Defines the <key id, public key> mappings that are loaded by Blueriq if blueriq.security.openid-connect.use-discovery is false.
Note that the key value should be encoded as Base64 encoded bytes that conform to the X509EncodedKeySpec
The client-id of the Runtime, as defined at the identity provider.
The client secret of the Runtime, as defined at the identity provider. This value is used, for example, to complete the OpenID Connect Authorization Code Flow, when exchanging the authorization code for ID and access tokens.
The OpenID Connect scopes used when starting the Authorization Code flow. The scopes must include the value "openid" in order for the identity provider to recognize that the OpenID Connect Authorization Code flow must be initiated. If "openid" is not specified as a scope, the identity provider may instead initiate the OAuth2 Authorization Code flow (depends on the identity provider in use). Multiple scopes can be specified separated with coma.
the URL of the endpoint where access codes can be exchanged for ID and access tokens.
Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/token
Additional custom parameters to be sent to the token endpoint. For example;
blueriq.security.openid-connect.token-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/
the URL where the OpenID Connect Authorization Code flow can be started.
Example for Keycloak: http://<host>:<port>/auth/realms/<realm name>/protocol/openid-connect/auth
Additional custom parameters to be sent to the authorization endpoint. For example;
blueriq.security.openid-connect.authorization-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/
The expected issuer in the "iss" claim of JWT tokens. A received JWT which does not have this exact, case-sensitive value in its "iss" claim will be rejected as invalid.
Boolean indicating whether the audience claim should be checked. If true, the audience claim must contain the Runtime's client-id. All JWTs which do not contain the Runtime's client-id in the audience claim are rejected as invalid.
When false, the audience claim is not checked. Default: false.
Boolean indicating whether when logging out of Blueriq the user should be logged out of the Single-Sign-On session as well.
Default: false
Optional URI that the OpenID Connect provider should redirect to after logging out. This property will be taken account both when using discovery and when using manual configuration through properties.
Since Blueriq 15.13.1
Additional custom parameters to be sent to the user info endpoint. For example;
blueriq.security.openid-connect.user-info-endpoint-parameters.audience=https://example.eu.auth0.com/api/v2/