WildFly Full 29 Model Reference

  1. home
  2. subsystem=elytron-oidc-client
  3. secure-server

Configuration used to secure the management console using Keycloak.

Children (2)

  • credential The credential used to communicate with the OpenID Connect provider.
  • redirect-rewrite-rule The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.

Attributes (47)

  • adapter-state-cookie-path If set, this defines the path used in cookies set by the subsystem. This is useful when deploying an application in the root context path.
  • allow-any-hostname If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • always-refresh-token If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • auth-server-url The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use 'provider-url' instead.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • autodetect-bearer-only Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • bearer-only Enable Bearer-Token only authentication. Set this to 'true' if your application serves only web services and does not authenticate users.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-id The unique identifier for a client application registered in the OpenID provider.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-key-password The password for the client key. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • client-keystore-password The password for the client keystore. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • confidential-port The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    • Attribute Value
    Default Value 8443
    Type INT
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-pool-size The connection pool size to use when communicating with the OpenID provider.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min 0
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-timeout-millis The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • connection-ttl-millis The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-allowed-methods If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-exposed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • cors-max-age If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • credential The credential used to communicate with the OpenID Connect provider.
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • disable-trust-manager Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • enable-basic-auth Enable Basic authentication. This is not supported in the current release.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • enable-cors Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • expose-token If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ignore-oauth-query-parameter Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • min-time-between-jwks-requests If the subsystem recognizes a token signed by an unknown public key, it will try to download a new public key from the server. The subsystem won't try to download a public key if it already tried last in less than 'min-time-between-jwks-requests' seconds.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • principal-attribute Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • provider The OpenID Connect provider to use for authentication.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • provider-url The OpenID provider URL.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • proxy-url The URL for the HTTP proxy if one is used.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • public-client If set to 'true', no client credentials are sent when communicating with the OpenID provider.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • public-key-cache-ttl The maximum interval between two requests to retrieve new public keys in seconds. New public keys are downloaded when the subsystem recognizes a token signed by an unknown public key. Even if the token's key is already known, new public keys are downloaded periodically as per the interval set here at least once.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • realm The Keycloak realm to use for authentication.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • realm-public-key The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • redirect-rewrite-rule The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-at-startup If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • register-node-period If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • resource The unique, legacy identifier for a client application registered in the OpenID provider. It is recommended to use the 'client-id'.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • socket-timeout-millis The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • ssl-required Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    • Attribute Value
    Default Value external
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values ALL
    EXTERNAL
    NONE
  • token-minimum-time-to-live The subsystem will refresh the token if it will expire within the duration specified in 'token-minimum-time-to-live' seconds. This value should never exceed the access token lifespan. If the value is set to 0 seconds, the subsystem will refresh the token only if the token has expired.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • token-signature-algorithm The token signature algorithm used by the OpenID provider.
    • Attribute Value
    Default Value RS256
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • token-store Defines whether to store account information in an HTTP session or in a cookie.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • truststore-password The password for the truststore.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • turn-off-change-session-id-on-login The Session ID is changed by default on a successful login. Set this to 'true' if you want to turn this off.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • use-resource-role-mappings If set to 'true', the subsystem will look inside the token for application-level role mappings for a user. If set to 'false', the subsystem will look at the realm-level for user-role mappings. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
  • verify-token-audience If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services

Operations (2)

  • add Add configuration to be used to secure the management console using the Keycloak OpenID provider.
    Request Parameter Type Required Expressions Allowed Default value Description
    adapter-state-cookie-path STRING false true If set, this defines the path used in cookies set by the subsystem. This is useful when deploying an application in the root context path.
    allow-any-hostname BOOLEAN false true false If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    always-refresh-token BOOLEAN false true false If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    auth-server-url STRING false true The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use 'provider-url' instead.
    autodetect-bearer-only BOOLEAN false true false Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    bearer-only BOOLEAN false true false Enable Bearer-Token only authentication. Set this to 'true' if your application serves only web services and does not authenticate users.
    client-id STRING false true The unique identifier for a client application registered in the OpenID provider.
    client-key-password STRING false true The password for the client key. This is required if 'client-keystore' has been specified.
    client-keystore STRING false true The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    client-keystore-password STRING false true The password for the client keystore. This is required if 'client-keystore' has been specified.
    confidential-port INT false true 8443 The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    connection-pool-size INT false true The connection pool size to use when communicating with the OpenID provider.
    connection-timeout-millis LONG false true The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    connection-ttl-millis LONG false true The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    cors-allowed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-allowed-methods STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-exposed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-max-age INT false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    credential OBJECT false false The credential used to communicate with the OpenID Connect provider.
    disable-trust-manager BOOLEAN false true false Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    enable-basic-auth BOOLEAN false true false Enable Basic authentication. This is not supported in the current release.
    enable-cors BOOLEAN false true false Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    expose-token BOOLEAN false true false If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    ignore-oauth-query-parameter BOOLEAN false true false Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    min-time-between-jwks-requests INT false true If the subsystem recognizes a token signed by an unknown public key, it will try to download a new public key from the server. The subsystem won't try to download a public key if it already tried last in less than 'min-time-between-jwks-requests' seconds.
    principal-attribute STRING false true Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    provider STRING false true The OpenID Connect provider to use for authentication.
    provider-url STRING false true The OpenID provider URL.
    proxy-url STRING false true The URL for the HTTP proxy if one is used.
    public-client BOOLEAN false true false If set to 'true', no client credentials are sent when communicating with the OpenID provider.
    public-key-cache-ttl INT false true The maximum interval between two requests to retrieve new public keys in seconds. New public keys are downloaded when the subsystem recognizes a token signed by an unknown public key. Even if the token's key is already known, new public keys are downloaded periodically as per the interval set here at least once.
    realm STRING false true The Keycloak realm to use for authentication.
    realm-public-key STRING false true The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    redirect-rewrite-rule OBJECT false false The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.
    register-node-at-startup BOOLEAN false true false If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    register-node-period INT false true If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    resource STRING false true The unique, legacy identifier for a client application registered in the OpenID provider. It is recommended to use the 'client-id'.
    socket-timeout-millis LONG false true The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    ssl-required STRING false true external Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    token-minimum-time-to-live INT false true The subsystem will refresh the token if it will expire within the duration specified in 'token-minimum-time-to-live' seconds. This value should never exceed the access token lifespan. If the value is set to 0 seconds, the subsystem will refresh the token only if the token has expired.
    token-signature-algorithm STRING false true RS256 The token signature algorithm used by the OpenID provider.
    token-store STRING false true Defines whether to store account information in an HTTP session or in a cookie.
    truststore STRING false true The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    truststore-password STRING false true The password for the truststore.
    turn-off-change-session-id-on-login BOOLEAN false true false The Session ID is changed by default on a successful login. Set this to 'true' if you want to turn this off.
    use-resource-role-mappings BOOLEAN false true false If set to 'true', the subsystem will look inside the token for application-level role mappings for a user. If set to 'false', the subsystem will look at the realm-level for user-role mappings. This is optional.
    verify-token-audience BOOLEAN false true false If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
  • remove Remove configuration used to secure the management console using the Keycloak OpenID provider.