keycloak-scim/topics/oidc/java/java-adapter-config.adoc

211 lines
9.8 KiB
Text
Raw Normal View History

2016-04-18 19:10:32 +00:00
2016-06-01 11:02:44 +00:00
[[_java_adapter_config]]
2016-06-09 13:12:10 +00:00
==== Java Adapter Config
2016-04-18 19:10:32 +00:00
2016-06-03 07:10:01 +00:00
Each Java adapter supported by {{book.project.name}} can be configured by a simple JSON file.
2016-06-01 11:02:44 +00:00
This is what one might look like:
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
[source,json]
2016-04-18 19:10:32 +00:00
----
{
"realm" : "demo",
"resource" : "customer-portal",
"realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB",
"auth-server-url" : "https://localhost:8443/auth",
"ssl-required" : "external",
"use-resource-role-mappings" : false,
"enable-cors" : true,
"cors-max-age" : 1000,
"cors-allowed-methods" : "POST, PUT, DELETE, GET",
"bearer-only" : false,
"enable-basic-auth" : false,
"expose-token" : true,
"credentials" : {
"secret" : "234234-234234-234234"
},
"connection-pool-size" : 20,
"disable-trust-manager": false,
"allow-any-hostname" : false,
"truststore" : "path/to/truststore.jks",
"truststore-password" : "geheim",
"client-keystore" : "path/to/client-keystore.jks",
"client-keystore-password" : "geheim",
"client-key-password" : "geheim",
"token-minimum-time-to-live" : 10,
"min-time-between-jwks-requests" : 10
2016-04-18 19:10:32 +00:00
}
2016-06-01 11:02:44 +00:00
----
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
You can use `${...}` enclosure for system property replacement. For example `${jboss.server.config.dir}` would be replaced by `/path/to/{{book.project.name}}`.
Replacement of environment variables is also supported via the `env` prefix, e.g. `${env.MY_ENVIRONMENT_VARIABLE}`.
2016-04-18 19:10:32 +00:00
The initial config file can be obtained from the the admin console. This can be done by opening the admin console, select `Clients` from the menu and clicking
2016-06-02 12:38:58 +00:00
on the corresponding client. Once the page for the client is opened click on the `Installation` tab and select `Keycloak OIDC JSON`.
2016-04-18 19:10:32 +00:00
2016-06-02 12:38:58 +00:00
Here is a description of each configuration option:
2016-04-18 19:10:32 +00:00
realm::
Name of the realm.
2016-06-01 11:02:44 +00:00
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
resource::
2016-06-02 12:38:58 +00:00
The client-id of the application. Each application has a client-id that is used to identify the application.
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
realm-public-key::
2016-06-02 12:38:58 +00:00
PEM format of the realm public key. You can obtain this from the administration console.
This is _OPTIONAL_ and it's not recommended to set it. If not set, the adapter will download this from {{book.project.name}} and
it will always re-download it when needed (eg. {{book.project.name}} rotate it's keys). However if realm-public-key is set, then adapter
will never download new keys from {{book.project.name}}, so when {{book.project.name}} rotate it's keys, adapter will break.
2016-04-18 19:10:32 +00:00
auth-server-url::
2016-06-10 05:37:09 +00:00
The base URL of the {{book.project.name}} server. All other {{book.project.name}} pages and REST service endpoints are derived from this. It is usually of the form `$$https://host:port/auth$$`.
2016-06-02 12:38:58 +00:00
This is _REQUIRED._
2016-04-18 19:10:32 +00:00
ssl-required::
2016-06-02 12:38:58 +00:00
Ensures that all communication to and from the {{book.project.name}} server is over HTTPS.
In production this should be set to `all`.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-02 12:38:58 +00:00
The default value is _external_ meaning that HTTPS is required by default for external requests.
2016-06-01 11:02:44 +00:00
Valid values are 'all', 'external' and 'none'.
2016-04-18 19:10:32 +00:00
use-resource-role-mappings::
2016-06-02 12:38:58 +00:00
If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
public-client::
2016-06-03 07:10:01 +00:00
If set to true, the adapter will not send credentials for the client to {{book.project.name}}.
2016-06-02 12:38:58 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
enable-cors::
2016-06-02 12:38:58 +00:00
This enables CORS support. It will handle CORS preflight requests. It will also look into the access token to determine valid origins.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
cors-max-age::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Max-Age` header.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
cors-allowed-methods::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Allow-Methods` header.
2016-04-18 19:10:32 +00:00
This should be a comma-separated string.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
cors-allowed-headers::
2016-06-02 12:38:58 +00:00
If CORS is enabled, this sets the value of the `Access-Control-Allow-Headers` header.
2016-04-18 19:10:32 +00:00
This should be a comma-separated string.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
If not set, this header is not returned in CORS responses.
2016-04-18 19:10:32 +00:00
bearer-only::
2016-06-02 12:38:58 +00:00
This should be set to _true_ for services. If enabled the adapter will not attempt to authenticate users, but only verify bearer tokens.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
enable-basic-auth::
2016-06-02 12:38:58 +00:00
This tells the adapter to also support basic authentication. If this option is enabled, then _secret_ must also be provided.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
expose-token::
If `true`, an authenticated browser client (via a Javascript HTTP invocation) can obtain the signed access token via the URL `root/k_query_bearer_token`.
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
2016-04-18 19:10:32 +00:00
credentials::
2016-06-02 12:38:58 +00:00
Specify the credentials of the application. This is an object notation where the key is the credential type and the value is the value of the credential type.
Currently `password` and `jwt` is supported.
2016-06-01 11:02:44 +00:00
This is _REQUIRED_.
2016-04-18 19:10:32 +00:00
connection-pool-size::
2016-06-03 07:10:01 +00:00
Adapters will make separate HTTP invocations to the {{book.project.name}} server to turn an access code into an access token.
This config option defines how many connections to the {{book.project.name}} server should be pooled.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `20`.
2016-04-18 19:10:32 +00:00
disable-trust-manager::
2016-06-02 12:38:58 +00:00
If the {{book.project.name}} server requires HTTPS and this config option is set to `true` you do not have to specify a truststore.
This setting should only be used during development and *never* in production as it will disable verification of SSL certificates.
2016-04-18 19:10:32 +00:00
This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `false`.
2016-04-18 19:10:32 +00:00
allow-any-hostname::
2016-06-03 07:10:01 +00:00
If the {{book.project.name}} server requires HTTPS and this config option is set to `true` the {{book.project.name}} server's certificate is validated via the truststore,
2016-06-02 12:38:58 +00:00
but host name validation is not done.
This setting should only be used during development and *never* in production as it will disable verification of SSL certificates.
2016-04-18 19:10:32 +00:00
This seting may be useful in test environments This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is `false`.
2016-04-18 19:10:32 +00:00
truststore::
2016-06-02 12:38:58 +00:00
The value is the file path to a keystore file.
2016-04-18 19:10:32 +00:00
If you prefix the path with `classpath:`, then the truststore will be obtained from the deployment's classpath instead.
2016-06-02 12:38:58 +00:00
Used for outgoing HTTPS communications to the {{book.project.name}} server.
2016-04-18 19:10:32 +00:00
Client making HTTPS requests need a way to verify the host of the server they are talking to.
This is what the trustore does.
The keystore contains one or more trusted host certificates or certificate authorities.
You can create this truststore by extracting the public certificate of the {{book.project.name}} server's SSL keystore.
This is _REQUIRED_ unless `ssl-required` is `none` or `disable-trust-manager` is `true`.
2016-04-18 19:10:32 +00:00
truststore-password::
Password for the truststore keystore.
2016-06-02 12:38:58 +00:00
This is _REQUIRED_ if `truststore` is set and the truststore requires a password.
2016-04-18 19:10:32 +00:00
client-keystore::
2016-06-02 12:38:58 +00:00
This is the file path to a keystore file.
This keystore contains client certificate for two-way SSL when the adapter makes HTTPS requests to the {{book.project.name}} server.
2016-06-01 11:02:44 +00:00
This is _OPTIONAL_.
2016-04-18 19:10:32 +00:00
client-keystore-password::
2016-06-02 12:38:58 +00:00
Password for the client keystore.
This is _REQUIRED_ if `client-keystore` is set.
2016-04-18 19:10:32 +00:00
client-key-password::
2016-06-02 12:38:58 +00:00
Password for the client's key.
This is _REQUIRED_ if `client-keystore` is set.
2016-04-18 19:10:32 +00:00
always-refresh-token::
2016-06-02 12:38:58 +00:00
If _true_, the adapter will refresh token in every request.
2016-04-18 19:10:32 +00:00
register-node-at-startup::
2016-06-03 07:10:01 +00:00
If _true_, then adapter will send registration request to {{book.project.name}}.
2016-06-02 12:38:58 +00:00
It's _false_ by default and useful only when application is clustered.
2016-06-03 07:05:27 +00:00
See <<fake/../../oid/java/application-clustering.adoc#_applicationclustering,Application Clustering>> for details
2016-04-18 19:10:32 +00:00
register-node-period::
2016-06-03 07:10:01 +00:00
Period for re-registration adapter to {{book.project.name}}.
2016-06-02 12:38:58 +00:00
Useful when application is clustered.
2016-06-03 07:05:27 +00:00
See <<fake/../../oid/java/application-clustering.adoc#_applicationclustering,Application Clustering>> for details
2016-04-18 19:10:32 +00:00
token-store::
Possible values are _session_ and _cookie_.
Default is _session_, which means that adapter stores account info in HTTP Session.
Alternative _cookie_ means storage of info in cookie.
2016-06-03 07:05:27 +00:00
See <<fake/../../oid/java/application-clustering.adoc#_applicationclustering,Application Clustering>> for details
2016-04-18 19:10:32 +00:00
principal-attribute::
OpenID Connection ID Token attribute to populate the UserPrincipal name with.
If token attribute is null, defaults to `sub`.
2016-06-01 11:02:44 +00:00
Possible values are `sub`, `preferred_username`, `email`, `name`, `nickname`, `given_name`, `family_name`.
2016-04-18 19:10:32 +00:00
turn-off-change-session-id-on-login::
2016-06-02 12:38:58 +00:00
The session id is changed by default on a successful login on some platforms to plug a security attack vector. Change this to true if you want to turn this off This is _OPTIONAL_.
2016-06-01 11:02:44 +00:00
The default value is _false_.
token-minimum-time-to-live::
Amount of time, in seconds, to preemptively refresh an active access token with the {{book.project.name}} server before it expires.
This is especially useful when the access token is sent to another REST client where it could expire before being evaluated.
This value should never exceed the realm's access token lifespan.
This is _OPTIONAL_. The default value is `0` seconds, so adapter will refresh access token just if it's expired.
min-time-between-jwks-requests::
Amount of time, in seconds, specifying minimum interval between two requests to {{book.project.name}} to retrieve new public keys.
It is 10 seconds by default.
Adapter will always try to download new public key when it recognize token with unknown `kid` . However it won't try it more
than once per 10 seconds (by default). This is to avoid DoS when attacker sends lots of tokens with bad `kid` forcing adapter
to send lots of requests to {{book.project.name}}.