keycloak-scim/topics/oidc/java/java-adapter-config.adoc

193 lines
8.1 KiB
Text
Raw Normal View History

2016-04-18 19:10:32 +00:00
2016-06-01 11:02:44 +00:00
[[_java_adapter_config]]
=== Java Adapter Config
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
Each Java adapter supported by Keycloak can be configured by a simple JSON file.
2016-06-01 11:02:44 +00:00
This is what one might look like:
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
[source,json]
2016-04-18 19:10:32 +00:00
----
{
"realm" : "demo",
"resource" : "customer-portal",
"realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB",
"auth-server-url" : "https://localhost:8443/auth",
"ssl-required" : "external",
"use-resource-role-mappings" : false,
"enable-cors" : true,
"cors-max-age" : 1000,
"cors-allowed-methods" : "POST, PUT, DELETE, GET",
"bearer-only" : false,
"enable-basic-auth" : false,
"expose-token" : true,
"credentials" : {
"secret" : "234234-234234-234234"
},
"connection-pool-size" : 20,
"disable-trust-manager": false,
"allow-any-hostname" : false,
"truststore" : "path/to/truststore.jks",
"truststore-password" : "geheim",
"client-keystore" : "path/to/client-keystore.jks",
"client-keystore-password" : "geheim",
"client-key-password" : "geheim"
}
2016-06-01 11:02:44 +00:00
----
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
You can use `${...}` enclosure for system property replacement. For example `${jboss.server.config.dir}` would be replaced by `/path/to/{{book.project.name}}`.
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
The initial config file can be ontained from the the admin console. This can be done by opening the admin console, select `Clients` from the menu and clicking
on the corresponding client. Once the page for the client is opened click on the `Installation` tab and select `Keycloak OIDC JSON`.
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
Here is a description of each configuration option:
2016-04-18 19:10:32 +00:00
realm::
Name of the realm representing the users of your distributed applications and services.
2016-06-01 11:02:44 +00:00
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
resource::
2016-06-02 12:38:58 +00:00
The client-id of the application. Each application has a client-id that is used to identify the application.
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
realm-public-key::
2016-06-02 12:38:58 +00:00
PEM format of the realm public key. You can obtain this from the administration console.
This is OPTION._
2016-04-18 19:10:32 +00:00
auth-server-url::
2016-06-02 12:38:58 +00:00
The base URL of the {{book.project.name}} server. All other {{book.project.name}} pages and REST service endpoints are derived from this. It is usually of the form `https://host:port/auth`.
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
ssl-required::
2016-06-02 12:38:58 +00:00
Ensures that all communication to and from the {{book.project.name}} server is over HTTPS.
In production this should be set to `all`.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-02 12:38:58 +00:00
The default value is _external_ meaning that HTTPS is required by default for external requests.
2016-06-01 11:02:44 +00:00
Valid values are 'all', 'external' and 'none'.
2016-04-18 19:10:32 +00:00
use-resource-role-mappings::
2016-06-02 12:38:58 +00:00
If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
public-client::
If set to true, the adapter will not send credentials for the client to Keycloak.
2016-06-02 12:38:58 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
enable-cors::
2016-06-02 12:38:58 +00:00
This enables CORS support. It will handle CORS preflight requests. It will also look into the access token to determine valid origins.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
cors-max-age::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Max-Age` header.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
cors-allowed-methods::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Allow-Methods` header.
2016-04-18 19:10:32 +00:00
This should be a comma-separated string.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
cors-allowed-headers::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Allow-Headers` header.
2016-04-18 19:10:32 +00:00
This should be a comma-separated string.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
bearer-only::
2016-06-02 12:38:58 +00:00
This should be set to _true_ for services. If enabled the adapter will not attempt to authenticate users, but only verify bearer tokens.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
enable-basic-auth::
2016-06-02 12:38:58 +00:00
This tells the adapter to also support basic authentication. If this option is enabled, then _secret_ must also be provided.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
expose-token::
If `true`, an authenticated browser client (via a Javascript HTTP invocation) can obtain the signed access token via the URL `root/k_query_bearer_token`.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
credentials::
2016-06-02 12:38:58 +00:00
Specify the credentials of the application. This is an object notation where the key is the credential type and the value is the value of the credential type.
Currently `password` and `jwt` is supported.
2016-06-01 11:02:44 +00:00
This is _REQUIRED_.
2016-04-18 19:10:32 +00:00
connection-pool-size::
Adapters will make separate HTTP invocations to the Keycloak Server to turn an access code into an access token.
This config option defines how many connections to the Keycloak Server should be pooled.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `20`.
2016-04-18 19:10:32 +00:00
disable-trust-manager::
2016-06-02 12:38:58 +00:00
If the {{book.project.name}} server requires HTTPS and this config option is set to `true` you do not have to specify a truststore.
This setting should only be used during development and *never* in production as it will disable verification of SSL certificates.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `false`.
2016-04-18 19:10:32 +00:00
allow-any-hostname::
2016-06-02 12:38:58 +00:00
If the {{book.project.name}} server requires HTTPS and this config option is set to `true` the Keycloak Server's certificate is validated via the truststore,
but host name validation is not done.
This setting should only be used during development and *never* in production as it will disable verification of SSL certificates.
2016-04-18 19:10:32 +00:00
This seting may be useful in test environments This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `false`.
2016-04-18 19:10:32 +00:00
truststore::
2016-06-02 12:38:58 +00:00
The value is the file path to a keystore file.
2016-04-18 19:10:32 +00:00
If you prefix the path with `classpath:`, then the truststore will be obtained from the deployment's classpath instead.
2016-06-02 12:38:58 +00:00
Used for outgoing HTTPS communications to the {{book.project.name}} server.
2016-04-18 19:10:32 +00:00
Client making HTTPS requests need a way to verify the host of the server they are talking to.
This is what the trustore does.
The keystore contains one or more trusted host certificates or certificate authorities.
You can create this truststore by extracting the public certificate of the Keycloak server's SSL keystore.
2016-06-02 12:38:58 +00:00
This is _OPTIONAL_ if `ssl-required` is `none` or `disable-trust-manager` is `true`.
2016-04-18 19:10:32 +00:00
truststore-password::
Password for the truststore keystore.
2016-06-02 12:38:58 +00:00
This is _REQUIRED_ if `truststore` is set and the truststore requires a password.
2016-04-18 19:10:32 +00:00
client-keystore::
2016-06-02 12:38:58 +00:00
This is the file path to a keystore file.
This keystore contains client certificate for two-way SSL when the adapter makes HTTPS requests to the {{book.project.name}} server.
2016-06-01 11:02:44 +00:00
This is _OPTIONAL_.
2016-04-18 19:10:32 +00:00
client-keystore-password::
2016-06-02 12:38:58 +00:00
Password for the client keystore.
This is _REQUIRED_ if `client-keystore` is set.
2016-04-18 19:10:32 +00:00
client-key-password::
2016-06-02 12:38:58 +00:00
Password for the client's key.
This is _REQUIRED_ if `client-keystore` is set.
2016-04-18 19:10:32 +00:00
always-refresh-token::
2016-06-02 12:38:58 +00:00
If _true_, the adapter will refresh token in every request.
2016-04-18 19:10:32 +00:00
register-node-at-startup::
If _true_, then adapter will send registration request to Keycloak.
2016-06-02 12:38:58 +00:00
It's _false_ by default and useful only when application is clustered.
See link:application-clustering.html[Application Clustering] for details
2016-04-18 19:10:32 +00:00
register-node-period::
Period for re-registration adapter to Keycloak.
2016-06-02 12:38:58 +00:00
Useful when application is clustered.
See link:application-clustering.html[Application Clustering] for details
2016-04-18 19:10:32 +00:00
token-store::
Possible values are _session_ and _cookie_.
Default is _session_, which means that adapter stores account info in HTTP Session.
Alternative _cookie_ means storage of info in cookie.
2016-06-02 12:38:58 +00:00
See link:application-clustering.html[Application Clustering] for details
2016-04-18 19:10:32 +00:00
principal-attribute::
OpenID Connection ID Token attribute to populate the UserPrincipal name with.
If token attribute is null, defaults to `sub`.
2016-06-01 11:02:44 +00:00
Possible values are `sub`, `preferred_username`, `email`, `name`, `nickname`, `given_name`, `family_name`.
2016-04-18 19:10:32 +00:00
turn-off-change-session-id-on-login::
2016-06-02 12:38:58 +00:00
The session id is changed by default on a successful login on some platforms to plug a security attack vector. Change this to true if you want to turn this off This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.