From f75ff2fdf4505f508a82d5bc6f1caebb636ae152 Mon Sep 17 00:00:00 2001 
From: quarkusbot Date: Wed, 11 Sep 2024 15:21:42 +0000 Subject: [PATCH] Sync web site with Quarkus documentation --- _data/versioned/latest/index/quarkus.yaml | 13 + .../latest/config/quarkus-all-config.adoc | 513 +++++++++++++++++- .../quarkus-core_quarkus.bootstrap.adoc | 2 +- .../quarkus-core_quarkus.class-loading.adoc | 2 +- .../config/quarkus-core_quarkus.native.adoc | 2 +- .../latest/config/quarkus-cyclonedx.adoc | 82 +++ .../quarkus-cyclonedx_quarkus.cyclonedx.adoc | 82 +++ .../latest/config/quarkus-oidc-client.adoc | 210 +++++++ ...arkus-oidc-client_quarkus.oidc-client.adoc | 210 +++++++ .../config/quarkus-oidc_quarkus.keycloak.adoc | 2 +- ...kus-oidc_quarkus.keycloak.devservices.adoc | 2 +- .../config/quarkus-oidc_quarkus.oidc.adoc | 210 +++++++ .../quarkus-vertx-http_quarkus.http.adoc | 6 +- .../quarkus-vertx-http_quarkus.http.auth.adoc | 6 +- ...quarkus-vertx-http_quarkus.management.adoc | 6 +- .../latest/infra/quarkus-all-build-items.adoc | 23 + .../infra/quarkus-maven-plugin-goals.adoc | 115 ++++ _guides/_attributes.adoc | 2 +- _guides/cdi-integration.adoc | 18 + _guides/cyclonedx.adoc | 198 +++++++ _guides/gradle-tooling.adoc | 30 +- _guides/ide-tooling.adoc | 8 +- _guides/images/eclipseche.svg | 1 + _guides/images/eclipseide.svg | 1 + _guides/images/intellijidea.svg | 1 + _guides/images/visualstudiocode.svg | 4 + _guides/qute-reference.adoc | 75 ++- _guides/rest-data-panache.adoc | 6 +- _guides/rest.adoc | 23 +- _guides/security-jwt.adoc | 2 +- _guides/security-oidc-auth0-tutorial.adoc | 2 +- ...rity-oidc-bearer-token-authentication.adoc | 2 +- ...ecurity-oidc-code-flow-authentication.adoc | 2 +- ...urity-openid-connect-client-reference.adoc | 30 +- .../security-openid-connect-multitenancy.adoc | 8 +- .../security-openid-connect-providers.adoc | 2 +- _guides/tls-registry-reference.adoc | 493 +++++++++-------- _guides/update-quarkus.adoc | 1 + 38 files changed, 2115 insertions(+), 280 deletions(-) create mode 100644 
_generated-doc/latest/config/quarkus-cyclonedx.adoc create mode 100644 _generated-doc/latest/config/quarkus-cyclonedx_quarkus.cyclonedx.adoc create mode 100644 _guides/cyclonedx.adoc create mode 100644 _guides/images/eclipseche.svg create mode 100644 _guides/images/eclipseide.svg create mode 100644 _guides/images/intellijidea.svg create mode 100644 _guides/images/visualstudiocode.svg diff --git a/_data/versioned/latest/index/quarkus.yaml b/_data/versioned/latest/index/quarkus.yaml index 9a9c609007..abba685e02 100644 --- a/_data/versioned/latest/index/quarkus.yaml +++ b/_data/versioned/latest/index/quarkus.yaml @@ -326,6 +326,7 @@ types: - title: TLS registry reference filename: tls-registry-reference.adoc summary: TLS registry configuration and usage + categories: web topics: - TLS - http @@ -335,6 +336,7 @@ types: - network extensions: - io.quarkus:quarkus-tls-registry + id: tls-registry-reference type: reference url: /guides/tls-registry-reference - title: Using OpenTelemetry @@ -1634,6 +1636,17 @@ types: - io.quarkus:quarkus-funqy-knative-events type: guide url: /guides/funqy-knative-events + - title: Generating CycloneDX BOMs + filename: cyclonedx.adoc + summary: This guide explains how to generate SBOMs for Quarkus applications in the CycloneDX format. + categories: tooling + topics: + - sbom + extensions: + - io.quarkus:quarkus-cyclonedx + id: cyclonedx + type: guide + url: /guides/cyclonedx - title: Generating Jakarta REST resources with Panache filename: rest-data-panache.adoc summary: Hibernate ORM REST Data with Panache simplifies the creation of CRUD applications based on Jakarta REST and Hibernate ORM. diff --git a/_generated-doc/latest/config/quarkus-all-config.adoc b/_generated-doc/latest/config/quarkus-all-config.adoc index 91cb047a59..34409003cb 100644 --- a/_generated-doc/latest/config/quarkus-all-config.adoc +++ b/_generated-doc/latest/config/quarkus-all-config.adoc 
@@ -3819,7 +3819,7 @@ a|icon:lock[title=Fixed at build time] [[quarkus-core_quarkus-native-report-erro [.description] -- -If errors should be reported at runtime. This is a more relaxed setting, however it is not recommended as it means your application may fail at runtime if an unsupported feature is used by accident. +If errors should be reported at runtime. This is a more relaxed setting, however it is not recommended as it means your application may fail at runtime if an unsupported feature is used by accident. Note that the use of this flag may result in build time failures due to `ClassNotFoundException`s. Reason most likely being that the Quarkus extension already optimized it away or do not actually need it. In such cases you should explicitly add the corresponding dependency providing the missing classes as a dependency to your project. ifdef::add-copy-button-to-env-var[] @@ -4098,7 +4098,7 @@ a|icon:lock[title=Fixed at build time] [[quarkus-core_quarkus-bootstrap-incubati [.description] -- -A temporary option introduced to avoid a logging warning when ``-Dquarkus.bootstrap.incubating-model-resolver++}++ is added to the build command line. This option enables an incubating implementation of the Quarkus Application Model resolver. This option will be removed as soon as the incubating implementation becomes the default one. +A temporary option introduced to avoid a logging warning when `-Dquarkus.bootstrap.incubating-model-resolver` is added to the build command line. This option enables an incubating implementation of the Quarkus Application Model resolver. This option will be removed as soon as the incubating implementation becomes the default one. ifdef::add-copy-button-to-env-var[] 
@@ -7685,7 +7685,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_CLASS_LOADING_REMOVED_RESOURCES__GROUP_ID_ARTIFACT_ID_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-core_quarkus-profile]] [.property-path]##`quarkus.profile`## 
@@ -8071,6 +8071,79 @@ endif::add-copy-button-to-env-var[] |`false` +h|[.extension-name]##CycloneDX## +h|Type +h|Default + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-skip]] [.property-path]##`quarkus.cyclonedx.skip`## + +[.description] +-- +Whether to skip SBOM generation + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SKIP+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SKIP+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-format]] [.property-path]##`quarkus.cyclonedx.format`## + +[.description] +-- +SBOM file format. Supported formats are ++{++code json++}++ and ++{++code xml++}++. The default format is JSON. If both are desired then `all` could be used as the value of this option. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_FORMAT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_FORMAT+++` +endif::add-copy-button-to-env-var[] +-- +|string +|`json` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-schema-version]] [.property-path]##`quarkus.cyclonedx.schema-version`## + +[.description] +-- +CycloneDX specification version. The default value be the latest supported by the integrated CycloneDX library. 
+ + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++` +endif::add-copy-button-to-env-var[] +-- +|string +| + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-include-license-text]] [.property-path]##`quarkus.cyclonedx.include-license-text`## + +[.description] +-- +Whether to include the license text into generated SBOMs. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + + h|[.extension-name]##Datasources## h|Type h|Default @@ -10098,7 +10171,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-policy-role-policy-permissions-role-name]] [.property-path]##`quarkus.http.auth.policy."role-policy".permissions."role-name"`## @@ -10115,7 +10188,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__PERMISSIONS__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-policy-role-policy-permission-class]] [.property-path]##`quarkus.http.auth.policy."role-policy".permission-class`## 
@@ -10151,7 +10224,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_ROLES_MAPPING__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-certificate-role-attribute]] [.property-path]##`quarkus.http.auth.certificate-role-attribute`## @@ -11755,7 +11828,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_ROLES_MAPPING__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-port]] [.property-path]##`quarkus.management.port`## @@ -13038,7 +13111,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_POLICY__ROLE_POLICY__ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-auth-policy-role-policy-permissions-role-name]] [.property-path]##`quarkus.management.auth.policy."role-policy".permissions."role-name"`## @@ -13055,7 +13128,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_POLICY__ROLE_POLICY__PERMISSIONS__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-auth-policy-role-policy-permission-class]] [.property-path]##`quarkus.management.auth.policy."role-policy".permission-class`## @@ -51692,7 +51765,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_KEYCLOAK_DEVSERVICES_ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservices-port]] [.property-path]##`quarkus.keycloak.devservices.port`## 
@@ -51821,6 +51894,8 @@ a| [[quarkus-oidc_quarkus-oidc-auth-server-url]] [.property-path]##`quarkus.oidc [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_AUTH_SERVER_URL+++[] @@ -51836,6 +51911,8 @@ a| [[quarkus-oidc_quarkus-oidc-discovery-enabled]] [.property-path]##`quarkus.oi [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_DISCOVERY_ENABLED+++[] @@ -51851,6 +51928,8 @@ a| [[quarkus-oidc_quarkus-oidc-token-path]] [.property-path]##`quarkus.oidc.toke [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TOKEN_PATH+++[] @@ -51866,6 +51945,8 @@ a| [[quarkus-oidc_quarkus-oidc-revoke-path]] [.property-path]##`quarkus.oidc.rev [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_REVOKE_PATH+++[] 
@@ -51881,6 +51962,8 @@ a| [[quarkus-oidc_quarkus-oidc-client-id]] [.property-path]##`quarkus.oidc.clien [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_ID+++[] @@ -51896,6 +51979,8 @@ a| [[quarkus-oidc_quarkus-oidc-client-name]] [.property-path]##`quarkus.oidc.cli [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_NAME+++[] @@ -51911,6 +51996,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-delay]] [.property-path]##`quarkus.oid [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_DELAY+++[] 
@@ -51926,6 +52013,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-retry-count]] [.property-path]##`quark [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_RETRY_COUNT+++[] @@ -51941,6 +52030,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-timeout]] [.property-path]##`quarkus.o [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_TIMEOUT+++[] @@ -51956,6 +52047,8 @@ a| [[quarkus-oidc_quarkus-oidc-use-blocking-dns-lookup]] [.property-path]##`quar [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_USE_BLOCKING_DNS_LOOKUP+++[] @@ -51971,6 +52064,8 @@ a| [[quarkus-oidc_quarkus-oidc-max-pool-size]] [.property-path]##`quarkus.oidc.m [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_MAX_POOL_SIZE+++[] 
@@ -51986,6 +52081,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-secret]] [.property-path]##`quarkus.o [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_SECRET+++[] @@ -52001,6 +52098,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-value]] [.property-path [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -52016,6 +52115,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-name]] [.prope [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] @@ -52031,6 +52132,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-keyring-name]] [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] 
@@ -52046,6 +52149,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-key]] [.proper [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -52061,6 +52166,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-method]] [.property-pat [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -52076,6 +52183,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-source]] [.property-path]##`quark [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SOURCE+++[] @@ -52091,6 +52200,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret]] [.property-path]##`quark [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET+++[] @@ -52106,6 +52217,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-name]] [.property [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] 
@@ -52121,6 +52234,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-keyring-name]] [. [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -52136,6 +52251,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-key]] [.property- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -52151,6 +52268,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key]] [.property-path]##`quarkus. [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY+++[] @@ -52166,6 +52285,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-file]] [.property-path]##`qua [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_FILE+++[] 
@@ -52181,6 +52302,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-store-file]] [.property-path] [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -52196,6 +52319,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-store-password]] [.property-p [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -52211,6 +52336,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-id]] [.property-path]##`quark [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_ID+++[] @@ -52226,6 +52353,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-password]] [.property-path]## [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_PASSWORD+++[] @@ -52241,6 +52370,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-audience]] [.property-path]##`qua [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_AUDIENCE+++[] @@ -52256,6 +52387,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-token-key-id]] [.property-path]## [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_KEY_ID+++[] 
@@ -52271,6 +52404,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-issuer]] [.property-path]##`quark [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_ISSUER+++[] @@ -52286,6 +52421,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-subject]] [.property-path]##`quar [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SUBJECT+++[] @@ -52301,6 +52438,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-claims-claim-name]] [.property-pa [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] @@ -52316,6 +52455,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-signature-algorithm]] [.property- [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -52331,6 +52472,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-lifespan]] [.property-path]##`qua [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_LIFESPAN+++[] 
@@ -52346,6 +52489,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-assertion]] [.property-path]##`qu [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_ASSERTION+++[] @@ -52361,6 +52506,9 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-host]] [.property-path]##`quarkus.oidc.prox [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_HOST+++[] @@ -52376,6 +52524,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-port]] [.property-path]##`quarkus.oidc.prox [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_PORT+++[] @@ -52391,6 +52541,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-username]] [.property-path]##`quarkus.oidc. [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_USERNAME+++[] @@ -52406,6 +52558,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-password]] [.property-path]##`quarkus.oidc. [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_PASSWORD+++[] 
@@ -52421,6 +52575,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-verification]] [.property-path]##`quarkus.oid [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_VERIFICATION+++[] @@ -52436,6 +52592,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-file]] [.property-path]##`quarkus.o [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_FILE+++[] @@ -52451,6 +52609,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-file-type]] [.property-path]##`quar [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE+++[] @@ -52466,6 +52626,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-provider]] [.property-path]##`quark [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_PROVIDER+++[] @@ -52481,6 +52643,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-password]] [.property-path]##`quark [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD+++[] 
@@ -52496,6 +52660,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-key-alias]] [.property-path]##`quar [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_KEY_ALIAS+++[] @@ -52511,6 +52677,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-key-password]] [.property-path]##`q [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_KEY_PASSWORD+++[] @@ -52526,6 +52694,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-file]] [.property-path]##`quarkus [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_FILE+++[] @@ -52541,6 +52711,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-password]] [.property-path]##`qua [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD+++[] @@ -52556,6 +52728,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-cert-alias]] [.property-path]##`q [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_CERT_ALIAS+++[] 
@@ -52571,6 +52745,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-file-type]] [.property-path]##`qu [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE+++[] @@ -52586,6 +52762,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-provider]] [.property-path]##`qua [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_PROVIDER+++[] @@ -54379,6 +54557,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-auth-server-url]] [.property-path]##`quark [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__AUTH_SERVER_URL+++[] @@ -54394,6 +54574,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-discovery-enabled]] [.property-path]##`qua [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__DISCOVERY_ENABLED+++[] 
@@ -54409,6 +54591,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-token-path]] [.property-path]##`quarkus.oi [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TOKEN_PATH+++[] @@ -54424,6 +54608,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-revoke-path]] [.property-path]##`quarkus.o [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__REVOKE_PATH+++[] @@ -54439,6 +54625,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-client-id]] [.property-path]##`quarkus.oid [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CLIENT_ID+++[] @@ -54454,6 +54642,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-client-name]] [.property-path]##`quarkus.o [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CLIENT_NAME+++[] 
@@ -54469,6 +54659,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-delay]] [.property-path]##`quar [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_DELAY+++[] @@ -54484,6 +54676,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-retry-count]] [.property-path]# [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_RETRY_COUNT+++[] @@ -54499,6 +54693,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-timeout]] [.property-path]##`qu [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_TIMEOUT+++[] @@ -54514,6 +54710,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-use-blocking-dns-lookup]] [.property-path] [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__USE_BLOCKING_DNS_LOOKUP+++[] 
@@ -54529,6 +54727,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-max-pool-size]] [.property-path]##`quarkus [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__MAX_POOL_SIZE+++[] @@ -54544,6 +54744,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-secret]] [.property-path]##`qu [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_SECRET+++[] @@ -54559,6 +54761,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-value]] [.proper [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -54574,6 +54778,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-name]] [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] 
@@ -54589,6 +54795,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-keyring [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -54604,6 +54812,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-key]] [ [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -54619,6 +54829,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-method]] [.prope [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -54634,6 +54846,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-source]] [.property-path]# [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SOURCE+++[] @@ -54649,6 +54863,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret]] [.property-path]# [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET+++[] 
@@ -54664,6 +54880,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-name]] [.p [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] @@ -54679,6 +54897,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-keyring-na [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -54694,6 +54914,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-key]] [.pr [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -54709,6 +54931,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key]] [.property-path]##`q [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY+++[] 
@@ -54724,6 +54948,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-file]] [.property-path [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_FILE+++[] @@ -54739,6 +54965,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-store-file]] [.propert [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -54754,6 +54982,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-store-password]] [.pro [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -54769,6 +54999,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-id]] [.property-path]# [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_ID+++[] @@ -54784,6 +55016,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-password]] [.property- [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_PASSWORD+++[] 
@@ -54799,6 +55033,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-audience]] [.property-path [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_AUDIENCE+++[] @@ -54814,6 +55050,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-token-key-id]] [.property- [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_TOKEN_KEY_ID+++[] @@ -54829,6 +55067,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-issuer]] [.property-path]# [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ISSUER+++[] @@ -54844,6 +55084,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-subject]] [.property-path] [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SUBJECT+++[] @@ -54859,6 +55101,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-claims-claim-name]] [.prop [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] 
@@ -54874,6 +55118,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-signature-algorithm]] [.pr [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -54889,6 +55135,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-lifespan]] [.property-path [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_LIFESPAN+++[] @@ -54904,6 +55152,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-assertion]] [.property-pat [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ASSERTION+++[] @@ -54919,6 +55169,9 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-host]] [.property-path]##`quarkus.oi [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_HOST+++[] 
@@ -54934,6 +55187,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-port]] [.property-path]##`quarkus.oi [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_PORT+++[] @@ -54949,6 +55204,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-username]] [.property-path]##`quarku [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_USERNAME+++[] @@ -54964,6 +55221,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-password]] [.property-path]##`quarku [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_PASSWORD+++[] @@ -54979,6 +55238,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-verification]] [.property-path]##`quar [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_VERIFICATION+++[] @@ -54994,6 +55255,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-file]] [.property-path]##`qu [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE+++[] 
@@ -55009,6 +55272,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-file-type]] [.property-path] [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE_TYPE+++[] @@ -55024,6 +55289,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-provider]] [.property-path]# [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PROVIDER+++[] @@ -55039,6 +55306,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-password]] [.property-path]# [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PASSWORD+++[] @@ -55054,6 +55323,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-key-alias]] [.property-path] [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_ALIAS+++[] @@ -55069,6 +55340,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-key-password]] [.property-pa [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_PASSWORD+++[] 
@@ -55084,6 +55357,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-file]] [.property-path]##` [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE+++[] @@ -55099,6 +55374,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-password]] [.property-path [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PASSWORD+++[] @@ -55114,6 +55391,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-cert-alias]] [.property-pa [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_CERT_ALIAS+++[] @@ -55129,6 +55408,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-file-type]] [.property-pat [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE_TYPE+++[] @@ -55144,6 +55425,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-provider]] [.property-path [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PROVIDER+++[] 
@@ -56888,6 +57171,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-auth-server-url]] [.property-path]# [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_AUTH_SERVER_URL+++[] @@ -56903,6 +57188,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-discovery-enabled]] [.property-path [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_DISCOVERY_ENABLED+++[] @@ -56918,6 +57205,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-token-path]] [.property-path]##`qua [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TOKEN_PATH+++[] @@ -56933,6 +57222,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-revoke-path]] [.property-path]##`qu [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_REVOKE_PATH+++[] 
@@ -56948,6 +57239,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-id]] [.property-path]##`quar [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_ID+++[] @@ -56963,6 +57256,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-name]] [.property-path]##`qu [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_NAME+++[] @@ -56978,6 +57273,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-delay]] [.property-path] [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_DELAY+++[] 
@@ -56993,6 +57290,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-retry-count]] [.property [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_RETRY_COUNT+++[] @@ -57008,6 +57307,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-timeout]] [.property-pat [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_TIMEOUT+++[] @@ -57023,6 +57324,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-use-blocking-dns-lookup]] [.propert [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_USE_BLOCKING_DNS_LOOKUP+++[] @@ -57038,6 +57341,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-max-pool-size]] [.property-path]##` [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_MAX_POOL_SIZE+++[] 
@@ -57053,6 +57358,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-secret]] [.property-pat [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET+++[] @@ -57068,6 +57375,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-value]] [ [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -57083,6 +57392,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] @@ -57098,6 +57409,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] 
@@ -57113,6 +57426,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -57128,6 +57443,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-method]] [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -57143,6 +57460,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-source]] [.property [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SOURCE+++[] @@ -57158,6 +57477,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret]] [.property [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET+++[] @@ -57173,6 +57494,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-nam [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] 
@@ -57188,6 +57511,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -57203,6 +57528,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -57218,6 +57545,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key]] [.property-pa [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY+++[] @@ -57233,6 +57562,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-file]] [.proper [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_FILE+++[] 
@@ -57248,6 +57579,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-file]] [. [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -57263,6 +57596,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-password] [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -57278,6 +57613,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-id]] [.property [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_ID+++[] @@ -57293,6 +57630,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-password]] [.pr [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_PASSWORD+++[] @@ -57308,6 +57647,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-audience]] [.proper [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_AUDIENCE+++[] @@ -57323,6 +57664,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-token-key-id]] [.pr [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_TOKEN_KEY_ID+++[] 
@@ -57338,6 +57681,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-issuer]] [.property [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ISSUER+++[] @@ -57353,6 +57698,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-subject]] [.propert [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SUBJECT+++[] @@ -57368,6 +57715,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-claims-claim-name]] [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] @@ -57383,6 +57732,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-signature-algorithm [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -57398,6 +57749,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-lifespan]] [.proper [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_LIFESPAN+++[] 
@@ -57413,6 +57766,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-assertion]] [.prope [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ASSERTION+++[] @@ -57428,6 +57783,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-host]] [.property-path]##`qua [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_HOST+++[] @@ -57443,6 +57801,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-port]] [.property-path]##`qua [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PORT+++[] @@ -57458,6 +57818,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-username]] [.property-path]## [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_USERNAME+++[] @@ -57473,6 +57835,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-password]] [.property-path]## [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PASSWORD+++[] 
@@ -57488,6 +57852,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-verification]] [.property-path] [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_VERIFICATION+++[] @@ -57503,6 +57869,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file]] [.property-pat [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE+++[] @@ -57518,6 +57886,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file-type]] [.propert [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE_TYPE+++[] @@ -57533,6 +57903,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-provider]] [.property [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PROVIDER+++[] @@ -57548,6 +57920,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-password]] [.property [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PASSWORD+++[] 
@@ -57563,6 +57937,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-alias]] [.propert [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_ALIAS+++[] @@ -57578,6 +57954,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-password]] [.prop [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_PASSWORD+++[] @@ -57593,6 +57971,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file]] [.property-p [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE+++[] @@ -57608,6 +57988,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-password]] [.proper [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PASSWORD+++[] @@ -57623,6 +58005,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-cert-alias]] [.prop [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_CERT_ALIAS+++[] 
@@ -57638,6 +58022,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file-type]] [.prope [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE_TYPE+++[] @@ -57653,6 +58039,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-provider]] [.proper [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PROVIDER+++[] @@ -57893,6 +58281,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-auth-server-url]] [.property-pat [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__AUTH_SERVER_URL+++[] @@ -57908,6 +58298,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-discovery-enabled]] [.property-p [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__DISCOVERY_ENABLED+++[] 
@@ -57923,6 +58315,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-token-path]] [.property-path]##` [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TOKEN_PATH+++[] @@ -57938,6 +58332,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-revoke-path]] [.property-path]## [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__REVOKE_PATH+++[] @@ -57953,6 +58349,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-id]] [.property-path]##`q [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_ID+++[] @@ -57968,6 +58366,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-name]] [.property-path]## [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_NAME+++[] 
@@ -57983,6 +58383,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-delay]] [.property-pa [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_DELAY+++[] @@ -57998,6 +58400,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-retry-count]] [.prope [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_RETRY_COUNT+++[] @@ -58013,6 +58417,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-timeout]] [.property- [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_TIMEOUT+++[] @@ -58028,6 +58434,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-use-blocking-dns-lookup]] [.prop [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__USE_BLOCKING_DNS_LOOKUP+++[] 
@@ -58043,6 +58451,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-max-pool-size]] [.property-path] [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__MAX_POOL_SIZE+++[] @@ -58058,6 +58468,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-secret]] [.property- [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_SECRET+++[] @@ -58073,6 +58485,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-value] [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -58088,6 +58502,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] 
@@ -58103,6 +58519,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -58118,6 +58536,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -58133,6 +58553,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-method [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -58148,6 +58570,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-source]] [.prope [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SOURCE+++[] @@ -58163,6 +58587,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret]] [.prope [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET+++[] 
@@ -58178,6 +58604,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] @@ -58193,6 +58621,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -58208,6 +58638,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -58223,6 +58655,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key]] [.property [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY+++[] 
@@ -58238,6 +58672,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-file]] [.pro [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_FILE+++[] @@ -58253,6 +58689,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-file]] [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -58268,6 +58706,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-passwo [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -58283,6 +58723,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-id]] [.prope [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_ID+++[] @@ -58298,6 +58740,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-password]] [ [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_PASSWORD+++[] 
@@ -58313,6 +58757,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-audience]] [.pro [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_AUDIENCE+++[] @@ -58328,6 +58774,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-token-key-id]] [ [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_TOKEN_KEY_ID+++[] @@ -58343,6 +58791,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-issuer]] [.prope [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ISSUER+++[] @@ -58358,6 +58808,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-subject]] [.prop [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SUBJECT+++[] @@ -58373,6 +58825,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-claims-claim-nam [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] 
@@ -58388,6 +58842,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-signature-algori [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -58403,6 +58859,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-lifespan]] [.pro [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_LIFESPAN+++[] @@ -58418,6 +58876,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-assertion]] [.pr [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ASSERTION+++[] @@ -58433,6 +58893,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-host]] [.property-path]##` [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_HOST+++[] 
@@ -58448,6 +58911,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-port]] [.property-path]##` [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PORT+++[] @@ -58463,6 +58928,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-username]] [.property-path [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_USERNAME+++[] @@ -58478,6 +58945,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-password]] [.property-path [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PASSWORD+++[] @@ -58493,6 +58962,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-verification]] [.property-pa [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_VERIFICATION+++[] @@ -58508,6 +58979,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file]] [.property- [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE+++[] 
@@ -58523,6 +58996,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file-type]] [.prop [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE_TYPE+++[] @@ -58538,6 +59013,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-provider]] [.prope [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PROVIDER+++[] @@ -58553,6 +59030,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-password]] [.prope [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PASSWORD+++[] @@ -58568,6 +59047,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-alias]] [.prop [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_ALIAS+++[] @@ -58583,6 +59064,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-password]] [.p [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_PASSWORD+++[] 
@@ -58598,6 +59081,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file]] [.propert [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE+++[] @@ -58613,6 +59098,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-password]] [.pro [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PASSWORD+++[] @@ -58628,6 +59115,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-cert-alias]] [.p [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_CERT_ALIAS+++[] @@ -58643,6 +59132,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file-type]] [.pr [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE_TYPE+++[] @@ -58658,6 +59149,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-provider]] [.pro [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PROVIDER+++[] diff --git a/_generated-doc/latest/config/quarkus-core_quarkus.bootstrap.adoc b/_generated-doc/latest/config/quarkus-core_quarkus.bootstrap.adoc index 214dc88705..0c93b9aaef 100644 --- a/_generated-doc/latest/config/quarkus-core_quarkus.bootstrap.adoc 
+++ b/_generated-doc/latest/config/quarkus-core_quarkus.bootstrap.adoc @@ -80,7 +80,7 @@ a|icon:lock[title=Fixed at build time] [[quarkus-core_quarkus-bootstrap-incubati [.description] -- -A temporary option introduced to avoid a logging warning when ``-Dquarkus.bootstrap.incubating-model-resolver++}++ is added to the build command line. This option enables an incubating implementation of the Quarkus Application Model resolver. This option will be removed as soon as the incubating implementation becomes the default one. +A temporary option introduced to avoid a logging warning when `-Dquarkus.bootstrap.incubating-model-resolver` is added to the build command line. This option enables an incubating implementation of the Quarkus Application Model resolver. This option will be removed as soon as the incubating implementation becomes the default one. ifdef::add-copy-button-to-env-var[] diff --git a/_generated-doc/latest/config/quarkus-core_quarkus.class-loading.adoc b/_generated-doc/latest/config/quarkus-core_quarkus.class-loading.adoc index 07b7c018ec..afe6cb6d88 100644 --- a/_generated-doc/latest/config/quarkus-core_quarkus.class-loading.adoc +++ b/_generated-doc/latest/config/quarkus-core_quarkus.class-loading.adoc @@ -93,7 +93,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_CLASS_LOADING_REMOVED_RESOURCES__GROUP_ID_ARTIFACT_ID_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | |=== diff --git a/_generated-doc/latest/config/quarkus-core_quarkus.native.adoc b/_generated-doc/latest/config/quarkus-core_quarkus.native.adoc index 5d1e1fec1d..10d4af2777 100644 --- a/_generated-doc/latest/config/quarkus-core_quarkus.native.adoc +++ b/_generated-doc/latest/config/quarkus-core_quarkus.native.adoc 
@@ -505,7 +505,7 @@ a|icon:lock[title=Fixed at build time] [[quarkus-core_quarkus-native-report-erro [.description] -- -If errors should be reported at runtime. This is a more relaxed setting, however it is not recommended as it means your application may fail at runtime if an unsupported feature is used by accident. +If errors should be reported at runtime. This is a more relaxed setting, however it is not recommended as it means your application may fail at runtime if an unsupported feature is used by accident. Note that the use of this flag may result in build time failures due to `ClassNotFoundException`s. Reason most likely being that the Quarkus extension already optimized it away or do not actually need it. In such cases you should explicitly add the corresponding dependency providing the missing classes as a dependency to your project. ifdef::add-copy-button-to-env-var[] diff --git a/_generated-doc/latest/config/quarkus-cyclonedx.adoc b/_generated-doc/latest/config/quarkus-cyclonedx.adoc new file mode 100644 index 0000000000..925499bd8a --- /dev/null +++ b/_generated-doc/latest/config/quarkus-cyclonedx.adoc 
@@ -0,0 +1,82 @@ +:summaryTableId: quarkus-cyclonedx_quarkus-cyclonedx +[.configuration-legend] +icon:lock[title=Fixed at build time] Configuration property fixed at build time - All other configuration properties are overridable at runtime +[.configuration-reference.searchable, cols="80,.^10,.^10"] +|=== + +h|[.header-title]##Configuration property## +h|Type +h|Default + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-skip]] [.property-path]##`quarkus.cyclonedx.skip`## + +[.description] +-- +Whether to skip SBOM generation + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SKIP+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SKIP+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-format]] [.property-path]##`quarkus.cyclonedx.format`## + +[.description] +-- +SBOM file format. Supported formats are ++{++code json++}++ and ++{++code xml++}++. The default format is JSON. If both are desired then `all` could be used as the value of this option. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_FORMAT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_FORMAT+++` +endif::add-copy-button-to-env-var[] +-- +|string +|`json` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-schema-version]] [.property-path]##`quarkus.cyclonedx.schema-version`## + +[.description] +-- +CycloneDX specification version. The default value be the latest supported by the integrated CycloneDX library. 
+ + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++` +endif::add-copy-button-to-env-var[] +-- +|string +| + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-include-license-text]] [.property-path]##`quarkus.cyclonedx.include-license-text`## + +[.description] +-- +Whether to include the license text into generated SBOMs. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + +|=== + + +:!summaryTableId: \ No newline at end of file diff --git a/_generated-doc/latest/config/quarkus-cyclonedx_quarkus.cyclonedx.adoc b/_generated-doc/latest/config/quarkus-cyclonedx_quarkus.cyclonedx.adoc new file mode 100644 index 0000000000..925499bd8a --- /dev/null +++ b/_generated-doc/latest/config/quarkus-cyclonedx_quarkus.cyclonedx.adoc 
@@ -0,0 +1,82 @@ +:summaryTableId: quarkus-cyclonedx_quarkus-cyclonedx +[.configuration-legend] +icon:lock[title=Fixed at build time] Configuration property fixed at build time - All other configuration properties are overridable at runtime +[.configuration-reference.searchable, cols="80,.^10,.^10"] +|=== + +h|[.header-title]##Configuration property## +h|Type +h|Default + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-skip]] [.property-path]##`quarkus.cyclonedx.skip`## + +[.description] +-- +Whether to skip SBOM generation + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SKIP+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SKIP+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-format]] [.property-path]##`quarkus.cyclonedx.format`## + +[.description] +-- +SBOM file format. Supported formats are ++{++code json++}++ and ++{++code xml++}++. The default format is JSON. If both are desired then `all` could be used as the value of this option. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_FORMAT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_FORMAT+++` +endif::add-copy-button-to-env-var[] +-- +|string +|`json` + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-schema-version]] [.property-path]##`quarkus.cyclonedx.schema-version`## + +[.description] +-- +CycloneDX specification version. The default value be the latest supported by the integrated CycloneDX library. 
+ + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_SCHEMA_VERSION+++` +endif::add-copy-button-to-env-var[] +-- +|string +| + +a|icon:lock[title=Fixed at build time] [[quarkus-cyclonedx_quarkus-cyclonedx-include-license-text]] [.property-path]##`quarkus.cyclonedx.include-license-text`## + +[.description] +-- +Whether to include the license text into generated SBOMs. + + +ifdef::add-copy-button-to-env-var[] +Environment variable: env_var_with_copy_button:+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++[] +endif::add-copy-button-to-env-var[] +ifndef::add-copy-button-to-env-var[] +Environment variable: `+++QUARKUS_CYCLONEDX_INCLUDE_LICENSE_TEXT+++` +endif::add-copy-button-to-env-var[] +-- +|boolean +|`false` + +|=== + + +:!summaryTableId: \ No newline at end of file diff --git a/_generated-doc/latest/config/quarkus-oidc-client.adoc b/_generated-doc/latest/config/quarkus-oidc-client.adoc index 3a0e626e5a..31526c664d 100644 --- a/_generated-doc/latest/config/quarkus-oidc-client.adoc +++ b/_generated-doc/latest/config/quarkus-oidc-client.adoc @@ -29,6 +29,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-auth-server-url]] [.property-path]# [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_AUTH_SERVER_URL+++[] 
@@ -44,6 +46,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-discovery-enabled]] [.property-path [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_DISCOVERY_ENABLED+++[] @@ -59,6 +63,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-token-path]] [.property-path]##`qua [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TOKEN_PATH+++[] @@ -74,6 +80,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-revoke-path]] [.property-path]##`qu [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_REVOKE_PATH+++[] @@ -89,6 +97,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-id]] [.property-path]##`quar [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_ID+++[] 
@@ -104,6 +114,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-name]] [.property-path]##`qu [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_NAME+++[] @@ -119,6 +131,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-delay]] [.property-path] [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_DELAY+++[] @@ -134,6 +148,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-retry-count]] [.property [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_RETRY_COUNT+++[] 
@@ -149,6 +165,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-timeout]] [.property-pat [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_TIMEOUT+++[] @@ -164,6 +182,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-use-blocking-dns-lookup]] [.propert [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_USE_BLOCKING_DNS_LOOKUP+++[] @@ -179,6 +199,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-max-pool-size]] [.property-path]##` [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_MAX_POOL_SIZE+++[] @@ -194,6 +216,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-secret]] [.property-pat [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET+++[] 
@@ -209,6 +233,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-value]] [ [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -224,6 +250,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] @@ -239,6 +267,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -254,6 +284,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] 
@@ -269,6 +301,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-method]] [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -284,6 +318,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-source]] [.property [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SOURCE+++[] @@ -299,6 +335,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret]] [.property [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET+++[] @@ -314,6 +352,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-nam [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] 
@@ -329,6 +369,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -344,6 +386,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -359,6 +403,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key]] [.property-pa [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY+++[] @@ -374,6 +420,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-file]] [.proper [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_FILE+++[] 
@@ -389,6 +437,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-file]] [. [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -404,6 +454,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-password] [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -419,6 +471,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-id]] [.property [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_ID+++[] @@ -434,6 +488,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-password]] [.pr [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_PASSWORD+++[] @@ -449,6 +505,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-audience]] [.proper [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_AUDIENCE+++[] @@ -464,6 +522,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-token-key-id]] [.pr [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_TOKEN_KEY_ID+++[] 
@@ -479,6 +539,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-issuer]] [.property [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ISSUER+++[] @@ -494,6 +556,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-subject]] [.propert [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SUBJECT+++[] @@ -509,6 +573,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-claims-claim-name]] [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] @@ -524,6 +590,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-signature-algorithm [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -539,6 +607,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-lifespan]] [.proper [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_LIFESPAN+++[] 
@@ -554,6 +624,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-assertion]] [.prope [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ASSERTION+++[] @@ -569,6 +641,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-host]] [.property-path]##`qua [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_HOST+++[] @@ -584,6 +659,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-port]] [.property-path]##`qua [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PORT+++[] @@ -599,6 +676,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-username]] [.property-path]## [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_USERNAME+++[] @@ -614,6 +693,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-password]] [.property-path]## [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PASSWORD+++[] 
@@ -629,6 +710,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-verification]] [.property-path] [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_VERIFICATION+++[] @@ -644,6 +727,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file]] [.property-pat [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE+++[] @@ -659,6 +744,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file-type]] [.propert [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE_TYPE+++[] @@ -674,6 +761,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-provider]] [.property [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PROVIDER+++[] @@ -689,6 +778,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-password]] [.property [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PASSWORD+++[] 
@@ -704,6 +795,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-alias]] [.propert [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_ALIAS+++[] @@ -719,6 +812,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-password]] [.prop [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_PASSWORD+++[] @@ -734,6 +829,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file]] [.property-p [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE+++[] @@ -749,6 +846,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-password]] [.proper [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PASSWORD+++[] @@ -764,6 +863,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-cert-alias]] [.prop [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_CERT_ALIAS+++[] 
@@ -779,6 +880,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file-type]] [.prope [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE_TYPE+++[] @@ -794,6 +897,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-provider]] [.proper [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PROVIDER+++[] @@ -1034,6 +1139,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-auth-server-url]] [.property-pat [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__AUTH_SERVER_URL+++[] @@ -1049,6 +1156,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-discovery-enabled]] [.property-p [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__DISCOVERY_ENABLED+++[] 
@@ -1064,6 +1173,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-token-path]] [.property-path]##` [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TOKEN_PATH+++[] @@ -1079,6 +1190,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-revoke-path]] [.property-path]## [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__REVOKE_PATH+++[] @@ -1094,6 +1207,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-id]] [.property-path]##`q [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_ID+++[] @@ -1109,6 +1224,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-name]] [.property-path]## [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_NAME+++[] 
@@ -1124,6 +1241,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-delay]] [.property-pa [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_DELAY+++[] @@ -1139,6 +1258,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-retry-count]] [.prope [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_RETRY_COUNT+++[] @@ -1154,6 +1275,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-timeout]] [.property- [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_TIMEOUT+++[] @@ -1169,6 +1292,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-use-blocking-dns-lookup]] [.prop [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__USE_BLOCKING_DNS_LOOKUP+++[] 
@@ -1184,6 +1309,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-max-pool-size]] [.property-path] [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__MAX_POOL_SIZE+++[] @@ -1199,6 +1326,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-secret]] [.property- [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_SECRET+++[] @@ -1214,6 +1343,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-value] [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -1229,6 +1360,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] 
@@ -1244,6 +1377,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -1259,6 +1394,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -1274,6 +1411,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-method [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -1289,6 +1428,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-source]] [.prope [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SOURCE+++[] @@ -1304,6 +1445,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret]] [.prope [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET+++[] 
@@ -1319,6 +1462,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] @@ -1334,6 +1479,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -1349,6 +1496,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -1364,6 +1513,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key]] [.property [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY+++[] 
@@ -1379,6 +1530,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-file]] [.pro [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_FILE+++[] @@ -1394,6 +1547,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-file]] [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -1409,6 +1564,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-passwo [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -1424,6 +1581,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-id]] [.prope [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_ID+++[] @@ -1439,6 +1598,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-password]] [ [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_PASSWORD+++[] 
@@ -1454,6 +1615,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-audience]] [.pro [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_AUDIENCE+++[] @@ -1469,6 +1632,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-token-key-id]] [ [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_TOKEN_KEY_ID+++[] @@ -1484,6 +1649,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-issuer]] [.prope [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ISSUER+++[] @@ -1499,6 +1666,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-subject]] [.prop [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SUBJECT+++[] @@ -1514,6 +1683,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-claims-claim-nam [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] 
@@ -1529,6 +1700,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-signature-algori [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -1544,6 +1717,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-lifespan]] [.pro [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_LIFESPAN+++[] @@ -1559,6 +1734,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-assertion]] [.pr [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ASSERTION+++[] @@ -1574,6 +1751,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-host]] [.property-path]##` [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_HOST+++[] 
@@ -1589,6 +1769,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-port]] [.property-path]##` [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PORT+++[] @@ -1604,6 +1786,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-username]] [.property-path [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_USERNAME+++[] @@ -1619,6 +1803,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-password]] [.property-path [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PASSWORD+++[] @@ -1634,6 +1820,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-verification]] [.property-pa [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_VERIFICATION+++[] @@ -1649,6 +1837,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file]] [.property- [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE+++[] 
@@ -1664,6 +1854,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file-type]] [.prop [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE_TYPE+++[] @@ -1679,6 +1871,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-provider]] [.prope [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PROVIDER+++[] @@ -1694,6 +1888,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-password]] [.prope [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PASSWORD+++[] @@ -1709,6 +1905,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-alias]] [.prop [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_ALIAS+++[] @@ -1724,6 +1922,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-password]] [.p [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_PASSWORD+++[] 
@@ -1739,6 +1939,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file]] [.propert [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE+++[] @@ -1754,6 +1956,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-password]] [.pro [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PASSWORD+++[] @@ -1769,6 +1973,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-cert-alias]] [.p [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_CERT_ALIAS+++[] @@ -1784,6 +1990,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file-type]] [.pr [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE_TYPE+++[] @@ -1799,6 +2007,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-provider]] [.pro [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PROVIDER+++[] diff --git a/_generated-doc/latest/config/quarkus-oidc-client_quarkus.oidc-client.adoc b/_generated-doc/latest/config/quarkus-oidc-client_quarkus.oidc-client.adoc index 3a0e626e5a..31526c664d 100644 --- a/_generated-doc/latest/config/quarkus-oidc-client_quarkus.oidc-client.adoc 
+++ b/_generated-doc/latest/config/quarkus-oidc-client_quarkus.oidc-client.adoc @@ -29,6 +29,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-auth-server-url]] [.property-path]# [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_AUTH_SERVER_URL+++[] @@ -44,6 +46,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-discovery-enabled]] [.property-path [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_DISCOVERY_ENABLED+++[] @@ -59,6 +63,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-token-path]] [.property-path]##`qua [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TOKEN_PATH+++[] @@ -74,6 +80,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-revoke-path]] [.property-path]##`qu [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_REVOKE_PATH+++[] 
@@ -89,6 +97,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-id]] [.property-path]##`quar [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_ID+++[] @@ -104,6 +114,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-client-name]] [.property-path]##`qu [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CLIENT_NAME+++[] @@ -119,6 +131,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-delay]] [.property-path] [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_DELAY+++[] 
@@ -134,6 +148,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-retry-count]] [.property [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_RETRY_COUNT+++[] @@ -149,6 +165,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-connection-timeout]] [.property-pat [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CONNECTION_TIMEOUT+++[] @@ -164,6 +182,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-use-blocking-dns-lookup]] [.propert [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_USE_BLOCKING_DNS_LOOKUP+++[] @@ -179,6 +199,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-max-pool-size]] [.property-path]##` [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_MAX_POOL_SIZE+++[] 
@@ -194,6 +216,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-secret]] [.property-pat [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET+++[] @@ -209,6 +233,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-value]] [ [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -224,6 +250,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] @@ -239,6 +267,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] 
@@ -254,6 +284,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -269,6 +301,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-client-secret-method]] [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -284,6 +318,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-source]] [.property [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SOURCE+++[] @@ -299,6 +335,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret]] [.property [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET+++[] @@ -314,6 +352,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-nam [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] 
@@ -329,6 +369,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -344,6 +386,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-secret-provider-key [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -359,6 +403,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key]] [.property-pa [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY+++[] @@ -374,6 +420,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-file]] [.proper [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_FILE+++[] 
@@ -389,6 +437,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-file]] [. [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -404,6 +454,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-store-password] [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -419,6 +471,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-id]] [.property [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_ID+++[] @@ -434,6 +488,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-key-password]] [.pr [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_KEY_PASSWORD+++[] @@ -449,6 +505,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-audience]] [.proper [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_AUDIENCE+++[] @@ -464,6 +522,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-token-key-id]] [.pr [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_TOKEN_KEY_ID+++[] 
@@ -479,6 +539,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-issuer]] [.property [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ISSUER+++[] @@ -494,6 +556,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-subject]] [.propert [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SUBJECT+++[] @@ -509,6 +573,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-claims-claim-name]] [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] @@ -524,6 +590,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-signature-algorithm [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -539,6 +607,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-lifespan]] [.proper [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_LIFESPAN+++[] 
@@ -554,6 +624,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-credentials-jwt-assertion]] [.prope [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_CREDENTIALS_JWT_ASSERTION+++[] @@ -569,6 +641,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-host]] [.property-path]##`qua [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_HOST+++[] @@ -584,6 +659,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-port]] [.property-path]##`qua [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PORT+++[] @@ -599,6 +676,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-username]] [.property-path]## [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_USERNAME+++[] @@ -614,6 +693,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-proxy-password]] [.property-path]## [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_PROXY_PASSWORD+++[] 
@@ -629,6 +710,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-verification]] [.property-path] [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_VERIFICATION+++[] @@ -644,6 +727,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file]] [.property-pat [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE+++[] @@ -659,6 +744,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-file-type]] [.propert [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_FILE_TYPE+++[] @@ -674,6 +761,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-provider]] [.property [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PROVIDER+++[] @@ -689,6 +778,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-password]] [.property [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_PASSWORD+++[] 
@@ -704,6 +795,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-alias]] [.propert [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_ALIAS+++[] @@ -719,6 +812,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-key-store-key-password]] [.prop [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_KEY_STORE_KEY_PASSWORD+++[] @@ -734,6 +829,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file]] [.property-p [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE+++[] @@ -749,6 +846,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-password]] [.proper [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PASSWORD+++[] @@ -764,6 +863,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-cert-alias]] [.prop [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_CERT_ALIAS+++[] 
@@ -779,6 +880,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-file-type]] [.prope [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_FILE_TYPE+++[] @@ -794,6 +897,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-tls-trust-store-provider]] [.proper [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_TLS_TRUST_STORE_PROVIDER+++[] @@ -1034,6 +1139,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-auth-server-url]] [.property-pat [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__AUTH_SERVER_URL+++[] @@ -1049,6 +1156,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-discovery-enabled]] [.property-p [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__DISCOVERY_ENABLED+++[] 
@@ -1064,6 +1173,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-token-path]] [.property-path]##` [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TOKEN_PATH+++[] @@ -1079,6 +1190,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-revoke-path]] [.property-path]## [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__REVOKE_PATH+++[] @@ -1094,6 +1207,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-id]] [.property-path]##`q [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_ID+++[] @@ -1109,6 +1224,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-client-name]] [.property-path]## [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CLIENT_NAME+++[] 
@@ -1124,6 +1241,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-delay]] [.property-pa [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_DELAY+++[] @@ -1139,6 +1258,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-retry-count]] [.prope [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_RETRY_COUNT+++[] @@ -1154,6 +1275,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-connection-timeout]] [.property- [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CONNECTION_TIMEOUT+++[] @@ -1169,6 +1292,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-use-blocking-dns-lookup]] [.prop [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__USE_BLOCKING_DNS_LOOKUP+++[] 
@@ -1184,6 +1309,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-max-pool-size]] [.property-path] [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__MAX_POOL_SIZE+++[] @@ -1199,6 +1326,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-secret]] [.property- [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_SECRET+++[] @@ -1214,6 +1343,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-value] [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -1229,6 +1360,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] 
@@ -1244,6 +1377,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -1259,6 +1394,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-provid [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -1274,6 +1411,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-client-secret-method [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -1289,6 +1428,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-source]] [.prope [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SOURCE+++[] @@ -1304,6 +1445,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret]] [.prope [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET+++[] 
@@ -1319,6 +1462,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] @@ -1334,6 +1479,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -1349,6 +1496,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-secret-provider- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -1364,6 +1513,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key]] [.property [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY+++[] 
@@ -1379,6 +1530,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-file]] [.pro [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_FILE+++[] @@ -1394,6 +1547,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-file]] [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -1409,6 +1564,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-store-passwo [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -1424,6 +1581,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-id]] [.prope [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_ID+++[] @@ -1439,6 +1598,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-key-password]] [ [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_KEY_PASSWORD+++[] 
@@ -1454,6 +1615,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-audience]] [.pro [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_AUDIENCE+++[] @@ -1469,6 +1632,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-token-key-id]] [ [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_TOKEN_KEY_ID+++[] @@ -1484,6 +1649,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-issuer]] [.prope [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ISSUER+++[] @@ -1499,6 +1666,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-subject]] [.prop [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SUBJECT+++[] @@ -1514,6 +1683,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-claims-claim-nam [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] 
@@ -1529,6 +1700,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-signature-algori [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -1544,6 +1717,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-lifespan]] [.pro [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_LIFESPAN+++[] @@ -1559,6 +1734,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-credentials-jwt-assertion]] [.pr [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__CREDENTIALS_JWT_ASSERTION+++[] @@ -1574,6 +1751,9 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-host]] [.property-path]##` [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_HOST+++[] 
@@ -1589,6 +1769,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-port]] [.property-path]##` [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PORT+++[] @@ -1604,6 +1786,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-username]] [.property-path [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_USERNAME+++[] @@ -1619,6 +1803,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-proxy-password]] [.property-path [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__PROXY_PASSWORD+++[] @@ -1634,6 +1820,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-verification]] [.property-pa [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_VERIFICATION+++[] @@ -1649,6 +1837,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file]] [.property- [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE+++[] 
@@ -1664,6 +1854,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-file-type]] [.prop [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_FILE_TYPE+++[] @@ -1679,6 +1871,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-provider]] [.prope [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PROVIDER+++[] @@ -1694,6 +1888,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-password]] [.prope [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_PASSWORD+++[] @@ -1709,6 +1905,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-alias]] [.prop [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_ALIAS+++[] @@ -1724,6 +1922,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-key-store-key-password]] [.p [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_KEY_STORE_KEY_PASSWORD+++[] 
@@ -1739,6 +1939,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file]] [.propert [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE+++[] @@ -1754,6 +1956,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-password]] [.pro [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PASSWORD+++[] @@ -1769,6 +1973,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-cert-alias]] [.p [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_CERT_ALIAS+++[] @@ -1784,6 +1990,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-file-type]] [.pr [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_FILE_TYPE+++[] @@ -1799,6 +2007,8 @@ a| [[quarkus-oidc-client_quarkus-oidc-client-id-tls-trust-store-provider]] [.pro [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT__ID__TLS_TRUST_STORE_PROVIDER+++[] diff --git a/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.adoc b/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.adoc index 6c5d8259ac..de4eed8e31 100644 --- a/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.adoc 
+++ b/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.adoc @@ -264,7 +264,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_KEYCLOAK_DEVSERVICES_ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservices-port]] [.property-path]##`quarkus.keycloak.devservices.port`## diff --git a/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.devservices.adoc b/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.devservices.adoc index 9060015cbe..b14e2e6c08 100644 --- a/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.devservices.adoc +++ b/_generated-doc/latest/config/quarkus-oidc_quarkus.keycloak.devservices.adoc @@ -260,7 +260,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_KEYCLOAK_DEVSERVICES_ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a|icon:lock[title=Fixed at build time] [[quarkus-oidc_quarkus-keycloak-devservices_quarkus-keycloak-devservices-port]] [.property-path]##`quarkus.keycloak.devservices.port`## diff --git a/_generated-doc/latest/config/quarkus-oidc_quarkus.oidc.adoc b/_generated-doc/latest/config/quarkus-oidc_quarkus.oidc.adoc index a553d0dbdf..a4641ddba9 100644 --- a/_generated-doc/latest/config/quarkus-oidc_quarkus.oidc.adoc +++ b/_generated-doc/latest/config/quarkus-oidc_quarkus.oidc.adoc 
@@ -97,6 +97,8 @@ a| [[quarkus-oidc_quarkus-oidc-auth-server-url]] [.property-path]##`quarkus.oidc [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_AUTH_SERVER_URL+++[] @@ -112,6 +114,8 @@ a| [[quarkus-oidc_quarkus-oidc-discovery-enabled]] [.property-path]##`quarkus.oi [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_DISCOVERY_ENABLED+++[] @@ -127,6 +131,8 @@ a| [[quarkus-oidc_quarkus-oidc-token-path]] [.property-path]##`quarkus.oidc.toke [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TOKEN_PATH+++[] @@ -142,6 +148,8 @@ a| [[quarkus-oidc_quarkus-oidc-revoke-path]] [.property-path]##`quarkus.oidc.rev [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_REVOKE_PATH+++[] 
@@ -157,6 +165,8 @@ a| [[quarkus-oidc_quarkus-oidc-client-id]] [.property-path]##`quarkus.oidc.clien [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_ID+++[] @@ -172,6 +182,8 @@ a| [[quarkus-oidc_quarkus-oidc-client-name]] [.property-path]##`quarkus.oidc.cli [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CLIENT_NAME+++[] @@ -187,6 +199,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-delay]] [.property-path]##`quarkus.oid [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_DELAY+++[] 
@@ -202,6 +216,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-retry-count]] [.property-path]##`quark [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_RETRY_COUNT+++[] @@ -217,6 +233,8 @@ a| [[quarkus-oidc_quarkus-oidc-connection-timeout]] [.property-path]##`quarkus.o [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CONNECTION_TIMEOUT+++[] @@ -232,6 +250,8 @@ a| [[quarkus-oidc_quarkus-oidc-use-blocking-dns-lookup]] [.property-path]##`quar [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_USE_BLOCKING_DNS_LOOKUP+++[] @@ -247,6 +267,8 @@ a| [[quarkus-oidc_quarkus-oidc-max-pool-size]] [.property-path]##`quarkus.oidc.m [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_MAX_POOL_SIZE+++[] 
@@ -262,6 +284,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-secret]] [.property-path]##`quarkus.o [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_SECRET+++[] @@ -277,6 +301,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-value]] [.property-path [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -292,6 +318,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-name]] [.prope [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] @@ -307,6 +335,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-keyring-name]] [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] 
@@ -322,6 +352,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-provider-key]] [.proper [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -337,6 +369,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-client-secret-method]] [.property-pat [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -352,6 +386,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-source]] [.property-path]##`quark [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SOURCE+++[] @@ -367,6 +403,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret]] [.property-path]##`quark [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET+++[] @@ -382,6 +420,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-name]] [.property [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] 
@@ -397,6 +437,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-keyring-name]] [. [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -412,6 +454,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-secret-provider-key]] [.property- [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -427,6 +471,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key]] [.property-path]##`quarkus. [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY+++[] @@ -442,6 +488,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-file]] [.property-path]##`qua [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_FILE+++[] 
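Review bot: the `jwt.key` and `jwt.key-file` hunks both say `signature-algorithm` overrides the default `RS256`, but the `jwt.signature-algorithm` description in a later hunk says it is "used for the `key-file` property" only; align the three so the reader knows whether the override also applies to an inline `key`. For `jwt.key`, which inlines a private key as a configuration string, a sentence pointing at `jwt.key-file`, the keystore properties or the CredentialsProvider alternatives would help operators keep private keys out of plain-text application configuration.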
@@ -457,6 +505,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-store-file]] [.property-path] [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -472,6 +522,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-store-password]] [.property-p [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -487,6 +539,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-id]] [.property-path]##`quark [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_ID+++[] @@ -502,6 +556,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-key-password]] [.property-path]## [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_KEY_PASSWORD+++[] @@ -517,6 +573,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-audience]] [.property-path]##`qua [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_AUDIENCE+++[] @@ -532,6 +590,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-token-key-id]] [.property-path]## [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_TOKEN_KEY_ID+++[] 
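Review bot: `jwt.key-id` ("The private key id or alias") and `jwt.token-key-id` ("The key identifier of the signing key added as a JWT `kid` header") are easy to confuse; state explicitly that `key-id` selects the key inside the keystore while `token-key-id` is only the value written into the `kid` header. "A parameter to specify the password of the keystore file." in the `jwt.key-store-password` hunk can simply read "The password of the keystore file.", matching the wording used for `tls.key-store-password` later in the patch.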
@@ -547,6 +607,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-issuer]] [.property-path]##`quark [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_ISSUER+++[] @@ -562,6 +624,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-subject]] [.property-path]##`quar [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SUBJECT+++[] @@ -577,6 +641,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-claims-claim-name]] [.property-pa [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] @@ -592,6 +658,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-signature-algorithm]] [.property- [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -607,6 +675,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-lifespan]] [.property-path]##`qua [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_LIFESPAN+++[] 
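Review bot: the `jwt.subject` description is missing the period before "The default value is the client id." The provider name is also spelled "OpenId Connect" here and in the `jwt.audience` hunk but "OpenID Connect" in the `auth-server-url` hunk; the official form is OpenID Connect. The `jwt.lifespan` hunk should state the default lifespan if one exists, since assertion lifetime is a value operators tune.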
@@ -622,6 +692,8 @@ a| [[quarkus-oidc_quarkus-oidc-credentials-jwt-assertion]] [.property-path]##`qu [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_CREDENTIALS_JWT_ASSERTION+++[] @@ -637,6 +709,9 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-host]] [.property-path]##`quarkus.oidc.prox [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_HOST+++[] @@ -652,6 +727,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-port]] [.property-path]##`quarkus.oidc.prox [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_PORT+++[] @@ -667,6 +744,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-username]] [.property-path]##`quarkus.oidc. [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_USERNAME+++[] @@ -682,6 +761,8 @@ a| [[quarkus-oidc_quarkus-oidc-proxy-password]] [.property-path]##`quarkus.oidc. [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_PROXY_PASSWORD+++[] 
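Review bot: the `jwt.assertion` hunk documents an option that is "only supported by the OIDC client extension" inside the `quarkus.oidc` table; say plainly that `quarkus-oidc` ignores it so nobody sets it expecting an effect. The form field names 'client_assertion', 'client_assertion_type' and 'assertion' are in single quotes while every other literal in these descriptions uses backticks. The `proxy.username` and `proxy.password` hunks could note that these are clear-text configuration values and point to the `QUARKUS_OIDC_PROXY_PASSWORD` environment variable shown in the same hunk as a way to keep the password out of committed configuration.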
@@ -697,6 +778,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-verification]] [.property-path]##`quarkus.oid [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_VERIFICATION+++[] @@ -712,6 +795,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-file]] [.property-path]##`quarkus.o [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_FILE+++[] @@ -727,6 +812,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-file-type]] [.property-path]##`quar [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE+++[] @@ -742,6 +829,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-provider]] [.property-path]##`quark [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_PROVIDER+++[] @@ -757,6 +846,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-password]] [.property-path]##`quark [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD+++[] 
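Review bot: the `tls.key-store-password` hunk presents `password` as the value used "if not given"; a well-known fallback for a keystore that holds the client's private key is a weak setting, so the description should tell readers to set the property (the `QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD` variable in the same hunk is the place to do it without committing the value) rather than present `password` as a normal default. The `tls.verification` description says "one of the following `Verification` values" but nothing follows; list the enum values or drop "following".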
@@ -772,6 +863,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-key-alias]] [.property-path]##`quar [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_KEY_ALIAS+++[] @@ -787,6 +880,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-key-store-key-password]] [.property-path]##`q [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_KEY_STORE_KEY_PASSWORD+++[] @@ -802,6 +897,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-file]] [.property-path]##`quarkus [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_FILE+++[] @@ -817,6 +914,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-password]] [.property-path]##`qua [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD+++[] @@ -832,6 +931,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-cert-alias]] [.property-path]##`q [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_CERT_ALIAS+++[] 
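Review bot: the sentence "When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined." in the `tls.key-store.key-alias` hunk reads as copied from the HTTP server keystore documentation; SNI is a server-side certificate selection mechanism and has no bearing on which client certificate this keystore presents to the OIDC server, so drop the condition and state simply that `key-alias` must be set when the keystore holds more than one key. The `tls.trust-store-password` hunk does not say what happens when it is unset, while `tls.key-store-password` documents a fallback; state the behaviour for both.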
@@ -847,6 +948,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-file-type]] [.property-path]##`qu [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE+++[] @@ -862,6 +965,8 @@ a| [[quarkus-oidc_quarkus-oidc-tls-trust-store-provider]] [.property-path]##`qua [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC_TLS_TRUST_STORE_PROVIDER+++[] @@ -2655,6 +2760,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-auth-server-url]] [.property-path]##`quark [.description] -- +The base URL of the OpenID Connect (OIDC) server, for example, `https://host:port/auth`. Do not set this property if the public key verification (`public-key`) or certificate chain verification only (`certificate-chain`) is required. The OIDC discovery endpoint is called by default by appending a `.well-known/openid-configuration` path to this URL. For Keycloak, use `https://host:port/realms/++{++realm++}++`, replacing `++{++realm++}++` with the Keycloak realm name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__AUTH_SERVER_URL+++[] @@ -2670,6 +2777,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-discovery-enabled]] [.property-path]##`qua [.description] -- +Discovery of the OIDC endpoints. If not enabled, you must configure the OIDC endpoint URLs individually. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__DISCOVERY_ENABLED+++[] 
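Review bot: in the `auth-server-url` hunk the phrase "certificate chain verification only (`certificate-chain`)" is awkwardly ordered; suggest "verification using only the certificate chain (`certificate-chain`)". The same hunk says the discovery endpoint "is called by default", and the `discovery-enabled` hunk that follows is where that default is controlled; a cross-reference from `auth-server-url` to `discovery-enabled` ties the two together, and `discovery-enabled` should name the endpoint properties that become mandatory when it is off (`token-path` and the other path properties in this table) so "individually" is concrete.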
@@ -2685,6 +2794,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-token-path]] [.property-path]##`quarkus.oi [.description] -- +The OIDC token endpoint that issues access and refresh tokens; specified as a relative path or absolute URL. Set if `discovery-enabled` is `false` or a discovered token endpoint path must be customized. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TOKEN_PATH+++[] @@ -2700,6 +2811,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-revoke-path]] [.property-path]##`quarkus.o [.description] -- +The relative path or absolute URL of the OIDC token revocation endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__REVOKE_PATH+++[] @@ -2715,6 +2828,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-client-id]] [.property-path]##`quarkus.oid [.description] -- +The client id of the application. Each application has a client id that is used to identify the application. Setting the client id is not required if `application-type` is `service` and no token introspection is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CLIENT_ID+++[] @@ -2730,6 +2845,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-client-name]] [.property-path]##`quarkus.o [.description] -- +The client name of the application. It is meant to represent a human readable description of the application which you may provide when an application (client) is registered in an OpenId Connect provider's dashboard. For example, you can set this property to have more informative log messages which record an activity of the given client. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CLIENT_NAME+++[] 
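Review bot: the `client-name` description is hard to parse ("you can set this property to have more informative log messages which record an activity of the given client"); suggest "A human-readable name for the application, as registered in the OpenID Connect provider's dashboard; it is used, for example, to make log messages about this client more informative." The `token-path` and `revoke-path` hunks phrase the same concept differently ("specified as a relative path or absolute URL" versus "The relative path or absolute URL of"); keep one form, and say in `revoke-path`, as `token-path` does, when it needs to be set.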
@@ -2745,6 +2862,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-delay]] [.property-path]##`quar [.description] -- +The duration to attempt the initial connection to an OIDC server. For example, setting the duration to `20S` allows 10 retries, each 2 seconds apart. This property is only effective when the initial OIDC connection is created. For dropped connections, use the `connection-retry-count` property instead. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_DELAY+++[] @@ -2760,6 +2879,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-retry-count]] [.property-path]# [.description] -- +The number of times to retry re-establishing an existing OIDC connection if it is temporarily lost. Different from `connection-delay`, which applies only to initial connection attempts. For instance, if a request to the OIDC token endpoint fails due to a connection issue, it will be retried as per this setting. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_RETRY_COUNT+++[] @@ -2775,6 +2896,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-connection-timeout]] [.property-path]##`qu [.description] -- +The number of seconds after which the current OIDC connection request times out. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CONNECTION_TIMEOUT+++[] @@ -2790,6 +2913,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-use-blocking-dns-lookup]] [.property-path] [.description] -- +Whether DNS lookup should be performed on the worker thread. Use this option when you can see logged warnings about blocked Vert.x event loop by HTTP requests to OIDC server. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__USE_BLOCKING_DNS_LOOKUP+++[] 
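Review bot: the `connection-delay` example ("`20S` allows 10 retries, each 2 seconds apart") implies a fixed 2-second retry interval that the description never states; document the interval, or describe the value purely as a total wait time. The `use-blocking-dns-lookup` sentence should read "Use this option when you see logged warnings about the Vert.x event loop being blocked by HTTP requests to the OIDC server." `connection-timeout` is described as "the number of seconds" while `connection-delay` takes a duration such as `20S`; confirm both match the configured types and describe them consistently.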
@@ -2805,6 +2930,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-max-pool-size]] [.property-path]##`quarkus [.description] -- +The maximum size of the connection pool used by the WebClient. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__MAX_POOL_SIZE+++[] @@ -2820,6 +2947,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-secret]] [.property-path]##`qu [.description] -- +The client secret used by the `client_secret_basic` authentication method. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. You can use `client-secret.value` instead, but both properties are mutually exclusive. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_SECRET+++[] @@ -2835,6 +2964,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-value]] [.proper [.description] -- +The client secret value. This value is ignored if `credentials.secret` is set. Must be set unless a secret is set in `client-secret` or `jwt` client authentication is required. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_VALUE+++[] @@ -2850,6 +2981,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-name]] [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_NAME+++[] 
@@ -2865,6 +2998,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-keyring [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -2880,6 +3015,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-provider-key]] [ [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_PROVIDER_KEY+++[] @@ -2895,6 +3032,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-client-secret-method]] [.prope [.description] -- +The authentication method. If the `clientSecret.value` secret is set, this method is `basic` by default. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_CLIENT_SECRET_METHOD+++[] @@ -2910,6 +3049,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-source]] [.property-path]# [.description] -- +JWT token source: OIDC provider client or an existing JWT bearer token. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SOURCE+++[] @@ -2925,6 +3066,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret]] [.property-path]# [.description] -- +If provided, indicates that JWT is signed using a secret key. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET+++[] 
@@ -2940,6 +3083,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-name]] [.p [.description] -- +The CredentialsProvider bean name, which should only be set if more than one CredentialsProvider is registered + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_NAME+++[] @@ -2955,6 +3100,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-keyring-na [.description] -- +The CredentialsProvider keyring name. The keyring name is only required when the CredentialsProvider being used requires the keyring name to look up the secret, which is often the case when a CredentialsProvider is shared by multiple extensions to retrieve credentials from a more dynamic source like a vault instance or secret manager + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEYRING_NAME+++[] @@ -2970,6 +3117,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-secret-provider-key]] [.pr [.description] -- +The CredentialsProvider client secret key + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SECRET_PROVIDER_KEY+++[] @@ -2985,6 +3134,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key]] [.property-path]##`q [.description] -- +String representation of a private key. If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY+++[] 
@@ -3000,6 +3151,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-file]] [.property-path [.description] -- +If provided, indicates that JWT is signed using a private key in PEM or JWK format. You can use the `signature-algorithm` property to override the default key algorithm, `RS256`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_FILE+++[] @@ -3015,6 +3168,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-store-file]] [.propert [.description] -- +If provided, indicates that JWT is signed using a private key from a keystore. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_FILE+++[] @@ -3030,6 +3185,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-store-password]] [.pro [.description] -- +A parameter to specify the password of the keystore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_STORE_PASSWORD+++[] @@ -3045,6 +3202,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-id]] [.property-path]# [.description] -- +The private key id or alias. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_ID+++[] @@ -3060,6 +3219,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-key-password]] [.property- [.description] -- +The private key password. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_KEY_PASSWORD+++[] 
@@ -3075,6 +3236,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-audience]] [.property-path [.description] -- +The JWT audience (`aud`) claim value. By default, the audience is set to the address of the OpenId Connect Provider's token endpoint. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_AUDIENCE+++[] @@ -3090,6 +3253,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-token-key-id]] [.property- [.description] -- +The key identifier of the signing key added as a JWT `kid` header. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_TOKEN_KEY_ID+++[] @@ -3105,6 +3270,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-issuer]] [.property-path]# [.description] -- +The issuer of the signing key added as a JWT `iss` claim. The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ISSUER+++[] @@ -3120,6 +3287,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-subject]] [.property-path] [.description] -- +Subject of the signing key added as a JWT `sub` claim The default value is the client id. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SUBJECT+++[] @@ -3135,6 +3304,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-claims-claim-name]] [.prop [.description] -- +Additional claims. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_CLAIMS__CLAIM_NAME_+++[] 
@@ -3150,6 +3321,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-signature-algorithm]] [.pr [.description] -- +The signature algorithm used for the `key-file` property. Supported values: `RS256` (default), `RS384`, `RS512`, `PS256`, `PS384`, `PS512`, `ES256`, `ES384`, `ES512`, `HS256`, `HS384`, `HS512`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_SIGNATURE_ALGORITHM+++[] @@ -3165,6 +3338,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-lifespan]] [.property-path [.description] -- +The JWT lifespan in seconds. This value is added to the time at which the JWT was issued to calculate the expiration time. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_LIFESPAN+++[] @@ -3180,6 +3355,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-credentials-jwt-assertion]] [.property-pat [.description] -- +If true then the client authentication token is a JWT bearer grant assertion. Instead of producing 'client_assertion' and 'client_assertion_type' form properties, only 'assertion' is produced. This option is only supported by the OIDC client extension. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__CREDENTIALS_JWT_ASSERTION+++[] @@ -3195,6 +3372,9 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-host]] [.property-path]##`quarkus.oi [.description] -- +The host name or IP address of the Proxy. + +Note: If the OIDC adapter requires a Proxy to talk with the OIDC server (Provider), set this value to enable the usage of a Proxy. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_HOST+++[] 
@@ -3210,6 +3390,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-port]] [.property-path]##`quarkus.oi [.description] -- +The port number of the Proxy. The default value is `80`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_PORT+++[] @@ -3225,6 +3407,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-username]] [.property-path]##`quarku [.description] -- +The username, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_USERNAME+++[] @@ -3240,6 +3424,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-proxy-password]] [.property-path]##`quarku [.description] -- +The password, if the Proxy needs authentication. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__PROXY_PASSWORD+++[] @@ -3255,6 +3441,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-verification]] [.property-path]##`quar [.description] -- +Certificate validation and hostname verification, which can be one of the following `Verification` values. Default is `required`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_VERIFICATION+++[] @@ -3270,6 +3458,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-file]] [.property-path]##`qu [.description] -- +An optional keystore that holds the certificate information instead of specifying separate files. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE+++[] 
@@ -3285,6 +3475,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-file-type]] [.property-path] [.description] -- +The type of the keystore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_FILE_TYPE+++[] @@ -3300,6 +3492,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-provider]] [.property-path]# [.description] -- +The provider of the keystore file. If not given, the provider is automatically detected based on the keystore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PROVIDER+++[] @@ -3315,6 +3509,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-password]] [.property-path]# [.description] -- +The password of the keystore file. If not given, the default value, `password`, is used. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_PASSWORD+++[] @@ -3330,6 +3526,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-key-alias]] [.property-path] [.description] -- +The alias of a specific key in the keystore. When SNI is disabled, if the keystore contains multiple keys and no alias is specified, the behavior is undefined. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_ALIAS+++[] @@ -3345,6 +3543,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-key-store-key-password]] [.property-pa [.description] -- +The password of the key, if it is different from the `key-store-password`. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_KEY_STORE_KEY_PASSWORD+++[] 
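Review bot: the `quarkus.oidc."tenant".*` hunks repeat the default-tenant descriptions word for word, including the missing periods after the `sub` claim and CredentialsProvider sentences, the `clientSecret.value` spelling, the `password` keystore fallback and the server-side SNI sentence in `key-alias`, which is expected for a generated file; any wording fix has to go into the shared config class Javadoc in the Quarkus repository so the next "Sync web site" run corrects both tables, and a manual edit of this file would be overwritten.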
@@ -3360,6 +3560,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-file]] [.property-path]##` [.description] -- +The truststore that holds the certificate information of the certificates to trust. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE+++[] @@ -3375,6 +3577,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-password]] [.property-path [.description] -- +The password of the truststore file. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PASSWORD+++[] @@ -3390,6 +3594,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-cert-alias]] [.property-pa [.description] -- +The alias of the truststore certificate. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_CERT_ALIAS+++[] @@ -3405,6 +3611,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-file-type]] [.property-pat [.description] -- +The type of the truststore file. If not given, the type is automatically detected based on the file name. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_FILE_TYPE+++[] @@ -3420,6 +3628,8 @@ a| [[quarkus-oidc_quarkus-oidc-tenant-tls-trust-store-provider]] [.property-path [.description] -- +The provider of the truststore file. If not given, the provider is automatically detected based on the truststore file type. + ifdef::add-copy-button-to-env-var[] Environment variable: env_var_with_copy_button:+++QUARKUS_OIDC__TENANT__TLS_TRUST_STORE_PROVIDER+++[] diff --git a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.adoc b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.adoc index dcc15fa770..a0b8afd981 100644 --- a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.adoc 
+++ b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.adoc @@ -1509,7 +1509,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-policy-role-policy-permissions-role-name]] [.property-path]##`quarkus.http.auth.policy."role-policy".permissions."role-name"`## @@ -1526,7 +1526,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__PERMISSIONS__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-policy-role-policy-permission-class]] [.property-path]##`quarkus.http.auth.policy."role-policy".permission-class`## @@ -1562,7 +1562,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_ROLES_MAPPING__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth-certificate-role-attribute]] [.property-path]##`quarkus.http.auth.certificate-role-attribute`## diff --git a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.auth.adoc b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.auth.adoc index 573a01762d..ee42d89166 100644 --- a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.auth.adoc +++ b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.http.auth.adoc @@ -158,7 +158,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth_quarkus-http-auth-policy-role-policy-permissions-role-name]] [.property-path]##`quarkus.http.auth.policy."role-policy".permissions."role-name"`## 
@@ -175,7 +175,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_POLICY__ROLE_POLICY__PERMISSIONS__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth_quarkus-http-auth-policy-role-policy-permission-class]] [.property-path]##`quarkus.http.auth.policy."role-policy".permission-class`## @@ -211,7 +211,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_HTTP_AUTH_ROLES_MAPPING__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-http-auth_quarkus-http-auth-certificate-role-attribute]] [.property-path]##`quarkus.http.auth.certificate-role-attribute`## diff --git a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.management.adoc b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.management.adoc index dae7de5552..b603d234a8 100644 --- a/_generated-doc/latest/config/quarkus-vertx-http_quarkus.management.adoc +++ b/_generated-doc/latest/config/quarkus-vertx-http_quarkus.management.adoc @@ -168,7 +168,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_ROLES_MAPPING__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-port]] [.property-path]##`quarkus.management.port`## @@ -1451,7 +1451,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_POLICY__ROLE_POLICY__ROLES__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-auth-policy-role-policy-permissions-role-name]] [.property-path]##`quarkus.management.auth.policy."role-policy".permissions."role-name"`## 
@@ -1468,7 +1468,7 @@ ifndef::add-copy-button-to-env-var[] Environment variable: `+++QUARKUS_MANAGEMENT_AUTH_POLICY__ROLE_POLICY__PERMISSIONS__ROLE_NAME_+++` endif::add-copy-button-to-env-var[] -- -|list of Map> +|Map> | a| [[quarkus-vertx-http_quarkus-management-auth-policy-role-policy-permission-class]] [.property-path]##`quarkus.management.auth.policy."role-policy".permission-class`## diff --git a/_generated-doc/latest/infra/quarkus-all-build-items.adoc b/_generated-doc/latest/infra/quarkus-all-build-items.adoc index cc77605791..df302b652d 100644 --- a/_generated-doc/latest/infra/quarkus-all-build-items.adoc +++ b/_generated-doc/latest/infra/quarkus-all-build-items.adoc @@ -118,6 +118,10 @@ _No Javadoc found_ _No Javadoc found_ +`java.util.function.Supplier depInfoProvider` + +_No Javadoc found_ + @@ -234,6 +238,10 @@ _No Javadoc found_ _No Javadoc found_ +`io.quarkus.sbom.ApplicationManifestConfig manifestConfig` + +_No Javadoc found_ + @@ -1181,6 +1189,10 @@ _No Javadoc found_ _No Javadoc found_ +`io.quarkus.sbom.ApplicationManifestConfig manifestConfig` + +_No Javadoc found_ + @@ -2180,6 +2192,17 @@ _No Javadoc found_ +a| https://github.com/quarkusio/quarkus/blob/main/core/deployment/src/main/java/io/quarkus/deployment/sbom/SbomBuildItem.java[`io.quarkus.deployment.sbom.SbomBuildItem`, window="_blank"] +[.description] +-- +Aggregates SBOMs generated for packaged applications. The API around this is still in development and will likely change in the near future. +-- a|`io.quarkus.bootstrap.app.SbomResult result` + +_No Javadoc found_ + + + + a| https://github.com/quarkusio/quarkus/blob/main/core/deployment/src/main/java/io/quarkus/deployment/builditem/nativeimage/ServiceProviderBuildItem.java[`io.quarkus.deployment.builditem.nativeimage.ServiceProviderBuildItem`, window="_blank"] [.description] -- 
diff --git a/_generated-doc/latest/infra/quarkus-maven-plugin-goals.adoc b/_generated-doc/latest/infra/quarkus-maven-plugin-goals.adoc index 6da90aa1d3..df6c59afde 100644 --- a/_generated-doc/latest/infra/quarkus-maven-plugin-goals.adoc +++ b/_generated-doc/latest/infra/quarkus-maven-plugin-goals.adoc @@ -183,6 +183,15 @@ Whether to replace the original JAR with the Uber runner JAR as the main project |`boolean` | +a| [[quarkus-maven-plugin-goal-build-attachSboms]] attachSboms + +[.description] +-- +Whether to attach SBOMs generated for Uber JARs as project artifacts +-- +|`boolean` +| + a| [[quarkus-maven-plugin-goal-build-bootstrapId]] bootstrapId [.description] 
@@ -797,6 +806,85 @@ a| [[quarkus-maven-plugin-goal-create-jbang-repos]] repos |=== += quarkus:dependency-sbom + +Quarkus application SBOM generator + +[.configuration-reference, cols="70,15,15"] +|=== + +h|[[quarkus-maven-plugin-goal-dependency-sbom-parameter-table]] Parameter +h|Type +h|Default value + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.format]] quarkus.dependency.sbom.format + +[.description] +-- +CycloneDX BOM format. Allowed values are json and xml. The default is json. +-- +|`String` +|`json` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.include-license-text]] quarkus.dependency.sbom.include-license-text + +[.description] +-- +Whether to include license text in the generated SBOM. The default is false +-- +|`boolean` +|`false` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.mode]] quarkus.dependency.sbom.mode + +[.description] +-- +Target launch mode corresponding to io.quarkus.runtime.LaunchMode for which the SBOM should be built. io.quarkus.runtime.LaunchMode.NORMAL is the default. +-- +|`String` +|`prod` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.output-file]] quarkus.dependency.sbom.output-file + +[.description] +-- +File to store the SBOM in. If not configured, the SBOM will be stored in the ${project.build.directory} directory. 
+-- +|`File` +| + +a| [[quarkus-maven-plugin-goal-dependency-sbom-project]] project +|`MavenProject` (required) +|`${project}` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-repos]] repos +|`List` (required) +|`${project.remoteProjectRepositories}` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.schema-version]] quarkus.dependency.sbom.schema-version + +[.description] +-- +CycloneDX BOM schema version +-- +|`String` +| + +a| [[quarkus-maven-plugin-goal-dependency-sbom-session]] session +|`MavenSession` +|`${session}` + +a| [[quarkus-maven-plugin-goal-dependency-sbom-quarkus.dependency.sbom.skip]] quarkus.dependency.sbom.skip + +[.description] +-- +Whether to skip the execution of the goal +-- +|`boolean` +|`false` + +|=== + = quarkus:dependency-tree Displays Quarkus application build dependency tree including the deployment ones. @@ -909,6 +997,15 @@ Whether to replace the original JAR with the Uber runner JAR as the main project |`boolean` | +a| [[quarkus-maven-plugin-goal-deploy-attachSboms]] attachSboms + +[.description] +-- +Whether to attach SBOMs generated for Uber JARs as project artifacts +-- +|`boolean` +| + a| [[quarkus-maven-plugin-goal-deploy-bootstrapId]] bootstrapId [.description] @@ -1699,6 +1796,15 @@ Whether to replace the original JAR with the Uber runner JAR as the main project |`boolean` | +a| [[quarkus-maven-plugin-goal-image-build-attachSboms]] attachSboms + +[.description] +-- +Whether to attach SBOMs generated for Uber JARs as project artifacts +-- +|`boolean` +| + a| [[quarkus-maven-plugin-goal-image-build-bootstrapId]] bootstrapId [.description] 
@@ -1897,6 +2003,15 @@ Whether to replace the original JAR with the Uber runner JAR as the main project |`boolean` | +a| [[quarkus-maven-plugin-goal-image-push-attachSboms]] attachSboms + +[.description] +-- +Whether to attach SBOMs generated for Uber JARs as project artifacts +-- +|`boolean` +| + a| [[quarkus-maven-plugin-goal-image-push-bootstrapId]] bootstrapId [.description] diff --git a/_guides/_attributes.adoc b/_guides/_attributes.adoc index 5cfbab54e4..b12fa3aaea 100644 --- a/_guides/_attributes.adoc +++ b/_guides/_attributes.adoc @@ -1,7 +1,7 @@ // Common attributes. // --> No blank lines (it ends the document header) :project-name: Quarkus -:quarkus-version: 3.14.2 +:quarkus-version: 3.14.3 :quarkus-platform-groupid: io.quarkus.platform // . :maven-version: 3.9.8 diff --git a/_guides/cdi-integration.adoc b/_guides/cdi-integration.adoc index 4c9233e24f..39920b6516 100644 --- a/_guides/cdi-integration.adoc +++ b/_guides/cdi-integration.adoc @@ -323,6 +323,24 @@ SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) { <1> By default, a synthetic bean is initialized during `STATIC_INIT`. <2> The bean instance is supplied by a value returned from a recorder method. +It is also possible to create a generic synthetic bean `Foo`. + +.`SyntheticBeanBuildItem` Example 3 +[source,java] +---- +@BuildStep +@Record(STATIC_INIT) +SyntheticBeanBuildItem syntheticBean(TestRecorder recorder) { + return SyntheticBeanBuildItem.configure(Foo.class) + .types(ParameterizedType.create(Foo.class, ClassType.create(Bar.class)))) <1> + .scope(Singleton.class) + .runtimeValue(recorder.createFooBar()) + .done(); +} +---- + +<1> `types()` or `addType()` must be used to specify the generic type. + It is possible to mark a synthetic bean to be initialized during `RUNTIME_INIT`. See the <> for more information about the difference between `STATIC_INIT` and `RUNTIME_INIT`. diff --git a/_guides/cyclonedx.adoc b/_guides/cyclonedx.adoc new file mode 100644 index 0000000000..dec4770004 
--- /dev/null +++ b/_guides/cyclonedx.adoc 
@@ -0,0 +1,198 @@ +//// +This guide is maintained in the main Quarkus repository +and pull requests should be submitted there: +https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc +//// +[id="cyclonedx"] += Generating CycloneDX BOMs +include::_attributes.adoc[] +:categories: tooling +:summary: This guide explains how to generate SBOMs for Quarkus applications in the CycloneDX format. +:topics: sbom +:extensions: io.quarkus:quarkus-cyclonedx + +An SBOM (Software Bill of Material) is a manifest that describes what a given software distribution consists of in terms of components. In addition to that, it may include a lot more information such as relationships between those components, licenses, provenance, etc. +SBOMs would typically be used by software security and software supply chain risk management tools to perform vulnerability and compliance related analysis. + +This guide describes Quarkus SBOM generation capabilities following https://cyclonedx.org/[CycloneDX] specification. + +== Why Quarkus-specific tooling? + +While Quarkus integrates with build tools such as https://maven.apache.org/[Maven] and https://gradle.org/[Gradle], it could itself be categorized as a build tool with its own component and dependency model, build steps, and build outcomes. One of the essential component types of a Quarkus application is a Quarkus extension, which consists of a runtime and a build time artifacts, and their dependencies. + +To properly resolve Quarkus extension and other application dependencies Quarkus uses its own dependency resolver, which is implemented on top of the dependency resolver provided by the underlying build tool: Maven or Gradle. + +As a consequence, in case of Maven, for example, the results of `dependency:tree` will not include all the dependencies Quarkus will use to build an application. 
A similar issue will affect other dependency analysis tools that assume a project adheres to the standard Maven dependency model: they will not be able to capture the effective Quarkus application dependency graph. Unfortunately, that includes the implementation of the https://github.com/CycloneDX/cyclonedx-maven-plugin[CycloneDX Maven plugin]. + +Besides the dependencies, that are an input to a build process, there is also an outcome of the build that is the final distribution of an application. Users of an application may request an SBOM manifesting not only the dependencies (the input to a build) but also the final distribution (the outcome of the build) before they agree to deploy the application. Quarkus allows application developers to choose various packaging types for their applications, some of which are Quarkus-specific. Providing certain Quarkus-specific details about components included in a distribution may help better evaluate the impact of potential security-related issues. + +== Dependency SBOMs + +This chapter describes how to generate SBOMs manifesting only the dependencies of an application before it is built. In other words, these SBOMs will manifest the input into a build. These SBOMs could be used to perform vulnerability and compliance related analysis before building applications. + +=== Maven Dependency SBOMs + +For Quarkus Maven projects dependency SBOMs can be generated with the `quarkus:dependency-sbom` goal. The outcome of the goal will be saved in a `target/--dependency-cyclonedx.json` file (which can be changed by setting the `outputFile` goal parameter or the `quarkus.dependency.sbom.output-file` property). The complete Quarkus build and runtime dependency graphs will be recorded in the https://cyclonedx.org/[CycloneDX] `JSON` format. + +`XML` format can be requested by setting `format` goal parameter (or `quarkus.dependency.sbom.format` property) to `xml`. 
+ +Each component in the generated SBOM will include the `quarkus:component:scope` property that will indicate whether this component is used at runtime or only development/build time. +[source,json] +---- + { + "name" : "quarkus:component:scope", + "value" : "runtime" + } +---- + +By default, `quarkus:dependency-sbom` captures the dependencies of a production build. Quarkus supports three application bootstrap modes: normal (production), test, and dev. In all three modes, an application may have different dependency graphs. The `mode` parameter can be used to indicate which dependency graph should be recorded. If the `mode` is set to `test` or `dev`, the target file name will become `target/---dependency-cyclonedx.json`. + +The complete set of parameters and their description can be obtained by executing `mvn help:describe -Dcmd=quarkus:dependency-sbom -Ddetail`. + +=== Gradle Dependency SBOMs + +Unlike Maven, the https://github.com/CycloneDX/cyclonedx-gradle-plugin[Gradle CycloneDX plugin implementation] can be used in Quarkus projects to generate dependency SBOMs, since the implementation manifests dependency configurations registered by configured plugins. + +Please, refer to the https://github.com/CycloneDX/cyclonedx-gradle-plugin[Gradle CycloneDX plugin] documentation for its configuration options. 
Here is a list of Quarkus dependency configurations that would be relevant for manifesting: + +* `quarkusProdRuntimeClasspathConfiguration` - Quarkus application production runtime dependencies; +* `quarkusProdRuntimeClasspathConfigurationDeployment` - Quarkus application production runtime and build time dependencies; +* `quarkusTestRuntimeClasspathConfiguration` - Quarkus application test runtime dependencies; +* `quarkusTestRuntimeClasspathConfigurationDeployment` - Quarkus application test runtime and build time dependencies; +* `quarkusDevRuntimeClasspathConfiguration` - Quarkus application dev mode runtime dependencies; +* `quarkusDevRuntimeClasspathConfigurationDeployment` - Quarkus application dev mode runtime and build time dependencies. + +Given that the plugin is not aware of how Quarkus uses these dependencies, it will not be able to set the `quarkus:component:scope` property for components. On the other hand, the requested configuration name can be used indicate which scope to target. + +== Distribution SBOMs + +This chapter describes SBOMs that manifest outcomes of Quarkus builds that are final application distributions. + +During an application build and package assembly process, Quarkus captures certain details about the produced distribution and then allows an SBOM generator to consume and record that information in an SBOM format. + +At this point, the only SBOM generator available for Quarkus users that can manifest application distributions is `io.quarkus:quarkus-cyclonedx`. Once it's added as a project dependency it will generate SBOMs every time an application is built. SBOMs will be saved in the project's build output directory under `-cyclonedx.` name, where + +* `` is the base file name (without the extension) of the executable that launches an application; +* `` is either `json` (the default) or `xml`, which can be configured using `quarkus.cyclonedx.format` property. 
If both formats are desired `quarkus.cyclonedx.format` can be set to `all`. + +=== Fast JAR + +Fast JAR packaging uses a Quarkus-specific filesystem directory layout that contains files generated by Quarkus and Maven artifacts that are runtime dependencies of an application. + +SBOMs for Fast JAR packaging type will use the executable JAR file as their main component and record both runtime and build time Quarkus application dependencies. + +==== Runtime Components + +Every file in the resulting Fast JAR distribution will appear in the SBOM with the `quarkus:component:scope` property set to `runtime` and `evidence.occurrences.location` field pointing to the location of the component in the application distribution directory, for example + +[source,json] +---- + "purl" : "pkg:maven/org.jboss.slf4j/slf4j-jboss-logmanager@2.0.0.Final?type=jar", + "properties" : [ + { + "name" : "quarkus:component:scope", + "value" : "runtime" + } + ], + "evidence" : { + "occurrences" : [ + { + "location" : "lib/main/org.jboss.slf4j.slf4j-jboss-logmanager-2.0.0.Final.jar" + } + ] + } +---- + +NOTE: `evidence.occurrences.location` was introduced in CycloneDX schema version 1.5, for older versions the location will be indicated using the `quarkus:component:location` property. + +==== Pedigree + +Pedigree is a way to provide information that certain patches, or changes in general, have been applied to a certain component. + +In certain cases, Quarkus may copy modified versions of dependency artifacts to an application distribution. Manipulating the original content of a component will change its hash sums which may get highlighted as suspicious by the tools comparing original component hash sums to those found in the distribution. + +When Quarkus applies modifications to artifacts resolved from Maven repositories, it can manifest these changes as pedigree notes in the generated SBOM. 
+For example, if an application developer decided to remove certain classpath resources from a dependency, such as + +[source,properties] +---- +quarkus.class-loading.removed-resources."jakarta.transaction\:jakarta.transaction-api"=META-INF/NOTICE.md,jakarta/transaction/package.html +---- + +The resulting SBOM will include +[source,json] +---- + "purl" : "pkg:maven/jakarta.transaction/jakarta.transaction-api@2.0.1?type=jar", + "pedigree" : { + "notes" : "Removed META-INF/NOTICE.md,jakarta/transaction/package.html" + }, +---- + +==== Build time dependencies + +Build time dependencies will be recorded with the `quarkus:component:scope` property set to `development`: + +[source,json] +---- + "purl" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "properties" : [ + { + "name" : "quarkus:component:scope", + "value" : "development" + } + ] +---- + +They will not include `evidence.occurrences.location` since they will not be found in the distribution. + +=== Uber JAR + +SBOMs for Uber JARs will use the Uber JAR Maven artifact as their main component. + +Since an Uber JAR is published as a Maven artifact itself, SBOMs generated for Uber JARs will also be automatically published as Maven artifacts. This, however, can be disabled by setting the `attachSboms` parameter of the `quarkus:build` goal to `false`. + +Gradle users will have to explicitly configure a publishing plugin to deploy SBOMs as Maven artifacts. + +Runtime components in an SBOM generated for an Uber JAR will not include `evidence.occurrences.location` since their content is merged in a single JAR file. + +=== Native image + +SBOMs for native images will use the native executable file as their main component. + +Since native executables are not currently attached to projects as Maven artifacts, their SBOMs will not be attached as Maven artifacts either. 
+ +As in the case of an Uber JAR, runtime components in an SBOM generated for an native executable will not include `evidence.occurrences.location` since their corresponding code and resources are included in a single native executable file. + +=== Mutable JAR + +Mutable JAR distribution is similar to the Fast JAR one except it also includes build time dependencies to support re-augmentation (re-building) of an application. + +SBOMs generated for Mutable JAR distributions will also record locations of components that will be used during re-augmentation process using `evidence.occurrences.location` but keeping their `quarkus:component:scope` property set to `development`. For example: + +[source,json] +---- + "purl" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "properties" : [ + { + "name" : "quarkus:component:scope", + "value" : "development" + } + ], + "evidence" : { + "occurrences" : [ + { + "location" : "lib/deployment/org.apache.httpcomponents.httpcore-4.4.16.jar" + } + ] + } +---- + +== Quarkus Property Taxonomy + +[cols="1,1,1"] +|=== +|Name |Value range |Description + +|`quarkus:component:scope` |`runtime` or `development` |Indicates whether a component is a runtime or a build/development time dependency of an application. +|`quarkus:component:location` |String representing a file system path using `/` as a path element |Used in SBOMs with schema versions 1.4 or older. Starting from schema 1.5, `evidence.occurrences.location` is used instead. This property is used only if a component is found in the distribution. The value is a relative path to a file pointing to the location of a component in a distribution using `/` as a path element separator. +|=== diff --git a/_guides/gradle-tooling.adoc b/_guides/gradle-tooling.adoc index 6cd28b895a..0ba1a19ae1 100644 --- a/_guides/gradle-tooling.adoc +++ b/_guides/gradle-tooling.adoc 
@@ -814,5 +814,33 @@ action must be declared as an input of the task. The Quarkus Gradle plugin works with builds that have the link:https://docs.gradle.org/current/userguide/configuration_cache.html[Gradle's configuration cache] enabled, but -the configuration cache is disabled for the Quarkus tasks. This means, that the Quarkus plugin does not break such +the configuration cache is disabled for some of the Quarkus tasks. This means, that the Quarkus plugin does not break such Gradle builds. +The current state of compatibility is shown in the following table: + +[cols="2","4"] +|==== +|Quarkus task|Configuration Cache Compatibility +|`quarkusGenerateCode` |✅ +|`quarkusGenerateCodeDev`|✅ +|`quarkusGenerateCodeTests`|✅ +|`quarkusDependenciesBuild`|✅ +|`quarkusAppPartsBuild`|✅ +|`quarkusShowEffectiveConfig`|✅ +|`quarkusBuild`|✅ +|`imageBuild`|✅ +|`imagePush`|✅ +|`quarkusDev`|❌ +|`quarkusRun`|❌ +|`quarkusRemoteDev`|❌ +|`quarkusTest`|❌ +|`quarkusGoOffline`|❌ +|`quarkusInfo`|❌ +|`quarkusUpdate`|❌ +|`deploy`|❌ +|`listExtensions`|❌ +|`listCategories`|❌ +|`listPlatforms`|❌ +|`addExtension`|❌ +|`removeExtension`|❌ +|==== diff --git a/_guides/ide-tooling.adoc b/_guides/ide-tooling.adoc index d9531c3980..f7b1f1dae9 100644 --- a/_guides/ide-tooling.adoc +++ b/_guides/ide-tooling.adoc @@ -22,10 +22,10 @@ In addition, IntelliJ IDEA has additional support for Quarkus in their Ultimate The table below gives an overview of the current IDEs with links and a high-level overview of their features. -:vscode-logo: https://simpleicons.org/icons/visualstudiocode.svg -:eclipse-logo: https://simpleicons.org/icons/eclipseide.svg -:intellij-logo: https://simpleicons.org/icons/intellijidea.svg -:che-logo: https://simpleicons.org/icons/eclipseche.svg +:vscode-logo: visualstudiocode.svg +:eclipse-logo: eclipseide.svg +:intellij-logo: intellijidea.svg +:che-logo: eclipseche.svg [cols="6*^", header] |=== | . 
diff --git a/_guides/images/eclipseche.svg b/_guides/images/eclipseche.svg new file mode 100644 index 0000000000..904aff3755 --- /dev/null +++ b/_guides/images/eclipseche.svg @@ -0,0 +1 @@ +Eclipse Che \ No newline at end of file diff --git a/_guides/images/eclipseide.svg b/_guides/images/eclipseide.svg new file mode 100644 index 0000000000..80a9282e05 --- /dev/null +++ b/_guides/images/eclipseide.svg @@ -0,0 +1 @@ +Eclipse IDE \ No newline at end of file diff --git a/_guides/images/intellijidea.svg b/_guides/images/intellijidea.svg new file mode 100644 index 0000000000..6cc5f0f214 --- /dev/null +++ b/_guides/images/intellijidea.svg @@ -0,0 +1 @@ +IntelliJ IDEA \ No newline at end of file diff --git a/_guides/images/visualstudiocode.svg b/_guides/images/visualstudiocode.svg new file mode 100644 index 0000000000..cb4cb1501c --- /dev/null +++ b/_guides/images/visualstudiocode.svg @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/_guides/qute-reference.adoc b/_guides/qute-reference.adoc index 64ba4bf0e3..654b06364b 100644 --- a/_guides/qute-reference.adoc +++ b/_guides/qute-reference.adoc @@ -2228,7 +2228,7 @@ Quarkus provides a set of built-in extension methods. TIP: A map value can be also accessed directly: `{map.myKey}`. Use the bracket notation for keys that are not legal identifiers: `{map['my key']}`. -==== Lists +===== Lists * `get(index)`: Returns the element at the specified position in a list ** `{list.get(0)}` 
@@ -2654,6 +2654,79 @@ class DetailResource { WARNING: Unlike with `@Inject` the templates obtained via `RestTemplate` are not validated, i.e. the build does not fail if a template does not exist. +[[vertx_integration]] +=== Vert.x Integration + +If you want to use `io.vertx.core.json.JsonObject` as data in your templates, then you will need to add the `quarkus-vertx` extension to your build file if not already part of your dependencies (most applications use this extension by default). + + +[source,xml,role="primary maven-dependency"] +.pom.xml +---- + + io.quarkus + quarkus-vertx + +---- + +[source,gradle,role="secondary gradle-dependency"] +.build.gradle +---- +implementation("io.quarkus:quarkus-vertx") +---- + +With this dependency included, we have a special value resolver for `io.vertx.core.json.JsonObject` which makes it possible to access the properties of a JSON object in a template: + +.src/main/resources/templates/foo.txt +[source,text] +---- +{tool.name} +{tool.fieldNames} +{tool.fields} +{tool.size} +{tool.empty} +{tool.isEmpty} +{tool.get('name')} +{tool.containsKey('name')} +---- + +.QuteVertxIntegration.java +[source,java] +---- +import java.util.HashMap; +import jakarta.inject.Inject; +import io.vertx.core.json.JsonObject; +import io.quarkus.qute.Template; + +public class QuteVertxIntegration { + + @Inject + Template foo; + + public String render() { + HashMap toolMap = new Map(); + toolMap.put("name", "Roq"); + JsonObject jsonObject = new JsonObject(toolMap); + return foo.data("tool", jsonObject).render(); + } +} +---- + +The `QuteVertxIntegration#render()` output should look like: + +[source,text] +---- +Roq +[name] +[name] +1 +false +false +Roq +true +---- + + === Development Mode In the development mode, all files located in `src/main/resources/templates` are watched for changes. diff --git a/_guides/rest-data-panache.adoc b/_guides/rest-data-panache.adoc index ff002dbb2d..ac5c22cc5b 100644 --- a/_guides/rest-data-panache.adoc 
+++ b/_guides/rest-data-panache.adoc @@ -13,7 +13,6 @@ include::_attributes.adoc[] A lot of web applications are monotonous CRUD applications with REST APIs that are tedious to write. To streamline this task, REST Data with Panache extension can generate the basic CRUD endpoints for your entities and repositories. -While this extension is still experimental and provides a limited feature set, we hope to get an early feedback for it. Currently, this extension supports Hibernate ORM and MongoDB with Panache and can generate CRUD resources that work with `application/json` and `application/hal+json` content. == Setting up REST Data with Panache @@ -23,17 +22,20 @@ Please, check out the next compatibility table to use the right one according to .Compatibility Table |=== -|Extension |Hibernate | RESTEasy +|Extension |Status |Hibernate |RESTEasy |<> +|`Stable` |`ORM` |`Classic and Reactive` |<> +|`Experimental` |`Reactive` |`Reactive` |<> +|`Experimental` |`ORM` |`Classic and Reactive` |=== diff --git a/_guides/rest.adoc b/_guides/rest.adoc index e38650b354..81aca81ff5 100644 --- a/_guides/rest.adoc +++ b/_guides/rest.adoc 
@@ -1391,9 +1391,28 @@ In both cases, importing those modules will allow HTTP message bodies to be read and serialised to JSON, for <>. -==== Advanced Jackson-specific features +==== Jackson-specific features -When using the `quarkus-rest-jackson` extension there are some advanced features that Quarkus REST supports. +===== Exception handling + +By default, Quarkus provides a built-in `ExceptionMapper` for `MismatchedInputException` which returns an HTTP 400 status code +along with a good error message in Dev and Test modes, about what went wrong during serialization of an entity. + +[NOTE] +==== +There are situations where various Jackson related exceptions need to handled in a uniform way.For example, the application may need to handle all `JsonMappingException` the same way. +This becomes a problem when taking JAX-RS / Jakarta REST rules into account, because the exception mapper `ExceptionMapper` for `MismatchedInputException` would be used instead of the user provide +`ExceptionMapper` for `JsonMappingException` (as `MismatchedInputException` is a subtype of `JsonMappingException`). + +One solution for this case is to configure the following: + +[source,properties] +---- +quarkus.class-loading.removed-resources."io.quarkus\:quarkus-rest-jackson"=io/quarkus/resteasy/reactive/jackson/runtime/mappers/BuiltinMismatchedInputExceptionMapper.class +---- + +which essentially makes Quarkus ignore the `ExceptionMapper` for `MismatchedInputException` completely. +==== [[secure-serialization]] ===== Secure serialization diff --git a/_guides/security-jwt.adoc b/_guides/security-jwt.adoc index 781a24f719..3b5515a5f7 100644 --- a/_guides/security-jwt.adoc +++ b/_guides/security-jwt.adoc 
@@ -817,7 +817,7 @@ To prevent it, set `quarkus.smallrye-jwt.blocking-authentication=true`. === Token Propagation -Please see the xref:security-openid-connect-client-reference.adoc#token-propagation[Token Propagation] section about the Bearer access token propagation to the downstream services. +Please see the xref:security-openid-connect-client-reference.adoc#token-propagation-rest[Token Propagation] section about the Bearer access token propagation to the downstream services. [[integration-testing]] === Testing diff --git a/_guides/security-oidc-auth0-tutorial.adoc b/_guides/security-oidc-auth0-tutorial.adoc index 5d180dfdd6..d5e9dfe2b9 100644 --- a/_guides/security-oidc-auth0-tutorial.adoc +++ b/_guides/security-oidc-auth0-tutorial.adoc @@ -625,7 +625,7 @@ In fact, the last code example, showing the injected `UserInfo`, is a concrete e But what about propagating access tokens to some custom services ? It is very easy to achieve in Quarkus, both for the authorization code and bearer token flows. All you need to do is to create a REST Client interface for calling the service requiring a Bearer token access and annotate it with `@AccessToken` and the access token arriving to the front-end endpoint as the Auth0 Bearer access token or acquired by Quarkus after completing the Auth0 authorization code flow, will be propagated to the target microservice. This is as easy as it can get. For examples of propagating access tokens, see the following sections in this tutorial. -For more information about token propagation, see xref:security-openid-connect-client-reference.adoc#reactive-token-propagation[OIDC token propagation]. +For more information about token propagation, see xref:security-openid-connect-client-reference.adoc#token-propagation-rest[OIDC token propagation]. [[jwt-access-tokens]] === Access tokens in JWT format 
diff --git a/_guides/security-oidc-bearer-token-authentication.adoc b/_guides/security-oidc-bearer-token-authentication.adoc index 3052aa4ecf..eb04efd1c8 100644 --- a/_guides/security-oidc-bearer-token-authentication.adoc +++ b/_guides/security-oidc-bearer-token-authentication.adoc @@ -475,7 +475,7 @@ quarkus.oidc.introspection-path=/protocol/openid-connect/tokens/introspect === Token propagation -For information about bearer access token propagation to the downstream services, see the xref:security-openid-connect-client-reference.adoc#token-propagation[Token propagation] section of the Quarkus "OpenID Connect (OIDC) and OAuth2 client and filters reference" guide. +For information about bearer access token propagation to the downstream services, see the xref:security-openid-connect-client-reference.adoc#token-propagation-rest[Token propagation] section of the Quarkus "OpenID Connect (OIDC) and OAuth2 client and filters reference" guide. === JWT token certificate chain diff --git a/_guides/security-oidc-code-flow-authentication.adoc b/_guides/security-oidc-code-flow-authentication.adoc index 3fd51fe7d7..5e64a01bbd 100644 --- a/_guides/security-oidc-code-flow-authentication.adoc +++ b/_guides/security-oidc-code-flow-authentication.adoc @@ -1497,7 +1497,7 @@ TIP: You can listen to other security events as described in the xref:security-c === Propagating tokens to downstream services -For information about Authorization Code Flow access token propagation to downstream services, see the xref:security-openid-connect-client-reference.adoc#token-propagation[Token Propagation] section. +For information about Authorization Code Flow access token propagation to downstream services, see the xref:security-openid-connect-client-reference.adoc#token-propagation-rest[Token Propagation] section. == Integration considerations diff --git a/_guides/security-openid-connect-client-reference.adoc b/_guides/security-openid-connect-client-reference.adoc index 2de1e8a175..e1b9f2b4fc 100644 
--- a/_guides/security-openid-connect-client-reference.adoc +++ b/_guides/security-openid-connect-client-reference.adoc @@ -131,7 +131,7 @@ quarkus.oidc-client.grant.type=refresh Then you can use the `OidcClient.refreshTokens` method with a provided refresh token to get the access token. -Using the `urn:ietf:params:oauth:grant-type:token-exchange` or `urn:ietf:params:oauth:grant-type:jwt-bearer` grants might be required if you are building a complex microservices application and want to avoid the same `Bearer` token be propagated to and used by more than one service. See <> and <> for more details. +Using the `urn:ietf:params:oauth:grant-type:token-exchange` or `urn:ietf:params:oauth:grant-type:jwt-bearer` grants might be required if you are building a complex microservices application and want to avoid the same `Bearer` token be propagated to and used by more than one service. See <> and <> for more details. Using `OidcClient` to support the `authorization code` grant might be required if, for some reason, you cannot use the xref:security-oidc-code-flow-authentication.adoc[Quarkus OIDC extension] to support Authorization Code Flow. If there is a very good reason for you to implement Authorization Code Flow, then you can configure `OidcClient` as follows: 
@@ -1102,10 +1102,10 @@ public class OidcRequestCustomizer implements OidcRequestFilter { } ---- -[[token-propagation-reactive]] -== Token Propagation Reactive +[[token-propagation-rest]] +== Token Propagation for Quarkus REST -The `quarkus-rest-client-oidc-token-propagation` extension provides a REST Client, `io.quarkus.oidc.token.propagation.reactive.AccessTokenRequestReactiveFilter`, that simplifies the propagation of authentication information. This client propagates the xref:security-oidc-bearer-token-authentication.adoc[bearer token] present in the currently active request or the token acquired from the xref:security-oidc-code-flow-authentication.adoc[authorization code flow mechanism] as the HTTP `Authorization` header's `Bearer` scheme value. +The `quarkus-rest-client-oidc-token-propagation` extension provides a REST Client filter, `io.quarkus.oidc.token.propagation.reactive.AccessTokenRequestReactiveFilter`, that simplifies the propagation of authentication information. This client propagates the xref:security-oidc-bearer-token-authentication.adoc[bearer token] present in the currently active request or the token acquired from the xref:security-oidc-code-flow-authentication.adoc[authorization code flow mechanism] as the HTTP `Authorization` header's `Bearer` scheme value. You can selectively register `AccessTokenRequestReactiveFilter` by using either `io.quarkus.oidc.token.propagation.AccessToken` or `org.eclipse.microprofile.rest.client.annotation.RegisterProvider` annotation, for example: 
@@ -1178,8 +1178,8 @@ quarkus.resteasy-client-oidc-token-propagation.exchange-token=true `AccessTokenRequestReactiveFilter` uses a default `OidcClient` by default. A named `OidcClient` can be selected with a `quarkus.rest-client-oidc-token-propagation.client-name` configuration property or with the `io.quarkus.oidc.token.propagation.AccessToken#exchangeTokenClient` annotation attribute. -[[token-propagation]] -== Token Propagation +[[token-propagation-resteasy]] +== Token Propagation for RESTEasy Classic The `quarkus-resteasy-client-oidc-token-propagation` extension provides two Jakarta REST `jakarta.ws.rs.client.ClientRequestFilter` class implementations that simplify the propagation of authentication information. `io.quarkus.oidc.token.propagation.AccessTokenRequestFilter` propagates the xref:security-oidc-bearer-token-authentication.adoc[Bearer token] present in the current active request or the token acquired from the xref:security-oidc-code-flow-authentication.adoc[Authorization code flow mechanism], as the HTTP `Authorization` header's `Bearer` scheme value. 
@@ -1333,24 +1333,6 @@ As mentioned, use `AccessTokenRequestFilter` if you work with Keycloak or an Ope You can generate the tokens as described in xref:security-oidc-bearer-token-authentication.adoc#bearer-token-integration-testing[OpenID Connect Bearer Token Integration testing] section. Prepare the REST test endpoints. You can have the test front-end endpoint, which uses the injected MP REST client with a registered token propagation filter, call the downstream endpoint. For example, see the `integration-tests/resteasy-client-oidc-token-propagation` in the `main` Quarkus repository. -[[reactive-token-propagation]] -== Token Propagation Reactive - -Add the following Maven Dependency: - -[source,xml] ----- - - io.quarkus - quarkus-rest-client-resteasy-client-oidc-token-propagation - ----- - -The `quarkus-rest-client-resteasy-client-oidc-token-propagation` extension provides `io.quarkus.oidc.token.propagation.reactive.AccessTokenRequestReactiveFilter` which can be used to propagate the current `Bearer` or `Authorization Code Flow` access tokens. - -The `quarkus-rest-client-resteasy-client-oidc-token-propagation` extension (as opposed to the non-reactive `quarkus-resteasy-client-oidc-token-propagation` extension) does not currently support the exchanging or resigning of the tokens before the propagation. -However, these features might be added in the future. - ifndef::no-quarkus-oidc-client-graphql[] [[quarkus-oidc-client-graphql]] == GraphQL client integration diff --git a/_guides/security-openid-connect-multitenancy.adoc b/_guides/security-openid-connect-multitenancy.adoc index 5a6211dabd..342643b9dc 100644 --- a/_guides/security-openid-connect-multitenancy.adoc +++ b/_guides/security-openid-connect-multitenancy.adoc 
@@ -657,10 +657,13 @@ public class HelloResource { ---- <1> The `io.quarkus.oidc.Tenant` annotation must be placed on either the resource class or resource method. -[[TIP]] +[TIP] +==== In the example above, authentication of the `sayHello` endpoint is enforced with the `@Authenticated` annotation. + Alternatively, if you use an the xref:security-authorize-web-endpoints-reference.adoc#authorization-using-configuration[HTTP Security policy] -to secure the endpoint, then, for the `@Tenant` annotation be effective, you must delay this policy's permission check as shown in the example below: +to secure the endpoint, then, for the `@Tenant` annotation be effective, you must delay this policy's permission check as shown in the following example: + [source,properties] ---- quarkus.http.auth.permission.authenticated.paths=/api/hello @@ -669,6 +672,7 @@ quarkus.http.auth.permission.authenticated.policy=authenticated quarkus.http.auth.permission.authenticated.applies-to=JAXRS <1> ---- <1> Tell Quarkus to run the HTTP permission check after the tenant has been selected with the `@Tenant` annotation. +==== [[tenant-config-resolver]] === Dynamic tenant configuration resolution diff --git a/_guides/security-openid-connect-providers.adoc b/_guides/security-openid-connect-providers.adoc index 667ae69b54..72ac3bbc4c 100644 --- a/_guides/security-openid-connect-providers.adoc +++ b/_guides/security-openid-connect-providers.adoc 
@@ -584,7 +584,7 @@ As mentioned in the xref:security-oidc-code-flow-authentication.adoc[OIDC code f It is this access token that has to be propagated to services such as `Google Calendar`, or `Spotify Playlists` for the currently authenticated user to be able to use such services. You do not have to bring provider-specific libraries in order to achieve this, but instead you can use a reactive `Token Propagation` filter, which can be bound to a given REST client with a simple annotation. -For more information, see the Quarkus xref:security-openid-connect-client-reference.adoc#token-propagation-reactive[Access token propagation] guide. +For more information, see the Quarkus xref:security-openid-connect-client-reference.adoc#token-propagation-rest[Access token propagation] guide. For example, after you have configured the <> provider, you can have events added to the user's Google Calendar by using a REST client as shown in the following example: diff --git a/_guides/tls-registry-reference.adoc b/_guides/tls-registry-reference.adoc index 955917ba94..1a9cdc0ded 100644 --- a/_guides/tls-registry-reference.adoc +++ b/_guides/tls-registry-reference.adoc @@ -3,9 +3,10 @@ This guide is maintained in the main Quarkus repository and pull requests should be submitted there: https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc //// +[id="tls-registry-reference"] = TLS registry reference include::_attributes.adoc[] -:categories: network +:categories: web :summary: TLS registry configuration and usage :numbered: :sectnums: 
@@ -14,17 +15,18 @@ include::_attributes.adoc[] :extensions: io.quarkus:quarkus-tls-registry The TLS registry is a Quarkus extension centralizing the TLS configuration for the application. -It allows to define the TLS configuration in a single place and to reference it from multiple places in the application. +You can use the TLS registry to define the configuration in one place and reference it from multiple places in the application. -The TLS extension should be automatically added to your project as soon as you use a compatible extension. -For example, if your application uses Quarkus REST, gRPC or reactive routes, the TLS registry is automatically added to your project. +The TLS extension is automatically added to your project when you use a compatible extension. +For example, if your application uses Quarkus REST, gRPC, or reactive routes, the TLS registry is automatically added to your project. == Using TLS registry -To configure a TLS connection, and more specifically the key stores and trust stores, you use the `quarkus.tls.*` properties. +To configure a TLS connection, including key and trust stores, use the `quarkus.tls.*` properties. -Configuration directly under `quarkus.tls` is the default configuration that will be used by all the TLS connections in the application. -However, you can also have specific configurations for specific connections by using the `quarkus.tls..*` properties. +The configuration model always contains a default (unnamed) TLS configuration that is configured by properties directly under `quarkus.tls.*`. +In addition, it allows you to define separate named configurations; these use `quarkus.tls..*` properties. +However, by using the `quarkus.tls..*` properties, you can also have specific configurations for specific connections. === Configure the HTTP server to use https:// 
@@ -37,7 +39,7 @@ quarkus.tls.key-store.pem.0.key=server.key quarkus.http.insecure-requests=disabled # Reject HTTP requests ---- -So you a `p12` (PKCS12) key store, use the following configuration: +With a `p12` (PKCS12) keystore, use the following configuration: [source,properties] ---- @@ -71,13 +73,13 @@ quarkus.grpc.clients.hello.use-quarkus-grpc-client=true === Configuring mTLS -To configure mTLS, you need to configure both the server and the client. -Both will receive a key store and a trust store: +To configure mTLS, set up both the server and the client. +Each will require a keystore and a truststore: -- the server key store contains the server certificate and private key -- the client key store contains the client certificate and private key -- the server trust store contains the client certificate (to authenticate the client) -- the client trust store contains the server certificate (to authenticate the server) +- the server keystore contains the server certificate and private key +- the client keystore contains the client certificate and private key +- the server truststore contains the client certificate (to authenticate the client) +- the client truststore contains the server certificate (to authenticate the server) [source,properties] ---- @@ -105,8 +107,7 @@ quarkus.grpc.server.plain-text=false [#referencing-a-tls-configuration] == Referencing a TLS configuration -Once you have configured a _named_ configuration using `quarkus.tls.`, you need to reference it. -This is done using the `tls-configuration-name` property: +After you have configured a _named_ configuration by using `quarkus.tls.`, reference it by using the `tls-configuration-name` property: [source,properties] ---- 
@@ -124,17 +125,18 @@ The configuration depends on the format (`pem`, `p12`, `jks`...). There are other important properties too. This section details the various properties you can use to configure TLS. + === Key stores Key stores are used to store the private key and the certificate. -They are mainly used on the server-side, but can also be used on the client-side when mTLS is used. +They are mainly used on the server side but can also be used on the client side when mTLS is used. ==== PEM key stores -PEM key stores are composed of a list of pair of two files: the certificate and the private key. -The certificate file is a `.crt` or `.pem` file, and the private key file is often a `.key` file. +Privacy Enhanced Mail (PEM) keystores are composed of a list of pairs of two files: the certificate and the private key. +The certificate file is a `.crt` or `.pem` file; the private key file is often a `.key` file. -To configure a PEM key store, use the following properties: +To configure a PEM keystore, use the following properties: [source,properties] ---- 
@@ -144,35 +146,39 @@ quarkus.tls.key-store.pem.b.cert=my-second-cert.crt quarkus.tls.key-store.pem.b.key=my-second-key.key ---- -In general, you will only need one pair of certificate and private key. -The certificate may contain multiple certificates (a chain), but there should be one private key. +In general, you only need a single pair consisting of a certificate and a private key. +Even if the certificate is part of a certificate chain, it includes only one private key corresponding to the end-entity certificate. -When multiple pairs are configured, the selection is done using SNI (Server Name Indication). -The client will send the server name it wants to connect to, and the server will select the appropriate pair of certificate and private key. -Make sure xref:./tls-registry-reference.adoc#sni[SNI] is enabled on both the client and server to use this feature. +When multiple pairs are configured, the selection is based on Server Name Indication (SNI). +The client sends the server name it wants to connect to, and the server selects the appropriate pair of certificates and private keys. +To use this feature, ensure xref:./tls-registry-reference.adoc#sni[SNI] is enabled on both the client and server. -IMPORTANT: When configuring multiple key/cert pairs, the order is following the lexicographical order of the name (`a` and `b` in the previous snippet). So, the first pair is the one with the lowest lexicographical order. You can define the order by using the `quarkus.tls.key-store.pem.order` property, for example: `quarkus.tls.key-store.pem.order=b,c,a`. This is important when using SNI, as the first pair is the default one. +IMPORTANT: When configuring multiple key or certificate pairs, the order follows the lexicographical order of their names, as demonstrated with `a` and `b` in the previous example. +The pair with the lowest lexicographical order is considered the first. +You can define the order by using the `quarkus.tls.key-store.pem.order` property. 
+For example, `quarkus.tls.key-store.pem.order=b,c,a`. +This setting is crucial when using SNI, where the first specified pair is used as the default. ==== PKCS12 key stores PKCS12 key stores are a single file containing the certificate and the private key. -To configure a PKCS12 key store, use the following properties: +To configure a PKCS12 keystore, use the following properties: [source,properties] ---- quarkus.tls.key-store.p12.path=server-keystore.p12 quarkus.tls.key-store.p12.password=secret ---- -`.p12` files are password-protected, so you need to provide the password to open the key store. -Also, they can include more than one certificate and private key. -In this case, you can: +`.p12` files are password-protected, so you need to provide the password to open the keystore. +These files can include more than one certificate and private key. -- either provide the alias of the certificate and private key you want to use -- or use SNI to select the appropriate certificate and private key (all keys must use the same password) +If this is the case, take either of the following actions: +* Provide the alias of the certificate and the private key you want to use. ++ To configure the alias, use the following properties: - ++ [source,properties] ---- quarkus.tls.key-store.p12.path=server-keystore.p12 @@ -181,11 +187,15 @@ quarkus.tls.key-store.p12.alias=my-alias quarkus.tls.key-store.p12.alias-password=my-alias-password ---- +* Alternatively, use SNI to select the appropriate certificate and private key. +Note that all keys must use the same password. + + ==== JKS key stores JKS key stores are a single file containing the certificate and the private key. Note that the JKS format should be avoided as it is less secure than PKCS12. -To configure a JKS key store, use the following properties: +To configure a JKS keystore, use the following properties: [source,properties] ---- 
@@ -193,15 +203,14 @@ quarkus.tls.key-store.jks.path=server-keystore.jks quarkus.tls.key-store.jks.password=secret ---- -`.jks` files are password-protected, so you need to provide the password to open the key store. +`.jks` files are password-protected, so you need to provide the password to open the keystore. Also, they can include more than one certificate and private key. -In this case, you can: - -- either provide the alias of the certificate and private key you want to use -- or use SNI to select the appropriate certificate and private key (all keys must use the same password) +If this is the case: +* Provide the alias of the certificate and the private key you want to use. ++ To configure the alias, use the following properties: - ++ [source,properties] ---- quarkus.tls.key-store.jks.path=server-keystore.jks @@ -210,10 +219,15 @@ quarkus.tls.key-store.jks.alias=my-alias quarkus.tls.key-store.jks.alias-password=my-alias-password ---- +* Alternatively, use SNI to select the appropriate certificate and private key. +Note that all keys must use the same password. + + + [#sni] ==== SNI -Server Name Indication (SNI) is a TLS extension that allows a client to specify the hostname it is attempting to connect to during the TLS handshake. +Server Name Indication (SNI) is a TLS extension allowing a client to specify the hostname it attempts to connect to during the TLS handshake. It enables a server to present different TLS certificates for multiple domains on a single IP address, facilitating secure communication for virtual hosting scenarios. To enable SNI, use the following property: 
@@ -223,17 +237,20 @@ To enable SNI, use the following property: quarkus.tls.key-store.sni=true # Disabled by default ---- -With this setting enabled, the client indicate the server name during the TLS handshake, allowing the server to select the right certificate: +With this setting enabled, the client indicates the server name during the TLS handshake, allowing the server to select the appropriate certificate: + +* When configuring the keystore with PEM files, multiple certificate (CRT) and key files must be provided. CRT is a common file extension for X.509 certificate files, typically in PEM (Privacy-Enhanced Mail) format. These files contain the public certificate. -- When configuring the keystore with PEM files, multiple CRT/Key must be given. -- When configuring the keystore with a JKS or a P12 file, it selects one alias based on the SNI hostname. In this case, all the keystore password and alias password must be the same. Do not set the `alias` property in this case. +* When configuring the keystore with a JKS or P12 file, the server selects the appropriate certificate based on the SNI (Server Name Indication) hostname provided by the client during the TLS handshake. +The server matches the SNI hostname with the common name (CN) or subject alternative names (SAN) configured in the certificates stored in the keystore. +All keystore and alias passwords must be identical, and there is no need to set the alias property. ==== Credential providers -Instead of passing the key store password and alias password in the configuration, you can use a credential provider. +You can use a credential provider instead of passing the keystore password and alias password in the configuration. -A credential provider offers a way to retrieve the key store password and alias password. -Note that the credential provider is only used if the password / alias password are not set in the configuration. +A credential provider offers a way to retrieve the keystore and alias password. 
+Note that the credential provider is only used if the password or alias password is not set in the configuration. To configure a credential provider, use the following properties: @@ -245,7 +262,7 @@ quarkus.tls.key-store.credentials-provider.name=my-credentials # The name of the bean providing the credential provider (optional, using the default credential provider if not set) quarkus.tls.key-store.credentials-provider.bean-name=my-credentials-provider -# The key used to retrieve the key store password, `password` by default +# The key used to retrieve the keystore password, `password` by default quarkus.tls.key-store.credentials-provider.password-key=password # The key used to retrieve the alias password, `alias-password` by default @@ -257,14 +274,15 @@ IMPORTANT: The credential provider can only be used with PKCS12 and JKS key stor === Trust stores Trust stores are used to store the certificates of the trusted parties. -They are generally used on the client-side, and on the server-side when mTLS is used. +In regular TLS, the client uses a truststore to authenticate the server. +With mutual TLS (mTLS), both the server and the client use truststores to authenticate each other. ==== PEM trust stores PEM trust stores are composed of a list of `.crt` or `.pem` files. Each of them contains a certificate. -To configure a PEM trust store, use the following properties: +To configure a PEM truststore, use the following properties: [source,properties] ---- @@ -274,9 +292,9 @@ quarkus.tls.trust-store.pem.certs=ca.crt,ca2.pem ==== PKCS12 trust stores PKCS12 trust stores are a single file containing the certificates. -When multiple certificates are included, you can use the alias to select the appropriate certificate. +You can use the alias to select the appropriate certificate when multiple certificates are included. -To configure a PKCS12 trust store, use the following properties: +To configure a PKCS12 truststore, use the following properties: [source,properties] ---- 
@@ -285,16 +303,16 @@ quarkus.tls.trust-store.p12.password=password quarkus.tls.trust-store.p12.alias=my-alias ---- -`.p12` files are password-protected, so you need to provide the password to open the trust store. -However, unlike for key stores, the alias does not require a password (because it's the public certificate and not a private key). +`.p12` files are password-protected, so you need to provide the password to open the truststore. +However, unlike key stores, the alias does not require a password because it contains a public certificate, not a private key. ==== JKS trust stores -JKS trust stores are a single file containing the certificates. -When multiple certificates are included, you can use the alias to select the appropriate certificate. -Note that the JKS format should be avoided as it is less secure than PKCS12. +JKS truststores are single files containing multiple certificates. +You can use the alias to select the appropriate certificate when multiple certificates are present. +However, avoid using the JKS format as it is less secure than PKCS12. -To configure a JKS trust store, use the following properties: +To configure a JKS truststore, use the following properties: [source,properties] ---- 
@@ -303,15 +321,14 @@ quarkus.tls.trust-store.jks.password=password quarkus.tls.trust-store.jks.alias=my-alias ---- -`.jks` files are password-protected, so you need to provide the password to open the trust store. -However, unlike for key stores, the alias does not require a password (because it's the public certificate and not a private key). +`.jks` files are password-protected, so you need to provide the password to open the truststore. +However, unlike keystores, the alias does not require a password because it contains a public certificate, not a private key. ==== Credential providers -Instead of passing the trust store password in the configuration, you can use a credential provider. - -A credential provider offers a way to retrieve passwords and other credentials. -Note that the credential provider is only used if the password is not set in the configuration. +Instead of passing the truststore password in the configuration, you can use a credential provider. +A credential provider allows you to retrieve passwords and other credentials. +Note that the credential provider is used only if the password is not set in the configuration. To configure a credential provider, use the following properties: @@ -323,7 +340,7 @@ quarkus.tls.trust-store.credentials-provider.name=my-credentials # The name of the bean providing the credential provider (optional, using the default credential provider if not set) quarkus.tls.trust-store.credentials-provider.bean-name=my-credentials-provider -# The key used to retrieve the trust store password, `password` by default +# The key used to retrieve the truststore password, `password` by default quarkus.tls.trust-store.credentials-provider.password-key=password ---- 
@@ -333,14 +350,14 @@ IMPORTANT: The credential provider can only be used with PKCS12 and JKS trust st While key stores and trust stores are the most important properties, there are other properties you can use to configure TLS. -NOTE: while the following examples use the _default_ configuration, you can use the _named_ configuration by prefixing the properties with the name of the configuration. +NOTE: While the following examples use the _default_ configuration, you can use the _named_ configuration by prefixing the properties with the configuration's name. ==== Cipher suites -The cipher suites are the list of ciphers that can be used during the TLS handshake. -You can configure the ordered list of enabled cipher suites. +Cipher suites are the list of ciphers that you can use during the TLS handshake. +You can configure the ordered list of enabled cipher suites. If not configured, a reasonable default is selected from the built-in ciphers. -However, when configured, it takes precedence over the default suite defined by the SSL engine in use. +However, when specified, your configuration precedes the default suite defined by the SSL engine in use. To configure the cipher suites, use the following property: 
@@ -352,10 +369,11 @@ quarkus.tls.cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 ==== TLS protocol versions The TLS protocol versions are the list of protocols that can be used during the TLS handshake. -You can configure the ordered list of enabled TLS protocols. -If not configured , it defaults to `TLSv1.3`, `TLSv1.2`. +Enabled TLS protocol versions are specified as an ordered list separated by commas. +The relevant configuration property is `quarkus.tls.protocols` (or `quarkus.tls..protocols` for named TLS configurations). +It defaults to `TLSv1.3, TLSv1.2` if not configured. -Are supported: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. +The supported values are: `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. To only enable `TLSv1.3`, configure the following property: @@ -367,7 +385,7 @@ quarkus.tls.protocols=TLSv1.3 ==== Handshake timeout When a TLS connection is established, the handshake phase is the first step. -During this phase, the client and server exchange information to establish the connection, typically the cipher suite, the TLS protocol version, the certification validation and so on. +During this phase, the client and server exchange information to establish the connection, typically the cipher suite, the TLS protocol version, the certification validation, and so on. To configure the timeout for the handshake phase, use the following property: 
@@ -378,10 +396,10 @@ quarkus.tls.handshake-timeout=10S # Default. ==== ALPN -Application-Layer Protocol Negotiation (ALPN) is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. -ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. +Application-Layer Protocol Negotiation (ALPN) is a TLS extension that allows the client and server to negotiate which protocol they will use for communication during the TLS handshake. +ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before establishing the TLS connection. -This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection. +This helps in scenarios like HTTP/2, where multiple protocols might be available, allowing for faster protocol selection. ALPN is enabled by default. To disable it, use the following property: 
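Review bot: moving "during the TLS handshake" to the end of the first sentence makes it modify "communication" instead of "negotiate", so the sentence now reads as if the application protocol is used during the handshake. Suggest "allows the client and server to negotiate, during the TLS handshake, which application protocol they will use". The second sentence's "before establishing the TLS connection" (carried over from the original) is also inaccurate: the ALPN extension travels in the ClientHello and ServerHello, so the negotiation happens inside the handshake, not before the connection; "before any application data is sent" is what is meant.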
@@ -391,19 +409,19 @@ To disable it, use the following property: quarkus.tls.alpn=false ---- + ==== Certificate Revocation List (CRL) -A Certificate Revocation List (CRL) is a list of certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. -When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore. +A Certificate Revocation List (CRL) is a list of certificates the issuing Certificate Authority (CA) revoked before their scheduled expiration date. +When a certificate is compromised, no longer needed, or deemed invalid, the CA adds it to the CRL to inform relying parties not to trust it anymore. You can configure the CRL with the list of certificate files you do not trust anymore. -Two formats are allowed: DER and PKCS#7 (also known as P7B). +Two formats are allowed: DER and PKCS#7 (P7B). * When using the DER format, you must pass DER-encoded CRLs. -* When using the PKCS#7 format, you must pass PKCS#7 `SignedData` object, with the only significant field being `crls`. +* When using the PKCS#7 format, you must pass the PKCS#7 `SignedData` object, with the only significant field being `crls`. To configure the CRL, use the following property: - [source,properties] ---- quarkus.tls.certificate-revocation-list=ca.crl, ca2.crl 
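Review bot: "the list of certificate files you do not trust anymore" is misleading; the property takes CRL files (the example uses `ca.crl`), which are CA-signed lists of revoked serial numbers, not the revoked certificates themselves. Suggest "the list of CRL files published by the CAs whose certificates you validate". Also, the example value `ca.crl, ca2.crl` has a space after the comma; either confirm in the text that surrounding whitespace is accepted for list values or drop the space, since readers copy these lines verbatim.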
@@ -411,13 +429,20 @@ quarkus.tls.certificate-revocation-list=ca.crl, ca2.crl ==== Trusting all certificates and hostname verification -IMPORTANT: These two properties should not be used in production. +[IMPORTANT] +==== +These two properties should not be used in production. + +You can configure your TLS connection to trust all certificates and disable the hostname verification. + +Note that these are two different processes: -You can configure your TLS connection to trust all certificates and to disable the hostname verification. -These are two different steps: +* Trusting all certificates ignores the certificate validation, so all certificates are trusted. +This method is useful for testing with self-signed certificates, but it should not be used in production. -- trusting all certificates ignores the certificate validation, so all certificates are trusted. It is useful for testing with self-signed certificates, but should not be used in production. -- hostname verification is the process of verifying the server's identity. It is useful to prevent man-in-the-middle attacks. It often defaults to `HTTPS` or `LDAPS`. +* Hostname verification is the process of verifying the server's identity. +It is useful to prevent man-in-the-middle attacks and often defaults to `HTTPS` or `LDAPS`. +==== To trust all certificates, use the following property: 
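Review bot: "It often defaults to `HTTPS` or `LDAPS`" is unclear: hostname verification is a process, and `HTTPS`/`LDAPS` are names of endpoint-identification algorithms (which rules are applied when matching the presented certificate against the requested host). Say what is being defaulted, i.e. the verification algorithm, and which property selects it. Also, now that the admonition block holds both the warning and the explanation, its first line "These two properties should not be used in production" comes before any property has been named; "The two properties described below" (or naming them) avoids the dangling reference.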
@@ -441,9 +466,10 @@ include::{generated-dir}/config/quarkus-tls-registry.adoc[opts=optional, levelof == The registry API -While extensions will automatically use the TLS registry, you can also use the registry API to access the TLS configuration programmatically. +While extensions automatically use the TLS registry, you can also access the TLS configuration programmatically through the registry API. -To access the TLS configuration, inject the `TlsConfigurationRegistry` bean and gets the TLS configuration by name (or the default one): +To access the TLS configuration, inject the `TlsConfigurationRegistry` bean. +You can retrieve a named TLS configuration by calling `get("")` or the default configuration by calling `getDefault()`. [source,java] ---- @@ -475,7 +501,7 @@ TlsCertificateBuildItem item = new TlsCertificateBuildItem("named", new MyCertificateSupplier()); ---- -The certificate supplier is a runtime object that is generally retrieved using a recorder method. +The certificate supplier is a runtime object generally retrieved by using a recorder method. Here is an example of a certificate supplier: [source,java] 
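Review bot: the placeholder in `get("")` was lost; it should read `get("<name>")`, consistent with the `registry.get("name")` call in the reload example further down. Also "While extensions automatically use the TLS registry" overstates the original "will automatically use": only extensions that integrate with the registry pick it up, so "Extensions that support the TLS registry use it automatically" is the accurate claim.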
@@ -511,15 +537,15 @@ public class MyCertificateSupplier implements Supplier { == Startup checks -When the application starts, the TLS registry performs some checks to ensure the configuration is correct: +When the application starts, the TLS registry performs several checks to ensure the configuration is correct: -- the key stores and trust stores are accessible -- the aliases are available and accessible in the key stores and trust stores -- the certificates are valid -- the cipher suites and protocols are valid -- the CRLs are valid +* Key stores and trust stores are accessible. +* Aliases are available and accessible in the key stores and trust stores. +* Certificates are valid. +* Cipher suites and protocols are valid. +* Certificate Revocation Lists (CRLs) are valid. -If any of these checks fail, the application will fail to start. +If any of these checks fail, the application will not start. [#reloading-certificates] == Reloading certificates @@ -534,7 +560,7 @@ The `reload` method returns a `boolean` indicating whether the reload was succes A value of `true` means the reload operation was successful, not necessarily that there were updates to the certificates. After a `TlsConfiguration` has been reloaded, servers and clients using this configuration may need to perform specific actions to apply the new certificates. -The recommended approach is to fire a CDI event (`CertificateReloadedEvent`) that servers and clients can listen to and make the necessary changes: +The recommended approach is to fire a CDI event (`CertificateUpdatedEvent`) that servers and clients can listen to and make the necessary changes: [source, java] ---- 
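Review bot: "Certificates are valid" is too vague for a check that decides whether the application starts; say what is verified (for example that the chain parses and is within its validity period) or, if only expiry is checked, say so, because readers will otherwise assume full chain and revocation validation happens at boot. Also, the rename from `CertificateReloadedEvent` to `CertificateUpdatedEvent` is an API change arriving through a documentation sync; confirm the class is published under the new name in the release this page documents, and if the old name is still available, mention it so readers on older versions can map the two.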
@@ -544,12 +570,12 @@ TlsConfigurationRegistry registry; public void reload() { TlsConfiguration config = registry.get("name").orElseThrow(); if (config.reload()) { - event.fire(new CertificateReloadedEvent("name", config)); + event.fire(new CertificateUpdatedEvent("name", config)); } } // In the server or client code -public void onReload(@Observes CertificateReloadedEvent event) { +public void onReload(@Observes CertificateUpdatedEvent event) { if ("name".equals(event.getName())) { server.updateSSLOptions(event.tlsConfiguration().getSSLOptions()); // Or update the SSLContext. @@ -561,9 +587,9 @@ These APIs provide a way to implement custom certificate reloading. === Periodic reloading -The TLS registry does include a built-in mechanism for periodically checking the file system for changes and reloading the certificates. -You can configure periodic reloading of certificates using properties. -The `reload-period` property specifies the interval at which certificates are reloaded, and it will emit a `CertificateReloadedEvent`. +The TLS registry includes a built-in mechanism for periodically checking the file system for changes and reloading certificates. +You can configure periodic certificate reloading by using properties. +The `reload-period` property specifies the interval for reloading certificates and will emit a `CertificateUpdatedEvent` each time certificates are reloaded. [source, properties] ---- 
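Review bot: "will emit a `CertificateUpdatedEvent` each time certificates are reloaded" is ambiguous given the paragraph above it, which says a successful `reload()` does not imply the certificates changed. State whether the periodic mechanism fires the event on every `reload-period` tick or only when a change on the file system is detected; listeners that rebuild an SSL context on every event will otherwise do needless work, and listeners that debounce may miss a real rotation.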
@@ -581,8 +607,8 @@ quarkus.tls.http.key-store.pem.0.cert=tls.crt quarkus.tls.http.key-store.pem.0.key=tls.key ---- -Remember that the impacted server and client may need to listen to the `CertificateReloadedEvent` to apply the new certificates. -This is automatically done for the Quarkus HTTP server (including the management interface if enabled). +Remember that the impacted server and client may need to listen to the `CertificateUpdatedEvent` to apply the new certificates. +This is automatically done for the Quarkus HTTP server, including the management interface if it is enabled. == Using Kubernetes secrets or cert-manager @@ -591,7 +617,7 @@ When running in Kubernetes, you can use Kubernetes secrets to store the key stor === Using Kubernetes secrets To use Kubernetes secrets, you need to create a secret with the key stores and trust stores. -Let's take the following secret as an example: +Consider the following secret as an example: [source, yaml] ---- @@ -605,7 +631,7 @@ metadata: type: kubernetes.io/tls ---- -The easiest way to uses these certificates is to mount the secret as a volume in the pod: +The easiest way to use these certificates is to mount the secret as a volume in the pod: [source, yaml] ---- 
@@ -672,14 +698,14 @@ You can combine this with the periodic reloading to automatically reload the cer === Using cert-manager -When running in Kubernetes, you can use cert-manager to automatically generate and renew certificates. -Cert-manager will produce a secret with the key stores and trust stores. -So, configuring the TLS registry is the same as when using Kubernetes secrets. -The generated secret uses the following files: +When running in Kubernetes, you can use cert-manager to generate and renew certificates automatically. +Cert-manager produces a secret containing the keystores and truststores. +Configuring the TLS registry is the same as when using Kubernetes secrets. +The generated secret includes the following files: -- `tls.crt` for the certificate -- `tls.key` for the private key -- `ca.crt` for the CA certificate (if needed) +* `tls.crt` for the certificate +* `tls.key` for the private key +* `ca.crt` for the CA certificate (if needed) To handle the renewal, you can use the periodic reloading mechanism: 
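Review bot: "Cert-manager produces a secret containing the keystores and truststores" contradicts the list that follows, which is three PEM files (`tls.crt`, `tls.key`, `ca.crt`); by default cert-manager writes a `kubernetes.io/tls` secret with exactly those keys, and PKCS#12/JKS keystores are an optional extra. Suggest "a secret containing the certificate, the private key and the CA certificate as PEM files". This hunk also switches to "keystores/truststores" while the earlier hunks (startup checks, Kubernetes secrets, the credential-provider note) keep "key stores and trust stores"; pick one spelling for the whole guide.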
@@ -696,14 +722,14 @@ To handle the renewal, you can use the periodic reloading mechanism: %prod.quarkus.http.insecure-requests=disabled ---- -== Utilizing OpenShift serving certificates +== Working with OpenShift serving certificates -When running your application in OpenShift, you can leverage the https://docs.openshift.com/container-platform/4.16/security/certificates/service-serving-certificate.html[OpenShift serving certificates] to automatically generate and renew TLS certificates. -The Quarkus TLS registry can use these certificates and Certificate Authority (CA) files to handle HTTPS traffic securely and to validate certificates. +When running your application in OpenShift, you can leverage the https://docs.openshift.com/container-platform/4.16/security/certificates/service-serving-certificate.html[OpenShift serving certificates] to generate and renew TLS certificates automatically. +The Quarkus TLS registry can use these certificates and Certificate Authority (CA) files to handle HTTPS traffic and validate certificates securely. === Acquiring a certificate -To have OpenShift generate a certificate, you need to annotate an existing _Service_ object. +To have OpenShift generate a certificate, annotate an existing _Service_ object. The generated certificate will be stored in a secret, which you can then mount in your pod. Consider the following _Service_ example: 
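Review bot: the OpenShift serving-certificates link is pinned to `container-platform/4.16`; in a guide regenerated by a bot that URL will silently go stale, so prefer an unversioned or attribute-driven docs URL. Also "handle HTTPS traffic and validate certificates securely" is filler that hides the point; "serve HTTPS with the generated certificate and validate the certificates of other services signed by the same service CA" says what the two files are for.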
@@ -733,16 +759,20 @@ spec: type: ClusterIP ---- -The annotation `service.beta.openshift.io/serving-cert-secret-name` instructs OpenShift to generate a certificate and store it in a secret named `my-tls-secret`. If your service is already running, you can add this annotation with the following command: +The annotation `service.beta.openshift.io/serving-cert-secret-name` instructs OpenShift to generate a certificate and store it in a secret named `my-tls-secret`. +To use the stored certificate: + +. Add this annotation to your already running service: ++ [source, shell] ---- oc annotate service hero-service \ service.beta.openshift.io/serving-cert-secret-name=my-tls-secret ---- -Next, mount the secret in your pod by updating your _Deployment_ configuration to include a volume and mount the secret: - +. Mount the secret as a volume in your pod by updating your _Deployment_ configuration: ++ [source, yaml] ---- apiVersion: apps/v1 
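Review bot: step 1 now reads "Add this annotation to your already running service", dropping the original condition "If your service is already running". The annotation is already present in the _Service_ example above, so the `oc annotate` command is only needed for a service that was created without it; reword to "If the service already exists without the annotation, add it with:" so readers do not think both the manifest change and the command are required.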
@@ -791,25 +821,26 @@ spec: protocol: TCP ---- <1> Define a volume to mount the secret. Use the same name as the secret declared above. -<2> Set up the key store with the paths to the certificate and private key. This can be configured using environment variables or configuration files. Here, we use environment variables. OpenShift serving certificates always create the `tls.crt` and `tls.key` files. +<2> Set up the keystore with the paths to the certificate and private key. This can be configured using environment variables or configuration files. Here, we use environment variables. OpenShift serving certificates always create the `tls.crt` and `tls.key` files. <3> Mount the secret in the container. Ensure the path matches the one used in the configuration (here `/etc/tls`). <4> Configure the port to serve HTTPS. ++ +NOTE: By setting the `quarkus.tls.key-store.pem.acme.cert` and `quarkus.tls.key-store.pem.acme.key` variables (or their environment variable variant as done above), the TLS registry will use the certificate and private key from the secret. +This configures the default keystore for the Quarkus HTTP server, allowing it to use the certificate. +For information about using this certificate in a named configuration, see <>. -By setting the `quarkus.tls.key-store.pem.acme.cert` and `quarkus.tls.key-store.pem.acme.key` variables (or their environment variable variant as done above), the TLS registry will use the certificate and private key from the secret. This configures the default key store for the Quarkus HTTP server, allowing it to use the certificate. -For using this certificate in a named configuration, refer to <>. - -Deploy your application, and it will utilize the certificate generated by OpenShift, making the service available over HTTPS. +. Deploy your application to use the certificate generated by OpenShift. +This will make the service available over HTTPS. 
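Review bot: the cross-reference in "see <>" is empty; the xref target was lost and needs restoring (the same loss appears in the REST-client and Let's Encrypt hunks further down). Also, the `<1>`..`<4>` callout list, and the NOTE attached to it with `+`, sit between the "Mount the secret" item and the "Deploy your application" item without being attached to the ordered list, so unless the callouts are joined to the step with a `+` continuation the numbering restarts and "Deploy" renders as step 1 of a new list; please check the rendered output.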
=== Trusting the Certificate Authority (CA) -Now that your service uses a certificate issued by OpenShift, you might need to configure your client applications to trust this certificate. -To accomplish this, create a _ConfigMap_ that holds the CA certificate and mount it in the application's pod. +Now that your service uses a certificate issued by OpenShift, configure your client applications to trust this certificate. +To do so, create a ConfigMap that holds the CA certificate, and then configure the pod to mount it. -In this example, we'll use a Quarkus REST client, but the same principle applies to any client. - -First, create a _ConfigMap_ for the CA certificate. -Start by defining an _empty_ ConfigMap, which will be populated with the CA certificate: +As demonstrated below with a Quarkus REST client, the same principle applies to any client. +. Start by defining an _empty_ ConfigMap, which will be populated with the CA certificate: ++ [source, yaml] ---- apiVersion: v1 @@ -819,13 +850,13 @@ metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" ---- - ++ The `service.beta.openshift.io/inject-cabundle` annotation is used to inject the CA certificate into the ConfigMap. Note that the ConfigMap initially has no data — it is empty. During its processing, OpenShift injects the CA certificate into the ConfigMap in the `service-ca.crt` file. -Next, mount the ConfigMap by adding a volume and mount it in your _Deployment_ configuration: - +. Mount the ConfigMap by adding a volume and mounting it in your _Deployment_ configuration: ++ [source, yaml] ---- apiVersion: apps/v1 
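Review bot: "As demonstrated below with a Quarkus REST client, the same principle applies to any client" is garbled; suggest "The example below uses a Quarkus REST client, but the same principle applies to any client". That sentence is also immediately followed by the list item ". Start by defining an _empty_ ConfigMap" with no blank line in between (the removed blank line was not re-added), so the item will be absorbed into the paragraph rather than start the numbered list.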
@@ -865,8 +896,10 @@ spec: <1> Mount the ConfigMap in the container. Ensure the path matches the one used in the configuration (here `/deployments/tls`). <2> Define a volume to mount the ConfigMap and reference the ConfigMap that receives the CA certificate. -Finally, configure the REST client to use this CA certificate. Consider the following REST client interface: - +. Configure the REST client to use this CA certificate. ++ +Consider the following REST client interface: ++ [source, java] ---- package org.acme; @@ -887,19 +920,21 @@ public interface HeroClient { } ---- -<1> Configure the base URI and the configuration key. The name must be in the format `..svc`, otherwise the certificate will not be trusted. Ensure to also configure the `configKey`. - -Next, configure the REST client to trust the CA certificate: +<1> Configure the base URI and the configuration key. +The name must be in the format `..svc`; otherwise, the certificate will not be trusted. +Ensure that the `configKey` is also configured. +. Configure the REST client to trust the CA certificate generated by OpenShift: ++ [source, properties] ---- quarkus.rest-client.hero.tls-configuration-name=my-service-tls # <1> quarkus.tls.my-service-tls.trust-store.pem.certs=/deployments/tls/service-ca.crt # <2> ---- <1> Configure the `hero` REST client with the TLS configuration named `my-service-tls`. -<2> Set up the `my-service-tls` TLS configuration, specifically the trust store with the CA certificate. Ensure the path matches the one used in the Kubernetes _Deployment_ configuration. The file is always named `service-ca.crt`. - -Now, the REST client is configured to trust the certificate generated by OpenShift. +<2> Set up the `my-service-tls` TLS configuration, specifically the truststore with the CA certificate. +Ensure the path matches the one used in the Kubernetes _Deployment_ configuration. +The file is always named `service-ca.crt`. === Certificate renewal 
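Review bot: the placeholder in "The name must be in the format `..svc`" was lost; it should read `<service>.<namespace>.svc`, which is the only name the serving CA issues the certificate for, so without the placeholder the sentence gives the reader nothing to act on. Also "Ensure that the `configKey` is also configured" doubles "also", and the "Configure the REST client to trust the CA certificate" item follows a callout list in the same way as the Deployment steps above, so its numbering will restart unless the callouts are attached with `+`.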
@@ -933,74 +968,76 @@ Commands: available. ---- -In most cases, you generate the Quarkus Development CA once, and then generate certificates signed by this CA. +In most cases, you generate the Quarkus Development CA once and then generate certificates signed by this CA. The Quarkus Development CA is a Certificate Authority that can be used to sign certificates locally. It is only valid for development purposes and only trusted on the local machine. -The generated CA is located in `$HOME/.quarkus/quarkus-dev-root-ca.pem`, and installed in the system trust store. +The generated CA is located in `$HOME/.quarkus/quarkus-dev-root-ca.pem`, and installed in the system truststore. -=== CA, signed vs. self-signed certificates +=== Understanding self-signed versus CA-signed certificates When developing with TLS, you can use two types of certificates: - - a self-signed certificate: the certificate is signed by the same entity that uses it. It is not trusted by default. It's generally what we use when we don't have a CA, or don't want to dig too much into TLS. This is not a production setup, and may be used only for development. -- a signed certificate: the certificate is signed by a Certificate Authority (CA). The CA is a trusted entity that signs the certificate. The certificate is trusted by default. This is what we use in production. +* **Self-signed certificate**: The certificate is signed by the same entity that uses it. +It is not trusted by default. +This type of certificate is typically used when a Certificate Authority (CA) is unavailable or you want a simple setup. +It is not suitable for production and should only be used for development. + +* **CA-signed certificate**: The certificate is signed by a Certificate CA, a trusted entity. +This certificate is trusted by default and is the standard choice for production environments. -We could use self-signed certificate when running application locally, but it's not always convenient. 
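Review bot: "signed by a Certificate CA" is a typo; write "signed by a Certificate Authority (CA)". Also "This certificate is trusted by default" is only true for clients that already trust the issuing CA; say "trusted by any client that trusts the CA", which is exactly the property the following section relies on when it installs the development CA into the system truststore.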
-Typically, browsers will not trust the certificate, and you will have to import it manually. -`curl`, `wget`, `httpie` and other tools will also not trust the certificate. +While you can use a self-signed certificate for local development, it has limitations. +Browsers and tools like `curl`, `wget`, and `httpie` typically do not trust self-signed certificates, requiring manual import. -To avoid this, we can use a development CA to sign the certificates, and install it into the system trust store. -Thus, every certificate signed by this CA will be trusted by the system. +To avoid this issue, you can use a development CA to sign certificates and install the CA in the system truststore. +This ensures that the system trusts all certificates signed by the CA. -Quarkus makes it easy to generate a development CA and certificates signed by this CA. +Quarkus simplifies the generation of a development CA and the certificates that are signed by this CA. === Generate a development CA The development CA is a Certificate Authority that can be used to sign certificates locally. -Note that the generated CA is only valid for development purposes, and only trusted on the local machine. - -To generate a development CA, use the following command: +Note that the generated CA is only valid for development purposes and can only be trusted on the local machine. +. Generate a development CA: ++ [source, shell] ---- -quarkus tls generate-ca-certificate --install --renew --truststore +quarkus tls generate-ca-certificate --install --renew --truststore <1> <2> <3> ---- - -`--install` installs the CA in the system trust store. -Windows, Mac and Linux (Fedora and Ubuntu) are supported. -However, depending on your browser, you may need to import the generated CA manually. -Refer to the browser documentation for more information. +<1> `--install` installs the CA in the system truststore. +Windows, Mac, and Linux (Fedora and Ubuntu) are supported. 
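Review bot: "can only be trusted on the local machine" changes the meaning of the original "only trusted on the local machine"; nothing prevents someone importing the PEM elsewhere, the point is that it is only installed locally, and that is what keeps it safe for development. Keep "is only trusted on the local machine". This paragraph also duplicates the intro above ("The Quarkus Development CA is a Certificate Authority that can be used to sign certificates locally. It is only valid for development purposes and only trusted on the local machine."); keep one of the two.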
+However, depending on your browser, you might need to import the generated CA manually. +Refer to your browser's documentation for more information. The generated CA is located in `$HOME/.quarkus/quarkus-dev-root-ca.pem`. +<2> `--renew` renews the CA if it already exists. +When this option is used, the private key is changed, so you need to regenerate the certificates signed by the CA. +If the CA expires, it will automatically renew without requiring the `--renew` option. +<3> `--truststore` also generates a PKCS12 truststore containing the CA certificate. -WARNING: When installing the certificate, your system may ask for your password to install the certificate in the system trust store, or ask for confirmation in a dialog (on Windows). - -IMPORTANT: On Windows, makes sure you run from an elevated terminal (run as administrator) to install the CA in the system trust store. - -`--renew` renews the CA if it already exists. -When this option is used, you need to re-generate the certificates that were signed by the CA, as the private key is changed. -Note that if the CA expires, it will automatically be renewed (without passing `--renew`). +WARNING: When installing the certificate, your system might ask for your password to install the certificate in the system truststore or ask for confirmation in a dialog on Windows. -`--truststore` also generates a PKCS12 trust store containing the CA certificate. +IMPORTANT: On Windows, run as administrator from an elevated terminal to install the CA in the system truststore. === Generate a trusted (signed) certificate -Once you have installed the Quarkus Development CA, you can generate a trusted certificate. -It will be signed by the Quarkus Development CA, and so trusted by your system. +After installing the Quarkus Development CA, you can generate a trusted certificate. +This certificate will be signed by the Quarkus Development CA and trusted by your system. 
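Review bot: the `--renew` callout says the private key changes and certificates signed by the CA must be regenerated, but the next sentence says an expired CA "will automatically renew without requiring the `--renew` option" without saying whether automatic renewal also rotates the key (invalidating previously issued certificates) or re-signs with the same key; state which, because the operational consequence is different. Also, three callouts on one command line (`<1> <2> <3>`) render as a row of icons with no association to the individual flags; either split the flags one per line with a shell line continuation, or keep the flag descriptions as the paragraphs they were.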
[source, shell] ---- quarkus tls generate-certificate --name my-cert ---- -This generates a certificate signed by the Quarkus Development CA, and so if properly installed / imported, will be trusted by your system. +This command generates a certificate signed by the Quarkus Development CA, which your system will trust if properly installed or imported. The certificate is stored in `./.certs/`. Two files are generated: -- `$NAME-keystore.p12` - contains the private key and the certificate. It's password protected. -- `$NAME-truststore.p12` - contains the CA certificate, that you can used as trust store (for test, for instance). +* `$NAME-keystore.p12`: Contains the private key and the certificate. +It is password-protected. +* `$NAME-truststore.p12`: Contains the CA certificate, which you can use as a truststore, for example, for testing. -More options are available: +Additional options are available: [source, shell] ---- @@ -1018,7 +1055,7 @@ Generate a TLS certificate with the Quarkus Dev CA if available. -r, --renew Whether existing certificates will need to be replaced ---- -When generating the certificate, a `.env` file is also generated making the Quarkus dev mode aware of these certificates. +A `.env` file is also generated when generating the certificate, making the Quarkus dev mode aware of these certificates. So, then, if you run your application in dev mode, it will use these certificates: [source, shell] @@ -1028,7 +1065,7 @@ So, then, if you run your application in dev mode, it will use these certificate INFO [io.quarkus] (Quarkus Main Thread) demo 1.0.0-SNAPSHOT on JVM (powered by Quarkus 999-SNAPSHOT) started in 1.286s. Listening on: http://localhost:8080 and https://localhost:8443 ---- -Now, you can open the Dev UI using HTTPS: `https://localhost:8443/q/dev`, or issue a request using `curl`: +Now, you can open the Dev UI using HTTPS: `https://localhost:8443/q/dev` or issue a request using `curl`: [source, shell] ---- 
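Review bot: `$NAME-keystore.p12` is described as password-protected, but nothing says where the password is or how the application receives it; the later sentence only says a `.env` file makes dev mode aware of the certificates. If the password is written to `.env`, say so and warn that the file then contains a secret and must not be committed; if it is obtained another way, document that. Also `$NAME` is used without being defined; tie it to the `--name my-cert` example (`my-cert-keystore.p12`, `my-cert-truststore.p12`).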
@@ -1036,7 +1073,7 @@ curl https://localhost:8443/hello Hello from Quarkus REST% ---- -IMPORTANT: If the Quarkus Development CA is not installed, a self-signed certificate is generated. +IMPORTANT: A self-signed certificate is generated if the Quarkus Development CA is not installed. === Generating a self-signed certificate @@ -1048,7 +1085,7 @@ Even if the Quarkus Development CA is installed, you can generate a self-signed quarkus tls generate-certificate --name my-cert --self-signed ---- -This generates a self-signed certificate, not signed by the Quarkus Development CA. +This generates a self-signed certificate that the Quarkus Development CA does not sign. === Uninstalling the Quarkus Development CA 
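Review bot: the expected `curl` output `Hello from Quarkus REST%` carries a trailing `%`, which is the shell's missing-newline marker rather than application output; drop it. Also "a self-signed certificate that the Quarkus Development CA does not sign" is tautological and reads worse than the original; "This generates a self-signed certificate instead of one signed by the Quarkus Development CA" is clearer.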
@@ -1113,19 +1150,20 @@ sudo security -v remove-trusted-cert -d /Users/clement/.quarkus/quarkus-dev-root https://letsencrypt.org[Let's Encrypt] is a free, automated certificate authority provided by https://www.abetterinternet.org/[Internet Security Research Group]. -Let's Encrypt uses https://datatracker.ietf.org/doc/html/rfc8555[Automated certificate management environment (ACME) protocol] to support an automatic certificate issuance and renewal. Please read https://letsencrypt.org/docs/[Let's Encrypt documentation] to learn more about Let's Encrypt and ACME. +Let's Encrypt uses https://datatracker.ietf.org/doc/html/rfc8555[Automated certificate management environment (ACME) protocol] to support automatic certificate issuance and renewal. +To learn more about Let's Encrypt and ACME, see https://letsencrypt.org/docs/[Let's Encrypt documentation]. -TLS registry project provides a CLI ACME client to issue and renew Let's Encrypt certificates. -Your application uses TLS registry to resolve ACME protocol challenges. +The TLS registry extension allows a CLI ACME client to issue and renew Let's Encrypt certificates. +Your application uses this TLS registry extension to resolve ACME protocol challenges. Follow the steps below to have your Quarkus application prepared and automatically updated with new and renewed Let's Encrypt certificates. [[lets-encrypt-prerequisites]] === Prerequisites -Make sure that a fully resolvable DNS domain name is available and can be used to access your application. -This domain name is used for creating a Let's Encrypt account, and supporting Let's Encrypt ACME challenges to prove that you own this domain. -You can use https://ngrok.com/[Ngrok] to start experimenting with the Quarkus Let's Encrypt ACME feature, see <> section below for more information. +Ensure that a fully resolvable DNS domain name is available that you can use to access your application. 
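Review bot: "The TLS registry extension allows a CLI ACME client" changes the meaning of "provides a CLI ACME client"; "allows" suggests any ACME client can be used, whereas the following sections are about the registry's own `quarkus tls lets-encrypt` commands. Restore "provides". Also the context line `sudo security -v remove-trusted-cert -d /Users/clement/.quarkus/quarkus-dev-root-ca.pem` hard-codes a personal home directory; use `$HOME/.quarkus/quarkus-dev-root-ca.pem` as the rest of the guide does.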
+You can use this domain name to create a Let's Encrypt account and support Let's Encrypt ACME challenges to prove that you own this domain. +You can use https://ngrok.com/[ngrok] to start experimenting with the Quarkus Let's Encrypt ACME feature; for more information, see the <> section below. Your Quarkus HTTPS application must use a _build-time_ property to enable a Let's Encrypt ACME challenge route: @@ -1134,8 +1172,8 @@ Your Quarkus HTTPS application must use a _build-time_ property to enable a Let' quarkus.tls.lets-encrypt.enabled=true ---- -The TLS registry can manage the challenge process from either the main HTTP interface or from the management interface. -Using a management interface is **strongly** recommended to let Quarkus deal with ACME challenge configuration separately to the main application's deployment and security requirements: +The TLS registry can manage the challenge process from either the main HTTP interface or the management interface. +Using a management interface is **strongly** recommended to let Quarkus deal with ACME challenge configuration separately from the main application's deployment and security requirements: [source, properties] ---- 
@@ -1143,13 +1181,34 @@ quarkus.tls.lets-encrypt.enabled=true quarkus.management.enabled=true ---- -The challenge itself is served from the primary HTTP interface (the one accessible from your DNS domain name). +[IMPORTANT] +==== +.Port 80 +The Let's Encrypt ACME challenge requires that the application is reachable on port `80` (basically: `http://your-dns-name`). +Ensure the port `80` is accessible from the Internet. +It might require an explicit security policy depending on your hosting provider. + +We also recommend setting `quarkus.http.insecure-requests` to `redirect` to redirect all HTTP requests to HTTPS. +The ACME challenge accepts self-signed certificates and up to 10 redirections: + +[source, properties] +---- +quarkus.tls.lets-encrypt.enabled=true +quarkus.management.enabled=true +quarkus.http.insecure-requests=redirect +---- + +==== + +[[lets-encrypt-prepare]] + +The challenge is served from the primary HTTP interface (accessible from your DNS domain name). IMPORTANT: Do not start your application yet. === Application preparation -Before you request a Let's Encrypt certificate, you must run TLS registry Let's Encrypt CLI `prepare` command to prepare your application: +Before you request a Let's Encrypt certificate, you must run the TLS registry Let's Encrypt CLI `prepare` command to prepare your application: [source, shell] ---- 
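Review bot: the new "Port 80" admonition says the application must be reachable on port 80, but the guide's own examples show it listening on 8080 and 8443 and the `redirect` snippet does not change that; say how port 80 is expected to reach the application (run the HTTP listener on 80, or map 80 to it at the container or load-balancer level), otherwise readers will set `quarkus.http.insecure-requests=redirect` and still fail the HTTP-01 challenge. It would also help to note that `quarkus.http.insecure-requests` is a runtime property, unlike the two build-time properties it is listed with, since the later NOTE about the `.env` file draws exactly that distinction. Finally, the `[[lets-encrypt-prepare]]` anchor is followed by a blank line and then a plain paragraph; if it is the target of the "previous <> step" xrefs below, it belongs directly above the `=== Application preparation` heading.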
@@ -1160,9 +1219,9 @@ IMPORTANT: Make sure you run a prepare command in the root directory of your app The `prepare` command does the following: -- Creates a `.letsencrypt` folder in your application's root directory -- Creates a self-signed domain certificate and private key for your application configured in the previous <> step to be able to start and accept HTTPS requests. -- Create a `.env` configuration file in your application's root directory configure the application to use the self-signed domain certificate and private key (until we get the Let's Encrypt certificate). +* Creates a `.letsencrypt` folder in your application's root directory +* Creates a self-signed domain certificate and private key for your application configured in the previous <> step to be able to start and accept HTTPS requests +* Creates a `.env` configuration file in your application's root directory and configures the application to use the self-signed domain certificate and private key (until we get the Let's Encrypt certificate) The following snippet shows an example of the generated `.env` file: @@ -1172,7 +1231,7 @@ quarkus.tls.key-store.pem.acme.cert=.letsencrypt/lets-encrypt.crt quarkus.tls.key-store.pem.acme.key=.letsencrypt/lets-encrypt.key ---- -NOTE: The `.env` file does not contain the `quarkus.tls.lets-encrypt.enabled` and `quarkus.management.enabled` properties as they are build-time properties requiring a rebuild of the application. +NOTE: The `.env` file does not contain the `quarkus.tls.lets-encrypt.enabled` and `quarkus.management.enabled` properties as they are build-time properties that require a rebuild of the application. === Start your application 
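Review bot: the generated `.env` file and the relative paths in it (`.letsencrypt/lets-encrypt.crt`, `.letsencrypt/lets-encrypt.key`) are both resolved against the working directory, so the IMPORTANT about running `prepare` from the application root should also say that the application itself (`java -jar quarkus-run.jar` in the next section) must be started from that same directory; otherwise the `.env` is not picked up and the key-store paths do not resolve. Also the second bullet's "in the previous <> step" has a lost xref target.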
@@ -1183,7 +1242,7 @@ You can start your application: java -jar quarkus-run.jar ---- -Access your application endpoint using `https://your-domain-name:8443/`, for example, `https://your-domain-name:8443/hello`, accept a self-signed certificate in the browser. +Access your application endpoint by using `https://your-domain-name:8443/`; for example, `https://your-domain-name:8443/hello`, and accept a self-signed certificate in the browser. Next, keep the application running and request your first Let's Encrypt certificate. 
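Review bot: the rewritten sentence is harder to follow than the original: "Access your application endpoint by using `https://your-domain-name:8443/`; for example, `https://your-domain-name:8443/hello`, and accept…" splits one instruction across a semicolon and a dangling "and". Suggest "Access your application endpoint, for example `https://your-domain-name:8443/hello`, and accept the self-signed certificate in the browser." It would also help to remind the reader that this is the certificate generated by the `prepare` command, not the Let's Encrypt one yet, so they know what they are accepting and why a browser warning is expected at this stage.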
@@ -1201,17 +1260,23 @@ quarkus tls lets-encrypt issue-certificate \ ---- <1> Set your domain name. <2> Provide your contact email address that Let's Encrypt can use to contact you in case of any issues with your Let's Encrypt account. -<3> Set your application management URL which can be used to handle ACME challenges. Use `https://localhost:8443/` if you chose not to enable a management router in the <> step. +<3> Set your application management URL, which you can use to handle ACME challenges. +Use `https://localhost:8443/` if you choose not to enable a management router in the <> step. -During this command, the TLS registry CLI checks if the application is prepared to serve the challenge, creates and records Let's Encrypt account information, issues a Let's Encrypt certificate request, and interacts with the Quarkus application to resolve ACME challenges. +During the processing of the `issue-certificate` command, the TLS registry CLI performs the following tasks: + +* Checks if the application is prepared to serve the challenge. +* Creates and records Let's Encrypt account information. +* Issues a Let's Encrypt certificate request. +* Interacts with the Quarkus application to resolve ACME challenges. Once the Let's Encrypt certificate chain and private key have been successfully acquired, they are converted to PEM format and copied to your application's `.letsencrypt` folder. -The TLS registry is informed that a new certificate and private key are ready, and reloads them automatically. +The TLS registry is informed that a new certificate and private key are ready and reloads them automatically. Now, access your application's endpoint using `https://your-domain-name:8443/` again. -Confirm in the browser that your domain certificate is now signed by the Let's Encrypt certificate authority. +Confirm in the browser that the Let's Encrypt certificate authority is now signing your domain certificate. 
-Note that currently, a Let's Encrypt account is created implicitly by the `issue-certificate` command to make it easy for users to get started with the ACME protocol. +Note that currently, the `issue-certificate` command implicitly creates a Let's Encrypt account to make it easy for users to get started with the ACME protocol. Support for the Let's Encrypt account management will evolve further. [[lets-encrypt-renew-certificate]] 
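Review bot: "Confirm in the browser that the Let's Encrypt certificate authority is now signing your domain certificate" changes the meaning of the original: the progressive "is now signing" describes an ongoing action, whereas the check is that the certificate's issuer is Let's Encrypt. Keep the passive here ("is now signed by the Let's Encrypt certificate authority") or write "was issued by". In callout `<3>`, "if you choose not to enable a management router" replaces "chose"; the decision was made in the earlier configuration step the sentence refers to, so the past tense was the correct one.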
@@ -1231,37 +1296,37 @@ quarkus tls lets-encrypt renew-certificate \ During this command, TLS registry CLI reads a Let's Encrypt account information recorded during the <> step, issues a Let's Encrypt certificate request, and communicates with a Quarkus application to have ACME challenges resolved. Once the Let's Encrypt certificate chain and private key have been successfully renewed, they are converted to PEM format and copied to your application's `.letsencrypt` folder. -TLS registry is informed that a new certificate and private key are ready and it reloads them automatically. +The TLS registry is notified when a new certificate and private key are ready, and it automatically reloads them. [[lets-encrypt-ngrok]] -=== Use NGrok for testing +=== Use ngrok for testing -https://ngrok.com/[Ngrok] can be used to provide a secure HTTPS tunnel to your application running on localhost, and make it easy to test HTTPS based applications. +https://ngrok.com/[ngrok] can be used to provide a secure HTTPS tunnel to your application running on localhost, and make it easy to test HTTPS based applications. -Using Ngrok provides an easiest option to get started with the Quarkus Let's Encrypt ACME feature. +ngrok provides a simplified way of getting started with the Quarkus Let's Encrypt ACME feature. -The first thing you have to do with Ngrok is to ask it to reserve a domain. -You can use https://github.com/quarkiverse/quarkus-ngrok[Quarkiverse NGrok] in devmode, or have it reserved directly in the NGrok dashboard. +The first thing you have to do with ngrok is to ask it to reserve a domain. +You can use https://github.com/quarkiverse/quarkus-ngrok[Quarkiverse ngrok] in dev mode or reserve it directly in the ngrok dashboard. -Unfortunately, you can't use your NGrok domain to test the Quarkus Let's Encrypt ACME feature immediately. 
-This is due to the fact that Ngrok is itself using Let's Encrypt and intercepts ACME challenges which are meant to be handled by the Quarkus application instead. +Unfortunately, you cannot use your ngrok domain to test the Quarkus Let's Encrypt ACME feature immediately. +This is because ngrok itself uses Let's Encrypt and intercepts ACME challenges that are meant to be handled by the Quarkus application instead. -Therefore, you need to remove an NGrok Let's Encrypt certificate policy from your NGrok domain: +Therefore, remove the ngrok Let's Encrypt certificate policy from your ngrok domain: [source, shell] ---- ngrok api --api-key reserved-domains delete-certificate-management-policy ---- -`YOUR-RESERVED-DOMAIN-ID` is your reserved domain's id which starts from `rd_`, you can find it in the https://dashboard.ngrok.com/cloud-edge/domains[NGrok dashboard domains section]. +`YOUR-RESERVED-DOMAIN-ID` is your reserved domain's id which starts from `rd_`, you can find it in the https://dashboard.ngrok.com/cloud-edge/domains[ngrok dashboard domains section]. -Now, NGrok will forward ACME challenges over HTTP only, therefore you need to start Ngrok like this: +Now, because ngrok only forwards ACME challenges over HTTP, start ngrok as follows: [source, shell] ---- -ngrok http --domain 8080 --scheme http +ngrok http --domain 8080 --scheme http <1> ---- - -where `8080` is the localhost HTTP port that your application is listening on. +<1> `8080` is the localhost HTTP port your application is listening on. +Note that the application will be accessible from `http://YOUR-NGROK-DOMAIN` on port `80` but redirected to your local machine on port `8080`. You can now test the Quarkus Let's Encrypt ACME feature from your local machine. diff --git a/_guides/update-quarkus.adoc b/_guides/update-quarkus.adoc index 0d6fc59295..8e094c35a2 100644 --- a/_guides/update-quarkus.adoc +++ b/_guides/update-quarkus.adoc 
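Review bot: the added callout text "accessible from `http://YOUR-NGROK-DOMAIN` on port `80` but redirected to your local machine on port `8080`" uses "redirected" for what ngrok does, which is forward the tunnelled connection; since this guide just recommended `quarkus.http.insecure-requests=redirect` for HTTP redirects, say "forwarded" to avoid conflating the two mechanisms. The unchanged sentence "`YOUR-RESERVED-DOMAIN-ID` is your reserved domain's id which starts from `rd_`, you can find it in…" is a comma splice and should read "…id, which starts with `rd_`; you can find it in…". Passing the API key inline with `--api-key` also leaves it in shell history; a pointer to ngrok's documented alternatives to an inline flag would help readers who copy the command as-is.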
@@ -20,6 +20,7 @@ Post-update, if expected updates are missing, consider the following reasons: - The recipe might not include a specific item in your project. - Your project might use an extension that is incompatible with the latest {project-name} version. +- If you have Gradle Kotlin build files (`.kts`), Quarkus Update https://github.com/quarkusio/quarkus/issues/33046[will fail] until OpenRewrite supports these. [IMPORTANT] ====
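Review bot: the new bullet hardcodes "Quarkus" while the bullet directly above uses the `{project-name}` attribute; use `{project-name} Update` for consistency. The link text "will fail" is an awkward anchor and "these" has no clear referent; suggest "If you have Gradle Kotlin DSL build files (`.kts`), {project-name} Update https://github.com/quarkusio/quarkus/issues/33046[fails] until OpenRewrite supports them."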