WildFly Full 29 Model Reference

  1. home
  2. subsystem=elytron-oidc-client
  3. provider

Configuration for an OpenID Connect provider. If you have multiple deployments secured by the same OpenID provider you can share the provider configuration here.

Attributes (32)

  • allow-any-hostname If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • always-refresh-token If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • auth-server-url The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use the 'provider-url' instead.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • autodetect-bearer-only Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-key-password The password for the client key. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore-password The password for the client keystore. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • confidential-port The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    • Attribute Value
    Default Value 8443
    Type INT
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-pool-size The connection pool size to use when communicating with the OpenID provider.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min 0
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-timeout-millis The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-ttl-millis The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-methods If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-exposed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-max-age If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • disable-trust-manager Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • enable-cors Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • expose-token If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ignore-oauth-query-parameter Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • principal-attribute Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • provider-url The OpenID provider URL.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • proxy-url The URL for the HTTP proxy if one is used.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • realm-public-key The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-at-startup If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-period If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • socket-timeout-millis The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ssl-required Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    • Attribute Value
    Default Value external
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values ALL
    EXTERNAL
    NONE
  • token-signature-algorithm The token signature algorithm used by the OpenID provider.
    • Attribute Value
    Default Value RS256
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • token-store Defines whether to store account information in an HTTP session or in a cookie.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore-password The password for the truststore.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • verify-token-audience If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services

Operations (2)

  • add Add an OpenID provider definition to the subsystem.
    Request Parameter Type Required Expressions Allowed Default value Description
    allow-any-hostname BOOLEAN false true false If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    always-refresh-token BOOLEAN false true false If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    auth-server-url STRING false true The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use the 'provider-url' instead.
    autodetect-bearer-only BOOLEAN false true false Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    client-key-password STRING false true The password for the client key. This is required if 'client-keystore' has been specified.
    client-keystore STRING false true The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    client-keystore-password STRING false true The password for the client keystore. This is required if 'client-keystore' has been specified.
    confidential-port INT false true 8443 The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    connection-pool-size INT false true The connection pool size to use when communicating with the OpenID provider.
    connection-timeout-millis LONG false true The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    connection-ttl-millis LONG false true The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    cors-allowed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-allowed-methods STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-exposed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-max-age INT false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    disable-trust-manager BOOLEAN false true false Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    enable-cors BOOLEAN false true false Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    expose-token BOOLEAN false true false If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    ignore-oauth-query-parameter BOOLEAN false true false Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    principal-attribute STRING false true Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    provider-url STRING false true The OpenID provider URL.
    proxy-url STRING false true The URL for the HTTP proxy if one is used.
    realm-public-key STRING false true The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    register-node-at-startup BOOLEAN false true false If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    register-node-period INT false true If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    socket-timeout-millis LONG false true The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    ssl-required STRING false true external Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    token-signature-algorithm STRING false true RS256 The token signature algorithm used by the OpenID provider.
    token-store STRING false true Defines whether to store account information in an HTTP session or in a cookie.
    truststore STRING false true The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    truststore-password STRING false true The password for the truststore.
    verify-token-audience BOOLEAN false true false If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
  • remove Remove an OpenID provider from the subsystem.