Management API Reference for token-realm

A security realm definition capable of validating and extracting identities from security tokens.

Provided Capabilities (2)

Name	Dynamic	Other provider points
org.wildfly.security.security-realm	true	/subsystem=elytron/jaas-realm=* /subsystem=elytron/jdbc-realm=* /subsystem=elytron/filesystem-realm=* /subsystem=elytron/ldap-realm=* /subsystem=elytron/distributed-realm=* /subsystem=elytron/key-store-realm=* /subsystem=elytron/failover-realm=* /subsystem=security/elytron-realm=* /subsystem=elytron/custom-modifiable-realm=* /subsystem=elytron/identity-realm=* /subsystem=elytron/aggregate-realm=* /subsystem=elytron/properties-realm=* /subsystem=elytron/caching-realm=* /subsystem=elytron/custom-realm=*
org.wildfly.security.modifiable-security-realm	true	/subsystem=elytron/filesystem-realm=* /subsystem=elytron/custom-modifiable-realm=* /subsystem=elytron/ldap-realm=*

Attributes (3)

jwt - A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard.

Type	OBJECT
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "OBJECT" }, "description" : "A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard.", "expressions-allowed" : false, "required" : false, "nillable" : true, "stability" : "default", "value-type" : { "issuer" : { "type" : { "TYPE_MODEL_VALUE" : "LIST" }, "description" : "A list of strings representing the issuers supported by this configuration. During validation JWT tokens must have an 'iss' claim that contains one of the values defined here.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "value-type" : { "TYPE_MODEL_VALUE" : "STRING" } }, "audience" : { "type" : { "TYPE_MODEL_VALUE" : "LIST" }, "description" : "A list of strings representing the audiences supported by this configuration. During validation JWT tokens must have an 'aud' claim that contains one of the values defined here.", "expressions-allowed" : true, "required" : false, "nillable" : true, "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "value-type" : { "TYPE_MODEL_VALUE" : "STRING" } }, "public-key" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "A public key in PEM Format. During validation, if a public key is provided, signature will be verified based on the key you provided here.", "expressions-allowed" : true, "required" : false, "nillable" : true, "alternatives" : [ "key-store", "certificate" ], "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "key-store" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "A key store from where the certificate with a public key should be loaded from.", "expressions-allowed" : false, "required" : false, "nillable" : true, "alternatives" : ["public-key"], "requires" : ["certificate"], "capability-reference" : "org.wildfly.security.key-store", "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "certificate" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The name of the certificate with a public key to load from the key store.", "expressions-allowed" : true, "required" : false, "nillable" : true, "alternatives" : ["public-key"], "requires" : ["key-store"], "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "client-ssl-context" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The SSL context to be used for fetching jku keys using HTTPS.", "expressions-allowed" : false, "required" : false, "nillable" : true, "capability-reference" : "org.wildfly.security.ssl-context", "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "host-name-verification-policy" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "A policy that defines how host names should be verified when using HTTPS.", "expressions-allowed" : true, "required" : false, "nillable" : true, "allowed" : [ "ANY", "DEFAULT" ], "stability" : "default" }, "key-map" : { "type" : { "TYPE_MODEL_VALUE" : "OBJECT" }, "description" : "A map of named public keys for token verification.", "expressions-allowed" : true, "required" : false, "nillable" : true, "stability" : "default", "value-type" : { "TYPE_MODEL_VALUE" : "STRING" } } }, "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

oauth2-introspection - A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with OAuth2 Token Introspection specification(RFC-7662).

Type	OBJECT
Is the attribute nillable?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	{ "type" : { "TYPE_MODEL_VALUE" : "OBJECT" }, "description" : "A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with OAuth2 Token Introspection specification(RFC-7662).", "expressions-allowed" : false, "required" : false, "nillable" : true, "stability" : "default", "value-type" : { "client-id" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The identifier of the client on the OAuth2 Authorization Server.", "expressions-allowed" : true, "required" : true, "nillable" : false, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "client-secret" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The secret of the client.", "expressions-allowed" : true, "required" : true, "nillable" : false, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "introspection-url" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The URL of token introspection endpoint.", "expressions-allowed" : true, "required" : true, "nillable" : false, "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "client-ssl-context" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The SSL context to be used if the introspection endpoint is using HTTPS.", "expressions-allowed" : false, "required" : false, "nillable" : true, "capability-reference" : "org.wildfly.security.ssl-context", "min-length" : 1, "max-length" : 2147483647, "stability" : "default" }, "host-name-verification-policy" : { "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "A policy that defines how host names should be verified when using HTTPS. Allowed values: 'ANY'.", "expressions-allowed" : true, "required" : false, "nillable" : true, "allowed" : [ "ANY", "DEFAULT" ], "stability" : "default" } }, "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }

principal-claim - The name of the claim that should be used to obtain the principal's name.

Type	STRING
Default Value	username
Is the attribute nillable?	true
Does the attribute allow expression?	true
Where is the attribute stored?	configuration
Access Type	read-write
Is restarted required?	all-services
Stability Level	default
Raw DMR model	`{ "type" : { "TYPE_MODEL_VALUE" : "STRING" }, "description" : "The name of the claim that should be used to obtain the principal's name.", "expressions-allowed" : true, "required" : false, "nillable" : true, "default" : "username", "min-length" : 1, "max-length" : 2147483647, "stability" : "default", "access-type" : "read-write", "storage" : "configuration", "restart-required" : "all-services", "capability-reference" : null }`

Operations (2)

add - The add operation for the security realm.

Request Parameter	Type	Required	Expressions Allowed	Default value	Description
jwt	OBJECT	false	false		A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard.
oauth2-introspection	OBJECT	false	false		A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with OAuth2 Token Introspection specification(RFC-7662).
principal-claim	STRING	false	true	username	The name of the claim that should be used to obtain the principal's name.

Raw DMR model


{
    "operation-name" : "add",
    "description" : "The add operation for the security realm.",
    "request-properties" : {
        "jwt" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "OBJECT"
            },
            "description" : "A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard.",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "stability" : "default",
            "value-type" : {
                "issuer" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "LIST"
                    },
                    "description" : "A list of strings representing the issuers supported by this configuration. During validation JWT tokens must have an 'iss' claim that contains one of the values defined here.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default",
                    "value-type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    }
                },
                "audience" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "LIST"
                    },
                    "description" : "A list of strings representing the audiences supported by this configuration. During validation JWT tokens must have an 'aud' claim that contains one of the values defined here.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default",
                    "value-type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    }
                },
                "public-key" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "A public key in PEM Format. During validation, if a public key is provided, signature will be verified based on the key you provided here.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "alternatives" : [
                        "key-store",
                        "certificate"
                    ],
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "key-store" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "A key store from where the certificate with a public key should be loaded from.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "alternatives" : ["public-key"],
                    "requires" : ["certificate"],
                    "capability-reference" : "org.wildfly.security.key-store",
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "certificate" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The name of the certificate with a public key to load from the key store.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "alternatives" : ["public-key"],
                    "requires" : ["key-store"],
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "client-ssl-context" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The SSL context to be used for fetching jku keys using HTTPS.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "capability-reference" : "org.wildfly.security.ssl-context",
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "host-name-verification-policy" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "A policy that defines how host names should be verified when using HTTPS.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "allowed" : [
                        "ANY",
                        "DEFAULT"
                    ],
                    "stability" : "default"
                },
                "key-map" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "OBJECT"
                    },
                    "description" : "A map of named public keys for token verification.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "stability" : "default",
                    "value-type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    }
                }
            }
        },
        "oauth2-introspection" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "OBJECT"
            },
            "description" : "A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with OAuth2 Token Introspection specification(RFC-7662).",
            "expressions-allowed" : false,
            "required" : false,
            "nillable" : true,
            "stability" : "default",
            "value-type" : {
                "client-id" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The identifier of the client on the OAuth2 Authorization Server.",
                    "expressions-allowed" : true,
                    "required" : true,
                    "nillable" : false,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "client-secret" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The secret of the client.",
                    "expressions-allowed" : true,
                    "required" : true,
                    "nillable" : false,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "introspection-url" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The URL of token introspection endpoint.",
                    "expressions-allowed" : true,
                    "required" : true,
                    "nillable" : false,
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "client-ssl-context" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "The SSL context to be used if the introspection endpoint is using HTTPS.",
                    "expressions-allowed" : false,
                    "required" : false,
                    "nillable" : true,
                    "capability-reference" : "org.wildfly.security.ssl-context",
                    "min-length" : 1,
                    "max-length" : 2147483647,
                    "stability" : "default"
                },
                "host-name-verification-policy" : {
                    "type" : {
                        "TYPE_MODEL_VALUE" : "STRING"
                    },
                    "description" : "A policy that defines how host names should be verified when using HTTPS. Allowed values: 'ANY'.",
                    "expressions-allowed" : true,
                    "required" : false,
                    "nillable" : true,
                    "allowed" : [
                        "ANY",
                        "DEFAULT"
                    ],
                    "stability" : "default"
                }
            }
        },
        "principal-claim" : {
            "type" : {
                "TYPE_MODEL_VALUE" : "STRING"
            },
            "description" : "The name of the claim that should be used to obtain the principal's name.",
            "expressions-allowed" : true,
            "required" : false,
            "nillable" : true,
            "default" : "username",
            "min-length" : 1,
            "max-length" : 2147483647,
            "stability" : "default"
        }
    },
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "restart-required" : "resource-services",
    "runtime-only" : false
}

remove - The remove operation for the security realm.

Raw DMR model


{
    "operation-name" : "remove",
    "description" : "The remove operation for the security realm.",
    "request-properties" : {},
    "reply-properties" : {},
    "stability" : "default",
    "read-only" : false,
    "restart-required" : "resource-services",
    "runtime-only" : false
}

Galleon Features

Galleon features are to be used when creating Galleon feature-packs.

subsystem.elytron.token-realm

        
<feature spec="subsystem.elytron.token-realm">
  <param name="token-realm" value="{resource name}"/>
  <param name="jwt" value="{value}"/>
  <param name="oauth2-introspection" value="{value}"/>
  <param name="principal-claim" value="{value}"/>
<feature/>