io.quarkus.oidc

Class OidcTenantConfig.Token

java.lang.Object

io.quarkus.oidc.OidcTenantConfig.Token

Enclosing class:

OidcTenantConfig

public static class OidcTenantConfig.Token
extends Object

Field Summary

Fields

Modifier and Type	Field and Description
boolean	allowJwtIntrospection Allow the remote introspection of JWT tokens when no matching JWK key is available.
Optional<List<String>>	audience Expected audience 'aud' claim value which may be a string or an array of strings.
Optional<Duration>	autoRefreshInterval Deprecated.
Duration	forcedJwkRefreshInterval Forced JWK set refresh interval in minutes.
Optional<String>	header Custom HTTP header that contains a bearer token.
Optional<String>	issuer Expected issuer 'iss' claim value.
OptionalInt	lifespanGrace Life span grace period in seconds.
Optional<String>	principalClaim Name of the claim which contains a principal name.
boolean	refreshExpired Refresh expired ID tokens.
Optional<Duration>	refreshTokenTimeSkew Refresh token time skew in seconds.
Optional<String>	tokenType Expected token type

Constructor Summary

Constructors

Constructor and Description
Token()

Method Summary

Modifier and Type	Method and Description
static OidcTenantConfig.Token	fromAudience(String... audience)
static OidcTenantConfig.Token	fromIssuer(String issuer)
Optional<List<String>>	getAudience()
Duration	getForcedJwkRefreshInterval()
Optional<String>	getHeader()
Optional<String>	getIssuer()
OptionalInt	getLifespanGrace()
Optional<String>	getPrincipalClaim()
Optional<Duration>	getRefreshTokenTimeSkew()
Optional<String>	getTokenType()
boolean	isAllowJwtIntrospection()
boolean	isRefreshExpired()
void	setAllowJwtIntrospection(boolean allowJwtIntrospection)
void	setAudience(List<String> audience)
void	setForcedJwkRefreshInterval(Duration forcedJwkRefreshInterval)
void	setHeader(String header)
void	setIssuer(String issuer)
void	setLifespanGrace(int lifespanGrace)
void	setPrincipalClaim(String principalClaim)
void	setRefreshExpired(boolean refreshExpired)
void	setRefreshTokenTimeSkew(Duration refreshTokenTimeSkew)
void	setTokenType(String tokenType)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

issuer

@ConfigItem
public Optional<String> issuer

Expected issuer 'iss' claim value. Note this property overrides the `issuer` property which may be set in OpenId Connect provider's well-known configuration. If the `iss` claim value varies depending on the host/IP address or tenant id of the provider then you may skip the issuer verification by setting this property to 'any' but it should be done only when other options (such as configuring the provider to use the fixed `iss` claim value) are not possible.

audience

@ConfigItem
public Optional<List<String>> audience

Expected audience 'aud' claim value which may be a string or an array of strings.

tokenType

@ConfigItem
public Optional<String> tokenType

Expected token type

lifespanGrace

@ConfigItem
public OptionalInt lifespanGrace

Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.

principalClaim

@ConfigItem
public Optional<String> principalClaim

Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and `sub` claims are checked.

refreshExpired

@ConfigItem
public boolean refreshExpired

Refresh expired ID tokens. If this property is enabled then a refresh token request will be performed if the ID token has expired and, if successful, the local session will be updated with the new set of tokens. Otherwise, the local session will be invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case the user may not be challenged again if the OIDC provider session is still active. For this option be effective the `authentication.session-age-extension` property should also be set to a non-zero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.WEB_APP}.

autoRefreshInterval

@ConfigItem
 @Deprecated
public Optional<Duration> autoRefreshInterval

Deprecated.

Token auto-refresh interval in seconds during the user re-authentication. If this option is set then the valid ID token will be refreshed if it will expire in less than a number of seconds set by this option. The user will still be authenticated if the ID token can no longer be refreshed but is still valid. This option will be ignored if the 'refresh-expired' property is not enabled. Note this property is deprecated and will be removed in one of the next releases. Please use 'quarkus.oidc.token.refresh-token-time-skew'

refreshTokenTimeSkew

@ConfigItem
public Optional<Duration> refreshTokenTimeSkew

Refresh token time skew in seconds. If this property is enabled then the configured number of seconds is added to the current time when checking whether the access token should be refreshed. If the sum is greater than this access token's expiration time then a refresh is going to happen. This property will be ignored if the 'refresh-expired' property is not enabled.

forcedJwkRefreshInterval

@ConfigItem(defaultValue="10M")
public Duration forcedJwkRefreshInterval

Forced JWK set refresh interval in minutes.

header

@ConfigItem
public Optional<String> header

Custom HTTP header that contains a bearer token. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.SERVICE}.

allowJwtIntrospection

@ConfigItem(defaultValue="true")
public boolean allowJwtIntrospection

Allow the remote introspection of JWT tokens when no matching JWK key is available. Note this property is set to 'true' by default for backward-compatibility reasons and will be set to `false` instead in one of the next releases. Also note this property will be ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.

Constructor Detail

Token

public Token()

Method Detail

fromIssuer

public static OidcTenantConfig.Token fromIssuer(String issuer)

fromAudience

public static OidcTenantConfig.Token fromAudience(String... audience)

getIssuer

public Optional<String> getIssuer()

setIssuer

public void setIssuer(String issuer)

getHeader

public Optional<String> getHeader()

setHeader

public void setHeader(String header)

getAudience

public Optional<List<String>> getAudience()

setAudience

public void setAudience(List<String> audience)

getLifespanGrace

public OptionalInt getLifespanGrace()

setLifespanGrace

public void setLifespanGrace(int lifespanGrace)

getPrincipalClaim

public Optional<String> getPrincipalClaim()

setPrincipalClaim

public void setPrincipalClaim(String principalClaim)

isRefreshExpired

public boolean isRefreshExpired()

setRefreshExpired

public void setRefreshExpired(boolean refreshExpired)

getForcedJwkRefreshInterval

public Duration getForcedJwkRefreshInterval()

setForcedJwkRefreshInterval

public void setForcedJwkRefreshInterval(Duration forcedJwkRefreshInterval)

getTokenType

public Optional<String> getTokenType()

setTokenType

public void setTokenType(String tokenType)

getRefreshTokenTimeSkew

public Optional<Duration> getRefreshTokenTimeSkew()

setRefreshTokenTimeSkew

public void setRefreshTokenTimeSkew(Duration refreshTokenTimeSkew)

isAllowJwtIntrospection

public boolean isAllowJwtIntrospection()

setAllowJwtIntrospection

public void setAllowJwtIntrospection(boolean allowJwtIntrospection)