Class OidcConfig

java.lang.Object
dev.relism.flash.ext.oidc.OidcConfig

public final class OidcConfig extends Object
Full OIDC client configuration. Build via builder(String, String, String, String) or fromEnv().

Required fields: issuer, clientId, clientSecret, redirectUri. Everything else has a sensible default.

If redirectUri starts with /, it is treated as server-relative: the absolute URL is built at request time from selfScheme() and the incoming Host header. Because that header is supplied by the request, the resulting redirect URL is only as trustworthy as the Host value the deployment lets through. Use OidcConfig.Builder.https() when behind TLS.


 // Keycloak
 OidcConfig.builder(
         "https://keycloak.example.com/realms/myrealm",
         "my-app", "secret", "/auth/callback")
     .rolesClaimPath("realm_access.roles")   // Keycloak default
     .scopeClaimPaths("scope,scp")           // default; supports many IdPs
     .build();

 // Authelia
 OidcConfig.builder(
         "https://auth.example.com",
         "my-app", "secret", "/auth/callback")
     .rolesClaimPath("groups")
     .scopeClaimPaths("scope,scp")
     .build();

 // Two tenants on one server
 OidcConfig tenantA = OidcConfig.builder("https://idp/realms/a", ..., "/tenantA/auth/callback")
     .routePrefix("/tenantA/auth").build();
 OidcConfig tenantB = OidcConfig.builder("https://idp/realms/b", ..., "/tenantB/auth/callback")
     .routePrefix("/tenantB/auth").build();
 app.install(new OidcExtension(tenantA))
    .install(new OidcExtension(tenantB));
 
  • Method Details

    • issuer

      public String issuer()
    • clientId

      public String clientId()
    • clientSecret

      public String clientSecret()
    • redirectUri

      public String redirectUri()
    • scopes

      public String scopes()
    • routePrefix

      public String routePrefix()
    • selfScheme

      public String selfScheme()
    • rolesClaimPath

      public String rolesClaimPath()
    • scopeClaimPaths

      public String scopeClaimPaths()
      Comma-separated claim paths used to read OAuth2 scopes (default: "scope,scp").
    • algorithm

      public String algorithm()
    • postLogoutRedirectUri

      public String postLogoutRedirectUri()
    • sessionStore

      public OidcSessionStore sessionStore()
    • insecureTls

      public boolean insecureTls()
      If true, TLS certificate validation is skipped. Never use in production.
    • clientAuthMethod

      public ClientAuthMethod clientAuthMethod()
    • schemeName

      public String schemeName()
      OpenAPI security scheme name (derived from issuer if not set explicitly).
    • fromEnv

      public static OidcConfig fromEnv()
      Reads configuration from environment variables:
       OIDC_ISSUER               required
       OIDC_CLIENT_ID            required
       OIDC_CLIENT_SECRET        required
       OIDC_REDIRECT_URI         required  (e.g. /auth/callback)
       OIDC_SCOPES               default: openid profile email
       OIDC_ROUTE_PREFIX         default: /auth
       OIDC_SELF_SCHEME          default: http
       OIDC_ROLES_CLAIM          default: realm_access.roles
       OIDC_SCOPE_CLAIMS         default: scope,scp
       OIDC_ALGORITHM            default: RS256
       OIDC_POST_LOGOUT_REDIRECT default: /
       
    • builder

      public static OidcConfig.Builder builder(String issuer, String clientId, String clientSecret, String redirectUri)
    • keycloak

      public static OidcConfig.Builder keycloak(String serverUrl, String realm, String clientId, String clientSecret, String redirectUri)
      Convenience factory for Keycloak: constructs the issuer as {serverUrl}/realms/{realm} automatically.
      
       OidcConfig.keycloak(
           "https://keycloak.example.com", "flashboard",
           "my-app", "secret", "/auth/callback")
         .https()
         .build();