WildFly 34 Model Reference

Configuration used to secure the management console using Keycloak.

Children (2)

  • credential The credential used to communicate with the OpenID Connect provider.
  • redirect-rewrite-rule The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.

Attributes (57)

  • adapter-state-cookie-path If set, this defines the path used in cookies set by the subsystem. This is useful when deploying an application in the root context path.
  • allow-any-hostname If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • always-refresh-token If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • auth-server-url The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use 'provider-url' instead.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • 🅿 authentication-request-format The format to use for specifying query parameters in authentication request.
    • Attribute Value
    Default Value oauth2
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values oauth2
    request
    request_uri
    Stability preview
  • autodetect-bearer-only Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • bearer-only Enable Bearer-Token only authentication. Set this to 'true' if your application serves only web services and does not authenticate users.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-id The unique identifier for a client application registered in the OpenID provider.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-key-password The password for the client key. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-keystore The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-keystore-password The password for the client keystore. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • confidential-port The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    • Attribute Value
    Default Value 8443
    Type INT
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-pool-size The connection pool size to use when communicating with the OpenID provider.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min 0
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-timeout-millis The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-ttl-millis The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-allowed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-allowed-methods If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-exposed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-max-age If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • credential The credential used to communicate with the OpenID Connect provider.
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • disable-trust-manager Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • enable-basic-auth Enable Basic authentication. This is not supported in the current release.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • enable-cors Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • expose-token If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • ignore-oauth-query-parameter Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • min-time-between-jwks-requests If the subsystem recognizes a token signed by an unknown public key, it will try to download a new public key from the server. The subsystem won't try to download a public key if it already tried last in less than 'min-time-between-jwks-requests' seconds.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • principal-attribute Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • provider The OpenID Connect provider to use for authentication.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • provider-url The OpenID provider URL.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • proxy-url The URL for the HTTP proxy if one is used.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • public-client If set to 'true', no client credentials are sent when communicating with the OpenID provider.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • public-key-cache-ttl The maximum interval between two requests to retrieve new public keys in seconds. New public keys are downloaded when the subsystem recognizes a token signed by an unknown public key. Even if the token's key is already known, new public keys are downloaded periodically as per the interval set here at least once.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • realm The Keycloak realm to use for authentication.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • realm-public-key The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • redirect-rewrite-rule The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.
    • Attribute Value
    Type OBJECT
    Nillable true
    Expressions Allowed false
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • register-node-at-startup If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • register-node-period If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • 🅿 request-object-encryption-alg-value The encryption algorithm used to encrypt the request object.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-encryption-enc-value The content encryption algorithm used to encrypt the request object.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-algorithm The algorithm used to sign the request object. The default value fot this attribute is "none".
    • Attribute Value
    Default Value none
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-key-alias The key alias when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-key-password The key password when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-file The path to the keystore to use when signing a request object. This is required if an asymmetric signing algorithm for request object is indicated.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-password The keystore password when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-type The keystore type used to specify the client key pair used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • resource The unique, legacy identifier for a client application registered in the OpenID provider. It is recommended to use the 'client-id'.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • 🅿 scope A space separated list of scope values that should be used in the OIDC authentication request. Scopes can be used to request that specific sets of information be made available as Claim Values.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • socket-timeout-millis The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • ssl-required Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    • Attribute Value
    Default Value external
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values ALL
    EXTERNAL
    NONE
    Stability default
  • token-minimum-time-to-live The subsystem will refresh the token if it will expire within the duration specified in 'token-minimum-time-to-live' seconds. This value should never exceed the access token lifespan. If the value is set to 0 seconds, the subsystem will refresh the token only if the token has expired.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • token-signature-algorithm The token signature algorithm used by the OpenID provider.
    • Attribute Value
    Default Value RS256
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • token-store Defines whether to store account information in an HTTP session or in a cookie.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • truststore The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • truststore-password The password for the truststore.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • turn-off-change-session-id-on-login The Session ID is changed by default on a successful login. Set this to 'true' if you want to turn this off.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • use-resource-role-mappings If set to 'true', the subsystem will look inside the token for application-level role mappings for a user. If set to 'false', the subsystem will look at the realm-level for user-role mappings. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • verify-token-audience If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default

Operations (2)

  • add Add configuration to be used to secure the management console using the Keycloak OpenID provider.
    Request Parameter Type Required Expressions Allowed Default value Description
    adapter-state-cookie-path STRING false true If set, this defines the path used in cookies set by the subsystem. This is useful when deploying an application in the root context path.
    allow-any-hostname BOOLEAN false true false If set to 'true', hostname verification is skipped when communicating with the OpenID provider over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    always-refresh-token BOOLEAN false true false If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to the OpenID provider to obtain a new access token. This can result in a higher load on the OpenID provider and may impact the performance of the application.
    auth-server-url STRING false true The base URL of the Keycloak authorization server. This is Keycloak-specific. It is recommended to use 'provider-url' instead.
    authentication-request-format STRING false true oauth2 The format to use for specifying query parameters in authentication request.
    autodetect-bearer-only BOOLEAN false true false Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the OpenID provider login page. Set the value to 'true' if your application serves both applications and web services.
    bearer-only BOOLEAN false true false Enable Bearer-Token only authentication. Set this to 'true' if your application serves only web services and does not authenticate users.
    client-id STRING false true The unique identifier for a client application registered in the OpenID provider.
    client-key-password STRING false true The password for the client key. This is required if 'client-keystore' has been specified.
    client-keystore STRING false true The path to the client keystore to use when communicating with the OpenID provider over HTTPS. This is optional.
    client-keystore-password STRING false true The password for the client keystore. This is required if 'client-keystore' has been specified.
    confidential-port INT false true 8443 The confidential port used by the OpenID provider when communicating securely over SSL/TLS.
    connection-pool-size INT false true The connection pool size to use when communicating with the OpenID provider.
    connection-timeout-millis LONG false true The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    connection-ttl-millis LONG false true The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    cors-allowed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-allowed-methods STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-exposed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-max-age INT false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    credential OBJECT false false The credential used to communicate with the OpenID Connect provider.
    disable-trust-manager BOOLEAN false true false Whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    enable-basic-auth BOOLEAN false true false Enable Basic authentication. This is not supported in the current release.
    enable-cors BOOLEAN false true false Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional. This is Keycloak-specific.
    expose-token BOOLEAN false true false If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    ignore-oauth-query-parameter BOOLEAN false true false Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    min-time-between-jwks-requests INT false true If the subsystem recognizes a token signed by an unknown public key, it will try to download a new public key from the server. The subsystem won't try to download a public key if it already tried last in less than 'min-time-between-jwks-requests' seconds.
    principal-attribute STRING false true Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    provider STRING false true The OpenID Connect provider to use for authentication.
    provider-url STRING false true The OpenID provider URL.
    proxy-url STRING false true The URL for the HTTP proxy if one is used.
    public-client BOOLEAN false true false If set to 'true', no client credentials are sent when communicating with the OpenID provider.
    public-key-cache-ttl INT false true The maximum interval between two requests to retrieve new public keys in seconds. New public keys are downloaded when the subsystem recognizes a token signed by an unknown public key. Even if the token's key is already known, new public keys are downloaded periodically as per the interval set here at least once.
    realm STRING false true The Keycloak realm to use for authentication.
    realm-public-key STRING false true The public key of the OpenID provider in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from the OpenID provider when needed. If the public key is set, the subsystem never downloads new keys from the OpenID provider, breaking the subsystem when the OpenID provider rotates its keys.
    redirect-rewrite-rule OBJECT false false The rewrite rule for the redirect URI. The rewrite rule is an object notation, where the key is a regular expression with which the redirect URI is matched and the value is the replacement String.
    register-node-at-startup BOOLEAN false true false If set to 'true', the subsystem sends a registration request to the OpenID provider. This attribute is useful only when your application is clustered.
    register-node-period INT false true If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    request-object-encryption-alg-value STRING false true The encryption algorithm used to encrypt the request object.
    request-object-encryption-enc-value STRING false true The content encryption algorithm used to encrypt the request object.
    request-object-signing-algorithm STRING false true none The algorithm used to sign the request object. The default value fot this attribute is "none".
    request-object-signing-key-alias STRING false true The key alias when a key pair is used to sign request objects.
    request-object-signing-key-password STRING false true The key password when a key pair is used to sign request objects.
    request-object-signing-keystore-file STRING false true The path to the keystore to use when signing a request object. This is required if an asymmetric signing algorithm for request object is indicated.
    request-object-signing-keystore-password STRING false true The keystore password when a key pair is used to sign request objects.
    request-object-signing-keystore-type STRING false true The keystore type used to specify the client key pair used to sign request objects.
    resource STRING false true The unique, legacy identifier for a client application registered in the OpenID provider. It is recommended to use the 'client-id'.
    scope STRING false true A space separated list of scope values that should be used in the OIDC authentication request. Scopes can be used to request that specific sets of information be made available as Claim Values.
    socket-timeout-millis LONG false true The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    ssl-required STRING false true external Whether the communication with the OpenID provider should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    token-minimum-time-to-live INT false true The subsystem will refresh the token if it will expire within the duration specified in 'token-minimum-time-to-live' seconds. This value should never exceed the access token lifespan. If the value is set to 0 seconds, the subsystem will refresh the token only if the token has expired.
    token-signature-algorithm STRING false true RS256 The token signature algorithm used by the OpenID provider.
    token-store STRING false true Defines whether to store account information in an HTTP session or in a cookie.
    truststore STRING false true The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    truststore-password STRING false true The password for the truststore.
    turn-off-change-session-id-on-login BOOLEAN false true false The Session ID is changed by default on a successful login. Set this to 'true' if you want to turn this off.
    use-resource-role-mappings BOOLEAN false true false If set to 'true', the subsystem will look inside the token for application-level role mappings for a user. If set to 'false', the subsystem will look at the realm-level for user-role mappings. This is optional.
    verify-token-audience BOOLEAN false true false If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set the value to 'true' for improved security.
  • remove Remove configuration used to secure the management console using the Keycloak OpenID provider.