web-authentication-quickstart \
    --extension='resteasy-reactive,oidc' \
    --no-code
cd security-openid-connect-web-authentication-quickstart

To create a Gradle project, add the --gradle or --gradle-kotlin-dsl option.

For more information about how to install the Quarkus CLI and use it, please refer to the Quarkus CLI guide.

Maven
mvn io.quarkus.platform:quarkus-maven-plugin:2.16.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=security-openid-connect-web-authentication-quickstart \
    -Dextensions='resteasy-reactive,oidc' \
    -DnoCode
cd security-openid-connect-web-authentication-quickstart

To create a Gradle project, add the -DbuildTool=gradle or -DbuildTool=gradle-kotlin-dsl option.

If you already have your Quarkus project configured, you can add the oidc extension to your project by running the following command in your project base directory:

CLI
quarkus extension add 'oidc'
Maven
./mvnw quarkus:add-extension -Dextensions='oidc'
Gradle
./gradlew addExtension --extensions='oidc'

This will add the following to your build file:

pom.xml
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-oidc</artifactId>
</dependency>
build.gradle
implementation("io.quarkus:quarkus-oidc")

Writing the application

Let’s write a simple JAX-RS resource which has all the tokens returned in the authorization code grant response injected:

package org.acme.security.openid.connect.web.authentication;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

import org.eclipse.microprofile.jwt.JsonWebToken;

import io.quarkus.oidc.IdToken;
import io.quarkus.oidc.RefreshToken;

@Path("/tokens")
public class TokenResource {

    /**
     * Injection point for the ID Token issued by the OpenID Connect Provider
     */
    @Inject
    @IdToken
    JsonWebToken idToken;

    /**
     * Injection point for the Access Token issued by the OpenID Connect Provider
     */
    @Inject
    JsonWebToken accessToken;

    /**
     * Injection point for the Refresh Token issued by the OpenID Connect Provider
     */
    @Inject
    RefreshToken refreshToken;

    /**
     * Returns the tokens available to the application. This endpoint exists only for demonstration purposes, you should not
     * expose these tokens in a real application.
     *
     * @return a HTML page containing the tokens available to the application
     */
    @GET
    @Produces("text/html")
    public String getTokens() {
        StringBuilder response = new StringBuilder().append("<html>")
                .append("<body>")
                .append("<ul>");

        Object userName = this.idToken.getClaim("preferred_username");

        if (userName != null) {
            response.append("<li>username: ").append(userName.toString()).append("</li>");
        }

        Object scopes = this.accessToken.getClaim("scope");

        if (scopes != null) {
            response.append("<li>scopes: ").append(scopes.toString()).append("</li>");
        }

        response.append("<li>refresh_token: ").append(refreshToken.getToken() != null).append("</li>");

        return response.append("</ul>").append("</body>").append("</html>").toString();
    }
}

This endpoint has ID, access and refresh tokens injected. It returns a preferred_username claim from the ID token, a scope claim from the access token and also a refresh token availability status.

Note that you do not have to inject the tokens - it is only required if the endpoint needs to use the ID token to interact with the currently authenticated user or use the access token to access a downstream service on behalf of this user.

Please see Access ID and Access Tokens section below for more information.

Configuring the application

The OpenID Connect extension allows you to define the configuration using the application.properties file which should be located at the src/main/resources directory.

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

This is the simplest configuration you can have when enabling authentication to your application.

The quarkus.oidc.client-id property references the client_id issued by the OpenID Connect Provider and the quarkus.oidc.credentials.secret property sets the client secret.

The quarkus.oidc.application-type property is set to web-app in order to tell Quarkus that you want to enable the OpenID Connect Authorization Code Flow, so that your users are redirected to the OpenID Connect Provider to authenticate.

For last, the quarkus.http.auth.permission.authenticated permission is set to tell Quarkus about the paths you want to protect. In this case, all paths are being protected by a policy that ensures that only authenticated users are allowed to access. For more details check Security Authorization Guide.

Starting and Configuring the Keycloak Server

To start a Keycloak Server you can use Docker and just run the following command:

docker run --name keycloak -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8180:8080 quay.io/keycloak/keycloak:{keycloak.version} start-dev

where keycloak.version should be set to 17.0.0 or higher.

You should be able to access your Keycloak Server at localhost:8180.

Log in as the admin user to access the Keycloak Administration Console. Username should be admin and password admin.

Import the realm configuration file to create a new realm. For more details, see the Keycloak documentation about how to create a new realm.

Running the Application in Dev and JVM modes

To run the application in a dev mode, use:

CLI
quarkus dev
Maven
./mvnw quarkus:dev
Gradle
./gradlew --console=plain quarkusDev

When you’re done playing with dev mode you can run it as a standard Java application.

First compile it:

CLI
quarkus build
Maven
./mvnw install
Gradle
./gradlew build

Then run it:

java -jar target/quarkus-app/quarkus-run.jar

Running the Application in Native Mode

This same demo can be compiled into native code: no modifications required.

This implies that you no longer need to install a JVM on your production environment, as the runtime technology is included in the produced binary, and optimized to run with minimal resource overhead.

Compilation will take a bit longer, so this step is disabled by default; let’s build again by enabling the native build:

CLI
quarkus build --native
Maven
./mvnw install -Dnative
Gradle
./gradlew build -Dquarkus.package.type=native

After getting a cup of coffee, you’ll be able to run this binary directly:

./target/security-openid-connect-web-authentication-quickstart-runner

Testing the Application

To test the application, you should open your browser and access the following URL:

If everything is working as expected, you should be redirected to the Keycloak server to authenticate.

In order to authenticate to the application you should type the following credentials when at the Keycloak login page:

  • Username: alice

  • Password: alice

After clicking the Login button you should be redirected back to the application.

Please also see the Dev Services for Keycloak section below about writing the integration tests which depend on Dev Services for Keycloak.

Reference Guide

Accessing ID and Access Tokens

OIDC Code Authentication Mechanism acquires three tokens during the authorization code flow: IDToken, Access Token and Refresh Token.

ID Token is always a JWT token and is used to represent a user authentication with the JWT claims. One can access ID Token claims by injecting JsonWebToken with an IdToken qualifier:

import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.IdToken;
import io.quarkus.security.Authenticated;

@Path("/web-app")
@Authenticated
public class ProtectedResource {

    @Inject
    @IdToken
    JsonWebToken idToken;

    @GET
    public String getUserName() {
        return idToken.getName();
    }
}

Access Token is usually used by the OIDC web-app application to access other endpoints on behalf of the currently logged-in user. The raw access token can be accessed as follows:

import javax.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.Authenticated;

@Path("/web-app")
@Authenticated
public class ProtectedResource {

    @Inject
    JsonWebToken accessToken;

    // or
    // @Inject
    // AccessTokenCredential accessTokenCredential;

    @GET
    public String getReservationOnBehalfOfUser() {
        String rawAccessToken = accessToken.getRawToken();
        //or
        //String rawAccessToken = accessTokenCredential.getToken();

        // Use the raw access token to access a remote endpoint
        return getReservationfromRemoteEndpoint(rawAccesstoken);
    }
}

Note that AccessTokenCredential will have to be used if the Access Token issued to the Quarkus web-app application is opaque (binary) and can not be parsed to JsonWebToken.

Injection of the JsonWebToken and AccessTokenCredential is supported in both @RequestScoped and @ApplicationScoped contexts.

RefreshToken is only used to refresh the current ID and access tokens as part of its session management process.

User Info

If IdToken does not provide enough information about the currently authenticated user then you can set a quarkus.oidc.authentication.user-info-required=true property for a UserInfo JSON object from the OIDC userinfo endpoint to be requested.

A request will be sent to the OpenID Provider UserInfo endpoint using the access token returned with the authorization code grant response and an io.quarkus.oidc.UserInfo (a simple javax.json.JsonObject wrapper) object will be created. io.quarkus.oidc.UserInfo can be either injected or accessed as a SecurityIdentity userinfo attribute.

Configuration Metadata

The current tenant’s discovered OpenID Connect Configuration Metadata is represented by io.quarkus.oidc.OidcConfigurationMetadata and can be either injected or accessed as a SecurityIdentity configuration-metadata attribute.

The default tenant’s OidcConfigurationMetadata is injected if the endpoint is public.

Token Claims And SecurityIdentity Roles

The way the roles are mapped to the SecurityIdentity roles from the verified tokens is identical to how it is done for the bearer tokens with the only difference being is that ID Token is used as a source of the roles by default.

Note if you use Keycloak then you should set a Microprofile JWT client scope for ID token to contain a groups claim, please see the Keycloak Server Administration Guide for more information.

If only the access token contains the roles and this access token is not meant to be propagated to the downstream endpoints then set quarkus.oidc.roles.source=accesstoken.

If UserInfo is the source of the roles then set quarkus.oidc.authentication.user-info-required=true and quarkus.oidc.roles.source=userinfo, and if needed, quarkus.oidc.roles.role-claim-path.

Additionally, a custom SecurityIdentityAugmentor can also be used to add the roles as documented here.

Token Verification And Introspection

Please see Token Verification And Introspection for details about how the tokens are verified and introspected.

Note that in case of web-app applications only IdToken is verified by default since the access token is not used by default to access the current Quarkus web-app endpoint and instead meant to be propagated to the services expecting this access token, for example, to the OpenID Connect Provider’s UserInfo endpoint, etc. However, if you expect the access token to contain the roles required to access the current Quarkus endpoint (quarkus.oidc.roles.source=accesstoken) then it will also be verified.

Token Introspection and UserInfo Cache

Code flow access tokens are not introspected unless they are expected to be the source of roles but will be used to get UserInfo. So there will be one or two remote calls with the code flow access token, if the token introspection and/or UserInfo are required.

Please see Token Introspection and UserInfo cache for more information about using a default token cache or registering a custom cache implementation.

JSON Web Token Claim Verification

Please see JSON Web Token Claim verification section about the claim verification, including the iss (issuer) claim. It applies to ID tokens but also to access tokens in a JWT format if the web-app application has requested the access token verification.

Redirection

When the user is redirected to the OpenID Connect Provider to authenticate, the redirect URL includes a redirect_uri query parameter which indicates to the Provider where the user has to be redirected to once the authentication has been completed.

Quarkus will set this parameter to the current request URL by default. For example, if the user is trying to access a Quarkus service endpoint at http://localhost:8080/service/1 then the redirect_uri parameter will be set to http://localhost:8080/service/1. Similarly, if the request URL is http://localhost:8080/service/2 then the redirect_uri parameter will be set to http://localhost:8080/service/2, etc.

OpenID Connect Providers may be configured to require the redirect_uri parameter to have the same value (e.g. http://localhost:8080/service/callback) for all the redirect URLs. In such cases a quarkus.oidc.authentication.redirect-path property has to be set, for example, quarkus.oidc.authentication.redirect-path=/service/callback, and Quarkus will set the redirect_uri parameter to an absolute URL such as http://localhost:8080/service/callback which will be the same regardless of the current request URL.

If quarkus.oidc.authentication.redirect-path is set but the original request URL has to be restored after the user has been redirected back to a callback URL such as http://localhost:8080/service/callback then a quarkus.oidc.authentication.restore-path-after-redirect property has to be set to true which will restore the request URL such as http://localhost:8080/service/1, etc.

Dealing with Cookies

The OIDC adapter uses cookies to keep the session, code flow and post logout state.

quarkus.oidc.authentication.cookie-path property is used to ensure the cookies are visible especially when you access the protected resources with overlapping or different roots, for example:

  • /index.html and /web-app/service

  • /web-app/service1 and /web-app/service2

  • /web-app1/service and /web-app2/service

quarkus.oidc.authentication.cookie-path is set to / by default but can be narrowed to the more specific root path such as /web-app.

You can also set a quarkus.oidc.authentication.cookie-path-header property if the cookie path needs to be set dynamically. For example, setting quarkus.oidc.authentication.cookie-path-header=X-Forwarded-Prefix means that the value of HTTP X-Forwarded-Prefix header will be used to set a cookie path.

If quarkus.oidc.authentication.cookie-path-header is set but no configured HTTP header is available in the current request then the quarkus.oidc.authentication.cookie-path will be checked.

If your application is deployed across multiple domains, make sure to set a quarkus.oidc.authentication.cookie-domain property for the session cookie be visible to all protected Quarkus services, for example, if you have 2 services deployed at:

then the quarkus.oidc.authentication.cookie-domain property must be set to company.net.

Logout

By default, the logout is based on the expiration time of the ID Token issued by the OpenID Connect Provider. When the ID Token expires, the current user session at the Quarkus endpoint is invalidated and the user is redirected to the OpenID Connect Provider again to authenticate. If the session at the OpenID Connect Provider is still active, users are automatically re-authenticated without having to provide their credentials again.

The current user session may be automatically extended by enabling a quarkus.oidc.token.refresh-expired property. If it is set to true then when the current ID Token expires a Refresh Token Grant will be used to refresh ID Token as well as Access and Refresh Tokens.

User-Initiated Logout

Users can request a logout by sending a request to the Quarkus endpoint logout path set with a quarkus.oidc.logout.path property. For example, if the endpoint address is https://application.com/webapp and the quarkus.oidc.logout.path is set to "/logout" then the logout request has to be sent to https://application.com/webapp/logout.

This logout request will start an RP-Initiated Logout and the user will be redirected to the OpenID Connect Provider to logout where a user may be asked to confirm the logout is indeed intended.

The user will be returned to the endpoint post logout page once the logout has been completed if the quarkus.oidc.logout.post-logout-path property is set. For example, if the endpoint address is https://application.com/webapp and the quarkus.oidc.logout.post-logout-path is set to "/signin" then the user will be returned to https://application.com/webapp/signin (note this URI must be registered as a valid post_logout_redirect_uri in the OpenID Connect Provider).

If the quarkus.oidc.logout.post-logout-path is set then a q_post_logout cookie will be created and a matching state query parameter will be added to the logout redirect URI and the OpenID Connect Provider will return this state once the logout has been completed. It is recommended for the Quarkus web-app applications to check that a state query parameter matches the value of the q_post_logout cookie which can be done for example in a JAX-RS filter.

Note that a cookie name will vary when using OpenID Connect Multi-Tenancy. For example, it will be named q_post_logout_tenant_1 for a tenant with a tenant_1 id, etc.

Here is an example of how to configure an RP initiated logout flow:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app

quarkus.oidc.logout.path=/logout
# Logged-out users should be returned to the /welcome.html site which will offer an option to re-login:
quarkus.oidc.logout.post-logout-path=/welcome.html

# Only the authenticated users can initiate a logout:
quarkus.http.auth.permission.authenticated.paths=/logout
quarkus.http.auth.permission.authenticated.policy=authenticated

# All users can see the welcome page:
quarkus.http.auth.permission.public.paths=/welcome.html
quarkus.http.auth.permission.public.policy=permit

You may also need to set quarkus.oidc.authentication.cookie-path to a path value common to all the application resources which is / in this example. See Dealing with Cookies for more information.

Note that some OpenID Connect providers do not support RP-Initiated Logout specification (possibly because it is still technically a draft) and do not return an OpenID Connect well-known end_session_endpoint metadata property. However, it should not be a problem since these providers' specific logout mechanisms may only differ in how the logout URL query parameters are named.

According to the RP-Initiated Logout specification, the quarkus.oidc.logout.post-logout-path property is represented as a post_logout_redirect_uri query parameter which will not be recognized by the providers which do not support this specification.

You can use quarkus.oidc.logout.post-logout-url-param to work around this issue. You can also request more logout query parameters added with quarkus.oidc.logout.extra-params. For example, here is how you can support a logout with Auth0:

quarkus.oidc.auth-server-url=https://dev-xxx.us.auth0.com
quarkus.oidc.client-id=redacted
quarkus.oidc.credentials.secret=redacted
quarkus.oidc.application-type=web-app

quarkus.oidc.tenant-logout.logout.path=/logout
quarkus.oidc.tenant-logout.logout.post-logout-path=/welcome.html

# Auth0 does not return the `end_session_endpoint` metadata property, configure it instead
quarkus.oidc.end-session-path=v2/logout
# Auth0 will not recognize the 'post_logout_redirect_uri' query parameter so make sure it is named as 'returnTo'
quarkus.oidc.logout.post-logout-uri-param=returnTo

# Set more properties if needed.
# For example, if 'client_id' is provided then a valid logout URI should be set as Auth0 Application property, without it - as Auth0 Tenant property.
quarkus.oidc.logout.extra-params.client_id=${quarkus.oidc.client-id}

Back-Channel Logout

Back-Channel Logout is used by OpenID Connect providers to log out the current user from all the applications this user is currently logged in, bypassing the user agent.

You can configure Quarkus to support Back-Channel Logout as follows:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app

quarkus.oidc.logout.backchannel.path=/back-channel-logout

Absolute Back-Channel Logout URL is calculated by adding quarkus.oidc.back-channel-logout.path to the current endpoint URL, for example, http://localhost:8080/back-channel-logout. You will need to configure this URL in the Admin Console of your OpenID Connect Provider.

Note that you will also need to configure a token age property for the logout token verification to succeed if your OpenID Connect Provider does not set an expiry claim in the current logout token, for example, quarkus.oidc.token.age=10S sets a number of seconds that must not elapse since the logout token’s iat (issued at) time to 10.

Front-Channel Logout

Front-Channel Logout can be used to logout the current user directly from the user agent.

You can configure Quarkus to support Front-Channel Logout as follows:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=frontend
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app

quarkus.oidc.logout.frontchannel.path=/front-channel-logout

This path will be compared against the current request’s path and the user will be logged out if these paths match.

Local Logout

If you work with a social provider such as Google and are concerned that the users can be logged out from all their Google applications with the User-Initiated Logout which redirects the users to the provider’s logout endpoint then you can support a local logout with the help of the OidcSession which only clears the local session cookie, for example:

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import io.quarkus.oidc.OidcSession;

@Path("/service")
public class ServiceResource {

    @Inject
    OidcSession oidcSession;

    @GET
    @Path("logout")
    public String logout() {
        oidcSession.logout().await().indefinitely();
        return "You are logged out".
    }

Session Management

If you have a Single Page Application for Service Applications where your OpenID Connect Provider script such as keycloak.js is managing an authorization code flow then that script will also control the SPA authentication session lifespan.

If you work with a Quarkus OIDC web-app application then it is Quarkus OIDC Code Authentication mechanism which is managing the user session lifespan.

The session age is calculated by adding the lifespan value of the current IDToken and the values of the quarkus.oidc.authentication.session-age-extension and quarkus.oidc.token.lifespan-grace properties. Of the last two properties only quarkus.oidc.authentication.session-age-extension should be used to significantly extend the session lifespan if required since quarkus.oidc.token.lifespan-grace is only meant for taking some small clock skews into consideration.

When the currently authenticated user returns to the protected Quarkus endpoint and the ID token associated with the session cookie has expired then, by default, the user will be auto-redirected to the OIDC Authorization endpoint to re-authenticate. Most likely the OIDC provider will challenge the user again though not necessarily if the session between the user and this OIDC provider is still active which may happen if it is configured to last longer than the ID token.

If the quarkus.oidc.token.refresh-expired then the expired ID token (as well as the access token) will be refreshed using the refresh token returned with the authorization code grant response. This refresh token may also be recycled (refreshed) itself as part of this process. As a result the new session cookie will be created and the session will be extended.

Note, quarkus.oidc.authentication.session-age-extension can be important when dealing with expired ID tokens, when the user is not very active. In such cases, if the ID token expires, then the session cookie may not be returned to the Quarkus endpoint during the next user request and Quarkus will assume it is the first authentication request. Therefore, using quarkus.oidc.authentication.session-age-extension is important if you need to have even the expired ID tokens refreshed.

You can also complement refreshing the expired ID tokens by proactively refreshing the valid ID tokens which are about to be expired within the quarkus.oidc.token.refresh-token-time-skew value. If, during the current user request, it is calculated that the current ID token will expire within this quarkus.oidc.token.refresh-token-time-skew then it will be refreshed and the new session cookie will be created. This property should be set to a value which is less than the ID token lifespan; the closer it is to this lifespan value the more often the ID token will be refreshed.

You can have this process further optimized by having a simple JavaScript function periodically emulating the user activity by pinging your Quarkus endpoint thus minimizing the window during which the user may have to be re-authenticated.

Note this user session can not be extended forever - the returning user with the expired ID token will have to re-authenticate at the OIDC provider endpoint once the refresh token has expired.

OidcSession

io.quarkus.oidc.OidcSession is a wrapper around the current IdToken. It can help to perform a Local Logout, retrieve the current session’s tenant identifier and check when the session will expire. More useful methods will be added to it over time.

TokenStateManager

OIDC CodeAuthenticationMechanism is using the default io.quarkus.oidc.TokenStateManager interface implementation to keep the ID, access and refresh tokens returned in the authorization code or refresh grant responses in a session cookie. It makes Quarkus OIDC endpoints completely stateless.

Note that some endpoints do not require the access token. An access token is only required if the endpoint needs to retrieve UserInfo or access the downstream service with this access token or use the roles associated with the access token (the roles in the ID token are checked by default). In such cases you can set either quarkus.oidc.token-state-manager.strategy=id-refresh-token (keep ID and refresh tokens only) or quarkus.oidc.token-state-manager.strategy=id-token (keep ID token only).

If the ID, access and refresh tokens are JWT tokens then combining all of them (if the strategy is the default keep-all-tokens) or only ID and refresh tokens (if the strategy is id-refresh-token) may produce a session cookie value larger than 4KB and the browsers may not be able to keep this cookie. In such cases, you can use quarkus.oidc.token-state-manager.split-tokens=true to have a unique session token per each of these tokens.

You can also configure the default TokenStateManager to encrypt the tokens before storing them as cookie values which may be necessary if the tokens contain sensitive claim values. For example, here is how you configure it to split the tokens and encrypt them:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app
quarkus.oidc.token-state-manager.split-tokens=true
quarkus.oidc.token-state-manager.encryption-required=true
quarkus.oidc.token-state-manager.encryption-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU

The token encryption secret must be 32 characters long. Note that you only have to set quarkus.oidc.token-state-manager.encryption-secret if you prefer not to use quarkus.oidc.credentials.secret for encrypting the tokens or if quarkus.oidc.credentials.secret length is less than 32 characters.

Register your own io.quarkus.oidc.TokenStateManager' implementation as an `@ApplicationScoped CDI bean if you need to customize the way the tokens are associated with the session cookie. For example, you may want to keep the tokens in a database and have only a database pointer stored in a session cookie. Note though that it may present some challenges in making the tokens available across multiple microservices nodes.

Here is a simple example:

package io.quarkus.oidc.test;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

import io.quarkus.arc.AlternativePriority;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenStateManager;
import io.quarkus.oidc.runtime.DefaultTokenStateManager;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
@AlternativePriority(1)
public class CustomTokenStateManager implements TokenStateManager {

    @Inject
    DefaultTokenStateManager tokenStateManager;

    @Override
    public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcConfig,
            AuthorizationCodeTokens sessionContent, TokenStateManager.CreateTokenStateRequestContext requestContext) {
        return tokenStateManager.createTokenState(routingContext, oidcConfig, sessionContent, requestContext)
                .map(t -> (t + "|custom"));
    }

    @Override
    public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, OidcTenantConfig oidcConfig,
            String tokenState, TokenStateManager.GetTokensRequestContext requestContext) {
        if (!tokenState.endsWith("|custom")) {
            throw new IllegalStateException();
        }
        String defaultState = tokenState.substring(0, tokenState.length() - 7);
        return tokenStateManager.getTokens(routingContext, oidcConfig, defaultState, requestContext);
    }

    @Override
    public Uni<Void> deleteTokens(RoutingContext routingContext, OidcTenantConfig oidcConfig, String tokenState,
            TokenStateManager.DeleteTokensRequestContext requestContext) {
        if (!tokenState.endsWith("|custom")) {
            throw new IllegalStateException();
        }
        String defaultState = tokenState.substring(0, tokenState.length() - 7);
        return tokenStateManager.deleteTokens(routingContext, oidcConfig, defaultState, requestContext);
    }
}

Proof Of Key for Code Exchange (PKCE)

Proof Of Key for Code Exchange (PKCE) minimizes the risk of the authorization code interception.

While PKCE is of primary importance to the public OpenID Connect clients (such as the SPA scripts running in a browser), it can also provide an extra level of protection to Quarkus OIDC web-app applications which are confidential OpenID Connect clients capable of securely storing the client secret and using it to exchange the code for the tokens.

You can enable PKCE for your OIDC web-app endpoint with a quarkus.oidc.authentication.pkce-required property and a 32 characters long secret, for example:

quarkus.oidc.authentication.pkce-required=true
quarkus.oidc.authentication.pkce-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU

If you already have a 32 characters long client secret then quarkus.oidc.authentication.pkce-secret does not have to be set unless you prefer to use a different secret key.

The secret key is required for encrypting a randomly generated PKCE code_verifier while the user is being redirected with the code_challenge query parameter to OpenID Connect Provider to authenticate. The code_verifier will be decrypted when the user is redirected back to Quarkus and sent to the token endpoint alongside the code, client secret and other parameters to complete the code exchange. The provider will fail the code exchange if a SHA256 digest of the code_verifier does not match the code_challenge provided during the authentication request.

Listening to important authentication events

One can register @ApplicationScoped bean which will observe important OIDC authentication events. The listener will be updated when a user has logged in for the first time or re-authenticated, as well as when the session has been refreshed. More events may be reported in the future. For example:

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class SecurityEventListener {

    public void event(@Observes SecurityEvent event) {
        String tenantId = event.getSecurityIdentity().getAttribute("tenant-id");
        RoutingContext vertxContext = event.getSecurityIdentity().getAttribute(RoutingContext.class.getName());
        vertxContext.put("listener-message", String.format("event:%s,tenantId:%s", event.getEventType().name(), tenantId));
    }
}

Single Page Applications

Please check if implementing SPAs the way it is suggested in the Single Page Applications for Service Applications section can meet your requirements.

If you prefer to use SPA and JavaScript API such as Fetch or XMLHttpRequest(XHR) with Quarkus web applications, please be aware that OpenID Connect Providers may not support CORS for Authorization endpoints where the users are authenticated after a redirect from Quarkus. This will lead to authentication failures if the Quarkus application and the OpenID Connect Provider are hosted on the different HTTP domains/ports.

In such cases, set the quarkus.oidc.authentication.java-script-auto-redirect property to false which will instruct Quarkus to return a 499 status code and WWW-Authenticate header with the OIDC value. The browser script also needs to be updated to set X-Requested-With header with the JavaScript value and reload the last requested page in case of 499, for example:

Future<void> callQuarkusService() async {
    Map<String, String> headers = Map.fromEntries([MapEntry("X-Requested-With", "JavaScript")]);

    await http
        .get("https://localhost:443/serviceCall")
        .then((response) {
            if (response.statusCode == 499) {
                window.location.assign("https://localhost.com:443/serviceCall");
            }
         });
  }

Cross Origin Resource Sharing

If you plan to consume this application from a Single Page Application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the HTTP CORS documentation for more details.

Integration with GitHub and other OAuth2 providers

Some well known providers such as GitHub or LinkedIn are not OpenID Connect but OAuth2 providers which support the authorization code flow, for example, GitHub OAuth2 and LinkedIn OAuth2.

The main difference between OpenID Connect and OAuth2 providers is that OpenID Connect providers, by building on top of OAuth2, return an ID Token representing a user authentication, in addition to the standard authorization code flow access and refresh tokens returned by OAuth2 providers.

OAuth2 providers such as GitHub do not return IdToken, the fact of the user authentication is implicit and is indirectly represented by the access token which represents an authenticated user authorizing the current Quarkus web-app application to access some data on behalf of the authenticated user.

For example, when working with GitHub, the Quarkus endpoint can acquire an access token which will allow it to request a GitHub profile of the current user. In fact this is exactly how a standard OpenID Connect UserInfo acquisition also works - by authenticating into your OpenID Connect provider you also give a permission to Quarkus application to acquire your UserInfo on your behalf - and it also shows what is meant by OpenID Connect being built on top of OAuth2.

In order to support the integration with such OAuth2 servers, quarkus-oidc needs to be configured to allow the authorization code flow responses without IdToken: quarkus.oidc.authentication.id-token-required=false.

It is required because quarkus-oidc expects that not only access and refresh tokens but also IdToken will be returned once the authorization code flow completes.

Note, even though you will configure the extension to support the authorization code flows without IdToken, an internal IdToken will be generated to support the way quarkus-oidc operates where an IdToken is used to support the authentication session and to avoid redirecting the user to the provider such as GitHub on every request. In this case the session lifespan is set to 5 minutes which can be extended further as described in the session management section.

The next step is to ensure that the returned access token can be useful to the current Quarkus endpoint. If the OAuth2 provider supports the introspection endpoint then you may be able to use this access token as a source of roles with quarkus.oidc.roles.source=accesstoken. If no introspection endpoint is available then at the very least it should be possible to request UserInfo from this provider with quarkus.oidc.authentication.user-info-required - this is the case with GitHub.

Configuring the endpoint to request UserInfo is the only way quarkus-oidc can be integrated with the providers such as GitHub.

Note that requiring UserInfo involves making a remote call on every request - therefore you may want to consider caching UserInfo data, see <<token-introspection-userinfo-cache,Token Introspection and UserInfo Cache> for more details.

Alternatively, you may want to request that UserInfo is embedded into the internal generated IdToken with the quarkus.oidc.cache-user-info-in-idtoken=true property - the advantage of this approach is that by default no cached UserInfo state will be kept with the endpoint - instead it will be stored in a session cookie. You may also want to consider encrypting IdToken in this case if UserInfo contains sensitive data, please see Encrypt Tokens With TokenStateManager for more information.

Also, OAuth2 servers may not support a well-known configuration endpoint in which case the discovery has to be disabled and the authorization, token, and introspection and/or userinfo endpoint paths have to be configured manually.

Here is how you can integrate quarkus-oidc with GitHub after you have created a GitHub OAuth application. Configure your Quarkus endpoint like this:

quarkus.oidc.provider=github
quarkus.oidc.client-id=github_app_clientid
quarkus.oidc.credentials.secret=github_app_clientsecret

# user:email scope is requested by default, use 'quarkus.oidc.authentication.scopes' to request different scopes such as `read:user`.
# See https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps for more information.

# Consider enabling UserInfo Cache
# quarkus.oidc.token-cache.max-size=1000
# quarkus.oidc.token-cache.time-to-live=5M
#
# Or having UserInfo cached inside IdToken itself
# quarkus.oidc.cache-user-info-in-idtoken=true

See Well Known OpenID Connect providers for more details about configuring other well-known providers.

This is all what is needed for an endpoint like this one to return the currently authenticated user’s profile with GET http://localhost:8080/github/userinfo and access it as the individual UserInfo properties:

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

import io.quarkus.oidc.UserInfo;
import io.quarkus.security.Authenticated;

@Path("/github")
@Authenticated
public class TokenResource {

    @Inject
    UserInfo userInfo;

    @GET
    @Path("/userinfo")
    @Produces("application/json")
    public String getUserInfo() {
        return userInfo.getUserInfoString();
    }
}

If you support more than one social provider with the help of OpenID Connect Multi-Tenancy, for example, Google which is an OpenID Connect Provider returning IdToken and GitHub which is an OAuth2 provider returning no IdToken and only allowing to access UserInfo then you can have your endpoint working with only the injected SecurityIdentity for both Google and GitHub flows. A simple augmentation of SecurityIdentity will be required where a principal created with the internally generated IdToken will be replaced with the UserInfo based principal when the GiHub flow is active:

package io.quarkus.it.keycloak;

import java.security.Principal;

import javax.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.UserInfo;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class CustomSecurityIdentityAugmentor implements SecurityIdentityAugmentor {

    @Override
    public Uni<SecurityIdentity> augment(SecurityIdentity identity, AuthenticationRequestContext context) {
        RoutingContext routingContext = identity.getAttribute(RoutingContext.class.getName());
        if (routingContext != null && routingContext.normalizedPath().endsWith("/github")) {
	        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder(identity);
	        UserInfo userInfo = identity.getAttribute("userinfo");
	        builder.setPrincipal(new Principal() {

	            @Override
	            public String getName() {
	                return userInfo.getString("preferred_username");
	            }

	        });
	        identity = builder.build();
        }
        return Uni.createFrom().item(identity);
    }

}

Now, the following code will work when the user is signing in into your application with both Google or GitHub:

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.SecurityIdentity;

@Path("/service")
@Authenticated
public class TokenResource {

    @Inject
    SecurityIdentity identity;

    @GET
    @Path("/google")
    @Produces("application/json")
    public String getUserName() {
        return identity.getPrincipal().getName();
    }

    @GET
    @Path("/github")
    @Produces("application/json")
    public String getUserName() {
        return identity.getPrincipal().getUserName();
    }
}

Possibly a simpler alternative is to inject both @IdToken JsonWebToken and UserInfo and use JsonWebToken when dealing with the providers returning IdToken and UserInfo - with the providers which do not return IdToken.

The last important point is to make sure the callback path you enter in the GitHub OAuth application configuration matches the endpoint path where you’d like the user be redirected to after a successful GitHub authentication and application authorization, in this case it has to be set to http:localhost:8080/github/userinfo.

Cloud Services

Google Cloud

You can have Quarkus OIDC web-app applications access Google Cloud services such as BigQuery on behalf of the currently authenticated users who have enabled OpenID Connect (Authorization Code Flow) permissions to such services in their Google Developer Consoles.

It is super easy to do with Quarkiverse Google Cloud Services, only add the latest tag service dependency, for example:

pom.xml
<dependency>
    <groupId>io.quarkiverse.googlecloudservices</groupId>
    <artifactId>quarkus-google-cloud-bigquery</artifactId>
    <version>${quarkiverse.googlecloudservices.version}</version>
</dependency>
build.gradle
implementation("io.quarkiverse.googlecloudservices:quarkus-google-cloud-bigquery:${quarkiverse.googlecloudservices.version}")

and configure Google OIDC properties:

quarkus.oidc.provider=google
quarkus.oidc.client-id={GOOGLE_CLIENT_ID}
quarkus.oidc.credentials.secret={GOOGLE_CLIENT_SECRET}
quarkus.oidc.token.issuer=https://accounts.google.com

Provider Endpoint configuration

OIDC web-app application needs to know OpenID Connect provider’s authorization, token, JsonWebKey (JWK) set and possibly UserInfo, introspection and end session (RP-initiated logout) endpoint addresses.

By default, they are discovered by adding a /.well-known/openid-configuration path to the configured quarkus.oidc.auth-server-url.

Alternatively, if the discovery endpoint is not available, or if you would like to save on the discovery endpoint round-trip, you can disable the discovery and configure them with relative path values, for example:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.discovery-enabled=false
# Authorization endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/auth
quarkus.oidc.authorization-path=/protocol/openid-connect/auth
# Token endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/token
quarkus.oidc.token-path=/protocol/openid-connect/token
# JWK set endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/certs
quarkus.oidc.jwks-path=/protocol/openid-connect/certs
# UserInfo endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/userinfo
quarkus.oidc.user-info-path=/protocol/openid-connect/userinfo
# Token Introspection endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/token/introspect
quarkus.oidc.introspection-path=/protocol/openid-connect/token/introspect
# End session endpoint: http://localhost:8180/realms/quarkus/protocol/openid-connect/logout
quarkus.oidc.end-session-path=/protocol/openid-connect/logout

Sometimes your OpenId Connect provider supports a metadata discovery but does not return all the endpoint URLs required for the authorization code flow to complete or for the application to support the additional functions such as a user logout. In such cases you can simply configure a missing endpoint URL locally:

# Metadata is auto-discovered but it does not return an end-session endpoint URL

quarkus.oidc.auth-server-url=http://localhost:8180/oidcprovider/account

# Configure the end-session URL locally, it can be an absolute or relative (to 'quarkus.oidc.auth-server-url') address
quarkus.oidc.end-session-path=logout

Exactly the same configuration can be used to override a discovered endpoint URL if that URL does not work for the local Quarkus endpoint and a more specific value is required. For example, one can imagine that in the above example, a provider which supports both global and application specific end-session endpoints returns a global end-session URL such as http://localhost:8180/oidcprovider/account/global-logout which will logout the user from all the applications this user is currently logged in, while the current application only wants to get this user logged out from this application, therefore, quarkus.oidc.end-session-path=logout is used to override the global end-session URL.

Token Propagation

Please see Token Propagation section about the Authorization Code Flow access token propagation to the downstream services.

Oidc Provider Client Authentication

quarkus.oidc.runtime.OidcProviderClient is used when a remote request to an OpenID Connect Provider has to be done. It has to authenticate to the OpenID Connect Provider when the authorization code has to be exchanged for the ID, access and refresh tokens, when the ID and access tokens have to be refreshed or introspected.

All the OIDC Client Authentication options are supported, for example:

client_secret_basic:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=mysecret

or

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.client-secret.value=mysecret

or with the secret retrieved from a CredentialsProvider:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app

# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.client-secret.provider.key=mysecret-key
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-provider

client_secret_post:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.client-secret.value=mysecret
quarkus.oidc.credentials.client-secret.method=post

client_secret_jwt, signature algorithm is HS256:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.secret=AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow

or with the secret retrieved from a CredentialsProvider:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app

# This is a key which will be used to retrieve a secret from the map of credentials returned from CredentialsProvider
quarkus.oidc.credentials.jwt.secret-provider.key=mysecret-key
# Set it only if more than one CredentialsProvider can be registered
quarkus.oidc.credentials.jwt.secret-provider.name=oidc-credentials-provider

private_key_jwt with the PEM key file, signature algorithm is RS256:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-file=privateKey.pem

private_key_jwt with the key store file, signature algorithm is RS256:

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-store-file=keystore.jks
quarkus.oidc.credentials.jwt.key-store-password=mypassword
quarkus.oidc.credentials.jwt.key-password=mykeypassword

# Private key alias inside the keystore
quarkus.oidc.credentials.jwt.key-id=mykeyAlias

Using client_secret_jwt or private_key_jwt authentication methods ensures that no client secret goes over the wire.

Additional JWT Authentication options

If client_secret_jwt, private_key_jwt authentication methods are used or an Apple post_jwt method is used then the JWT signature algorithm, key identifier, audience, subject and issuer can be customized, for example:

# private_key_jwt client authentication

quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.jwt.key-file=privateKey.pem

# This is a token key identifier 'kid' header - set it if your OpenID Connect provider requires it.
# Note if the key is represented in a JSON Web Key (JWK) format with a `kid` property then
# using 'quarkus.oidc.credentials.jwt.token-key-id' is not necessary.
quarkus.oidc.credentials.jwt.token-key-id=mykey

# Use RS512 signature algorithm instead of the default RS256
quarkus.oidc.credentials.jwt.signature-algorithm=RS512

# The token endpoint URL is the default audience value, use the base address URL instead:
quarkus.oidc.credentials.jwt.audience=${quarkus.oidc-client.auth-server-url}

# custom subject instead of the client id :
quarkus.oidc.credentials.jwt.subject=custom-subject

# custom issuer instead of the client id :
quarkus.oidc.credentials.jwt.issuer=custom-issuer

Apple POST JWT

Apple OpenID Connect Provider uses a client_secret_post method where a secret is a JWT produced with a private_key_jwt authentication method but with Apple account specific issuer and subject claims.

quarkus-oidc supports a non-standard client_secret_post_jwt authentication method which can be configured as follows:

# Apple provider configuration sets a 'client_secret_post_jwt' authentication method
quarkus.oidc.provider=apple

quarkus.oidc.client-id=${apple.client-id}
quarkus.oidc.credentials.jwt.key-file=ecPrivateKey.pem
quarkus.oidc.credentials.jwt.token-key-id=${apple.key-id}
# Apple provider configuration sets ES256 signature algorithm

quarkus.oidc.credentials.jwt.subject=${apple.subject}
quarkus.oidc.credentials.jwt.issuer=${apple.issuer}

Mutual TLS

Some OpenID Connect Providers may require that a client is authenticated as part of the Mutual TLS (mTLS) authentication process.

quarkus-oidc can be configured as follows to support mTLS:

quarkus.oidc.tls.verification=certificate-validation

# Keystore configuration
quarkus.oidc.tls.key-store-file=client-keystore.jks
quarkus.oidc.tls.key-store-password=${key-store-password}

# Add more keystore properties if needed:
#quarkus.oidc.tls.key-store-alias=keyAlias
#quarkus.oidc.tls.key-store-alias-password=keyAliasPassword

# Truststore configuration
quarkus.oidc.tls.trust-store-file=client-truststore.jks
quarkus.oidc.tls.trust-store-password=${trust-store-password}
# Add more truststore properties if needed:
#quarkus.oidc.tls.trust-store-alias=certAlias

Introspection Endpoint Authentication

Some OpenID Connect Providers may require authenticating to its introspection endpoint using Basic Authentication with the credentials different to client_id and client_secret which may have already been configured to support client_secret_basic or client_secret_post client authentication methods described in the Oidc Provider Client Authentication section.

If the tokens have to be introspected and the introspection endpoint specific authentication mechanism is required then you can configure quarkus-oidc like this:

quarkus.oidc.introspection-credentials.name=introspection-user-name
quarkus.oidc.introspection-credentials.secret=introspection-user-secret

Testing

Start by adding the following dependencies to your test project:

pom.xml
<dependency>
    <groupId>net.sourceforge.htmlunit</groupId>
    <artifactId>htmlunit</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.eclipse.jetty</groupId>
            <artifactId>*</artifactId>
       </exclusion>
    </exclusions>
    <scope>test</scope>
</dependency>
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-junit5</artifactId>
    <scope>test</scope>
</dependency>
build.gradle
testImplementation("net.sourceforge.htmlunit:htmlunit")
testImplementation("io.quarkus:quarkus-junit5")

Wiremock

Add the following dependency:

pom.xml
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-test-oidc-server</artifactId>
    <scope>test</scope>
</dependency>
build.gradle
testImplementation("io.quarkus:quarkus-test-oidc-server")

Prepare the REST test endpoints, set application.properties, for example:

# keycloak.url is set by OidcWiremockTestResource
quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus/
quarkus.oidc.client-id=quarkus-web-app
quarkus.oidc.credentials.secret=secret
quarkus.oidc.application-type=web-app

and finally write the test code, for example:

import static org.junit.jupiter.api.Assertions.assertEquals;

import org.junit.jupiter.api.Test;

import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

import io.quarkus.test.common.QuarkusTestResource;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.oidc.server.OidcWiremockTestResource;

@QuarkusTest
@QuarkusTestResource(OidcWiremockTestResource.class)
public class CodeFlowAuthorizationTest {

    @Test
    public void testCodeFlow() throws Exception {
        try (final WebClient webClient = createWebClient()) {
            // the test REST endpoint listens on '/code-flow'
            HtmlPage page = webClient.getPage("http://localhost:8081/code-flow");

            HtmlForm form = page.getFormByName("form");
            // user 'alice' has the 'user' role
            form.getInputByName("username").type("alice");
            form.getInputByName("password").type("alice");

            page = form.getInputByValue("login").click();

            assertEquals("alice", page.getBody().asText());
        }
    }

    private WebClient createWebClient() {
        WebClient webClient = new WebClient();
        webClient.setCssErrorHandler(new SilentCssErrorHandler());
        return webClient;
    }
}

OidcWiremockTestResource recognizes alice and admin users. The user alice has the user role only by default - it can be customized with a quarkus.test.oidc.token.user-roles system property. The user admin has the user and admin roles by default - it can be customized with a quarkus.test.oidc.token.admin-roles system property.

Additionally, OidcWiremockTestResource set token issuer and audience to https://service.example.com which can be customized with quarkus.test.oidc.token.issuer and quarkus.test.oidc.token.audience system properties.

OidcWiremockTestResource can be used to emulate all OpenID Connect providers.

Dev Services for Keycloak

Using Dev Services for Keycloak is recommended for the integration testing against Keycloak. Dev Services for Keycloak will launch and initialize a test container: it will create a quarkus realm, a quarkus-app client (secret secret) and add alice (admin and user roles) and bob (user role) users, where all of these properties can be customized.

First prepare application.properties. You can start with a completely empty application.properties as Dev Services for Keycloak will register quarkus.oidc.auth-server-url pointing to the running test container as well as quarkus.oidc.client-id=quarkus-app and quarkus.oidc.credentials.secret=secret.

But if you already have all the required quarkus-oidc properties configured then you only need to associate quarkus.oidc.auth-server-url with the prod profile for `Dev Services for Keycloak`to start a container, for example:

%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus

If a custom realm file has to be imported into Keycloak before running the tests then you can configure Dev Services for Keycloak as follows:

%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.keycloak.devservices.realm-path=quarkus-realm.json

Finally, write a test code the same way as it is described in the Wiremock section above. The only difference is that @QuarkusTestResource is no longer needed:

@QuarkusTest
public class CodeFlowAuthorizationTest {
}

KeycloakTestResourceLifecycleManager

If you need to do the integration testing against Keycloak then you are encouraged to do it with Dev Services For Keycloak. Use KeycloakTestResourceLifecycleManager for your tests only if there is a good reason not to use Dev Services for Keycloak.

Start with adding the following dependency:

pom.xml
<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-test-keycloak-server</artifactId>
    <scope>test</scope>
</dependency>
build.gradle
testImplementation("io.quarkus:quarkus-test-keycloak-server")

which provides io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager - an implementation of io.quarkus.test.common.QuarkusTestResourceLifecycleManager which starts a Keycloak container.

And configure the Maven Surefire plugin as follows:

<plugin>
    <artifactId>maven-surefire-plugin</artifactId>
    <configuration>
        <systemPropertyVariables>
            <!-- or, alternatively, configure 'keycloak.version' -->
            <keycloak.docker.image>${keycloak.docker.image}</keycloak.docker.image>
            <!--
              Disable HTTPS if required:
              <keycloak.use.https>false</keycloak.use.https>
            -->
        </systemPropertyVariables>
    </configuration>
</plugin>

(and similarly the Maven Failsafe plugin when testing in native image).

And now set the configuration and write the test code the same way as it is described in the Wiremock section above. The only difference is the name of QuarkusTestResource:

import io.quarkus.test.keycloak.server.KeycloakTestResourceLifecycleManager;

@QuarkusTest
@QuarkusTestResource(KeycloakTestResourceLifecycleManager.class)
public class CodeFlowAuthorizationTest {
}

KeycloakTestResourceLifecycleManager registers alice and admin users. The user alice has the user role only by default - it can be customized with a keycloak.token.user-roles system property. The user admin has the user and admin roles by default - it can be customized with a keycloak.token.admin-roles system property.

By default, KeycloakTestResourceLifecycleManager uses HTTPS to initialize a Keycloak instance which can be disabled with keycloak.use.https=false. Default realm name is quarkus and client id - quarkus-web-app - set keycloak.realm and keycloak.web-app.client system properties to customize the values if needed.

TestSecurity annotation

Please see Use TestingSecurity with injected JsonWebToken section for more information about using @TestSecurity and @OidcSecurity annotations for testing the web-app application endpoint code which depends on the injected ID and access JsonWebToken as well as UserInfo and OidcConfigurationMetadata.

How to check the errors in the logs

Please enable io.quarkus.oidc.runtime.OidcProvider TRACE level logging to see more details about the token verification errors:

quarkus.log.category."io.quarkus.oidc.runtime.OidcProvider".level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.OidcProvider".min-level=TRACE

Please enable io.quarkus.oidc.runtime.OidcRecorder TRACE level logging to see more details about the OidcProvider client initialization errors:

quarkus.log.category."io.quarkus.oidc.runtime.OidcRecorder".level=TRACE
quarkus.log.category."io.quarkus.oidc.runtime.OidcRecorder".min-level=TRACE

Running behind a reverse proxy

OIDC authentication mechanism can be affected if your Quarkus application is running behind a reverse proxy/gateway/firewall when HTTP Host header may be reset to the internal IP address, HTTPS connection may be terminated, etc. For example, an authorization code flow redirect_uri parameter may be set to the internal host instead of the expected external one.

In such cases configuring Quarkus to recognize the original headers forwarded by the proxy will be required, see Running behind a reverse proxy Vert.x documentation section for more information.

For example, if your Quarkus endpoint runs in a cluster behind Kubernetes Ingress then a redirect from the OpenID Connect Provider back to this endpoint may not work since the calculated redirect_uri parameter may point to the internal endpoint address. This problem can be resolved with the following configuration:

quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-forwarded=false
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.forwarded-host-header=X-ORIGINAL-HOST

where X-ORIGINAL-HOST is set by Kubernetes Ingress to represent the external endpoint address.

quarkus.oidc.authentication.force-redirect-https-scheme property may also be used when the Quarkus application is running behind an SSL terminating reverse proxy.

External and Internal Access to OpenID Connect Provider

Note that the OpenID Connect Provider externally accessible authorization, logout and other endpoints may have different HTTP(S) URLs compared to the URLs auto-discovered or configured relative to quarkus.oidc.auth-server-url internal URL. In such cases an issuer verification failure may be reported by the endpoint and redirects to the externally accessible Connect Provider endpoints may fail.

In such cases, if you work with Keycloak then please start it with a KEYCLOAK_FRONTEND_URL system property set to the externally accessible base URL. If you work with other Openid Connect providers then please check your provider’s documentation.

Customize authentication requests

By default, only the response_type (set to code), scope (set to 'openid'), client_id, redirect_uri and state properties are passed as HTTP query parameters to the OpenID Connect provider’s authorization endpoint when the user is redirected to it to authenticate.

You can add more properties to it with quarkus.oidc.authentication.extra-params. For example, some OpenID Connect providers may choose to return the authorization code as part of the redirect URI’s fragment which would break the authentication process - it can be fixed as follows:

quarkus.oidc.authentication.extra-params.response_mode=query

Customize authentication error response

If the user authentication has failed at the OpenID Connect Authorization endpoint, for example, due to an invalid scope or other invalid parameters included in the redirect to the provider, then the provider will redirect the user back to Quarkus not with the code but error and error_description parameters.

In such cases HTTP 401 will be returned by default. However, you can instead request that a custom public error endpoint is called in order to return a user-friendly HTML error page. Use quarkus.oidc.authentication.error-path, for example:

quarkus.oidc.authentication.error-path=/error

It has to start from a forward slash and be relative to the current endpoint’s base URI. For example, if it is set as '/error' and the current request URI is https://localhost:8080/callback?error=invalid_scope then a final redirect will be made to https://localhost:8080/error?error=invalid_scope.

It is important that this error endpoint is a public resource to avoid the user redirected to this page be authenticated again.

Configuration Reference

Configuration property fixed at build time - All other configuration properties are overridable at runtime

Configuration property

Type

Default

quarkus.keycloak.devservices.enabled

If DevServices has been explicitly enabled or disabled. When DevServices is enabled Quarkus will attempt to automatically configure and start Keycloak when running in Dev or Test mode and when Docker is running.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_ENABLED

boolean

true

quarkus.keycloak.devservices.image-name

The container image name to use, for container based DevServices providers. Image with a Quarkus based distribution is used by default. Image with a WildFly based distribution can be selected instead, for example: 'quay.io/keycloak/keycloak:19.0.3-legacy'. Note Keycloak Quarkus and Keycloak WildFly images are initialized differently. By default, Dev Services for Keycloak will assume it is a Keycloak Quarkus image if the image version does not end with a '-legacy' string. Set 'quarkus.keycloak.devservices.keycloak-x-image' to override this check.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_IMAGE_NAME

string

quay.io/keycloak/keycloak:20.0.2

quarkus.keycloak.devservices.keycloak-x-image

If Keycloak-X image is used. By default, Dev Services for Keycloak will assume a Keycloak-X image is used if the image name contains a 'keycloak-x' string. Set 'quarkus.keycloak.devservices.keycloak-x-image' to override this check which may be necessary if you build custom Keycloak-X or Keycloak images. You do not need to set this property if the default check works.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_KEYCLOAK_X_IMAGE

boolean

quarkus.keycloak.devservices.shared

Indicates if the Keycloak container managed by Quarkus Dev Services is shared. When shared, Quarkus looks for running containers using label-based service discovery. If a matching container is found, it is used, and so a second one is not started. Otherwise, Dev Services for Keycloak starts a new container. The discovery uses the quarkus-dev-service-label label. The value is configured using the service-name property. Container sharing is only used in dev mode.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_SHARED

boolean

true

quarkus.keycloak.devservices.service-name

The value of the quarkus-dev-service-keycloak label attached to the started container. This property is used when shared is set to true. In this case, before starting a container, Dev Services for Keycloak looks for a container with the quarkus-dev-service-keycloak label set to the configured value. If found, it will use this container instead of starting a new one. Otherwise, it starts a new container with the quarkus-dev-service-keycloak label set to the specified value. Container sharing is only used in dev mode.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_SERVICE_NAME

string

quarkus

quarkus.keycloak.devservices.realm-path

The comma-separated list of class or file system paths to Keycloak realm files which will be used to initialize Keycloak. The first value in this list will be used to initialize default tenant connection properties.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_REALM_PATH

list of string

quarkus.keycloak.devservices.java-opts

The JAVA_OPTS passed to the keycloak JVM

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_JAVA_OPTS

string

quarkus.keycloak.devservices.show-logs

Show Keycloak log messages with a "Keycloak:" prefix.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_SHOW_LOGS

boolean

false

quarkus.keycloak.devservices.start-command

Keycloak start command. Use this property to experiment with Keycloak start options, see https://www.keycloak.org/server/all-config. Note it will be ignored when loading legacy Keycloak WildFly images.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_START_COMMAND

string

quarkus.keycloak.devservices.realm-name

The Keycloak realm name. This property will be used to create the realm if the realm file pointed to by the 'realm-path' property does not exist, default value is 'quarkus' in this case. If the realm file pointed to by the 'realm-path' property exists then it is still recommended to set this property for Dev Services for Keycloak to avoid parsing the realm file in order to determine the realm name.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_REALM_NAME

string

quarkus.keycloak.devservices.create-realm

Indicates if the Keycloak realm has to be created when the realm file pointed to by the 'realm-path' property does not exist. Disable it if you’d like to create a realm using Keycloak Administration Console or Keycloak Admin API from io.quarkus.test.common.QuarkusTestResourceLifecycleManager.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_CREATE_REALM

boolean

true

quarkus.keycloak.devservices.port

Optional fixed port the dev service will listen to. If not defined, the port will be chosen randomly.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_PORT

int

quarkus.keycloak.devservices.users

The Keycloak users map containing the username and password pairs. If this map is empty then two users, 'alice' and 'bob' with the passwords matching their names will be created. This property will be used to create the Keycloak users if the realm file pointed to by the 'realm-path' property does not exist.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_USERS

Map<String,String>

quarkus.keycloak.devservices.roles

The Keycloak user roles. If this map is empty then a user named 'alice' will get 'admin' and 'user' roles and all other users will get a 'user' role. This property will be used to create the Keycloak roles if the realm file pointed to by the 'realm-path' property does not exist.

Environment variable: QUARKUS_KEYCLOAK_DEVSERVICES_ROLES

Map<String,List<String>>

quarkus.oidc.enabled

If the OIDC extension is enabled.

Environment variable: QUARKUS_OIDC_ENABLED

boolean

true

quarkus.oidc.devui.grant.type

Grant type which will be used to acquire a token to test the OIDC 'service' applications

Environment variable: QUARKUS_OIDC_DEVUI_GRANT_TYPE

client'client_credentials' grant, password'password' grant, code'authorization_code' grant, implicit'implicit' grant

quarkus.oidc.devui.web-client-timeout

The WebClient timeout. Use this property to configure how long an HTTP client used by Dev UI handlers will wait for a response when requesting tokens from OpenId Connect Provider and sending them to the service endpoint.

Environment variable: QUARKUS_OIDC_DEVUI_WEB_CLIENT_TIMEOUT

Duration

4S

quarkus.oidc.default-token-cache-enabled

Enable the registration of the Default TokenIntrospection and UserInfo Cache implementation bean. Note it only allows to use the default implementation, one needs to configure it in order to activate it, please see OidcConfig#tokenCache.

Environment variable: QUARKUS_OIDC_DEFAULT_TOKEN_CACHE_ENABLED

boolean

true

quarkus.oidc.auth-server-url

The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.

Environment variable: QUARKUS_OIDC_AUTH_SERVER_URL

string

quarkus.oidc.discovery-enabled

Enables OIDC discovery. If the discovery is disabled then the OIDC endpoint URLs must be configured individually.

Environment variable: QUARKUS_OIDC_DISCOVERY_ENABLED

boolean

true

quarkus.oidc.token-path

Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens.

Environment variable: QUARKUS_OIDC_TOKEN_PATH

string

quarkus.oidc.revoke-path

Relative path or absolute URL of the OIDC token revocation endpoint.

Environment variable: QUARKUS_OIDC_REVOKE_PATH

string

quarkus.oidc.client-id

The client-id of the application. Each application has a client-id that is used to identify the application

Environment variable: QUARKUS_OIDC_CLIENT_ID

string

quarkus.oidc.connection-delay

The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.

Environment variable: QUARKUS_OIDC_CONNECTION_DELAY

Duration

quarkus.oidc.connection-retry-count

The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.

Environment variable: QUARKUS_OIDC_CONNECTION_RETRY_COUNT

int

3

quarkus.oidc.connection-timeout

The amount of time after which the current OIDC connection request will time out.

Environment variable: QUARKUS_OIDC_CONNECTION_TIMEOUT

Duration

10S

quarkus.oidc.max-pool-size

The maximum size of the connection pool used by the WebClient

Environment variable: QUARKUS_OIDC_MAX_POOL_SIZE

int

quarkus.oidc.credentials.secret

Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.

Environment variable: QUARKUS_OIDC_CREDENTIALS_SECRET

string

quarkus.oidc.credentials.client-secret.value

The client secret value - it will be ignored if 'secret.key' is set

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_VALUE

string

quarkus.oidc.credentials.client-secret.provider.name

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

string

quarkus.oidc.credentials.client-secret.provider.key

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY

string

quarkus.oidc.credentials.client-secret.method

Authentication method.

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_METHOD

basicclient_secret_basic (default): client id and secret are submitted with the HTTP Authorization Basic scheme, postclient_secret_post: client id and secret are submitted as the 'client_id' and 'client_secret' form parameters., post-jwtclient_secret_jwt: client id and generated JWT secret are submitted as the 'client_id' and 'client_secret' form parameters.

quarkus.oidc.credentials.jwt.secret

If provided, indicates that JWT is signed using a secret key

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET

string

quarkus.oidc.credentials.jwt.secret-provider.name

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_NAME

string

quarkus.oidc.credentials.jwt.secret-provider.key

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEY

string

quarkus.oidc.credentials.jwt.key-file

If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_FILE

string

quarkus.oidc.credentials.jwt.key-store-file

If provided, indicates that JWT is signed using a private key from a key store

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_FILE

string

quarkus.oidc.credentials.jwt.key-store-password

A parameter to specify the password of the key store file. If not given, the default ("password") is used.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_PASSWORD

string

password

quarkus.oidc.credentials.jwt.key-id

The private key id/alias

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_ID

string

quarkus.oidc.credentials.jwt.key-password

The private key password

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_PASSWORD

string

password

quarkus.oidc.credentials.jwt.audience

JWT audience ('aud') claim value. By default, the audience is set to the address of the OpenId Connect Provider’s token endpoint.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_AUDIENCE

string

quarkus.oidc.credentials.jwt.token-key-id

Key identifier of the signing key added as a JWT 'kid' header

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_KEY_ID

string

quarkus.oidc.credentials.jwt.issuer

Issuer of the signing key added as a JWT 'iss' claim (default: client id)

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_ISSUER

string

quarkus.oidc.credentials.jwt.subject

Subject of the signing key added as a JWT 'sub' claim (default: client id)

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SUBJECT

string

quarkus.oidc.credentials.jwt.signature-algorithm

Signature algorithm, also used for the key-file property. Supported values: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SIGNATURE_ALGORITHM

string

quarkus.oidc.credentials.jwt.lifespan

JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_LIFESPAN

int

10

quarkus.oidc.proxy.host

The host (name or IP address) of the Proxy. Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.

Environment variable: QUARKUS_OIDC_PROXY_HOST

string

quarkus.oidc.proxy.port

The port number of the Proxy. Default value is 80.

Environment variable: QUARKUS_OIDC_PROXY_PORT

int

80

quarkus.oidc.proxy.username

The username, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC_PROXY_USERNAME

string

quarkus.oidc.proxy.password

The password, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC_PROXY_PASSWORD

string

quarkus.oidc.tls.verification

Certificate validation and hostname verification, which can be one of the following values from enum Verification. Default is required.

Environment variable: QUARKUS_OIDC_TLS_VERIFICATION

requiredCertificates are validated and hostname verification is enabled. This is the default value., certificate-validationCertificates are validated but hostname verification is disabled., noneAll certificated are trusted and hostname verification is disabled.

quarkus.oidc.tls.key-store-file

An optional key store which holds the certificate information instead of specifying separate files.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_FILE

path

quarkus.oidc.tls.key-store-file-type

An optional parameter to specify type of the key store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE

string

quarkus.oidc.tls.key-store-provider

An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_PROVIDER

string

quarkus.oidc.tls.key-store-password

A parameter to specify the password of the key store file. If not given, the default ("password") is used.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD

string

password

quarkus.oidc.tls.key-store-key-alias

An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_KEY_ALIAS

string

quarkus.oidc.tls.key-store-key-password

An optional parameter to define the password for the key, in case it’s different from key-store-password.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_KEY_PASSWORD

string

quarkus.oidc.tls.trust-store-file

An optional trust store which holds the certificate information of the certificates to trust

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_FILE

path

quarkus.oidc.tls.trust-store-password

A parameter to specify the password of the trust store file.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD

string

quarkus.oidc.tls.trust-store-cert-alias

A parameter to specify the alias of the trust store certificate.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_CERT_ALIAS

string

quarkus.oidc.tls.trust-store-file-type

An optional parameter to specify type of the trust store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE

string

quarkus.oidc.tls.trust-store-provider

An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_PROVIDER

string

quarkus.oidc.tenant-id

A unique tenant identifier. It must be set by TenantConfigResolver providers which resolve the tenant configuration dynamically and is optional in all other cases.

Environment variable: QUARKUS_OIDC_TENANT_ID

string

quarkus.oidc.tenant-enabled

If this tenant configuration is enabled.

Environment variable: QUARKUS_OIDC_TENANT_ENABLED

boolean

true

quarkus.oidc.application-type

The application type, which can be one of the following values from enum ApplicationType.

Environment variable: QUARKUS_OIDC_APPLICATION_TYPE

web-appA WEB_APP is a client that serves pages, usually a frontend application. For this type of client the Authorization Code Flow is defined as the preferred method for authenticating users., serviceA SERVICE is a client that has a set of protected HTTP resources, usually a backend application following the RESTful Architectural Design. For this type of client, the Bearer Authorization method is defined as the preferred method for authenticating and authorizing users., hybridA combined SERVICE and WEB_APP client. For this type of client, the Bearer Authorization method will be used if the Authorization header is set and Authorization Code Flow - if not.

service

quarkus.oidc.authorization-path

Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_AUTHORIZATION_PATH

string

quarkus.oidc.user-info-path

Relative path or absolute URL of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_USER_INFO_PATH

string

quarkus.oidc.introspection-path

Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_INTROSPECTION_PATH

string

quarkus.oidc.jwks-path

Relative path or absolute URL of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_JWKS_PATH

string

quarkus.oidc.end-session-path

Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_END_SESSION_PATH

string

quarkus.oidc.public-key

Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.

Environment variable: QUARKUS_OIDC_PUBLIC_KEY

string

quarkus.oidc.introspection-credentials.name

Name

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_NAME

string

quarkus.oidc.introspection-credentials.secret

Secret

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_SECRET

string

quarkus.oidc.introspection-credentials.include-client-id

Include OpenId Connect Client ID configured with 'quarkus.oidc.client-id'

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_INCLUDE_CLIENT_ID

boolean

true

quarkus.oidc.roles.role-claim-path

List of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in one or more different claims.

Environment variable: QUARKUS_OIDC_ROLES_ROLE_CLAIM_PATH

list of string

quarkus.oidc.roles.role-claim-separator

Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.

Environment variable: QUARKUS_OIDC_ROLES_ROLE_CLAIM_SEPARATOR

string

quarkus.oidc.roles.source

Source of the principal roles.

Environment variable: QUARKUS_OIDC_ROLES_SOURCE

idtokenID Token - the default value for the 'web-app' applications., accesstokenAccess Token - the default value for the 'service' applications; can also be used as the source of roles for the 'web-app' applications., userinfoUser Info

quarkus.oidc.token.issuer

Expected issuer 'iss' claim value. Note this property overrides the issuer property which may be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.

Environment variable: QUARKUS_OIDC_TOKEN_ISSUER

string

quarkus.oidc.token.audience

Expected audience 'aud' claim value which may be a string or an array of strings.

Environment variable: QUARKUS_OIDC_TOKEN_AUDIENCE

list of string

quarkus.oidc.token.token-type

Expected token type

Environment variable: QUARKUS_OIDC_TOKEN_TOKEN_TYPE

string

quarkus.oidc.token.lifespan-grace

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC_TOKEN_LIFESPAN_GRACE

int

quarkus.oidc.token.age

Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with 'quarkus.oidc.token.lifespan-grace' to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid ('exp') expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an 'exp' claim. However, even if the current logout token is allowed to have no 'exp' claim, the exp claim will be still verified if the logout token contains it.

Environment variable: QUARKUS_OIDC_TOKEN_AGE

Duration

quarkus.oidc.token.principal-claim

Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and sub claims are checked.

Environment variable: QUARKUS_OIDC_TOKEN_PRINCIPAL_CLAIM

string

quarkus.oidc.token.refresh-expired

Refresh expired ID tokens. If this property is enabled then a refresh token request will be performed if the ID token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}.

Environment variable: QUARKUS_OIDC_TOKEN_REFRESH_EXPIRED

boolean

false

quarkus.oidc.token.refresh-token-time-skew

Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen. This property will be ignored if the 'refresh-expired' property is not enabled.

Environment variable: QUARKUS_OIDC_TOKEN_REFRESH_TOKEN_TIME_SKEW

Duration

quarkus.oidc.token.forced-jwk-refresh-interval

Forced JWK set refresh interval in minutes.

Environment variable: QUARKUS_OIDC_TOKEN_FORCED_JWK_REFRESH_INTERVAL

Duration

10M

quarkus.oidc.token.header

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE}.

Environment variable: QUARKUS_OIDC_TOKEN_HEADER

string

quarkus.oidc.token.decryption-key-location

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.

Environment variable: QUARKUS_OIDC_TOKEN_DECRYPTION_KEY_LOCATION

string

quarkus.oidc.token.allow-jwt-introspection

Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to false instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.

Environment variable: QUARKUS_OIDC_TOKEN_ALLOW_JWT_INTROSPECTION

boolean

true

quarkus.oidc.token.require-jwt-introspection-only

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

boolean

false

quarkus.oidc.token.allow-opaque-token-introspection

Allow the remote introspection of the opaque tokens. Set this property to 'false' if only JWT tokens are expected.

Environment variable: QUARKUS_OIDC_TOKEN_ALLOW_OPAQUE_TOKEN_INTROSPECTION

boolean

true

quarkus.oidc.token.verify-access-token-with-user-info

Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens have to be accepted but OpenId Connect provider does not have a token introspection endpoint. This property will have no effect when JWT tokens have to be verified.

Environment variable: QUARKUS_OIDC_TOKEN_VERIFY_ACCESS_TOKEN_WITH_USER_INFO

boolean

false

quarkus.oidc.logout.path

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC_LOGOUT_PATH

string

quarkus.oidc.logout.post-logout-path

Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_POST_LOGOUT_PATH

string

quarkus.oidc.logout.post-logout-uri-param

Name of the post logout URI parameter which will be added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_POST_LOGOUT_URI_PARAM

string

post_logout_redirect_uri

quarkus.oidc.logout.backchannel.path

The relative path of the Back-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_PATH

string

quarkus.oidc.logout.frontchannel.path

The relative path of the Front-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC_LOGOUT_FRONTCHANNEL_PATH

string

quarkus.oidc.authentication.response-mode

Authorization code flow response mode

Environment variable: QUARKUS_OIDC_AUTHENTICATION_RESPONSE_MODE

queryAuthorization response parameters are encoded in the query string added to the redirect_uri, form-postAuthorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted via the HTTP POST method using the application/x-www-form-urlencoded content type

query

quarkus.oidc.authentication.redirect-path

Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated if 'restorePathAfterRedirect' is set to 'true'.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REDIRECT_PATH

string

quarkus.oidc.authentication.restore-path-after-redirect

If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI will be restored even if this property is disabled.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_RESTORE_PATH_AFTER_REDIRECT

boolean

false

quarkus.oidc.authentication.remove-redirect-parameters

Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REMOVE_REDIRECT_PARAMETERS

boolean

true

quarkus.oidc.authentication.error-path

Relative path to the public endpoint which will process the error response from the OIDC authorization endpoint. If the user authentication has failed then the OIDC provider will return an 'error' and an optional 'error_description' parameters, instead of the expected authorization 'code'. If this property is set then the user will be redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if it is set as '/error' and the current request URI is 'https://localhost:8080/callback?error=invalid_scope' then a redirect will be made to 'https://localhost:8080/error?error=invalid_scope'. If this property is not set then HTTP 401 status will be returned in case of the user authentication failure.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ERROR_PATH

string

quarkus.oidc.authentication.verify-access-token

Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles. Access token is not verified by default since it is meant to be propagated to the downstream services. The verification of the access token should be enabled if it is injected as a JWT token. Access tokens obtained as part of the code flow will always be verified if quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision will be based on the roles extracted from the access token. Bearer access tokens are always verified.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_VERIFY_ACCESS_TOKEN

boolean

false

quarkus.oidc.authentication.force-redirect-https-scheme

Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout post_logout_redirect_uri and the local redirect requests.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME

boolean

false

quarkus.oidc.authentication.scopes

List of scopes

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SCOPES

list of string

quarkus.oidc.authentication.add-openid-scope

Add the 'openid' scope automatically to the list of scopes. This is required for OpenId Connect providers but will not work for OAuth2 providers such as Twitter OAuth2 which does not accept that scope and throws an error.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ADD_OPENID_SCOPE

boolean

true

quarkus.oidc.authentication.forward-params

Request URL query parameters which, if present, will be added to the authentication redirect URI.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_FORWARD_PARAMS

list of string

quarkus.oidc.authentication.cookie-force-secure

If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_FORCE_SECURE

boolean

false

quarkus.oidc.authentication.cookie-suffix

Cookie name suffix. For example, a session cookie name for the default OIDC tenant is 'q_session' but can be changed to 'q_session_test' if this property is set to 'test'.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_SUFFIX

string

quarkus.oidc.authentication.cookie-path

Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_PATH

string

/

quarkus.oidc.authentication.cookie-path-header

Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value will be used to set a path parameter for the session, state and post logout cookies. If the header is missing then the cookie-path property will be checked.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_PATH_HEADER

string

quarkus.oidc.authentication.cookie-domain

Cookie domain parameter value which, if set, will be used for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_DOMAIN

string

quarkus.oidc.authentication.cookie-same-site

SameSite attribute for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_SAME_SITE

strict, lax, none

strict

quarkus.oidc.authentication.user-info-required

If this property is set to 'true' then an OIDC UserInfo endpoint will be called.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_USER_INFO_REQUIRED

boolean

false

quarkus.oidc.authentication.session-age-extension

Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user will be redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a non-zero value then the expired ID token can be refreshed before the session has expired. This property will be ignored if the token.refresh-expired property has not been enabled.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SESSION_AGE_EXTENSION

Duration

5M

quarkus.oidc.authentication.java-script-auto-redirect

If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to false then a status code of '499' will be returned to allow the client to handle the redirect manually

Environment variable: QUARKUS_OIDC_AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

boolean

true

quarkus.oidc.authentication.id-token-required

Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken will be generated in such cases.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ID_TOKEN_REQUIRED

boolean

true

quarkus.oidc.authentication.internal-id-token-lifespan

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Duration

5M

quarkus.oidc.authentication.pkce-required

Requires that a Proof Key for Code Exchange (PKCE) is used.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_PKCE_REQUIRED

boolean

false

quarkus.oidc.authentication.pkce-secret

Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret must be set if PKCE is required but no client secret is set. The length of the secret which will be used to encrypt the code verifier must be 32 characters long.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_PKCE_SECRET

string

quarkus.oidc.token-state-manager.strategy

Default TokenStateManager strategy.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_STRATEGY

keep-all-tokensKeep ID, access and refresh tokens., id-tokenKeep ID token only, id-refresh-tokensKeep ID and refresh tokens only

keep-all-tokens

quarkus.oidc.token-state-manager.split-tokens

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_SPLIT_TOKENS

boolean

false

quarkus.oidc.token-state-manager.encryption-required

Requires that the tokens are encrypted before being stored in the cookies.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_ENCRYPTION_REQUIRED

boolean

false

quarkus.oidc.token-state-manager.encryption-secret

Secret which will be used to encrypt the tokens. This secret must be set if the token encryption is required but no client secret is set. The length of the secret which will be used to encrypt the tokens must be 32 characters long.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

string

quarkus.oidc.allow-token-introspection-cache

Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC_ALLOW_TOKEN_INTROSPECTION_CACHE

boolean

true

quarkus.oidc.allow-user-info-cache

Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC_ALLOW_USER_INFO_CACHE

boolean

true

quarkus.oidc.cache-user-info-in-idtoken

Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.

Environment variable: QUARKUS_OIDC_CACHE_USER_INFO_IN_IDTOKEN

boolean

false

quarkus.oidc.provider

Well known OpenId Connect provider identifier

Environment variable: QUARKUS_OIDC_PROVIDER

apple, facebook, github, google, microsoft, spotify, twitter

quarkus.oidc.token-cache.max-size

Maximum number of cache entries. Set it to a positive value if the cache has to be enabled.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_MAX_SIZE

int

0

quarkus.oidc.token-cache.time-to-live

Maximum amount of time a given cache entry is valid for.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_TIME_TO_LIVE

Duration

3M

quarkus.oidc.token-cache.clean-up-timer-interval

Clean up timer interval. If this property is set then a timer will check and remove the stale entries periodically.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_CLEAN_UP_TIMER_INTERVAL

Duration

quarkus.oidc.devui.grant-options

Grant options

Environment variable: QUARKUS_OIDC_DEVUI_GRANT_OPTIONS

Map<String,Map<String,String>>

quarkus.oidc.token.required-claims

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRED_CLAIMS

Map<String,String>

quarkus.oidc.logout.extra-params

Additional properties which will be added as the query parameters to the logout redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_EXTRA_PARAMS

Map<String,String>

quarkus.oidc.authentication.extra-params

Additional properties which will be added as the query parameters to the authentication redirect URI.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_EXTRA_PARAMS

Map<String,String>

quarkus.oidc.code-grant.extra-params

Additional parameters, in addition to the required code and redirect-uri parameters, which have to be included to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC_CODE_GRANT_EXTRA_PARAMS

Map<String,String>

quarkus.oidc.code-grant.headers

Custom HTTP headers which have to be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC_CODE_GRANT_HEADERS

Map<String,String>

Additional named tenants

Type

Default

quarkus.oidc."tenant".auth-server-url

The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: https://host:port/realms/{realm} where {realm} has to be replaced by the name of the Keycloak realm.

Environment variable: QUARKUS_OIDC__TENANT__AUTH_SERVER_URL

string

quarkus.oidc."tenant".discovery-enabled

Enables OIDC discovery. If the discovery is disabled then the OIDC endpoint URLs must be configured individually.

Environment variable: QUARKUS_OIDC__TENANT__DISCOVERY_ENABLED

boolean

true

quarkus.oidc."tenant".token-path

Relative path or absolute URL of the OIDC token endpoint which issues access and refresh tokens.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_PATH

string

quarkus.oidc."tenant".revoke-path

Relative path or absolute URL of the OIDC token revocation endpoint.

Environment variable: QUARKUS_OIDC__TENANT__REVOKE_PATH

string

quarkus.oidc."tenant".client-id

The client-id of the application. Each application has a client-id that is used to identify the application

Environment variable: QUARKUS_OIDC__TENANT__CLIENT_ID

string

quarkus.oidc."tenant".connection-delay

The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_DELAY

Duration

quarkus.oidc."tenant".connection-retry-count

The number of times an attempt to re-establish an already available connection will be repeated for. Note this property is different to the connection-delay property which is only effective during the initial OIDC connection creation. This property is used to try to recover the existing connection which may have been temporarily lost. For example, if a request to the OIDC token endpoint fails due to a connection exception then the request will be retried for a number of times configured by this property.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_RETRY_COUNT

int

3

quarkus.oidc."tenant".connection-timeout

The amount of time after which the current OIDC connection request will time out.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_TIMEOUT

Duration

10S

quarkus.oidc."tenant".max-pool-size

The maximum size of the connection pool used by the WebClient

Environment variable: QUARKUS_OIDC__TENANT__MAX_POOL_SIZE

int

quarkus.oidc."tenant".credentials.secret

Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_SECRET

string

quarkus.oidc."tenant".credentials.client-secret.value

The client secret value - it will be ignored if 'secret.key' is set

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_VALUE

string

quarkus.oidc."tenant".credentials.client-secret.provider.name

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

string

quarkus.oidc."tenant".credentials.client-secret.provider.key

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY

string

quarkus.oidc."tenant".credentials.client-secret.method

Authentication method.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_METHOD

basicclient_secret_basic (default): client id and secret are submitted with the HTTP Authorization Basic scheme, postclient_secret_post: client id and secret are submitted as the 'client_id' and 'client_secret' form parameters., post-jwtclient_secret_jwt: client id and generated JWT secret are submitted as the 'client_id' and 'client_secret' form parameters.

quarkus.oidc."tenant".credentials.jwt.secret

If provided, indicates that JWT is signed using a secret key

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET

string

quarkus.oidc."tenant".credentials.jwt.secret-provider.name

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_NAME

string

quarkus.oidc."tenant".credentials.jwt.secret-provider.key

The CredentialsProvider client secret key

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEY

string

quarkus.oidc."tenant".credentials.jwt.key-file

If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_FILE

string

quarkus.oidc."tenant".credentials.jwt.key-store-file

If provided, indicates that JWT is signed using a private key from a key store

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_FILE

string

quarkus.oidc."tenant".credentials.jwt.key-store-password

A parameter to specify the password of the key store file. If not given, the default ("password") is used.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_PASSWORD

string

password

quarkus.oidc."tenant".credentials.jwt.key-id

The private key id/alias

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_ID

string

quarkus.oidc."tenant".credentials.jwt.key-password

The private key password

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_PASSWORD

string

password

quarkus.oidc."tenant".credentials.jwt.audience

JWT audience ('aud') claim value. By default, the audience is set to the address of the OpenId Connect Provider’s token endpoint.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_AUDIENCE

string

quarkus.oidc."tenant".credentials.jwt.token-key-id

Key identifier of the signing key added as a JWT 'kid' header

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_TOKEN_KEY_ID

string

quarkus.oidc."tenant".credentials.jwt.issuer

Issuer of the signing key added as a JWT 'iss' claim (default: client id)

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ISSUER

string

quarkus.oidc."tenant".credentials.jwt.subject

Subject of the signing key added as a JWT 'sub' claim (default: client id)

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SUBJECT

string

quarkus.oidc."tenant".credentials.jwt.signature-algorithm

Signature algorithm, also used for the key-file property. Supported values: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SIGNATURE_ALGORITHM

string

quarkus.oidc."tenant".credentials.jwt.lifespan

JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_LIFESPAN

int

10

quarkus.oidc."tenant".proxy.host

The host (name or IP address) of the Proxy. Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_HOST

string

quarkus.oidc."tenant".proxy.port

The port number of the Proxy. Default value is 80.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_PORT

int

80

quarkus.oidc."tenant".proxy.username

The username, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_USERNAME

string

quarkus.oidc."tenant".proxy.password

The password, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_PASSWORD

string

quarkus.oidc."tenant".tls.verification

Certificate validation and hostname verification, which can be one of the following values from enum Verification. Default is required.

Environment variable: QUARKUS_OIDC__TENANT__TLS_VERIFICATION

requiredCertificates are validated and hostname verification is enabled. This is the default value., certificate-validationCertificates are validated but hostname verification is disabled., noneAll certificated are trusted and hostname verification is disabled.

quarkus.oidc."tenant".tls.key-store-file

An optional key store which holds the certificate information instead of specifying separate files.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE

path

quarkus.oidc."tenant".tls.key-store-file-type

An optional parameter to specify type of the key store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE_TYPE

string

quarkus.oidc."tenant".tls.key-store-provider

An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PROVIDER

string

quarkus.oidc."tenant".tls.key-store-password

A parameter to specify the password of the key store file. If not given, the default ("password") is used.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PASSWORD

string

password

quarkus.oidc."tenant".tls.key-store-key-alias

An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_ALIAS

string

quarkus.oidc."tenant".tls.key-store-key-password

An optional parameter to define the password for the key, in case it’s different from key-store-password.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_PASSWORD

string

quarkus.oidc."tenant".tls.trust-store-file

An optional trust store which holds the certificate information of the certificates to trust

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE

path

quarkus.oidc."tenant".tls.trust-store-password

A parameter to specify the password of the trust store file.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PASSWORD

string

quarkus.oidc."tenant".tls.trust-store-cert-alias

A parameter to specify the alias of the trust store certificate.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_CERT_ALIAS

string

quarkus.oidc."tenant".tls.trust-store-file-type

An optional parameter to specify type of the trust store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE_TYPE

string

quarkus.oidc."tenant".tls.trust-store-provider

An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PROVIDER

string

quarkus.oidc."tenant".tenant-id

A unique tenant identifier. It must be set by TenantConfigResolver providers which resolve the tenant configuration dynamically and is optional in all other cases.

Environment variable: QUARKUS_OIDC__TENANT__TENANT_ID

string

quarkus.oidc."tenant".tenant-enabled

If this tenant configuration is enabled.

Environment variable: QUARKUS_OIDC__TENANT__TENANT_ENABLED

boolean

true

quarkus.oidc."tenant".application-type

The application type, which can be one of the following values from enum ApplicationType.

Environment variable: QUARKUS_OIDC__TENANT__APPLICATION_TYPE

web-appA WEB_APP is a client that serves pages, usually a frontend application. For this type of client the Authorization Code Flow is defined as the preferred method for authenticating users., serviceA SERVICE is a client that has a set of protected HTTP resources, usually a backend application following the RESTful Architectural Design. For this type of client, the Bearer Authorization method is defined as the preferred method for authenticating and authorizing users., hybridA combined SERVICE and WEB_APP client. For this type of client, the Bearer Authorization method will be used if the Authorization header is set and Authorization Code Flow - if not.

service

quarkus.oidc."tenant".authorization-path

Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHORIZATION_PATH

string

quarkus.oidc."tenant".user-info-path

Relative path or absolute URL of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__USER_INFO_PATH

string

quarkus.oidc."tenant".introspection-path

Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_PATH

string

quarkus.oidc."tenant".jwks-path

Relative path or absolute URL of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__JWKS_PATH

string

quarkus.oidc."tenant".end-session-path

Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__END_SESSION_PATH

string

quarkus.oidc."tenant".public-key

Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.

Environment variable: QUARKUS_OIDC__TENANT__PUBLIC_KEY

string

quarkus.oidc."tenant".introspection-credentials.name

Name

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_CREDENTIALS_NAME

string

quarkus.oidc."tenant".introspection-credentials.secret

Secret

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_CREDENTIALS_SECRET

string

quarkus.oidc."tenant".introspection-credentials.include-client-id

Include OpenId Connect Client ID configured with 'quarkus.oidc.client-id'

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_CREDENTIALS_INCLUDE_CLIENT_ID

boolean

true

quarkus.oidc."tenant".roles.role-claim-path

List of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in one or more different claims.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_ROLE_CLAIM_PATH

list of string

quarkus.oidc."tenant".roles.role-claim-separator

Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_ROLE_CLAIM_SEPARATOR

string

quarkus.oidc."tenant".roles.source

Source of the principal roles.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_SOURCE

idtokenID Token - the default value for the 'web-app' applications., accesstokenAccess Token - the default value for the 'service' applications; can also be used as the source of roles for the 'web-app' applications., userinfoUser Info

quarkus.oidc."tenant".token.issuer

Expected issuer 'iss' claim value. Note this property overrides the issuer property which may be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_ISSUER

string

quarkus.oidc."tenant".token.audience

Expected audience 'aud' claim value which may be a string or an array of strings.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_AUDIENCE

list of string

quarkus.oidc."tenant".token.required-claims

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRED_CLAIMS

Map<String,String>

quarkus.oidc."tenant".token.token-type

Expected token type

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_TOKEN_TYPE

string

quarkus.oidc."tenant".token.lifespan-grace

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_LIFESPAN_GRACE

int

quarkus.oidc."tenant".token.age

Token age. It allows for the number of seconds to be specified that must not elapse since the iat (issued at) time. A small leeway to account for clock skew which can be configured with 'quarkus.oidc.token.lifespan-grace' to verify the token expiry time can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid ('exp') expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request since the current OpenId Connect Back-Channel specification does not explicitly require the logout tokens to contain an 'exp' claim. However, even if the current logout token is allowed to have no 'exp' claim, the exp claim will be still verified if the logout token contains it.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_AGE

Duration

quarkus.oidc."tenant".token.principal-claim

Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and sub claims are checked.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_PRINCIPAL_CLAIM

string

quarkus.oidc."tenant".token.refresh-expired

Refresh expired ID tokens. If this property is enabled then a refresh token request will be performed if the ID token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the authentication.session-age-extension property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type ApplicationType#WEB_APP}.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REFRESH_EXPIRED

boolean

false

quarkus.oidc."tenant".token.refresh-token-time-skew

Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token’s expiration time then a refresh is going to happen. This property will be ignored if the 'refresh-expired' property is not enabled.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REFRESH_TOKEN_TIME_SKEW

Duration

quarkus.oidc."tenant".token.forced-jwk-refresh-interval

Forced JWK set refresh interval in minutes.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_FORCED_JWK_REFRESH_INTERVAL

Duration

10M

quarkus.oidc."tenant".token.header

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE}.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_HEADER

string

quarkus.oidc."tenant".token.decryption-key-location

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_DECRYPTION_KEY_LOCATION

string

quarkus.oidc."tenant".token.allow-jwt-introspection

Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to false instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_ALLOW_JWT_INTROSPECTION

boolean

true

quarkus.oidc."tenant".token.require-jwt-introspection-only

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

boolean

false

quarkus.oidc."tenant".token.allow-opaque-token-introspection

Allow the remote introspection of the opaque tokens. Set this property to 'false' if only JWT tokens are expected.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_ALLOW_OPAQUE_TOKEN_INTROSPECTION

boolean

true

quarkus.oidc."tenant".token.verify-access-token-with-user-info

Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. Opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if the opaque access tokens have to be accepted but OpenId Connect provider does not have a token introspection endpoint. This property will have no effect when JWT tokens have to be verified.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_VERIFY_ACCESS_TOKEN_WITH_USER_INFO

boolean

false

quarkus.oidc."tenant".logout.path

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_PATH

string

quarkus.oidc."tenant".logout.post-logout-path

Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_POST_LOGOUT_PATH

string

quarkus.oidc."tenant".logout.post-logout-uri-param

Name of the post logout URI parameter which will be added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_POST_LOGOUT_URI_PARAM

string

post_logout_redirect_uri

quarkus.oidc."tenant".logout.extra-params

Additional properties which will be added as the query parameters to the logout redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_EXTRA_PARAMS

Map<String,String>

quarkus.oidc."tenant".logout.backchannel.path

The relative path of the Back-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_PATH

string

quarkus.oidc."tenant".logout.frontchannel.path

The relative path of the Front-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_FRONTCHANNEL_PATH

string

quarkus.oidc."tenant".authentication.response-mode

Authorization code flow response mode

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_RESPONSE_MODE

queryAuthorization response parameters are encoded in the query string added to the redirect_uri, form-postAuthorization response parameters are encoded as HTML form values that are auto-submitted in the browser and transmitted via the HTTP POST method using the application/x-www-form-urlencoded content type

query

quarkus.oidc."tenant".authentication.redirect-path

Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated if 'restorePathAfterRedirect' is set to 'true'.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_REDIRECT_PATH

string

quarkus.oidc."tenant".authentication.restore-path-after-redirect

If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI will be restored even if this property is disabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_RESTORE_PATH_AFTER_REDIRECT

boolean

false

quarkus.oidc."tenant".authentication.remove-redirect-parameters

Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_REMOVE_REDIRECT_PARAMETERS

boolean

true

quarkus.oidc."tenant".authentication.error-path

Relative path to the public endpoint which will process the error response from the OIDC authorization endpoint. If the user authentication has failed then the OIDC provider will return an 'error' and an optional 'error_description' parameters, instead of the expected authorization 'code'. If this property is set then the user will be redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if it is set as '/error' and the current request URI is 'https://localhost:8080/callback?error=invalid_scope' then a redirect will be made to 'https://localhost:8080/error?error=invalid_scope'. If this property is not set then HTTP 401 status will be returned in case of the user authentication failure.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ERROR_PATH

string

quarkus.oidc."tenant".authentication.verify-access-token

Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles. Access token is not verified by default since it is meant to be propagated to the downstream services. The verification of the access token should be enabled if it is injected as a JWT token. Access tokens obtained as part of the code flow will always be verified if quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision will be based on the roles extracted from the access token. Bearer access tokens are always verified.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_VERIFY_ACCESS_TOKEN

boolean

false

quarkus.oidc."tenant".authentication.force-redirect-https-scheme

Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout post_logout_redirect_uri and the local redirect requests.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME

boolean

false

quarkus.oidc."tenant".authentication.scopes

List of scopes

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_SCOPES

list of string

quarkus.oidc."tenant".authentication.add-openid-scope

Add the 'openid' scope automatically to the list of scopes. This is required for OpenId Connect providers but will not work for OAuth2 providers such as Twitter OAuth2 which does not accept that scope and throws an error.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ADD_OPENID_SCOPE

boolean

true

quarkus.oidc."tenant".authentication.extra-params

Additional properties which will be added as the query parameters to the authentication redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_EXTRA_PARAMS

Map<String,String>

quarkus.oidc."tenant".authentication.forward-params

Request URL query parameters which, if present, will be added to the authentication redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FORWARD_PARAMS

list of string

quarkus.oidc."tenant".authentication.cookie-force-secure

If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_FORCE_SECURE

boolean

false

quarkus.oidc."tenant".authentication.cookie-suffix

Cookie name suffix. For example, a session cookie name for the default OIDC tenant is 'q_session' but can be changed to 'q_session_test' if this property is set to 'test'.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_SUFFIX

string

quarkus.oidc."tenant".authentication.cookie-path

Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_PATH

string

/

quarkus.oidc."tenant".authentication.cookie-path-header

Cookie path header parameter value which, if set, identifies the incoming HTTP header whose value will be used to set a path parameter for the session, state and post logout cookies. If the header is missing then the cookie-path property will be checked.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_PATH_HEADER

string

quarkus.oidc."tenant".authentication.cookie-domain

Cookie domain parameter value which, if set, will be used for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_DOMAIN

string

quarkus.oidc."tenant".authentication.cookie-same-site

SameSite attribute for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_SAME_SITE

strict, lax, none

strict

quarkus.oidc."tenant".authentication.user-info-required

If this property is set to 'true' then an OIDC UserInfo endpoint will be called.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_USER_INFO_REQUIRED

boolean

false

quarkus.oidc."tenant".authentication.session-age-extension

Session age extension in minutes. The user session age property is set to the value of the ID token life-span by default and the user will be redirected to the OIDC provider to re-authenticate once the session has expired. If this property is set to a non-zero value then the expired ID token can be refreshed before the session has expired. This property will be ignored if the token.refresh-expired property has not been enabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_SESSION_AGE_EXTENSION

Duration

5M

quarkus.oidc."tenant".authentication.java-script-auto-redirect

If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to false then a status code of '499' will be returned to allow the client to handle the redirect manually

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

boolean

true

quarkus.oidc."tenant".authentication.id-token-required

Requires that ID token is available when the authorization code flow completes. Disable this property only when you need to use the authorization code flow with OAuth2 providers which do not return ID token - an internal IdToken will be generated in such cases.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ID_TOKEN_REQUIRED

boolean

true

quarkus.oidc."tenant".authentication.internal-id-token-lifespan

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Duration

5M

quarkus.oidc."tenant".authentication.pkce-required

Requires that a Proof Key for Code Exchange (PKCE) is used.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_PKCE_REQUIRED

boolean

false

quarkus.oidc."tenant".authentication.pkce-secret

Secret which will be used to encrypt a Proof Key for Code Exchange (PKCE) code verifier in the code flow state. This secret must be set if PKCE is required but no client secret is set. The length of the secret which will be used to encrypt the code verifier must be 32 characters long.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_PKCE_SECRET

string

quarkus.oidc."tenant".code-grant.extra-params

Additional parameters, in addition to the required code and redirect-uri parameters, which have to be included to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC__TENANT__CODE_GRANT_EXTRA_PARAMS

Map<String,String>

quarkus.oidc."tenant".code-grant.headers

Custom HTTP headers which have to be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC__TENANT__CODE_GRANT_HEADERS

Map<String,String>

quarkus.oidc."tenant".token-state-manager.strategy

Default TokenStateManager strategy.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_STRATEGY

keep-all-tokensKeep ID, access and refresh tokens., id-tokenKeep ID token only, id-refresh-tokensKeep ID and refresh tokens only

keep-all-tokens

quarkus.oidc."tenant".token-state-manager.split-tokens

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_SPLIT_TOKENS

boolean

false

quarkus.oidc."tenant".token-state-manager.encryption-required

Requires that the tokens are encrypted before being stored in the cookies.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_ENCRYPTION_REQUIRED

boolean

false

quarkus.oidc."tenant".token-state-manager.encryption-secret

Secret which will be used to encrypt the tokens. This secret must be set if the token encryption is required but no client secret is set. The length of the secret which will be used to encrypt the tokens must be 32 characters long.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

string

quarkus.oidc."tenant".allow-token-introspection-cache

Allow caching the token introspection data. Note enabling this property does not enable the cache itself but only permits to cache the token introspection for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC__TENANT__ALLOW_TOKEN_INTROSPECTION_CACHE

boolean

true

quarkus.oidc."tenant".allow-user-info-cache

Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC__TENANT__ALLOW_USER_INFO_CACHE

boolean

true

quarkus.oidc."tenant".cache-user-info-in-idtoken

Allow inlining UserInfo in IdToken instead of caching it in the token cache. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken. Inlining UserInfo in the generated IdToken allows to store it in the session cookie and avoids introducing a cached state.

Environment variable: QUARKUS_OIDC__TENANT__CACHE_USER_INFO_IN_IDTOKEN

boolean

false

quarkus.oidc."tenant".provider

Well known OpenId Connect provider identifier

Environment variable: QUARKUS_OIDC__TENANT__PROVIDER

apple, facebook, github, google, microsoft, spotify, twitter
About the Duration format

The format for durations uses the standard java.time.Duration format. You can learn more about it in the Duration#parse() javadoc.

You can also provide duration values starting with a number. In this case, if the value consists only of a number, the converter treats the value as seconds. Otherwise, PT is implicitly prepended to the value to obtain a standard java.time.Duration format.

References

Quarkus is open. All dependencies of this project are available under the Apache Software License 2.0 or compatible license.

This website was built with Jekyll, is hosted on GitHub Pages and is completely open source. If you want to make it better, fork the website and show us what you’ve got.

Navigation
Follow Us
Get Help
Languages
Quarkus is made of community projects
CC by 3.0 | Privacy Policy Sponsored by