WildFly Full 27 Model Reference

  1. home
  2. subsystem=elytron-oidc-client
  3. secure-deployment

A deployment secured by an OpenID Connect provider

Children (2)

Attributes (47)

  • adapter-state-cookie-path If set, defines the path used in cookies set by the adapter. Useful when deploying the application in the root context path.
  • allow-any-hostname If true, hostname verification will be skipped when communicating with the OpenID provider over HTTPS. The default value is false. This can be useful in testing environments. This should never be set to true in production environments.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • always-refresh-token Refresh token on every single web request
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • auth-server-url Base URL of the Realm Auth Server
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • autodetect-bearer-only autodetect bearer-only requests
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • bearer-only Bearer Token Auth only
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-id Client ID
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-key-password Password for the client key. This is required if client-keystore has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore Path to the client keystore to be used when communicating with the OpenID provider over HTTPS. This is optional.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore-password Password for the client keystore. This is required if client-keystore has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • confidential-port Specify the confidential port (SSL/TLS) used by the Realm Auth Server
    • Attribute Value
    Default Value 8443
    Type INT
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-pool-size Connection pool size for the client used by the adapter
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min 0
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-timeout-millis Timeout for establishing the connection with the remote host in milliseconds
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-ttl-millis Connection time to live in milliseconds
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-headers CORS allowed headers
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-methods CORS allowed methods
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-exposed-headers CORS exposed headers
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-max-age CORS max-age header
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • credential Credential used to communicate with the OpenID Connect provider
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • disable-trust-manager Adapter will not use a trust manager when making adapter HTTPS requests
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • enable-basic-auth Enable Basic Authentication
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • enable-cors Enable Keycloak CORS support
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • expose-token Enable secure URL that exposes access token
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ignore-oauth-query-parameter disable query parameter parsing for access_token
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • min-time-between-jwks-requests If adapter recognize token signed by unknown public key, it will try to download new public key from elytron-oidc-client server. However it won't try to download if already tried it in less than 'min-time-between-jwks-requests' seconds
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • principal-attribute Indicates which claim value from the ID token to use as the principal for the identity
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • provider OpenID provider
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • provider-url The provider URL
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • proxy-url The URL for the HTTP proxy if one is used.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • public-client Public client
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • public-key-cache-ttl Maximum time the downloaded public keys are considered valid. When this time reach, the adapter is forced to download public keys from elytron-oidc-client server
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • realm Keycloak realm
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • realm-public-key Public key of the realm
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • redirect-rewrite-rule Apply a rewrite rule for the redirect URI
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-at-startup Cluster setting
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-period how often to re-register node
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • resource Application name
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • socket-timeout-millis Timeout for socket waiting for data in milliseconds
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ssl-required Whether communication with the OpenID provider should be over HTTPS. Valid values are: "all" - to always require HTTPS, "external" - to only require HTTPS for external requests, "none" - if HTTPS is not required. The default value is "external". This should be set to "all" in production environments.
    • Attribute Value
    Default Value external
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values external
    all
    none
  • token-minimum-time-to-live The adapter will refresh the token if the current token is expired OR will expire in 'token-minimum-time-to-live' seconds or less
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • token-signature-algorithm The token signature algorithm used by the OpenID provider
    • Attribute Value
    Default Value RS256
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • token-store cookie or session storage for auth session data
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore Truststore used for adapter client HTTPS requests
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore-password Password of the Truststore
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • turn-off-change-session-id-on-login The session id is changed by default on a successful login. Change this to true if you want to turn this off
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • use-resource-role-mappings Use resource level permissions from token
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • verify-token-audience If true, then during bearer-only authentication, the adapter will verify if token contains this client name (resource) as an audience
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services

Operations (2)

  • add Add a deployment to be secured by an OpenID Connect provider
    Request Parameter Type Required Expressions Allowed Default value Description
    adapter-state-cookie-path STRING false true If set, defines the path used in cookies set by the adapter. Useful when deploying the application in the root context path.
    allow-any-hostname BOOLEAN false true false If true, hostname verification will be skipped when communicating with the OpenID provider over HTTPS. The default value is false. This can be useful in testing environments. This should never be set to true in production environments.
    always-refresh-token BOOLEAN false true false Refresh token on every single web request
    auth-server-url STRING false true Base URL of the Realm Auth Server
    autodetect-bearer-only BOOLEAN false true false autodetect bearer-only requests
    bearer-only BOOLEAN false true false Bearer Token Auth only
    client-id STRING false true Client ID
    client-key-password STRING false true Password for the client key. This is required if client-keystore has been specified.
    client-keystore STRING false true Path to the client keystore to be used when communicating with the OpenID provider over HTTPS. This is optional.
    client-keystore-password STRING false true Password for the client keystore. This is required if client-keystore has been specified.
    confidential-port INT false true 8443 Specify the confidential port (SSL/TLS) used by the Realm Auth Server
    connection-pool-size INT false true Connection pool size for the client used by the adapter
    connection-timeout-millis LONG false true Timeout for establishing the connection with the remote host in milliseconds
    connection-ttl-millis LONG false true Connection time to live in milliseconds
    cors-allowed-headers STRING false true CORS allowed headers
    cors-allowed-methods STRING false true CORS allowed methods
    cors-exposed-headers STRING false true CORS exposed headers
    cors-max-age INT false true CORS max-age header
    credential OBJECT false false Credential used to communicate with the OpenID Connect provider
    disable-trust-manager BOOLEAN false true false Adapter will not use a trust manager when making adapter HTTPS requests
    enable-basic-auth BOOLEAN false true false Enable Basic Authentication
    enable-cors BOOLEAN false true false Enable Keycloak CORS support
    expose-token BOOLEAN false true false Enable secure URL that exposes access token
    ignore-oauth-query-parameter BOOLEAN false true false disable query parameter parsing for access_token
    min-time-between-jwks-requests INT false true If adapter recognize token signed by unknown public key, it will try to download new public key from elytron-oidc-client server. However it won't try to download if already tried it in less than 'min-time-between-jwks-requests' seconds
    principal-attribute STRING false true Indicates which claim value from the ID token to use as the principal for the identity
    provider STRING false true OpenID provider
    provider-url STRING false true The provider URL
    proxy-url STRING false true The URL for the HTTP proxy if one is used.
    public-client BOOLEAN false true false Public client
    public-key-cache-ttl INT false true Maximum time the downloaded public keys are considered valid. When this time reach, the adapter is forced to download public keys from elytron-oidc-client server
    realm STRING false true Keycloak realm
    realm-public-key STRING false true Public key of the realm
    redirect-rewrite-rule OBJECT false false Apply a rewrite rule for the redirect URI
    register-node-at-startup BOOLEAN false true false Cluster setting
    register-node-period INT false true how often to re-register node
    resource STRING false true Application name
    socket-timeout-millis LONG false true Timeout for socket waiting for data in milliseconds
    ssl-required STRING false true external Whether communication with the OpenID provider should be over HTTPS. Valid values are: "all" - to always require HTTPS, "external" - to only require HTTPS for external requests, "none" - if HTTPS is not required. The default value is "external". This should be set to "all" in production environments.
    token-minimum-time-to-live INT false true The adapter will refresh the token if the current token is expired OR will expire in 'token-minimum-time-to-live' seconds or less
    token-signature-algorithm STRING false true RS256 The token signature algorithm used by the OpenID provider
    token-store STRING false true cookie or session storage for auth session data
    truststore STRING false true Truststore used for adapter client HTTPS requests
    truststore-password STRING false true Password of the Truststore
    turn-off-change-session-id-on-login BOOLEAN false true false The session id is changed by default on a successful login. Change this to true if you want to turn this off
    use-resource-role-mappings BOOLEAN false true false Use resource level permissions from token
    verify-token-audience BOOLEAN false true false If true, then during bearer-only authentication, the adapter will verify if token contains this client name (resource) as an audience
  • remove Remove a deployment to be secured by an OpenID Connect provider