Class OidcTenantConfig.Token

java.lang.Object
io.quarkus.oidc.OidcTenantConfig.Token
All Implemented Interfaces:
OidcTenantConfig.Token
Enclosing class:
OidcTenantConfig

@Deprecated(since="3.18", forRemoval=true)
public static class OidcTenantConfig.Token extends Object implements OidcTenantConfig.Token
Deprecated, for removal: This API element is subject to removal in a future version.
Use the TokenConfigBuilder builder.
  • Field Summary

    Fields

    Deprecated, for removal: This API element is subject to removal in a future version. This applies to every field listed below.

    | Modifier and Type | Field | Description |
    | --- | --- | --- |
    | `Optional<Duration>` | `age` | Token age. |
    | `boolean` | `allowJwtIntrospection` | Allow the remote introspection of JWT tokens when no matching JWK key is available. |
    | `boolean` | `allowOpaqueTokenIntrospection` | Allow the remote introspection of the opaque tokens. |
    | `Optional<List<String>>` | `audience` | The expected audience `aud` claim value, which can be a string or an array of strings. |
    | `String` | `authorizationScheme` | HTTP Authorization header scheme. |
    | (package private) `OidcTenantConfig.Binding` | `binding` | Token binding options |
    | `Optional<String>` | `customizerName` | Token customizer name. |
    | (package private) `boolean` | `decryptAccessToken` | Decrypt access token. |
    | (package private) `Optional<Boolean>` | `decryptIdToken` | Decrypt ID token. |
    | `Optional<String>` | `decryptionKeyLocation` | Decryption key location. |
    | `Duration` | `forcedJwkRefreshInterval` | The forced JWK set refresh interval in minutes. |
    | `Optional<String>` | `header` | Custom HTTP header that contains a bearer token. |
    | `boolean` | `issuedAtRequired` | Require that the token includes a `iat` (issued at) claim. Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim. |
    | `Optional<String>` | `issuer` | The expected issuer `iss` claim value. |
    | `OptionalInt` | `lifespanGrace` | Life span grace period in seconds. |
    | `Optional<String>` | `principalClaim` | Name of the claim which contains a principal name. |
    | `boolean` | `refreshExpired` | Refresh expired authorization code flow ID or access tokens. |
    | `Optional<Duration>` | `refreshTokenTimeSkew` | The refresh token time skew, in seconds. |
    | `Map<String,Set<String>>` | `requiredClaims` | A map of required claims and their expected values. |
    | `boolean` | `requireJwtIntrospectionOnly` | Require that JWT tokens are only introspected remotely. |
    | `Optional<OidcTenantConfig.SignatureAlgorithm>` | `signatureAlgorithm` | Required signature algorithm. |
    | `boolean` | `subjectRequired` | Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user. |
    | `Optional<String>` | `tokenType` | Expected token type |
    | `Optional<Boolean>` | `verifyAccessTokenWithUserInfo` | Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. |
  • Constructor Summary

    Constructors

    | Constructor | Description |
    | --- | --- |
    | `Token()` | Deprecated, for removal: This API element is subject to removal in a future version. |
  • Method Summary

    Deprecated, for removal: This API element is subject to removal in a future version. This applies to every method listed below.

    | Modifier and Type | Method | Description |
    | --- | --- | --- |
    | `Optional<Duration>` | `age()` | Token age. |
    | `boolean` | `allowJwtIntrospection()` | Allow the remote introspection of JWT tokens when no matching JWK key is available. |
    | `boolean` | `allowOpaqueTokenIntrospection()` | Allow the remote introspection of the opaque tokens. |
    | `Optional<List<String>>` | `audience()` | The expected audience `aud` claim value, which can be a string or an array of strings. |
    | `String` | `authorizationScheme()` | HTTP Authorization header scheme. |
    | `OidcTenantConfig.Binding` | `binding()` | Token certificate binding options. |
    | `Optional<String>` | `customizerName()` | Token customizer name. |
    | `boolean` | `decryptAccessToken()` | Decrypt access token. |
    | `Optional<Boolean>` | `decryptIdToken()` | Decrypt ID token. |
    | `Optional<String>` | `decryptionKeyLocation()` | Decryption key location for encrypted ID and access tokens. |
    | `Duration` | `forcedJwkRefreshInterval()` | The forced JWK set refresh interval in minutes. |
    | `static OidcTenantConfig.Token` | `fromAudience(String... audience)` | |
    | `static OidcTenantConfig.Token` | `fromIssuer(String issuer)` | |
    | `Optional<Duration>` | `getAge()` | |
    | `Optional<List<String>>` | `getAudience()` | |
    | `String` | `getAuthorizationScheme()` | |
    | `OidcTenantConfig.Binding` | `getBinding()` | |
    | `Optional<String>` | `getCustomizerName()` | |
    | `Optional<String>` | `getDecryptionKeyLocation()` | |
    | `Duration` | `getForcedJwkRefreshInterval()` | |
    | `Optional<String>` | `getHeader()` | |
    | `Optional<String>` | `getIssuer()` | |
    | `OptionalInt` | `getLifespanGrace()` | |
    | `Optional<String>` | `getPrincipalClaim()` | |
    | `Optional<Duration>` | `getRefreshTokenTimeSkew()` | |
    | `Map<String,Set<String>>` | `getRequiredClaims()` | |
    | `Optional<OidcTenantConfig.SignatureAlgorithm>` | `getSignatureAlgorithm()` | |
    | `Optional<String>` | `getTokenType()` | |
    | `Optional<String>` | `header()` | Custom HTTP header that contains a bearer token. |
    | `boolean` | `isAllowJwtIntrospection()` | |
    | `boolean` | `isAllowOpaqueTokenIntrospection()` | |
    | `boolean` | `isIssuedAtRequired()` | |
    | `boolean` | `isRefreshExpired()` | |
    | `boolean` | `isRequireJwtIntrospectionOnly()` | |
    | `boolean` | `isSubjectRequired()` | |
    | `boolean` | `issuedAtRequired()` | Require that the token includes a `iat` (issued at) claim. Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim. |
    | `Optional<String>` | `issuer()` | The expected issuer `iss` claim value. |
    | `Optional<Boolean>` | `isVerifyAccessTokenWithUserInfo()` | |
    | `OptionalInt` | `lifespanGrace()` | Life span grace period in seconds. |
    | `Optional<String>` | `principalClaim()` | Name of the claim which contains a principal name. |
    | `boolean` | `refreshExpired()` | Refresh expired authorization code flow ID or access tokens. |
    | `Optional<Duration>` | `refreshTokenTimeSkew()` | The refresh token time skew, in seconds. |
    | `Map<String,Set<String>>` | `requiredClaims()` | A map of required claims and their expected values. |
    | `boolean` | `requireJwtIntrospectionOnly()` | Require that JWT tokens are only introspected remotely. |
    | `void` | `setAge(Duration age)` | |
    | `void` | `setAllowJwtIntrospection(boolean allowJwtIntrospection)` | |
    | `void` | `setAllowOpaqueTokenIntrospection(boolean allowOpaqueTokenIntrospection)` | |
    | `void` | `setAudience(List<String> audience)` | |
    | `void` | `setAuthorizationScheme(String authorizationScheme)` | |
    | `void` | `setCustomizerName(String customizerName)` | |
    | `void` | `setDecryptionKeyLocation(String decryptionKeyLocation)` | |
    | `void` | `setForcedJwkRefreshInterval(Duration forcedJwkRefreshInterval)` | |
    | `void` | `setHeader(String header)` | |
    | `void` | `setIssuedAtRequired(boolean issuedAtRequired)` | |
    | `void` | `setIssuer(String issuer)` | |
    | `void` | `setLifespanGrace(int lifespanGrace)` | |
    | `void` | `setPrincipalClaim(String principalClaim)` | |
    | `void` | `setRefreshExpired(boolean refreshExpired)` | |
    | `void` | `setRefreshTokenTimeSkew(Duration refreshTokenTimeSkew)` | |
    | `void` | `setRequiredClaims(Map<String,Set<String>> requiredClaims)` | |
    | `void` | `setRequireJwtIntrospectionOnly(boolean requireJwtIntrospectionOnly)` | |
    | `void` | `setSignatureAlgorithm(OidcTenantConfig.SignatureAlgorithm signatureAlgorithm)` | |
    | `void` | `setSubjectRequired(boolean subjectRequired)` | |
    | `void` | `setTokenType(String tokenType)` | |
    | `void` | `setVerifyAccessTokenWithUserInfo(boolean verify)` | |
    | `Optional<OidcTenantConfig.SignatureAlgorithm>` | `signatureAlgorithm()` | Required signature algorithm. |
    | `boolean` | `subjectRequired()` | Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user. |
    | `Optional<String>` | `tokenType()` | Expected token type |
    | `Optional<Boolean>` | `verifyAccessTokenWithUserInfo()` | Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. |

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • issuer

      public Optional<String> issuer
      Deprecated, for removal: This API element is subject to removal in a future version.
      The expected issuer `iss` claim value. This property overrides the `issuer` property, which might be set in the OpenID Connect provider's well-known configuration. If the `iss` claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to `any`, but it should be done only when other options (such as configuring the provider to use the fixed `iss` claim value) are not possible.
    • audience

      public Optional<List<String>> audience
      Deprecated, for removal: This API element is subject to removal in a future version.
      The expected audience `aud` claim value, which can be a string or an array of strings. Note the audience claim is verified for ID tokens by default. ID token audience must be equal to the value of the `quarkus.oidc.client-id` property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to `any` if your provider does not set the ID token `audience` claim. Audience verification for access tokens is only done if this property is configured.
    • subjectRequired

      public boolean subjectRequired
      Deprecated, for removal: This API element is subject to removal in a future version.
      Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo `sub` claims must be present and match each other.
    • requiredClaims

      public Map<String,Set<String>> requiredClaims
      Deprecated, for removal: This API element is subject to removal in a future version.
      A map of required claims and their expected values. For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id` claim present and set to `org_xyz`. Strings are the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
    • tokenType

      public Optional<String> tokenType
      Deprecated, for removal: This API element is subject to removal in a future version.
      Expected token type
    • lifespanGrace

      public OptionalInt lifespanGrace
      Deprecated, for removal: This API element is subject to removal in a future version.
      Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
    • age

      public Optional<Duration> age
      Deprecated, for removal: This API element is subject to removal in a future version.
      Token age. It specifies the number of seconds that must not elapse since the `iat` (issued at) time. A small leeway to account for clock skew, which can be configured with `quarkus.oidc.token.lifespan-grace` to verify the token expiry time, can also be used to verify the token age property. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid (`exp`) expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request, since the current OpenID Connect Back-Channel specification does not explicitly require the logout tokens to contain an `exp` claim. However, even if the current logout token is allowed to have no `exp` claim, the `exp` claim is still verified if the logout token contains it.
    • issuedAtRequired

      public boolean issuedAtRequired
      Deprecated, for removal: This API element is subject to removal in a future version.
      Require that the token includes a `iat` (issued at) claim. Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim. Note that the ID token is always required to have an `iat` claim and therefore this property has no impact on the ID token verification process.
    • principalClaim

      public Optional<String> principalClaim
      Deprecated, for removal: This API element is subject to removal in a future version.
      Name of the claim which contains a principal name. By default, the `upn`, `preferred_username` and `sub` claims are checked.
    • refreshExpired

      public boolean refreshExpired
      Deprecated, for removal: This API element is subject to removal in a future version.
      Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option to be effective, the `authentication.session-age-extension` property should also be set to a nonzero value, since the refresh token is currently kept in the user session. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.WEB_APP. This property is enabled if `quarkus.oidc.token.refresh-token-time-skew` is configured; you do not need to enable this property manually in this case.
    • refreshTokenTimeSkew

      public Optional<Duration> refreshTokenTimeSkew
      Deprecated, for removal: This API element is subject to removal in a future version.
      The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token's expiration time, a refresh is going to happen.
    • forcedJwkRefreshInterval

      public Duration forcedJwkRefreshInterval
      Deprecated, for removal: This API element is subject to removal in a future version.
      The forced JWK set refresh interval in minutes.
    • authorizationScheme

      public String authorizationScheme
      Deprecated, for removal: This API element is subject to removal in a future version.
      HTTP Authorization header scheme.
    • signatureAlgorithm

      public Optional<OidcTenantConfig.SignatureAlgorithm> signatureAlgorithm
      Deprecated, for removal: This API element is subject to removal in a future version.
      Required signature algorithm. OIDC providers support many signature algorithms, but if necessary you can restrict the Quarkus application to accept only tokens signed using the algorithm configured with this property.
    • decryptionKeyLocation

      public Optional<String> decryptionKeyLocation
      Deprecated, for removal: This API element is subject to removal in a future version.
      Decryption key location. JWT tokens can be inner-signed and encrypted by OpenID Connect providers. However, it is not always possible to remotely introspect such tokens because the providers might not control the private decryption keys. In such cases, set this property to point to the file containing the decryption private key in PEM or JSON Web Key (JWK) format. If this property is not set and the `private_key_jwt` client authentication method is used, the private key used to sign the client authentication JWT tokens is also used to decrypt the encrypted ID tokens.
    • decryptIdToken

      Optional<Boolean> decryptIdToken
      Deprecated, for removal: This API element is subject to removal in a future version.
      Decrypt ID token.
    • decryptAccessToken

      boolean decryptAccessToken
      Deprecated, for removal: This API element is subject to removal in a future version.
      Decrypt access token.
    • allowJwtIntrospection

      public boolean allowJwtIntrospection
      Deprecated, for removal: This API element is subject to removal in a future version.
      Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to `true` by default for backward-compatibility reasons. It is planned that this default value will be changed to `false` in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
    • requireJwtIntrospectionOnly

      public boolean requireJwtIntrospectionOnly
      Deprecated, for removal: This API element is subject to removal in a future version.
      Require that JWT tokens are only introspected remotely.
    • allowOpaqueTokenIntrospection

      public boolean allowOpaqueTokenIntrospection
      Deprecated, for removal: This API element is subject to removal in a future version.
      Allow the remote introspection of the opaque tokens. Set this property to `false` if only JWT tokens are expected.
    • customizerName

      public Optional<String> customizerName
      Deprecated, for removal: This API element is subject to removal in a future version.
      Token customizer name. Allows selecting a tenant-specific token customizer as a named bean. Prefer using the TenantFeature qualifier when registering a custom TokenCustomizer. Use this property only to refer to `TokenCustomizer` implementations provided by this extension.
    • verifyAccessTokenWithUserInfo

      public Optional<Boolean> verifyAccessTokenWithUserInfo
      Deprecated, for removal: This API element is subject to removal in a future version.
      Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. An opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if opaque access tokens must be accepted but the OpenID Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
    • binding

      OidcTenantConfig.Binding binding
      Deprecated, for removal: This API element is subject to removal in a future version.
      Token binding options
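
The time checks described above for `lifespanGrace`, `age`, `issuedAtRequired` and `refreshTokenTimeSkew`, written out as an added example; this is not Quarkus code. The class `TokenTimeChecks`, its method names, the zero leeway used when no grace is configured, and the rejection of a token without `iat` when an age limit is set are assumptions, and the back-channel logout token exception is not modelled.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import java.util.OptionalInt;

// Added illustration of the documented time checks; NOT Quarkus code.
// TokenTimeChecks and its methods are hypothetical names.
public class TokenTimeChecks {

    // Decide whether a token's time claims pass; iat/exp are null when the claim is absent.
    static String check(Instant now, Instant iat, Instant exp,
                        OptionalInt lifespanGrace, Optional<Duration> age,
                        boolean issuedAtRequired) {
        // Assumption: no leeway at all when lifespanGrace is not configured.
        long grace = lifespanGrace.orElse(0);

        // Configuring 'age' does not remove the need for a valid exp claim
        // on bearer and code flow tokens.
        if (exp == null) {
            return "rejected: no exp claim";
        }
        // Expiry: now may be later than exp by at most 'grace' seconds.
        if (now.isAfter(exp.plusSeconds(grace))) {
            return "rejected: expired";
        }
        if (iat == null) {
            // Assumption: an age limit cannot be evaluated without iat, so it fails.
            return (issuedAtRequired || age.isPresent())
                    ? "rejected: no iat claim" : "accepted";
        }
        // Issuance: now may be sooner than iat by at most 'grace' seconds.
        if (now.isBefore(iat.minusSeconds(grace))) {
            return "rejected: issued in the future";
        }
        // Age: at most 'age' (plus the same leeway) may have elapsed since iat.
        if (age.isPresent() && now.isAfter(iat.plus(age.get()).plusSeconds(grace))) {
            return "rejected: older than the configured age";
        }
        return "accepted";
    }

    // Refresh decision: the skew is added to the current time and the sum is
    // compared with the token's expiration time.
    static boolean shouldRefresh(Instant now, Instant exp, Duration refreshTokenTimeSkew) {
        return now.plus(refreshTokenTimeSkew).isAfter(exp);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real token.
        Instant iat = Instant.parse("2025-01-01T12:00:00Z");
        Instant exp = iat.plus(Duration.ofHours(1));
        OptionalInt grace = OptionalInt.of(10);
        Optional<Duration> age = Optional.of(Duration.ofMinutes(5));
        Optional<Duration> noAge = Optional.empty();

        // Offsets from iat in seconds: outside and inside the leeway on both sides.
        long[] offsets = { -30, -5, 120, 305, 360 };
        for (long s : offsets) {
            System.out.printf("iat%+ds, age limit 5m: %s%n", s,
                    check(iat.plusSeconds(s), iat, exp, grace, age, true));
        }

        // Expiry boundary without an age limit.
        System.out.println("exp+5s:  " + check(exp.plusSeconds(5), iat, exp, grace, noAge, true));
        System.out.println("exp+30s: " + check(exp.plusSeconds(30), iat, exp, grace, noAge, true));

        // Missing claims.
        System.out.println("no exp:  " + check(iat.plusSeconds(60), iat, null, grace, age, true));
        System.out.println("no iat, not required: "
                + check(iat.plusSeconds(60), null, exp, grace, noAge, false));
        System.out.println("no iat, age limit set: "
                + check(iat.plusSeconds(60), null, exp, grace, age, false));

        // Refresh skew of 30 seconds, evaluated 60s and 20s before expiry.
        Duration skew = Duration.ofSeconds(30);
        System.out.println("refresh at exp-60s: " + shouldRefresh(exp.minusSeconds(60), exp, skew));
        System.out.println("refresh at exp-20s: " + shouldRefresh(exp.minusSeconds(20), exp, skew));
    }
}
```

A large `lifespanGrace` widens every one of these windows at once, so it is worth keeping it to the clock skew actually observed between the provider and the application.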
  • Constructor Details

    • Token

      public Token()
      Deprecated, for removal: This API element is subject to removal in a future version.
  • Method Details

    • fromIssuer

      public static OidcTenantConfig.Token fromIssuer(String issuer)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • fromAudience

      public static OidcTenantConfig.Token fromAudience(String... audience)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isVerifyAccessTokenWithUserInfo

      public Optional<Boolean> isVerifyAccessTokenWithUserInfo()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setVerifyAccessTokenWithUserInfo

      public void setVerifyAccessTokenWithUserInfo(boolean verify)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getIssuer

      public Optional<String> getIssuer()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setIssuer

      public void setIssuer(String issuer)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getHeader

      public Optional<String> getHeader()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setHeader

      public void setHeader(String header)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getAudience

      public Optional<List<String>> getAudience()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setAudience

      public void setAudience(List<String> audience)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getLifespanGrace

      public OptionalInt getLifespanGrace()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setLifespanGrace

      public void setLifespanGrace(int lifespanGrace)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getPrincipalClaim

      public Optional<String> getPrincipalClaim()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setPrincipalClaim

      public void setPrincipalClaim(String principalClaim)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isRefreshExpired

      public boolean isRefreshExpired()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setRefreshExpired

      public void setRefreshExpired(boolean refreshExpired)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getForcedJwkRefreshInterval

      public Duration getForcedJwkRefreshInterval()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setForcedJwkRefreshInterval

      public void setForcedJwkRefreshInterval(Duration forcedJwkRefreshInterval)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getTokenType

      public Optional<String> getTokenType()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setTokenType

      public void setTokenType(String tokenType)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getRefreshTokenTimeSkew

      public Optional<Duration> getRefreshTokenTimeSkew()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setRefreshTokenTimeSkew

      public void setRefreshTokenTimeSkew(Duration refreshTokenTimeSkew)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isAllowJwtIntrospection

      public boolean isAllowJwtIntrospection()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setAllowJwtIntrospection

      public void setAllowJwtIntrospection(boolean allowJwtIntrospection)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isAllowOpaqueTokenIntrospection

      public boolean isAllowOpaqueTokenIntrospection()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setAllowOpaqueTokenIntrospection

      public void setAllowOpaqueTokenIntrospection(boolean allowOpaqueTokenIntrospection)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getBinding

      public OidcTenantConfig.Binding getBinding()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • binding

      public OidcTenantConfig.Binding binding()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Token certificate binding options.
      Specified by:
      binding in interface OidcTenantConfig.Token
    • getAge

      public Optional<Duration> getAge()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setAge

      public void setAge(Duration age)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isIssuedAtRequired

      public boolean isIssuedAtRequired()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setIssuedAtRequired

      public void setIssuedAtRequired(boolean issuedAtRequired)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getDecryptionKeyLocation

      public Optional<String> getDecryptionKeyLocation()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setDecryptionKeyLocation

      public void setDecryptionKeyLocation(String decryptionKeyLocation)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getRequiredClaims

      public Map<String,Set<String>> getRequiredClaims()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setRequiredClaims

      public void setRequiredClaims(Map<String,Set<String>> requiredClaims)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isRequireJwtIntrospectionOnly

      public boolean isRequireJwtIntrospectionOnly()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setRequireJwtIntrospectionOnly

      public void setRequireJwtIntrospectionOnly(boolean requireJwtIntrospectionOnly)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getSignatureAlgorithm

      public Optional<OidcTenantConfig.SignatureAlgorithm> getSignatureAlgorithm()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setSignatureAlgorithm

      public void setSignatureAlgorithm(OidcTenantConfig.SignatureAlgorithm signatureAlgorithm)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getCustomizerName

      public Optional<String> getCustomizerName()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setCustomizerName

      public void setCustomizerName(String customizerName)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • isSubjectRequired

      public boolean isSubjectRequired()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setSubjectRequired

      public void setSubjectRequired(boolean subjectRequired)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • getAuthorizationScheme

      public String getAuthorizationScheme()
      Deprecated, for removal: This API element is subject to removal in a future version.
    • setAuthorizationScheme

      public void setAuthorizationScheme(String authorizationScheme)
      Deprecated, for removal: This API element is subject to removal in a future version.
    • issuer

      public Optional<String> issuer()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      The expected issuer `iss` claim value. This property overrides the `issuer` property, which might be set in the OpenID Connect provider's well-known configuration. If the `iss` claim value varies depending on the host, IP address, or tenant id of the provider, you can skip the issuer verification by setting this property to `any`, but this should be done only when other options (such as configuring the provider to use a fixed `iss` claim value) are not possible.
      Specified by:
      issuer in interface OidcTenantConfig.Token
    • audience

      public Optional<List<String>> audience()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      The expected audience `aud` claim value, which can be a string or an array of strings. Note that the audience claim is verified for ID tokens by default. The ID token audience must be equal to the value of the `quarkus.oidc.client-id` property. Use this property to override the expected value if your OpenID Connect provider sets a different audience claim value in ID tokens. Set it to `any` if your provider does not set the ID token audience claim. Audience verification for access tokens is only done if this property is configured.
      Specified by:
      audience in interface OidcTenantConfig.Token
    • subjectRequired

      public boolean subjectRequired()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Require that the token includes a `sub` (subject) claim which is a unique and never reassigned identifier for the current user. Note that if you enable this property and if UserInfo is also required, both the token and UserInfo `sub` claims must be present and match each other.
      Specified by:
      subjectRequired in interface OidcTenantConfig.Token
    • requiredClaims

      public Map<String,Set<String>> requiredClaims()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      A map of required claims and their expected values. For example, `quarkus.oidc.token.required-claims.org_id = org_xyz` would require tokens to have the `org_id` claim to be present and set to `org_xyz`. On the other hand, if it was set to `org_xyz,org_abc`, the `org_id` claim would need to have both `org_xyz` and `org_abc` values. Strings and arrays of strings are currently the only supported types. Use SecurityIdentityAugmentor to verify claims of other types or complex claims.
      Specified by:
      requiredClaims in interface OidcTenantConfig.Token
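The matching rule described for `requiredClaims`, as an added Java example that is not Quarkus code. `satisfies` and the sample claim maps are hypothetical, and the sketch assumes an array claim may carry extra values beyond the required ones.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Illustrative model of the documented required-claims rule; not Quarkus code. */
public class RequiredClaimsCheck {

    /** True only if every required claim is present and carries all expected values. */
    static boolean satisfies(Map<String, Object> claims, Map<String, Set<String>> required) {
        for (Map.Entry<String, Set<String>> e : required.entrySet()) {
            Object actual = claims.get(e.getKey());
            if (actual instanceof String s) {
                // A single string can only satisfy a single expected value.
                if (!e.getValue().equals(Set.of(s))) return false;
            } else if (actual instanceof Collection<?> c) {
                // An array claim must contain every expected value (assumption: extras allowed).
                if (!c.containsAll(e.getValue())) return false;
            } else {
                // Missing claim or unsupported type (number, object, ...): fail closed.
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed configuration: required-claims.org_id = org_xyz, and = org_xyz,org_abc
        Map<String, Set<String>> one = Map.of("org_id", Set.of("org_xyz"));
        Map<String, Set<String>> both = Map.of("org_id", Set.of("org_xyz", "org_abc"));
        // Constructed token claims.
        Map<String, Object> single = Map.of("org_id", "org_xyz");
        Map<String, Object> array = Map.of("org_id", List.of("org_xyz", "org_abc"));
        Map<String, Object> nested = Map.of("org_id", Map.of("id", "org_xyz"));

        System.out.println("string vs one value:   " + satisfies(single, one));
        System.out.println("string vs both values: " + satisfies(single, both));
        System.out.println("array vs both values:  " + satisfies(array, both));
        System.out.println("object-typed claim:    " + satisfies(nested, one));
        System.out.println("claim absent:          " + satisfies(Map.of(), one));
    }
}
```

The comma-separated form is a conjunction, so a token holding only one of the listed values is rejected; claims of other types need a SecurityIdentityAugmentor, as the description states.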
    • tokenType

      public Optional<String> tokenType()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Expected token type
      Specified by:
      tokenType in interface OidcTenantConfig.Token
    • lifespanGrace

      public OptionalInt lifespanGrace()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.
      Specified by:
      lifespanGrace in interface OidcTenantConfig.Token
    • age

      public Optional<Duration> age()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Token age. It specifies the number of seconds that must not have elapsed since the `iat` (issued at) time. The small clock-skew leeway that can be configured with `quarkus.oidc.token.lifespan-grace` for verifying the token expiry time can also be used when verifying the token age. Note that setting this property does not relax the requirement that Bearer and Code Flow JWT tokens must have a valid (`exp`) expiry claim value. The only exception where setting this property relaxes the requirement is when a logout token is sent with a back-channel logout request, since the current OpenID Connect Back-Channel specification does not explicitly require the logout tokens to contain an `exp` claim. However, even if the current logout token is allowed to have no `exp` claim, the `exp` claim is still verified if the logout token contains it.
      Specified by:
      age in interface OidcTenantConfig.Token
    • issuedAtRequired

      public boolean issuedAtRequired()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Require that the token includes an `iat` (issued at) claim. Set this property to `false` if your JWT token does not contain an `iat` (issued at) claim. Note that the ID token is always required to have an `iat` claim and therefore this property has no impact on the ID token verification process.
      Specified by:
      issuedAtRequired in interface OidcTenantConfig.Token
    • principalClaim

      public Optional<String> principalClaim()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Name of the claim which contains a principal name. By default, the `upn`, `preferred_username` and `sub` claims are checked.
      Specified by:
      principalClaim in interface OidcTenantConfig.Token
    • refreshExpired

      public boolean refreshExpired()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Refresh expired authorization code flow ID or access tokens. If this property is enabled, a refresh token request is performed if the authorization code ID or access token has expired and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated and the user is redirected to the OpenID Provider to re-authenticate. In this case, the user might not be challenged again if the OIDC provider session is still active. For this option to be effective, the `authentication.session-age-extension` property should also be set to a nonzero value since the refresh token is currently kept in the user session. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.WEB_APP. This property is enabled if `quarkus.oidc.token.refresh-token-time-skew` is configured; you do not need to enable this property manually in this case.
      Specified by:
      refreshExpired in interface OidcTenantConfig.Token
    • refreshTokenTimeSkew

      public Optional<Duration> refreshTokenTimeSkew()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      The refresh token time skew, in seconds. If this property is enabled, the configured number of seconds is added to the current time when checking if the authorization code ID or access token should be refreshed. If the sum is greater than the authorization code ID or access token's expiration time, a refresh is going to happen.
      Specified by:
      refreshTokenTimeSkew in interface OidcTenantConfig.Token
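The time checks described for `lifespanGrace`, `age` and `refreshTokenTimeSkew`, modelled in an added Java example that is not Quarkus code. Method names and sample instants are hypothetical; the sketch assumes the grace period is added to the age limit and does not model the logout-token case without `exp`.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;
import java.util.OptionalInt;

/** Illustrative model of the documented time checks; not Quarkus code. */
public class TokenTimeChecks {

    /** Bearer or code flow JWT: `exp` and `iat` checked with grace, then the optional age. */
    static boolean timeClaimsValid(Instant now, Instant iat, Instant exp,
                                   OptionalInt lifespanGrace, Optional<Duration> age) {
        Duration grace = Duration.ofSeconds(lifespanGrace.orElse(0));
        // Expiry: current time may be later than exp by at most the grace period.
        if (now.isAfter(exp.plus(grace))) return false;
        // Issuance: current time may be sooner than iat by at most the grace period.
        if (now.isBefore(iat.minus(grace))) return false;
        // Age: no more than `age` may have elapsed since iat (assumption: same leeway added).
        if (age.isPresent() && now.isAfter(iat.plus(age.get()).plus(grace))) return false;
        return true;
    }

    /** Code flow: refresh when current time plus the skew is greater than the expiry. */
    static boolean shouldRefresh(Instant now, Instant exp, Optional<Duration> skew) {
        return now.plus(skew.orElse(Duration.ZERO)).isAfter(exp);
    }

    public static void main(String[] args) {
        // Constructed sample values: 300 s lifetime, 10 s grace, 120 s maximum age.
        Instant iat = Instant.parse("2025-01-01T12:00:00Z");
        Instant exp = iat.plusSeconds(300);
        OptionalInt grace = OptionalInt.of(10);
        Optional<Duration> age = Optional.of(Duration.ofSeconds(120));
        Optional<Duration> skew = Optional.of(Duration.ofSeconds(30));

        System.out.println("60 s after iat:       " + timeClaimsValid(iat.plusSeconds(60), iat, exp, grace, age));
        System.out.println("125 s, inside leeway: " + timeClaimsValid(iat.plusSeconds(125), iat, exp, grace, age));
        System.out.println("131 s, past age:      " + timeClaimsValid(iat.plusSeconds(131), iat, exp, grace, age));
        System.out.println("11 s before iat:      " + timeClaimsValid(iat.minusSeconds(11), iat, exp, grace, age));
        System.out.println("5 s past exp, no age: " + timeClaimsValid(iat.plusSeconds(305), iat, exp, grace, Optional.empty()));
        System.out.println("refresh 20 s early:   " + shouldRefresh(iat.plusSeconds(280), exp, skew));
    }
}
```

The grace period widens every window it touches, so a large `lifespan-grace` value also extends how long an expired or over-age token is accepted.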
    • forcedJwkRefreshInterval

      public Duration forcedJwkRefreshInterval()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      The forced JWK set refresh interval in minutes.
      Specified by:
      forcedJwkRefreshInterval in interface OidcTenantConfig.Token
    • header

      public Optional<String> header()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Custom HTTP header that contains a bearer token. This option is valid only when the application is of type OidcTenantConfig.ApplicationType.SERVICE.
      Specified by:
      header in interface OidcTenantConfig.Token
    • authorizationScheme

      public String authorizationScheme()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      HTTP Authorization header scheme.
      Specified by:
      authorizationScheme in interface OidcTenantConfig.Token
    • signatureAlgorithm

      public Optional<OidcTenantConfig.SignatureAlgorithm> signatureAlgorithm()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Required signature algorithm. OIDC providers support many signature algorithms, but if necessary you can restrict the Quarkus application to accept only tokens signed with the algorithm configured with this property.
      Specified by:
      signatureAlgorithm in interface OidcTenantConfig.Token
    • decryptionKeyLocation

      public Optional<String> decryptionKeyLocation()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Decryption key location for encrypted ID and access tokens.
      Specified by:
      decryptionKeyLocation in interface OidcTenantConfig.Token
    • decryptIdToken

      public Optional<Boolean> decryptIdToken()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Decrypt ID token. If the OidcTenantConfig.Token.decryptionKeyLocation() property is configured then the decryption key will be loaded from this location. Otherwise, if the JWT authentication token key is available, then it will be used to decrypt the token. Finally, if a client secret is configured, it will be used as a secret key to decrypt the token.
      Specified by:
      decryptIdToken in interface OidcTenantConfig.Token
    • decryptAccessToken

      public boolean decryptAccessToken()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Decrypt access token. If the OidcTenantConfig.Token.decryptionKeyLocation() property is configured then the decryption key will be loaded from this location. Otherwise, if the JWT authentication token key is available, then it will be used to decrypt the token. Finally, if a client secret is configured, it will be used as a secret key to decrypt the token.
      Specified by:
      decryptAccessToken in interface OidcTenantConfig.Token
    • allowJwtIntrospection

      public boolean allowJwtIntrospection()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Allow the remote introspection of JWT tokens when no matching JWK key is available. This property is set to `true` by default for backward-compatibility reasons. It is planned that this default value will be changed to `false` in an upcoming release. Also note this property is ignored if JWK endpoint URI is not available and introspecting the tokens is the only verification option.
      Specified by:
      allowJwtIntrospection in interface OidcTenantConfig.Token
    • requireJwtIntrospectionOnly

      public boolean requireJwtIntrospectionOnly()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Require that JWT tokens are only introspected remotely.
      Specified by:
      requireJwtIntrospectionOnly in interface OidcTenantConfig.Token
    • allowOpaqueTokenIntrospection

      public boolean allowOpaqueTokenIntrospection()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Allow the remote introspection of the opaque tokens. Set this property to `false` if only JWT tokens are expected.
      Specified by:
      allowOpaqueTokenIntrospection in interface OidcTenantConfig.Token
    • customizerName

      public Optional<String> customizerName()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Token customizer name. Allows selecting a tenant-specific token customizer as a named bean. Prefer using the TenantFeature qualifier when registering a custom TokenCustomizer. Use this property only to refer to `TokenCustomizer` implementations provided by this extension.
      Specified by:
      customizerName in interface OidcTenantConfig.Token
    • verifyAccessTokenWithUserInfo

      public Optional<Boolean> verifyAccessTokenWithUserInfo()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Description copied from interface: OidcTenantConfig.Token
      Indirectly verify that the opaque (binary) access token is valid by using it to request UserInfo. An opaque access token is considered valid if the provider accepted this token and returned a valid UserInfo. You should only enable this option if opaque access tokens must be accepted but the OpenID Connect provider does not have a token introspection endpoint. This property has no effect when JWT tokens must be verified.
      Specified by:
      verifyAccessTokenWithUserInfo in interface OidcTenantConfig.Token