Client config: OAuth2 Authentication
Property | Description |
---|---|
nessie.authentication.oauth2.issuer-url | OAuth2 issuer URL. The root URL of the OpenID Connect identity issuer provider, which will be used for discovering supported endpoints and their locations. For Keycloak, this is typically the realm URL: https://<keycloak-server>/realms/<realm-name> . Endpoint discovery is performed using the OpenID Connect Discovery metadata published by the issuer. See OpenID Connect Discovery 1.0 for more information. Either this property or ( nessie.authentication.oauth2.token-endpoint ) must be set. |
nessie.authentication.oauth2.token-endpoint | URL of the OAuth2 token endpoint. For Keycloak, this is typically https://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/token . Either this property or ( nessie.authentication.oauth2.issuer-url ) must be set. In case it is not set, the token endpoint will be discovered from the issuer URL (nessie.authentication.oauth2.issuer-url ), using the OpenID Connect Discovery metadata published by the issuer. |
nessie.authentication.oauth2.auth-endpoint | URL of the OAuth2 authorization endpoint. For Keycloak, this is typically https://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/auth . If using the “authorization_code” grant type, either this property or ( nessie.authentication.oauth2.issuer-url ) must be set. In case it is not set, the authorization endpoint will be discovered from the issuer URL (nessie.authentication.oauth2.issuer-url ), using the OpenID Connect Discovery metadata published by the issuer. |
nessie.authentication.oauth2.device-auth-endpoint | URL of the OAuth2 device authorization endpoint. For Keycloak, this is typically http://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/auth/device . If using the “Device Code” grant type, either this property or ( nessie.authentication.oauth2.issuer-url ) must be set. |
nessie.authentication.oauth2.grant-type | The grant type to use when authenticating against the OAuth2 server. Valid values are “client_credentials”, “password”, “authorization_code” and “device_code”. Optional, defaults to “client_credentials”. Depending on the grant type, different properties must be provided. For the “client_credentials” grant type: token endpoint (nessie.authentication.oauth2.token-endpoint) or issuer URL (nessie.authentication.oauth2.issuer-url); client ID (nessie.authentication.oauth2.client-id); client secret (nessie.authentication.oauth2.client-secret), if required. For the “password” grant type: the same properties as for “client_credentials”, plus username (nessie.authentication.oauth2.username) and password (nessie.authentication.oauth2.password). For the “authorization_code” grant type: the same properties as for “client_credentials”, plus authorization endpoint (nessie.authentication.oauth2.auth-endpoint) or issuer URL (nessie.authentication.oauth2.issuer-url). For the “device_code” grant type: the same properties as for “client_credentials”, plus device authorization endpoint (nessie.authentication.oauth2.device-auth-endpoint) or issuer URL (nessie.authentication.oauth2.issuer-url). Both client and user must be properly configured with appropriate permissions in the OAuth2 server for the authentication to succeed. |
nessie.authentication.oauth2.client-id | Client ID to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication, ignored otherwise. |
nessie.authentication.oauth2.client-secret | Client secret to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication, ignored otherwise. |
nessie.authentication.oauth2.username | Username to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication and “password” grant type, ignored otherwise. |
nessie.authentication.oauth2.password | Password to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication and the “password” grant type, ignored otherwise. |
nessie.authentication.oauth2.default-access-token-lifespan | Default access token lifespan; if the OAuth2 server returns an access token without specifying its expiration time, this value will be used. Optional, defaults to “PT1M”. Must be a valid ISO-8601 duration. |
nessie.authentication.oauth2.default-refresh-token-lifespan | Default refresh token lifespan. If the OAuth2 server returns a refresh token without specifying its expiration time, this value will be used. Optional, defaults to “PT30M”. Must be a valid ISO-8601 duration. |
nessie.authentication.oauth2.refresh-safety-window | Refresh safety window to use; a new token will be fetched when the current token’s remaining lifespan is less than this value. Optional, defaults to “PT10S”. Must be a valid ISO-8601 duration. |
nessie.authentication.oauth2.preemptive-token-refresh-idle-timeout | Defines for how long the OAuth2 provider should keep the tokens fresh, if the client is not being actively used. Setting this value too high may cause an excessive usage of network I/O and thread resources; conversely, when setting it too low, if the client is used again, the calling thread may block if the tokens are expired and need to be renewed synchronously. Optional, defaults to “PT30S”. Must be a valid ISO-8601 duration. |
nessie.authentication.oauth2.background-thread-idle-timeout | Defines how long the background thread should be kept running if the client is not being actively used, or no token refreshes are being executed. Optional, defaults to “PT30S”. Setting this value too high will cause the background thread to keep running even if the client is not used anymore, potentially leaking thread and memory resources; conversely, setting it too low could cause the background thread to be restarted too often. Must be a valid ISO-8601 duration. |
nessie.authentication.oauth2.client-scopes | Space-separated list of scopes to include in each request to the OAuth2 server. Optional, defaults to empty (no scopes). The scope names will not be validated by the Nessie client; make sure they are valid according to RFC 6749 Section 3.3 . |
nessie.authentication.oauth2.auth-code-flow.web-port | Port of the internal web server that listens for the authorization code callback in the OAuth2 authorization code flow. This is only used if the grant type is “authorization_code”. Optional; if not present, a random port will be used. When running the client inside a container, make sure to specify a fixed port and forward that port to the container host. |
nessie.authentication.oauth2.auth-code-flow.timeout | Defines how long the client should wait for the authorization code flow to complete. This is only used if the grant type is “authorization_code”. Optional, defaults to “PT5M”. |
nessie.authentication.oauth2.device-code-flow.timeout | Defines how long the client should wait for the device code flow to complete. This is only used if the grant type is “device_code”. Optional, defaults to “PT5M”. |
nessie.authentication.oauth2.device-code-flow.poll-interval | Defines how often the client should poll the OAuth2 server for the device code flow to complete. This is only used if the grant type is “device_code”. Optional, defaults to “PT5S”. |
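As an added example (not the Nessie client's own code), the following Python models two rules the table above states: which properties each grant type requires (the grant-type row), and when the client fetches a new access token given the default-access-token-lifespan and refresh-safety-window settings. The configuration dictionary, sample values and function names are constructed for illustration.

```python
import re
from datetime import timedelta

# Prefix shared by every property in the table above.
P = "nessie.authentication.oauth2."

# Required properties per grant type, as listed in the grant-type row. Each tuple is a
# group of alternatives of which at least one must be set (token endpoint OR issuer URL).
# The client secret is "if required" on the page, so it is deliberately not checked here.
REQUIRED = {
    "client_credentials": [("token-endpoint", "issuer-url"), ("client-id",)],
    "password": [("token-endpoint", "issuer-url"), ("client-id",),
                 ("username",), ("password",)],
    "authorization_code": [("token-endpoint", "issuer-url"),
                           ("auth-endpoint", "issuer-url"), ("client-id",)],
    "device_code": [("token-endpoint", "issuer-url"),
                    ("device-auth-endpoint", "issuer-url"), ("client-id",)],
}

def missing_properties(cfg):
    """Return the unsatisfied requirement groups for the configured grant type."""
    grant = cfg.get(P + "grant-type", "client_credentials")  # page default
    if grant not in REQUIRED:
        raise ValueError(f"unknown grant type: {grant}")
    return [" or ".join(group) for group in REQUIRED[grant]
            if not any(cfg.get(P + key) for key in group)]

# Time-only ISO-8601 durations such as PT1M, PT30S or PT1H30M (the form the page uses).
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$")

def parse_duration(text):
    """Parse an ISO-8601 'PT...' duration into a timedelta; reject anything else."""
    match = _DURATION.match(text)
    if text == "PT" or not match:
        raise ValueError(f"invalid ISO-8601 duration: {text}")
    hours, minutes, seconds = (float(v) if v else 0.0 for v in match.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

def seconds_until_refresh(cfg, expires_in=None):
    """Seconds after receiving an access token at which the client fetches a new one.

    expires_in is the lifespan reported by the server (None if it sent none, in which
    case default-access-token-lifespan applies); refresh happens once the remaining
    lifespan drops below refresh-safety-window. Never negative."""
    lifespan = (timedelta(seconds=expires_in) if expires_in is not None
                else parse_duration(cfg.get(P + "default-access-token-lifespan", "PT1M")))
    window = parse_duration(cfg.get(P + "refresh-safety-window", "PT10S"))
    return max((lifespan - window).total_seconds(), 0.0)
```

A safety window larger than the token lifespan yields 0, i.e. the client would refresh immediately on every request, which is the practical reason to keep refresh-safety-window well below the issuer's access token lifetime.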