EXTERNAL
NONE
Attribute | Value |
---|---|
Default Value | RS256 |
Type | STRING |
Nillable | true |
Expressions Allowed | true |
Storage | configuration |
Access Type | read-write |
Restart Required | no-services |
Attribute | Value |
---|---|
Type | STRING |
Nillable | true |
Expressions Allowed | true |
Storage | configuration |
Access Type | read-write |
Restart Required | no-services |
Attribute | Value |
---|---|
Type | STRING |
Nillable | true |
Expressions Allowed | true |
Storage | configuration |
Access Type | read-write |
Restart Required | no-services |
Attribute | Value |
---|---|
Type | STRING |
Nillable | true |
Expressions Allowed | true |
Storage | configuration |
Access Type | read-write |
Restart Required | no-services |
Attribute | Value |
---|---|
Default Value | false |
Type | BOOLEAN |
Nillable | true |
Expressions Allowed | true |
Storage | configuration |
Access Type | read-write |
Restart Required | no-services |
Request Parameter | Type | Required | Expressions Allowed | Default value | Description |
---|---|---|---|---|---|
allow-any-hostname | BOOLEAN | false | true | false | If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. It must never be set to 'true' in production: the provider's certificate is no longer checked against the host it was issued for, so any certificate the truststore trusts is accepted for any host. |
always-refresh-token | BOOLEAN | false | true | false | If set to 'true', the subsystem refreshes the token on every web request your application receives, sending a new request to the OpenID provider for a fresh access token each time. This can result in a higher load on the OpenID provider and may impact the performance of the application. |
auth-server-url | STRING | false | true | | The base URL of the Keycloak authorization server. This is Keycloak-specific; use 'provider-url' instead. |
autodetect-bearer-only | BOOLEAN | false | true | false | Whether to auto-detect SOAP or REST clients from request headers such as 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', unauthenticated SOAP or REST clients receive an HTTP 401 status code instead of a redirect to the OpenID provider login page. Set this to 'true' if the same deployment serves both browser-based applications and web services. |
client-key-password | STRING | false | true | | The password for the client key. This is required if 'client-keystore' has been specified. |
client-keystore | STRING | false | true | | The path to the client keystore holding the client certificate and key presented to the OpenID provider over HTTPS. This is optional. |
client-keystore-password | STRING | false | true | | The password for the client keystore. This is required if 'client-keystore' has been specified. |
confidential-port | INT | false | true | 8443 | The confidential port used by the OpenID provider when communicating securely over SSL/TLS. |
connection-pool-size | INT | false | true | | The size of the connection pool used when communicating with the OpenID provider. |
connection-timeout-millis | LONG | false | true | | The timeout, in milliseconds, for establishing a connection to the remote host. Zero means an infinite timeout; a negative value means undefined. |
connection-ttl-millis | LONG | false | true | | The time, in milliseconds, for which a connection is kept alive. A value less than or equal to zero means infinite. |
cors-allowed-headers | STRING | false | true | | If Cross-Origin Resource Sharing (CORS) is enabled, sets the value of the 'Access-Control-Allow-Headers' header as a comma-separated string. This is optional; if not set, the header is not returned in CORS responses. |
cors-allowed-methods | STRING | false | true | | If Cross-Origin Resource Sharing (CORS) is enabled, sets the value of the 'Access-Control-Allow-Methods' header as a comma-separated string. This is optional; if not set, the header is not returned in CORS responses. |
cors-exposed-headers | STRING | false | true | | If Cross-Origin Resource Sharing (CORS) is enabled, sets the value of the 'Access-Control-Expose-Headers' header as a comma-separated string. This is optional; if not set, the header is not returned in CORS responses. |
cors-max-age | INT | false | true | | If Cross-Origin Resource Sharing (CORS) is enabled, sets the value (in seconds) of the 'Access-Control-Max-Age' header. If not set, the header is not returned in CORS responses. |
disable-trust-manager | BOOLEAN | false | true | false | If set to 'true', no trust manager is used when communicating with the OpenID provider over HTTPS, so any certificate the provider presents is accepted without verification. This is optional. Set it to 'true' only during development and never in production. |
enable-cors | BOOLEAN | false | true | false | Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific. |
expose-token | BOOLEAN | false | true | false | If set to 'true', an authenticated browser client can obtain the signed access token (through a JavaScript HTTP invocation) from the URL 'root/k_query_bearer_token'. This is optional. Enable it only if the application needs the token in the browser: a token reachable from script is exposed to any cross-site scripting flaw in the page. |
ignore-oauth-query-parameter | BOOLEAN | false | true | false | If set to 'true', the 'access_token' query parameter is not parsed, so a client cannot authenticate by passing an 'access_token' in the URL alone. Tokens carried in a query string tend to end up in server logs, proxy logs and Referer headers, so consider setting this to 'true' unless a client depends on it. |
principal-attribute | STRING | false | true | | Which claim of the ID token to use as the principal name for the identity. If the named claim is absent, the principal defaults to the value of the 'sub' claim. |
provider-url | STRING | false | true | | The OpenID provider URL. |
proxy-url | STRING | false | true | | The URL of the HTTP proxy, if one is used to reach the OpenID provider. |
realm-public-key | STRING | false | true | | The public key of the OpenID provider in PEM format. This is optional and not recommended. If it is not set, the subsystem downloads the provider's public keys when needed. If it is set, the subsystem never downloads new keys, so token validation breaks as soon as the OpenID provider rotates its keys. |
register-node-at-startup | BOOLEAN | false | true | false | If set to 'true', the subsystem sends a registration request to the OpenID provider at startup. This is useful only when your application is clustered. |
register-node-period | INT | false | true | | If 'register-node-at-startup' is set to 'true', the interval (in seconds) at which the node re-registers with the OpenID provider. |
socket-timeout-millis | LONG | false | true | | The timeout, in milliseconds, for the socket to wait for data after the connection has been established. Zero means an infinite timeout; a negative value means undefined. |
ssl-required | STRING | false | true | external | Whether HTTPS is required for requests to the application and for communication with the OpenID provider. Valid values are: 'all' - always require HTTPS, 'external' - require HTTPS only for external requests (those not originating from a private IP address range), 'none' - HTTPS is not required. The default is 'external'; set this to 'all' in production environments. |
token-signature-algorithm | STRING | false | true | RS256 | The signature algorithm the OpenID provider uses to sign tokens. |
token-store | STRING | false | true | | Whether account information is stored in the HTTP session or in a cookie. Valid values are 'session' and 'cookie'. |
truststore | STRING | false | true | | The path to the truststore holding the certificates used to verify the OpenID provider over HTTPS. Prefix the path with 'classpath:' to load the truststore from the deployment's classpath. |
truststore-password | STRING | false | true | | The password for the truststore. |
verify-token-audience | BOOLEAN | false | true | false | If set to 'true', during bearer-only authentication the subsystem verifies that the token's audience ('aud' claim) contains this client. Setting it to 'true' is recommended: it rejects tokens that were issued for a different client and replayed against this one. |
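As an added example (not part of this page, nor code from the WildFly or Keycloak projects), the following Python script turns the production guidance given in the descriptions above into an automated check. It assumes the provider configuration is available as a plain dictionary keyed by the request parameter names in the table (for instance, the output of a CLI read of the resource converted to a dict); the two sample configurations, their URLs and the truststore path are constructed for illustration, and the plaintext 'provider-url' rule is an added sanity check rather than something the table states.

```python
"""Audit an OIDC provider configuration against the production guidance
in the attribute table above.

Rules taken from the table: allow-any-hostname, disable-trust-manager,
ssl-required, realm-public-key, verify-token-audience, and
auth-server-url versus provider-url.  The plaintext provider-url rule is
an added sanity check.  The sample configurations are constructed.
"""

from __future__ import annotations

from typing import Any, Dict, List, Tuple
from urllib.parse import urlparse

Finding = Tuple[str, str, str]  # (severity, attribute, message)


def as_bool(value: Any) -> bool:
    """Model values may arrive as booleans or as the strings 'true'/'false'
    (for example when the attribute was set through an expression)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit_oidc_provider(config: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []

    # Skipping hostname verification accepts any trusted certificate for any host.
    if as_bool(config.get("allow-any-hostname", False)):
        findings.append(("high", "allow-any-hostname",
                         "hostname verification disabled; never use in production"))

    # Without a trust manager any certificate the provider presents is accepted.
    if as_bool(config.get("disable-trust-manager", False)):
        findings.append(("high", "disable-trust-manager",
                         "certificate verification disabled; never use in production"))

    # 'external' (the default) enforces HTTPS only for non-private clients; 'none' never does.
    ssl_required = str(config.get("ssl-required") or "external").lower()
    if ssl_required != "all":
        findings.append(("medium", "ssl-required",
                         f"is '{ssl_required}'; should be 'all' in production"))

    # A pinned key is never refreshed, so provider key rotation breaks token validation.
    if config.get("realm-public-key"):
        findings.append(("medium", "realm-public-key",
                         "static key pinned; remove it so keys are fetched from the provider"))

    # Without an audience check a token issued for another client is accepted.
    if not as_bool(config.get("verify-token-audience", False)):
        findings.append(("medium", "verify-token-audience",
                         "false; set to true so bearer tokens must name this client in 'aud'"))

    provider_url = config.get("provider-url")
    if not provider_url and config.get("auth-server-url"):
        findings.append(("low", "auth-server-url",
                         "Keycloak-specific; prefer provider-url"))
    # Added sanity rule: a plaintext provider URL sends credentials and tokens in the clear.
    if provider_url and urlparse(str(provider_url)).scheme != "https":
        findings.append(("high", "provider-url",
                         "not https; client credentials and tokens would travel in the clear"))

    return findings


# Constructed samples: a development-style configuration and its hardened counterpart.
DEV_PROVIDER: Dict[str, Any] = {
    "provider-url": "http://localhost:8080/realms/demo",  # constructed URL
    "ssl-required": "none",
    "allow-any-hostname": True,
    "disable-trust-manager": True,
    "verify-token-audience": False,
}

HARDENED_PROVIDER: Dict[str, Any] = {
    "provider-url": "https://sso.example.com/realms/demo",  # constructed URL
    "ssl-required": "all",
    "verify-token-audience": True,
    "truststore": "/opt/wildfly/standalone/configuration/idp-truststore.p12",  # constructed path
    "truststore-password": "${env.IDP_TRUSTSTORE_PASSWORD}",  # an expression, as the table allows
}


if __name__ == "__main__":
    for name, cfg in (("dev", DEV_PROVIDER), ("hardened", HARDENED_PROVIDER)):
        result = audit_oidc_provider(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for severity, attribute, message in result:
            print(f"  [{severity}] {attribute}: {message}")
```

Run it as a pre-deployment gate: an empty result for the hardened configuration is the expected outcome, while the development configuration trips every rule the table warns about. Because the checker keys on the request parameter names, it applies equally to a configuration read back from a running server and to one about to be submitted.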