Client config: OAuth2 Authentication, Token Exchange
Property | Description |
---|---|
nessie.authentication.oauth2.token-exchange.enabled | Enable OAuth2 token exchange. If enabled, each access token obtained from the OAuth2 server will be exchanged for a new token, using the token endpoint and the token exchange grant type, as defined in RFC 8693. |
nessie.authentication.oauth2.token-exchange.issuer-url | For token exchanges only. The root URL of an alternate OpenID Connect identity issuer provider, to use when exchanging tokens only. If neither this property nor “nessie.authentication.oauth2.token-exchange.token-endpoint” are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange. Endpoint discovery is performed using the OpenID Connect Discovery metadata published by the issuer. See OpenID Connect Discovery 1.0 for more information. |
nessie.authentication.oauth2.token-exchange.token-endpoint | For token exchanges only. The URL of an alternate OAuth2 token endpoint to use when exchanging tokens only. If neither this property nor “nessie.authentication.oauth2.token-exchange.issuer-url” are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange. |
nessie.authentication.oauth2.token-exchange.client-id | For token exchanges only. An alternate client ID to use. If not provided, the global client ID will be used. If provided, and if the client is confidential, then its secret must be provided as well with “nessie.authentication.oauth2.token-exchange.client-secret” – the global client secret will NOT be used. |
nessie.authentication.oauth2.token-exchange.client-secret | For token exchanges only. The client secret to use, if “nessie.authentication.oauth2.token-exchange.client-id” is defined and the token exchange client is confidential. |
nessie.authentication.oauth2.token-exchange.resource | For token exchanges only. A URI that indicates the target service or resource where the client intends to use the requested security token. Optional. |
nessie.authentication.oauth2.token-exchange.audience | For token exchanges only. The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the resource parameter but with the client providing a logical name for the target service. |
nessie.authentication.oauth2.token-exchange.scopes | For token exchanges only. Space-separated list of scopes to include in each token exchange request to the OAuth2 server. Optional. If undefined, the global scopes configured through “nessie.authentication.oauth2.client-scopes” will be used. If defined and null or empty, no scopes will be used. The scope names will not be validated by the Nessie client; make sure they are valid according to RFC 6749 Section 3.3. |
nessie.authentication.oauth2.token-exchange.subject-token | For token exchanges only. The subject token to exchange. This can take 3 kinds of values: (1) the value org.projectnessie.client.auth.oauth2.TokenExchangeConfig#CURRENT_ACCESS_TOKEN, if the client should use its current access token; (2) the value org.projectnessie.client.auth.oauth2.TokenExchangeConfig#CURRENT_REFRESH_TOKEN, if the client should use its current refresh token (if available); (3) an arbitrary token: in this case, the client will always use the static token provided here. The default is to use the current access token. |
nessie.authentication.oauth2.token-exchange.subject-token-type | For token exchanges only. The type of the subject token. Must be a valid URN. The default is either urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:refresh_token, depending on the value of “nessie.authentication.oauth2.token-exchange.subject-token”. If the client is configured to use its access or refresh token as the subject token, please note that if an incorrect token type is provided here, the token exchange could fail. |
nessie.authentication.oauth2.token-exchange.actor-token | For token exchanges only. The actor token to exchange. This can take 4 kinds of values: (1) the value org.projectnessie.client.auth.oauth2.TokenExchangeConfig#NO_TOKEN, if the client should not include any actor token in the exchange request; (2) the value org.projectnessie.client.auth.oauth2.TokenExchangeConfig#CURRENT_ACCESS_TOKEN, if the client should use its current access token; (3) the value org.projectnessie.client.auth.oauth2.TokenExchangeConfig#CURRENT_REFRESH_TOKEN, if the client should use its current refresh token (if available); (4) an arbitrary token: in this case, the client will always use the static token provided here. The default is to not include any actor token. |
nessie.authentication.oauth2.token-exchange.actor-token-type | For token exchanges only. The type of the actor token. Must be a valid URN. The default is either urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:refresh_token, depending on the value of “nessie.authentication.oauth2.token-exchange.actor-token”. If the client is configured to use its access or refresh token as the actor token, please note that if an incorrect token type is provided here, the token exchange could fail. |
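The following is an added example, not Nessie's own client code: it shows how the properties above map onto the RFC 8693 request sent to the token endpoint, including the subject/actor marker resolution, the default token-type URNs, the scope fallback rule, and the rule that an exchange-specific client ID never reuses the global client secret. The marker strings (`CURRENT_ACCESS_TOKEN`, `CURRENT_REFRESH_TOKEN`, `NO_TOKEN`) and the dict-based config are assumptions made for this illustration.

```python
# Added example, not Nessie's own code: derive the RFC 8693 token-exchange form from the
# properties in the table above. The marker strings and dict-based config are assumptions.
P = "nessie.authentication.oauth2."   # global client properties
X = P + "token-exchange."              # token-exchange properties
CURRENT_ACCESS_TOKEN, CURRENT_REFRESH_TOKEN, NO_TOKEN = (
    "CURRENT_ACCESS_TOKEN", "CURRENT_REFRESH_TOKEN", "NO_TOKEN")  # assumed marker values
ACCESS_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"

def resolve_token(marker, access, refresh):
    """Turn a configured marker (or a static token string) into the concrete token."""
    if marker == NO_TOKEN:
        return None
    if marker == CURRENT_ACCESS_TOKEN:
        return access
    if marker == CURRENT_REFRESH_TOKEN:
        if refresh is None:  # "if available" in the table; fail loudly otherwise
            raise ValueError("refresh token configured as subject/actor but none is held")
        return refresh
    return marker  # any other value is a static token, used as-is

def default_type(marker):
    # Default *-token-type URN: refresh_token only when the refresh token is used.
    return REFRESH_TYPE if marker == CURRENT_REFRESH_TOKEN else ACCESS_TYPE

def exchange_credentials(cfg):
    """Exchange client-id overrides the global one; the global secret is then NOT reused."""
    if cfg.get(X + "client-id"):
        return cfg[X + "client-id"], cfg.get(X + "client-secret")
    return cfg.get(P + "client-id"), cfg.get(P + "client-secret")

def build_exchange_form(cfg, access, refresh=None):
    """Form parameters of the exchange request sent to the (exchange) token endpoint."""
    subj = cfg.get(X + "subject-token", CURRENT_ACCESS_TOKEN)
    actor = cfg.get(X + "actor-token", NO_TOKEN)
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token": resolve_token(subj, access, refresh),
            "subject_token_type": cfg.get(X + "subject-token-type", default_type(subj))}
    actor_token = resolve_token(actor, access, refresh)
    if actor_token is not None:
        form["actor_token"] = actor_token
        form["actor_token_type"] = cfg.get(X + "actor-token-type", default_type(actor))
    for opt in ("resource", "audience"):
        if cfg.get(X + opt):
            form[opt] = cfg[X + opt]
    # Scopes: property absent -> global client-scopes; present but null/empty -> no scope.
    scopes = cfg[X + "scopes"] if X + "scopes" in cfg else cfg.get(P + "client-scopes")
    if scopes:
        form["scope"] = scopes
    return form
```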