OpenID Connect (OIDC) configuration properties

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

Authentication method.

Environment variable: QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_METHOD

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_NAME

If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_FILE

A parameter to specify the password of the key store file.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_PASSWORD

The private key password

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_KEY_PASSWORD

Key identifier of the signing key added as a JWT 'kid' header

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_KEY_ID

Subject of the signing key added as a JWT 'sub' claim (default: client id)

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_SUBJECT

JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.

Environment variable: QUARKUS_OIDC_CREDENTIALS_JWT_LIFESPAN

The port number of the Proxy. Default value is 80.

Environment variable: QUARKUS_OIDC_PROXY_PORT

The password, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC_PROXY_PASSWORD

An optional key store which holds the certificate information instead of specifying separate files.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_FILE

An optional parameter to specify a provider of the key store file. If not given, the provider is automatically detected based on the key store file type.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_PROVIDER

An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains multiple keys and no alias is specified, the behavior is undefined.

Environment variable: QUARKUS_OIDC_TLS_KEY_STORE_KEY_ALIAS

An optional trust store which holds the certificate information of the certificates to trust

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_FILE

A parameter to specify the alias of the trust store certificate.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_CERT_ALIAS

An optional parameter to specify a provider of the trust store file. If not given, the provider is automatically detected based on the trust store file type.

Environment variable: QUARKUS_OIDC_TLS_TRUST_STORE_PROVIDER

If this tenant configuration is enabled. Note that the default tenant will be disabled if it is not configured but either TenantConfigResolver which will resolve tenant configurations is registered or named tenants are configured. You do not have to disable the default tenant in this case.

Environment variable: QUARKUS_OIDC_TENANT_ENABLED

Relative path or absolute URL of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_AUTHORIZATION_PATH

Relative path or absolute URL of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_INTROSPECTION_PATH

Relative path or absolute URL of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC_END_SESSION_PATH

Name

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_NAME

Include OpenId Connect Client ID configured with 'quarkus.oidc.client-id'

Environment variable: QUARKUS_OIDC_INTROSPECTION_CREDENTIALS_INCLUDE_CLIENT_ID

Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to one or more custom claims whose values are strings. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.

Environment variable: QUARKUS_OIDC_ROLES_ROLE_CLAIM_SEPARATOR

Expected issuer 'iss' claim value. Note this property overrides the issuer property which may be set in OpenId Connect provider’s well-known configuration. If the iss claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed iss claim value) are not possible.

Environment variable: QUARKUS_OIDC_TOKEN_ISSUER

Require that the token includes a sub (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required then both the token and UserInfo sub claims must be present and match each other.

Environment variable: QUARKUS_OIDC_TOKEN_SUBJECT_REQUIRED

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC_TOKEN_LIFESPAN_GRACE

Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and sub claims are checked.

Environment variable: QUARKUS_OIDC_TOKEN_PRINCIPAL_CLAIM

Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time then a refresh is going to happen.

Environment variable: QUARKUS_OIDC_TOKEN_REFRESH_TOKEN_TIME_SKEW

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE}.

Environment variable: QUARKUS_OIDC_TOKEN_HEADER

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.

Environment variable: QUARKUS_OIDC_TOKEN_DECRYPTION_KEY_LOCATION

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using TenantFeature qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.

Environment variable: QUARKUS_OIDC_TOKEN_CUSTOMIZER_NAME

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC_LOGOUT_PATH

Name of the post logout URI parameter which will be added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC_LOGOUT_POST_LOGOUT_URI_PARAM

Maximum number of logout tokens that can be cached before they are matched against ID tokens stored in session cookies.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_TOKEN_CACHE_SIZE

Token cache timer interval. If this property is set then a timer will check and remove the stale entries periodically.

Environment variable: QUARKUS_OIDC_LOGOUT_BACKCHANNEL_CLEAN_UP_TIMER_INTERVAL

The relative path of the Front-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC_LOGOUT_FRONTCHANNEL_PATH

Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated if 'restorePathAfterRedirect' is set to 'true'.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REDIRECT_PATH

Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_REMOVE_REDIRECT_PARAMETERS

Both ID and access tokens are fetched from the OIDC provider as part of the authorization code flow. ID token is always verified on every user request as the primary token which is used to represent the principal and extract the roles. Access token is not verified by default since it is meant to be propagated to the downstream services. The verification of the access token should be enabled if it is injected as a JWT token. Access tokens obtained as part of the code flow will always be verified if quarkus.oidc.roles.source property is set to accesstoken which means the authorization decision will be based on the roles extracted from the access token. Bearer access tokens are always verified.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_VERIFY_ACCESS_TOKEN

List of scopes

Environment variable: QUARKUS_OIDC_AUTHENTICATION_SCOPES

Add the 'openid' scope automatically to the list of scopes. This is required for OpenId Connect providers but will not work for OAuth2 providers such as Twitter OAuth2 which does not accept that scope and throws an error.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ADD_OPENID_SCOPE

If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_FORCE_SECURE

Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_PATH

Cookie domain parameter value which, if set, will be used for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_COOKIE_DOMAIN

If a state cookie is present then a state query parameter must also be present and both the state cookie name suffix and state cookie value have to match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie may represent the authentication flow initiated from another tab and not related to the current request. Disable this property if you would like to avoid supporting multiple authorization code flows running in the same browser.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_ALLOW_MULTIPLE_CODE_FLOWS

If this property is set to 'true' then an OIDC UserInfo endpoint will be called. This property will be enabled if quarkus.oidc.roles.source is userinfo or quarkus.oidc.token.verify-access-token-with-user-info is true or quarkus.oidc.authentication.id-token-required is set to false, you do not have to enable this property manually in these cases.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_USER_INFO_REQUIRED

If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single-page applications (SPA) since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS.

If this property is set to 'false' then a status code of '499' will be returned to allow SPA to handle the redirect manually if a request header identifying current request as a JavaScript request is found. 'X-Requested-With' request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Secret which will be used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. Client secret will not be used as a state encryption secret if it is less than 32 characters long.

The secret will be auto-generated if it remains uninitialized after checking all of these properties.

Error will be reported if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_STATE_SECRET

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_SPLIT_TOKENS

Secret which will be used to encrypt the session cookie storing the tokens when encryption-required property is enabled.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. The secret will be auto-generated if it remains uninitialized after checking all of these properties.

The length of the secret which will be used to encrypt the tokens should be at least 32 characters long. Warning will be logged if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC_TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC_ALLOW_USER_INFO_CACHE

Well known OpenId Connect provider identifier

Environment variable: QUARKUS_OIDC_PROVIDER

Maximum amount of time a given cache entry is valid for.

Environment variable: QUARKUS_OIDC_TOKEN_CACHE_TIME_TO_LIVE

Grant options

Environment variable: QUARKUS_OIDC_DEVUI_GRANT_OPTIONS

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC_TOKEN_REQUIRED_CLAIMS

Additional properties which will be added as the query parameters to the authentication redirect URI.

Environment variable: QUARKUS_OIDC_AUTHENTICATION_EXTRA_PARAMS

Custom HTTP headers which have to be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC_CODE_GRANT_HEADERS

Enables OIDC discovery. If the discovery is disabled then the OIDC endpoint URLs must be configured individually.

Environment variable: QUARKUS_OIDC__TENANT__DISCOVERY_ENABLED

Relative path or absolute URL of the OIDC token revocation endpoint.

Environment variable: QUARKUS_OIDC__TENANT__REVOKE_PATH

The maximum amount of time connecting to the currently unavailable OIDC server will be attempted for. The number of times the connection request will be repeated is calculated by dividing the value of this property by 2. For example, setting it to 20S will allow for requesting the connection up to 10 times with a 2 seconds delay between the retries. Note this property is only effective when the initial OIDC connection is created, for example, when requesting a well-known OIDC configuration. Use the 'connection-retry-count' property to support trying to re-establish an already available connection which may have been dropped.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_DELAY

The amount of time after which the current OIDC connection request will time out.

Environment variable: QUARKUS_OIDC__TENANT__CONNECTION_TIMEOUT

Client secret which is used for a client_secret_basic authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_SECRET

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME

Authentication method.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_METHOD

The CredentialsProvider name which should only be set if more than one CredentialsProvider is registered

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_NAME

If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the signature-algorithm property to specify the key algorithm.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_FILE

A parameter to specify the password of the key store file.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_PASSWORD

The private key password

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_PASSWORD

Key identifier of the signing key added as a JWT 'kid' header

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_TOKEN_KEY_ID

Subject of the signing key added as a JWT 'sub' claim (default: client id)

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SUBJECT

Signature algorithm, also used for the key-file property. Supported values: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, HS256, HS384, HS512.

Environment variable: QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SIGNATURE_ALGORITHM

The host (name or IP address) of the Proxy.
Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_HOST

The username, if Proxy needs authentication.

Environment variable: QUARKUS_OIDC__TENANT__PROXY_USERNAME

Certificate validation and hostname verification, which can be one of the following values from enum Verification. Default is required.

Environment variable: QUARKUS_OIDC__TENANT__TLS_VERIFICATION

An optional parameter to specify type of the key store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE_TYPE

A parameter to specify the password of the key store file. If not given, the default ("password") is used.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PASSWORD

An optional parameter to define the password for the key, in case it’s different from key-store-password.

Environment variable: QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_PASSWORD

A parameter to specify the password of the trust store file.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PASSWORD

An optional parameter to specify type of the trust store file. If not given, the type is automatically detected based on the file name.

Environment variable: QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE_TYPE

A unique tenant identifier. It must be set by TenantConfigResolver providers which resolve the tenant configuration dynamically and is optional in all other cases.

Environment variable: QUARKUS_OIDC__TENANT__TENANT_ID

The application type, which can be one of the following values from enum ApplicationType.

Environment variable: QUARKUS_OIDC__TENANT__APPLICATION_TYPE

Relative path or absolute URL of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__USER_INFO_PATH

Relative path or absolute URL of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.

Environment variable: QUARKUS_OIDC__TENANT__JWKS_PATH

Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.

Environment variable: QUARKUS_OIDC__TENANT__PUBLIC_KEY

Secret

Environment variable: QUARKUS_OIDC__TENANT__INTROSPECTION_CREDENTIALS_SECRET

List of paths to claims containing an array of groups. Each path starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in one or more different claims.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_ROLE_CLAIM_PATH

Source of the principal roles.

Environment variable: QUARKUS_OIDC__TENANT__ROLES_SOURCE

Expected audience 'aud' claim value which may be a string or an array of strings. Note the audience claim will be verified for ID tokens by default. ID token audience must be equal to the value of quarkus.oidc.client-id property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to any if your provider does not set ID token audience` claim. Audience verification for access tokens will only be done if this property is configured.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_AUDIENCE

A map of required claims and their expected values. For example, quarkus.oidc.token.required-claims.org_id = org_xyz would require tokens to have the org_id claim to be present and set to org_xyz. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRED_CLAIMS

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_LIFESPAN_GRACE

Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and sub claims are checked.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_PRINCIPAL_CLAIM

Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token’s expiration time then a refresh is going to happen.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REFRESH_TOKEN_TIME_SKEW

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type ApplicationType#SERVICE}.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_HEADER

Decryption key location. JWT tokens can be inner-signed and encrypted by OpenId Connect providers. However, it is not always possible to remotely introspect such tokens because the providers may not control the private decryption keys. In such cases set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. Note that if a 'private_key_jwt' client authentication method is used then the private key which is used to sign client authentication JWT tokens will be used to try to decrypt an encrypted ID token if this property is not set.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_DECRYPTION_KEY_LOCATION

Require that JWT tokens are only introspected remotely.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_REQUIRE_JWT_INTROSPECTION_ONLY

Token customizer name. Allows to select a tenant specific token customizer as a named bean. Prefer using TenantFeature qualifier when registering custom TokenCustomizer. Use this property only to refer to TokenCustomizer implementations provided by this extension.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_CUSTOMIZER_NAME

The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_PATH

Name of the post logout URI parameter which will be added as a query parameter to the logout redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_POST_LOGOUT_URI_PARAM

The relative path of the Back-Channel Logout endpoint at the application.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_PATH

Number of minutes a logout token can be cached for.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_TOKEN_CACHE_TIME_TO_LIVE

Logout token claim whose value will be used as a key for caching the tokens. Only sub (subject) and sid (session id) claims can be used as keys. Set it to sid only if ID tokens issued by the OIDC provider have no sub but have sid claim.

Environment variable: QUARKUS_OIDC__TENANT__LOGOUT_BACKCHANNEL_LOGOUT_TOKEN_KEY

Authorization code flow response mode

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_RESPONSE_MODE

If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application. Note if redirectPath property is not set, the original request URI will be restored even if this property is disabled.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_RESTORE_PATH_AFTER_REDIRECT

Relative path to the public endpoint which will process the error response from the OIDC authorization endpoint. If the user authentication has failed then the OIDC provider will return an 'error' and an optional 'error_description' parameters, instead of the expected authorization 'code'. If this property is set then the user will be redirected to the endpoint which can return a user-friendly error description page. It has to start from a forward slash and will be appended to the request URI’s host and port. For example, if it is set as '/error' and the current request URI is 'https://localhost:8080/callback?error=invalid_scope' then a redirect will be made to 'https://localhost:8080/error?error=invalid_scope'. If this property is not set then HTTP 401 status will be returned in case of the user authentication failure.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ERROR_PATH

Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout post_logout_redirect_uri and the local redirect requests.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_FORCE_REDIRECT_HTTPS_SCHEME

Require that ID token includes a nonce claim which must match nonce authentication request query parameter. Enabling this property can help mitigate replay attacks. Do not enable this property if your OpenId Connect provider does not support setting nonce in ID token or if you work with OAuth2 provider such as GitHub which does not issue ID tokens.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_NONCE_REQUIRED

Additional properties which will be added as the query parameters to the authentication redirect URI.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_EXTRA_PARAMS

If enabled the state, session and post logout cookies will have their 'secure' parameter set to 'true' when HTTP is used. It may be necessary when running behind an SSL terminating reverse proxy. The cookies will always be secure if HTTPS is used even if this property is set to false.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_FORCE_SECURE

Cookie path parameter value which, if set, will be used to set a path parameter for the session, state and post logout cookies. The cookie-path-header property, if set, will be checked first.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_PATH

Cookie domain parameter value which, if set, will be used for the session, state and post logout cookies.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_COOKIE_DOMAIN

If a state cookie is present then a state query parameter must also be present and both the state cookie name suffix and state cookie value have to match the value of the state query parameter when the redirect path matches the current path. However, if multiple authentications are attempted from the same browser, for example, from the different browser tabs, then the currently available state cookie may represent the authentication flow initiated from another tab and not related to the current request. Disable this property if you would like to avoid supporting multiple authorization code flows running in the same browser.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_ALLOW_MULTIPLE_CODE_FLOWS

If this property is set to 'true' then an OIDC UserInfo endpoint will be called. This property will be enabled if quarkus.oidc.roles.source is userinfo or quarkus.oidc.token.verify-access-token-with-user-info is true or quarkus.oidc.authentication.id-token-required is set to false, you do not have to enable this property manually in these cases.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_USER_INFO_REQUIRED

If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via JavaScript API such as XMLHttpRequest or Fetch and the current user needs to be (re)authenticated which may not be desirable for Single-page applications (SPA) since it automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS.

If this property is set to 'false' then a status code of '499' will be returned to allow SPA to handle the redirect manually if a request header identifying current request as a JavaScript request is found. 'X-Requested-With' request header with its value set to either JavaScript or XMLHttpRequest is expected by default if this property is enabled. You can register a custom JavaScriptRequestChecker to do a custom JavaScript request check instead.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_JAVA_SCRIPT_AUTO_REDIRECT

Internal ID token lifespan. This property is only checked when an internal IdToken is generated when Oauth2 providers do not return IdToken.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_INTERNAL_ID_TOKEN_LIFESPAN

Secret which will be used to encrypt Proof Key for Code Exchange (PKCE) code verifier and/or nonce in the code flow state. This secret should be at least 32 characters long.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. Client secret will not be used as a state encryption secret if it is less than 32 characters long.

The secret will be auto-generated if it remains uninitialized after checking all of these properties.

Error will be reported if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC__TENANT__AUTHENTICATION_STATE_SECRET

Custom HTTP headers which have to be sent to complete the authorization code grant request.

Environment variable: QUARKUS_OIDC__TENANT__CODE_GRANT_HEADERS

Default TokenStateManager keeps all tokens (ID, access and refresh) returned in the authorization code grant response in a single session cookie by default. Enable this property to minimize a session cookie size

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_SPLIT_TOKENS

Secret which will be used to encrypt the session cookie storing the tokens when encryption-required property is enabled.

If this secret is not set, the client secret configured with either quarkus.oidc.credentials.secret or quarkus.oidc.credentials.client-secret.value will be checked. Finally, quarkus.oidc.credentials.jwt.secret which can be used for client_jwt_secret authentication will be checked. The secret will be auto-generated if it remains uninitialized after checking all of these properties.

The length of the secret which will be used to encrypt the tokens should be at least 32 characters long. Warning will be logged if the secret length is less than 16 characters.

Environment variable: QUARKUS_OIDC__TENANT__TOKEN_STATE_MANAGER_ENCRYPTION_SECRET

Allow caching the user info data. Note enabling this property does not enable the cache itself but only permits to cache the user info data for a given tenant. If the default token cache can be used then please see OidcConfig.TokenCache how to enable it.

Environment variable: QUARKUS_OIDC__TENANT__ALLOW_USER_INFO_CACHE

Well known OpenId Connect provider identifier

Environment variable: QUARKUS_OIDC__TENANT__PROVIDER