All provider configuration

Complete list of all the available provider configuration options

authentication-sessions

infinispan

Value

spi-authentication-sessions-infinispan-auth-sessions-limit

The maximum number of concurrent authentication sessions per RootAuthenticationSession.

CLI: --spi-authentication-sessions-infinispan-auth-sessions-limit
Env: KC_SPI_AUTHENTICATION_SESSIONS_INFINISPAN_AUTH_SESSIONS_LIMIT

300 (default) or any int

remote

Value

spi-authentication-sessions-remote-auth-sessions-limit

The maximum number of concurrent authentication sessions per RootAuthenticationSession.

CLI: --spi-authentication-sessions-remote-auth-sessions-limit
Env: KC_SPI_AUTHENTICATION_SESSIONS_REMOTE_AUTH_SESSIONS_LIMIT

300 (default) or any int

spi-authentication-sessions-remote-max-retries

The maximum number of retries if an error occurs.

A value of zero or less disable any retries.

CLI: --spi-authentication-sessions-remote-max-retries
Env: KC_SPI_AUTHENTICATION_SESSIONS_REMOTE_MAX_RETRIES

10 (default) or any int

spi-authentication-sessions-remote-retry-base-time

The base back-off time in milliseconds.

CLI: --spi-authentication-sessions-remote-retry-base-time
Env: KC_SPI_AUTHENTICATION_SESSIONS_REMOTE_RETRY_BASE_TIME

10 (default) or any int

brute-force-protector

default-brute-force-detector

Value

spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests

If concurrent logins are allowed by the brute force protection.

CLI: --spi-brute-force-protector-default-brute-force-detector-allow-concurrent-requests
Env: KC_SPI_BRUTE_FORCE_PROTECTOR_DEFAULT_BRUTE_FORCE_DETECTOR_ALLOW_CONCURRENT_REQUESTS

true, false (default)

ciba-auth-channel

ciba-http-auth-channel

Value

spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri

The HTTP(S) URI of the authentication channel.

CLI: --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri
Env: KC_SPI_CIBA_AUTH_CHANNEL_CIBA_HTTP_AUTH_CHANNEL_HTTP_AUTHENTICATION_CHANNEL_URI

any string

connections-http-client

default

Value

spi-connections-http-client-default-client-key-password

The key password.

CLI: --spi-connections-http-client-default-client-key-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEY_PASSWORD

-1 (default) or any string

spi-connections-http-client-default-client-keystore

The file path of the key store from where the key material is going to be read from to set-up TLS connections.

CLI: --spi-connections-http-client-default-client-keystore
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE

any string

spi-connections-http-client-default-client-keystore-password

The key store password.

CLI: --spi-connections-http-client-default-client-keystore-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE_PASSWORD

any string

spi-connections-http-client-default-connection-pool-size

Assigns maximum total connection value.

CLI: --spi-connections-http-client-default-connection-pool-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_POOL_SIZE

any int

spi-connections-http-client-default-connection-ttl-millis

Sets maximum time, in milliseconds, to live for persistent connections.

CLI: --spi-connections-http-client-default-connection-ttl-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_TTL_MILLIS

-1 (default) or any long

spi-connections-http-client-default-disable-cookies

Disables state (cookie) management.

CLI: --spi-connections-http-client-default-disable-cookies
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_COOKIES

true (default), false

spi-connections-http-client-default-disable-trust-manager

Disable trust management and hostname verification.

NOTE this is a security hole, so only set this option if you cannot or do not want to verify the identity of the host you are communicating with.

CLI: --spi-connections-http-client-default-disable-trust-manager
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_TRUST_MANAGER

true, false (default)

spi-connections-http-client-default-establish-connection-timeout-millis

When trying to make an initial socket connection, what is the timeout?

CLI: --spi-connections-http-client-default-establish-connection-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_ESTABLISH_CONNECTION_TIMEOUT_MILLIS

-1 (default) or any long

spi-connections-http-client-default-max-connection-idle-time-millis

Sets the time, in milliseconds, for evicting idle connections from the pool.

CLI: --spi-connections-http-client-default-max-connection-idle-time-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_CONNECTION_IDLE_TIME_MILLIS

900000 (default) or any long

spi-connections-http-client-default-max-consumed-response-size

Maximum size of a response consumed by the client (to prevent denial of service)

CLI: --spi-connections-http-client-default-max-consumed-response-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_CONSUMED_RESPONSE_SIZE

10000000 (default) or any long

spi-connections-http-client-default-max-pooled-per-route

Assigns maximum connection per route value.

CLI: --spi-connections-http-client-default-max-pooled-per-route
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_POOLED_PER_ROUTE

64 (default) or any int

spi-connections-http-client-default-proxy-mappings

Denotes the combination of a regex based hostname pattern and a proxy-uri in the form of hostnamePattern;proxyUri.

CLI: --spi-connections-http-client-default-proxy-mappings
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_PROXY_MAPPINGS

any string

spi-connections-http-client-default-reuse-connections

If connections should be reused.

CLI: --spi-connections-http-client-default-reuse-connections
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_REUSE_CONNECTIONS

true (default), false

spi-connections-http-client-default-socket-timeout-millis

Socket inactivity timeout.

CLI: --spi-connections-http-client-default-socket-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_SOCKET_TIMEOUT_MILLIS

5000 (default) or any long

opentelemetry

Value

spi-connections-http-client-opentelemetry-client-key-password

The key password.

CLI: --spi-connections-http-client-opentelemetry-client-key-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_CLIENT_KEY_PASSWORD

-1 (default) or any string

spi-connections-http-client-opentelemetry-client-keystore

The file path of the key store from where the key material is going to be read from to set-up TLS connections.

CLI: --spi-connections-http-client-opentelemetry-client-keystore
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_CLIENT_KEYSTORE

any string

spi-connections-http-client-opentelemetry-client-keystore-password

The key store password.

CLI: --spi-connections-http-client-opentelemetry-client-keystore-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_CLIENT_KEYSTORE_PASSWORD

any string

spi-connections-http-client-opentelemetry-connection-pool-size

Assigns maximum total connection value.

CLI: --spi-connections-http-client-opentelemetry-connection-pool-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_CONNECTION_POOL_SIZE

any int

spi-connections-http-client-opentelemetry-connection-ttl-millis

Sets maximum time, in milliseconds, to live for persistent connections.

CLI: --spi-connections-http-client-opentelemetry-connection-ttl-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_CONNECTION_TTL_MILLIS

-1 (default) or any long

spi-connections-http-client-opentelemetry-disable-cookies

Disables state (cookie) management.

CLI: --spi-connections-http-client-opentelemetry-disable-cookies
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_DISABLE_COOKIES

true (default), false

spi-connections-http-client-opentelemetry-disable-trust-manager

Disable trust management and hostname verification.

NOTE this is a security hole, so only set this option if you cannot or do not want to verify the identity of the host you are communicating with.

CLI: --spi-connections-http-client-opentelemetry-disable-trust-manager
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_DISABLE_TRUST_MANAGER

true, false (default)

spi-connections-http-client-opentelemetry-establish-connection-timeout-millis

When trying to make an initial socket connection, what is the timeout?

CLI: --spi-connections-http-client-opentelemetry-establish-connection-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_ESTABLISH_CONNECTION_TIMEOUT_MILLIS

-1 (default) or any long

spi-connections-http-client-opentelemetry-max-connection-idle-time-millis

Sets the time, in milliseconds, for evicting idle connections from the pool.

CLI: --spi-connections-http-client-opentelemetry-max-connection-idle-time-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_MAX_CONNECTION_IDLE_TIME_MILLIS

900000 (default) or any long

spi-connections-http-client-opentelemetry-max-consumed-response-size

Maximum size of a response consumed by the client (to prevent denial of service)

CLI: --spi-connections-http-client-opentelemetry-max-consumed-response-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_MAX_CONSUMED_RESPONSE_SIZE

10000000 (default) or any long

spi-connections-http-client-opentelemetry-max-pooled-per-route

Assigns maximum connection per route value.

CLI: --spi-connections-http-client-opentelemetry-max-pooled-per-route
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_MAX_POOLED_PER_ROUTE

64 (default) or any int

spi-connections-http-client-opentelemetry-proxy-mappings

Denotes the combination of a regex based hostname pattern and a proxy-uri in the form of hostnamePattern;proxyUri.

CLI: --spi-connections-http-client-opentelemetry-proxy-mappings
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_PROXY_MAPPINGS

any string

spi-connections-http-client-opentelemetry-reuse-connections

If connections should be reused.

CLI: --spi-connections-http-client-opentelemetry-reuse-connections
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_REUSE_CONNECTIONS

true (default), false

spi-connections-http-client-opentelemetry-socket-timeout-millis

Socket inactivity timeout.

CLI: --spi-connections-http-client-opentelemetry-socket-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_OPENTELEMETRY_SOCKET_TIMEOUT_MILLIS

5000 (default) or any long

connections-infinispan

quarkus

Value

spi-connections-infinispan-quarkus-site-name

Site name for multi-site deployments

CLI: --spi-connections-infinispan-quarkus-site-name
Env: KC_SPI_CONNECTIONS_INFINISPAN_QUARKUS_SITE_NAME

any string

connections-jpa

quarkus

Value

spi-connections-jpa-quarkus-initialize-empty

Initialize database if empty.

If set to false the database has to be manually initialized. If you want to manually initialize the database set migrationStrategy to manual which will create a file with SQL commands to initialize the database.

CLI: --spi-connections-jpa-quarkus-initialize-empty
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_INITIALIZE_EMPTY

true (default), false

spi-connections-jpa-quarkus-migration-export

Path for where to write manual database initialization/migration file.

CLI: --spi-connections-jpa-quarkus-migration-export
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_EXPORT

any string

spi-connections-jpa-quarkus-migration-strategy

Strategy to use to migrate database.

Valid values are update, manual and validate. Update will automatically migrate the database schema. Manual will export the required changes to a file with SQL commands that you can manually execute on the database. Validate will simply check if the database is up-to-date.

CLI: --spi-connections-jpa-quarkus-migration-strategy
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_STRATEGY

update (default), manual, validate

datastore

legacy

Value

spi-datastore-legacy-allow-migrate-existing-database-to-snapshot

By default, it is not allowed to run the snapshot/development server against the database, which was previously migrated to some officially released server version.

As an attempt of doing this indicates that you are trying to run development server against production database, which can result in a loss or corruption of data, and also does not allow upgrading. If it is really intended, you can use this option, which will allow to use nightly/development server against production database when explicitly switch to true. This option is recommended just in the development environments and should be never used in the production!

CLI: --spi-datastore-legacy-allow-migrate-existing-database-to-snapshot
Env: KC_SPI_DATASTORE_LEGACY_ALLOW_MIGRATE_EXISTING_DATABASE_TO_SNAPSHOT

true, false (default)

dblock

jpa

Value

spi-dblock-jpa-lock-wait-timeout

The maximum time to wait when waiting to release a database lock.

CLI: --spi-dblock-jpa-lock-wait-timeout
Env: KC_SPI_DBLOCK_JPA_LOCK_WAIT_TIMEOUT

any int

events-listener

email

Value

spi-events-listener-email-exclude-events

A comma-separated list of events that should not be sent via email to the user’s account.

CLI: --spi-events-listener-email-exclude-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_EXCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, federated_identity_override_link, federated_identity_override_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, invite_org, invite_org_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_credential, remove_credential_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_credential, update_credential_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

spi-events-listener-email-include-events

A comma-separated list of events that should be sent via email to the user’s account.

CLI: --spi-events-listener-email-include-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_INCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, federated_identity_override_link, federated_identity_override_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, invite_org, invite_org_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_credential, remove_credential_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_credential, update_credential_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

jboss-logging

Value

spi-events-listener-jboss-logging-error-level

The log level for error messages.

CLI: --spi-events-listener-jboss-logging-error-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL

debug, error, fatal, info, trace, warn (default)

spi-events-listener-jboss-logging-quotes

The quotes to use for values, it should be one character like " or '.

Use "none" if quotes are not needed.

CLI: --spi-events-listener-jboss-logging-quotes
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_QUOTES

" (default) or any string

spi-events-listener-jboss-logging-sanitize

If true the log messages are sanitized to avoid line breaks.

If false messages are not sanitized.

CLI: --spi-events-listener-jboss-logging-sanitize
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SANITIZE

true (default), false

spi-events-listener-jboss-logging-success-level

The log level for success messages.

CLI: --spi-events-listener-jboss-logging-success-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL

debug (default), error, fatal, info, trace, warn

export

dir

Value

spi-export-dir-dir

Directory to export to

CLI: --spi-export-dir-dir
Env: KC_SPI_EXPORT_DIR_DIR

any string

spi-export-dir-realm-name

Realm to export

CLI: --spi-export-dir-realm-name
Env: KC_SPI_EXPORT_DIR_REALM_NAME

any string

spi-export-dir-users-export-strategy

Users export strategy

CLI: --spi-export-dir-users-export-strategy
Env: KC_SPI_EXPORT_DIR_USERS_EXPORT_STRATEGY

DIFFERENT_FILES (default) or any string

spi-export-dir-users-per-file

Users per exported file

CLI: --spi-export-dir-users-per-file
Env: KC_SPI_EXPORT_DIR_USERS_PER_FILE

50 (default) or any int

single-file

Value

spi-export-single-file-file

File to export to

CLI: --spi-export-single-file-file
Env: KC_SPI_EXPORT_SINGLE_FILE_FILE

any string

spi-export-single-file-realm-name

Realm to export

CLI: --spi-export-single-file-realm-name
Env: KC_SPI_EXPORT_SINGLE_FILE_REALM_NAME

any string

group

jpa

Value

spi-group-jpa-escape-slashes-in-group-path

If true slashes / in group names are escaped with the character ~ when converted to paths.

CLI: --spi-group-jpa-escape-slashes-in-group-path
Env: KC_SPI_GROUP_JPA_ESCAPE_SLASHES_IN_GROUP_PATH

true, false (default)

spi-group-jpa-searchable-attributes

The list of attributes separated by comma that are allowed in client attribute searches.

CLI: --spi-group-jpa-searchable-attributes
Env: KC_SPI_GROUP_JPA_SEARCHABLE_ATTRIBUTES

any string

import

dir

Value

spi-import-dir-dir

Directory to import from

CLI: --spi-import-dir-dir
Env: KC_SPI_IMPORT_DIR_DIR

any string

spi-import-dir-realm-name

Realm to export

CLI: --spi-import-dir-realm-name
Env: KC_SPI_IMPORT_DIR_REALM_NAME

any string

spi-import-dir-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-dir-strategy
Env: KC_SPI_IMPORT_DIR_STRATEGY

any string

single-file

Value

spi-import-single-file-file

File to import from

CLI: --spi-import-single-file-file
Env: KC_SPI_IMPORT_SINGLE_FILE_FILE

any string

spi-import-single-file-realm-name

Realm to export

CLI: --spi-import-single-file-realm-name
Env: KC_SPI_IMPORT_SINGLE_FILE_REALM_NAME

any string

spi-import-single-file-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-single-file-strategy
Env: KC_SPI_IMPORT_SINGLE_FILE_STRATEGY

any string

load-balancer-check

remote

Value

spi-load-balancer-check-remote-poll-interval

The Remote caches poll interval, in milliseconds, for connection availability

CLI: --spi-load-balancer-check-remote-poll-interval
Env: KC_SPI_LOAD_BALANCER_CHECK_REMOTE_POLL_INTERVAL

5000 (default) or any int

login-failure

remote

Value

spi-login-failure-remote-max-retries

The maximum number of retries if an error occurs.

A value of zero or less disable any retries.

CLI: --spi-login-failure-remote-max-retries
Env: KC_SPI_LOGIN_FAILURE_REMOTE_MAX_RETRIES

10 (default) or any int

spi-login-failure-remote-retry-base-time

The base back-off time in milliseconds.

CLI: --spi-login-failure-remote-retry-base-time
Env: KC_SPI_LOGIN_FAILURE_REMOTE_RETRY_BASE_TIME

10 (default) or any int

password-hashing

argon2

Value

spi-password-hashing-argon2-cpu-cores

Maximum parallel CPU cores to use for hashing

CLI: --spi-password-hashing-argon2-cpu-cores
Env: KC_SPI_PASSWORD_HASHING_ARGON2_CPU_CORES

any int

spi-password-hashing-argon2-iterations

Iterations

CLI: --spi-password-hashing-argon2-iterations
Env: KC_SPI_PASSWORD_HASHING_ARGON2_ITERATIONS

5 (default) or any int

spi-password-hashing-argon2-memory

Memory size (KB)

CLI: --spi-password-hashing-argon2-memory
Env: KC_SPI_PASSWORD_HASHING_ARGON2_MEMORY

7168 (default) or any int

spi-password-hashing-argon2-parallelism

Parallelism

CLI: --spi-password-hashing-argon2-parallelism
Env: KC_SPI_PASSWORD_HASHING_ARGON2_PARALLELISM

1 (default) or any int

spi-password-hashing-argon2-type

Type

CLI: --spi-password-hashing-argon2-type
Env: KC_SPI_PASSWORD_HASHING_ARGON2_TYPE

id (default), d, i

spi-password-hashing-argon2-type

Hash length

CLI: --spi-password-hashing-argon2-type
Env: KC_SPI_PASSWORD_HASHING_ARGON2_TYPE

32 (default) or any int

spi-password-hashing-argon2-version

Version

CLI: --spi-password-hashing-argon2-version
Env: KC_SPI_PASSWORD_HASHING_ARGON2_VERSION

1.3 (default), 1.0

public-key-storage

infinispan

Value

spi-public-key-storage-infinispan-max-cache-time

Maximum interval in seconds that keys are cached when they are retrieved via all keys methods.

When all keys for the entry are retrieved there is no way to detect if a key is missing (different to the case when the key is retrieved via ID for example). In that situation this option forces a refresh from time to time. Default 24 hours.

CLI: --spi-public-key-storage-infinispan-max-cache-time
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MAX_CACHE_TIME

86400 (default) or any int

spi-public-key-storage-infinispan-min-time-between-requests

Minimum interval in seconds between two requests to retrieve the new public keys.

The server will always try to download new public keys when a single key is requested and not found. However it will avoid the download if the previous refresh was done less than 10 seconds ago (by default). This behavior is used to avoid DoS attacks against the external keys endpoint.

CLI: --spi-public-key-storage-infinispan-min-time-between-requests
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MIN_TIME_BETWEEN_REQUESTS

10 (default) or any int

required-action

UPDATE_PASSWORD

Value

spi-required-action-UPDATE_PASSWORD-max_auth_age

Configures the duration in seconds this action can be used after the last authentication before the user is required to re-authenticate.

This parameter is used just in the context of AIA when the kc_action parameter is available in the request, which is for instance when user himself updates his password in the account console. When the 'Maximum Authentication Age' password policy is used in the realm, it’s value has precedence over the value configured here.

CLI: --spi-required-action-UPDATE_PASSWORD-max_auth_age
Env: KC_SPI_REQUIRED_ACTION_UPDATE_PASSWORD_MAX_AUTH_AGE

300 (default) or any String

resource-encoding

gzip

Value

spi-resource-encoding-gzip-excluded-content-types

A space separated list of content-types to exclude from encoding.

CLI: --spi-resource-encoding-gzip-excluded-content-types
Env: KC_SPI_RESOURCE_ENCODING_GZIP_EXCLUDED_CONTENT_TYPES

image/png image/jpeg (default) or any string

security-profile

default

Value

spi-security-profile-default-name

Name for the security configuration file to use.

File name.json is searched in classapth and conf installation folder.

CLI: --spi-security-profile-default-name
Env: KC_SPI_SECURITY_PROFILE_DEFAULT_NAME

any string

single-use-object

infinispan

Value

spi-single-use-object-infinispan-persist-revoked-tokens

If revoked tokens are stored persistently across restarts

CLI: --spi-single-use-object-infinispan-persist-revoked-tokens
Env: KC_SPI_SINGLE_USE_OBJECT_INFINISPAN_PERSIST_REVOKED_TOKENS

true (default), false

remote

Value

spi-single-use-object-remote-persist-revoked-tokens

If revoked tokens are stored persistently across restarts

CLI: --spi-single-use-object-remote-persist-revoked-tokens
Env: KC_SPI_SINGLE_USE_OBJECT_REMOTE_PERSIST_REVOKED_TOKENS

true (default), false

sticky-session-encoder

infinispan

Value

spi-sticky-session-encoder-infinispan-should-attach-route

If the route should be attached to cookies to reflect the node that owns a particular session.

CLI: --spi-sticky-session-encoder-infinispan-should-attach-route
Env: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE

true (default), false

remote

Value

spi-sticky-session-encoder-remote-should-attach-route

If the route should be attached to cookies to reflect the node that owns a particular session.

CLI: --spi-sticky-session-encoder-remote-should-attach-route
Env: KC_SPI_STICKY_SESSION_ENCODER_REMOTE_SHOULD_ATTACH_ROUTE

true (default), false

truststore

file

Value

spi-truststore-file-file

DEPRECATED: The file path of the trust store from where the certificates are going to be read from to validate TLS connections.

CLI: --spi-truststore-file-file
Env: KC_SPI_TRUSTSTORE_FILE_FILE

any string

spi-truststore-file-hostname-verification-policy

DEPRECATED: The hostname verification policy.

CLI: --spi-truststore-file-hostname-verification-policy
Env: KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY

ANY, WILDCARD, STRICT, DEFAULT (default)

spi-truststore-file-password

DEPRECATED: The trust store password.

CLI: --spi-truststore-file-password
Env: KC_SPI_TRUSTSTORE_FILE_PASSWORD

any string

spi-truststore-file-type

DEPRECATED: Type of the truststore.

If not provided, the type would be detected based on the truststore file extension or platform default type.

CLI: --spi-truststore-file-type
Env: KC_SPI_TRUSTSTORE_FILE_TYPE

any string

user-profile

declarative-user-profile

Value

spi-user-profile-declarative-user-profile-admin-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so administrators can’t change them.

CLI: --spi-user-profile-declarative-user-profile-admin-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_ADMIN_READ_ONLY_ATTRIBUTES

any MultivaluedString

spi-user-profile-declarative-user-profile-max-email-local-part-length

To set user profile max email local part length

CLI: --spi-user-profile-declarative-user-profile-max-email-local-part-length
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_MAX_EMAIL_LOCAL_PART_LENGTH

any String

spi-user-profile-declarative-user-profile-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so users can’t change them.

CLI: --spi-user-profile-declarative-user-profile-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES

any MultivaluedString

user-sessions

infinispan

Value

spi-user-sessions-infinispan-max-batch-size

Maximum size of a batch size (only applicable to persistent sessions

CLI: --spi-user-sessions-infinispan-max-batch-size
Env: KC_SPI_USER_SESSIONS_INFINISPAN_MAX_BATCH_SIZE

4 (default) or any int

spi-user-sessions-infinispan-offline-client-session-cache-entry-lifespan-override

Override how long offline client sessions should be kept in memory

CLI: --spi-user-sessions-infinispan-offline-client-session-cache-entry-lifespan-override
Env: KC_SPI_USER_SESSIONS_INFINISPAN_OFFLINE_CLIENT_SESSION_CACHE_ENTRY_LIFESPAN_OVERRIDE

any int

spi-user-sessions-infinispan-offline-session-cache-entry-lifespan-override

Override how long offline user sessions should be kept in memory

CLI: --spi-user-sessions-infinispan-offline-session-cache-entry-lifespan-override
Env: KC_SPI_USER_SESSIONS_INFINISPAN_OFFLINE_SESSION_CACHE_ENTRY_LIFESPAN_OVERRIDE

any int

spi-user-sessions-infinispan-use-caches

Enable or disable caches.

Enabled by default unless the external feature to use only external remote caches is used

CLI: --spi-user-sessions-infinispan-use-caches
Env: KC_SPI_USER_SESSIONS_INFINISPAN_USE_CACHES

true, false

remote

Value

spi-user-sessions-remote-batch-size

Batch size when streaming session from the remote cache

CLI: --spi-user-sessions-remote-batch-size
Env: KC_SPI_USER_SESSIONS_REMOTE_BATCH_SIZE

1024 (default) or any int

spi-user-sessions-remote-max-retries

The maximum number of retries if an error occurs.

A value of zero or less disable any retries.

CLI: --spi-user-sessions-remote-max-retries
Env: KC_SPI_USER_SESSIONS_REMOTE_MAX_RETRIES

10 (default) or any int

spi-user-sessions-remote-retry-base-time

The base back-off time in milliseconds.

CLI: --spi-user-sessions-remote-retry-base-time
Env: KC_SPI_USER_SESSIONS_REMOTE_RETRY_BASE_TIME

10 (default) or any int

well-known

oauth-authorization-server

Value

spi-well-known-oauth-authorization-server-include-client-scopes

If client scopes should be used to calculate the list of supported scopes.

CLI: --spi-well-known-oauth-authorization-server-include-client-scopes
Env: KC_SPI_WELL_KNOWN_OAUTH_AUTHORIZATION_SERVER_INCLUDE_CLIENT_SCOPES

true (default), false

spi-well-known-oauth-authorization-server-openid-configuration-override

The file path from where the metadata should be loaded from.

You can use an absolute file path or, if the file is in the server classpath, use the classpath: prefix to load the file from the classpath.

CLI: --spi-well-known-oauth-authorization-server-openid-configuration-override
Env: KC_SPI_WELL_KNOWN_OAUTH_AUTHORIZATION_SERVER_OPENID_CONFIGURATION_OVERRIDE

any string

openid-configuration

Value

spi-well-known-openid-configuration-include-client-scopes

If client scopes should be used to calculate the list of supported scopes.

CLI: --spi-well-known-openid-configuration-include-client-scopes
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_INCLUDE_CLIENT_SCOPES

true (default), false

spi-well-known-openid-configuration-openid-configuration-override

The file path from where the metadata should be loaded from.

You can use an absolute file path or, if the file is in the server classpath, use the classpath: prefix to load the file from the classpath.

CLI: --spi-well-known-openid-configuration-openid-configuration-override
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_OPENID_CONFIGURATION_OVERRIDE

any string

On this page