All provider configuration

authentication-sessions

infinispan

Value

	Value
`spi-authentication-sessions-infinispan-auth-sessions-limit` The maximum number of concurrent authentication sessions per RootAuthenticationSession. CLI: `--spi-authentication-sessions-infinispan-auth-sessions-limit` Env: `KC_SPI_AUTHENTICATION_SESSIONS_INFINISPAN_AUTH_SESSIONS_LIMIT`	`300` (default) or any `int`

spi-authentication-sessions-infinispan-auth-sessions-limit

The maximum number of concurrent authentication sessions per RootAuthenticationSession.

CLI: --spi-authentication-sessions-infinispan-auth-sessions-limit
Env: KC_SPI_AUTHENTICATION_SESSIONS_INFINISPAN_AUTH_SESSIONS_LIMIT

300 (default) or any int

ciba-auth-channel

ciba-http-auth-channel

Value

	Value
`spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri` The HTTP(S) URI of the authentication channel. CLI: `--spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri` Env: `KC_SPI_CIBA_AUTH_CHANNEL_CIBA_HTTP_AUTH_CHANNEL_HTTP_AUTHENTICATION_CHANNEL_URI`	any `string`

spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri

The HTTP(S) URI of the authentication channel.

CLI: --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri
Env: KC_SPI_CIBA_AUTH_CHANNEL_CIBA_HTTP_AUTH_CHANNEL_HTTP_AUTHENTICATION_CHANNEL_URI

any string

connections-http-client

default

Value

	Value
`spi-connections-http-client-default-client-key-password` The key password. CLI: `--spi-connections-http-client-default-client-key-password` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEY_PASSWORD`	`-1` (default) or any `string`
`spi-connections-http-client-default-client-keystore` The file path of the key store from where the key material is going to be read from to set-up TLS connections. CLI: `--spi-connections-http-client-default-client-keystore` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE`	any `string`
`spi-connections-http-client-default-client-keystore-password` The key store password. CLI: `--spi-connections-http-client-default-client-keystore-password` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE_PASSWORD`	any `string`
`spi-connections-http-client-default-connection-pool-size` Assigns maximum total connection value. CLI: `--spi-connections-http-client-default-connection-pool-size` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_POOL_SIZE`	any `int`
`spi-connections-http-client-default-connection-ttl-millis` Sets maximum time, in milliseconds, to live for persistent connections. CLI: `--spi-connections-http-client-default-connection-ttl-millis` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_TTL_MILLIS`	`-1` (default) or any `long`
`spi-connections-http-client-default-disable-cookies` Disables state (cookie) management. CLI: `--spi-connections-http-client-default-disable-cookies` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_COOKIES`	`true` (default), `false`
`spi-connections-http-client-default-disable-trust-manager` Disable trust management and hostname verification. NOTE this is a security hole, so only set this option if you cannot or do not want to verify the identity of the host you are communicating with. CLI: `--spi-connections-http-client-default-disable-trust-manager` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_TRUST_MANAGER`	`true`, `false` (default)
`spi-connections-http-client-default-establish-connection-timeout-millis` When trying to make an initial socket connection, what is the timeout? CLI: `--spi-connections-http-client-default-establish-connection-timeout-millis` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_ESTABLISH_CONNECTION_TIMEOUT_MILLIS`	`-1` (default) or any `long`
`spi-connections-http-client-default-max-connection-idle-time-millis` Sets the time, in milliseconds, for evicting idle connections from the pool. CLI: `--spi-connections-http-client-default-max-connection-idle-time-millis` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_CONNECTION_IDLE_TIME_MILLIS`	`900000` (default) or any `long`
`spi-connections-http-client-default-max-pooled-per-route` Assigns maximum connection per route value. CLI: `--spi-connections-http-client-default-max-pooled-per-route` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_POOLED_PER_ROUTE`	`64` (default) or any `int`
`spi-connections-http-client-default-proxy-mappings` Denotes the combination of a regex based hostname pattern and a proxy-uri in the form of hostnamePattern;proxyUri. CLI: `--spi-connections-http-client-default-proxy-mappings` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_PROXY_MAPPINGS`	any `string`
`spi-connections-http-client-default-reuse-connections` If connections should be reused. CLI: `--spi-connections-http-client-default-reuse-connections` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_REUSE_CONNECTIONS`	`true` (default), `false`
`spi-connections-http-client-default-socket-timeout-millis` Socket inactivity timeout. CLI: `--spi-connections-http-client-default-socket-timeout-millis` Env: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_SOCKET_TIMEOUT_MILLIS`	`5000` (default) or any `long`

spi-connections-http-client-default-client-key-password

The key password.

CLI: --spi-connections-http-client-default-client-key-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEY_PASSWORD

-1 (default) or any string

spi-connections-http-client-default-client-keystore

The file path of the key store from where the key material is going to be read from to set-up TLS connections.

CLI: --spi-connections-http-client-default-client-keystore
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE

any string

spi-connections-http-client-default-client-keystore-password

The key store password.

CLI: --spi-connections-http-client-default-client-keystore-password
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CLIENT_KEYSTORE_PASSWORD

any string

spi-connections-http-client-default-connection-pool-size

Assigns maximum total connection value.

CLI: --spi-connections-http-client-default-connection-pool-size
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_POOL_SIZE

any int

spi-connections-http-client-default-connection-ttl-millis

Sets maximum time, in milliseconds, to live for persistent connections.

CLI: --spi-connections-http-client-default-connection-ttl-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_CONNECTION_TTL_MILLIS

-1 (default) or any long

spi-connections-http-client-default-disable-cookies

Disables state (cookie) management.

CLI: --spi-connections-http-client-default-disable-cookies
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_COOKIES

true (default), false

spi-connections-http-client-default-disable-trust-manager

Disable trust management and hostname verification.

NOTE this is a security hole, so only set this option if you cannot or do not want to verify the identity of the host you are communicating with.

CLI: --spi-connections-http-client-default-disable-trust-manager
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_DISABLE_TRUST_MANAGER

true, false (default)

spi-connections-http-client-default-establish-connection-timeout-millis

When trying to make an initial socket connection, what is the timeout?

CLI: --spi-connections-http-client-default-establish-connection-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_ESTABLISH_CONNECTION_TIMEOUT_MILLIS

-1 (default) or any long

spi-connections-http-client-default-max-connection-idle-time-millis

Sets the time, in milliseconds, for evicting idle connections from the pool.

CLI: --spi-connections-http-client-default-max-connection-idle-time-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_CONNECTION_IDLE_TIME_MILLIS

900000 (default) or any long

spi-connections-http-client-default-max-pooled-per-route

Assigns maximum connection per route value.

CLI: --spi-connections-http-client-default-max-pooled-per-route
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_MAX_POOLED_PER_ROUTE

64 (default) or any int

spi-connections-http-client-default-proxy-mappings

Denotes the combination of a regex based hostname pattern and a proxy-uri in the form of hostnamePattern;proxyUri.

CLI: --spi-connections-http-client-default-proxy-mappings
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_PROXY_MAPPINGS

any string

spi-connections-http-client-default-reuse-connections

If connections should be reused.

CLI: --spi-connections-http-client-default-reuse-connections
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_REUSE_CONNECTIONS

true (default), false

spi-connections-http-client-default-socket-timeout-millis

Socket inactivity timeout.

CLI: --spi-connections-http-client-default-socket-timeout-millis
Env: KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_SOCKET_TIMEOUT_MILLIS

5000 (default) or any long

connections-infinispan

quarkus

Value

	Value
`spi-connections-infinispan-quarkus-site-name` Site name for multi-site deployments CLI: `--spi-connections-infinispan-quarkus-site-name` Env: `KC_SPI_CONNECTIONS_INFINISPAN_QUARKUS_SITE_NAME`	any `string`

spi-connections-infinispan-quarkus-site-name

Site name for multi-site deployments

CLI: --spi-connections-infinispan-quarkus-site-name
Env: KC_SPI_CONNECTIONS_INFINISPAN_QUARKUS_SITE_NAME

any string

connections-jpa

quarkus

Value

	Value
`spi-connections-jpa-quarkus-initialize-empty` Initialize database if empty. If set to false the database has to be manually initialized. If you want to manually initialize the database set migrationStrategy to manual which will create a file with SQL commands to initialize the database. CLI: `--spi-connections-jpa-quarkus-initialize-empty` Env: `KC_SPI_CONNECTIONS_JPA_QUARKUS_INITIALIZE_EMPTY`	`true` (default), `false`
`spi-connections-jpa-quarkus-migration-export` Path for where to write manual database initialization/migration file. CLI: `--spi-connections-jpa-quarkus-migration-export` Env: `KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_EXPORT`	any `string`
`spi-connections-jpa-quarkus-migration-strategy` Strategy to use to migrate database. Valid values are update, manual and validate. Update will automatically migrate the database schema. Manual will export the required changes to a file with SQL commands that you can manually execute on the database. Validate will simply check if the database is up-to-date. CLI: `--spi-connections-jpa-quarkus-migration-strategy` Env: `KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_STRATEGY`	`update` (default), `manual`, `validate`

spi-connections-jpa-quarkus-initialize-empty

Initialize database if empty.

If set to false the database has to be manually initialized. If you want to manually initialize the database set migrationStrategy to manual which will create a file with SQL commands to initialize the database.

CLI: --spi-connections-jpa-quarkus-initialize-empty
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_INITIALIZE_EMPTY

true (default), false

spi-connections-jpa-quarkus-migration-export

Path for where to write manual database initialization/migration file.

CLI: --spi-connections-jpa-quarkus-migration-export
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_EXPORT

any string

spi-connections-jpa-quarkus-migration-strategy

Strategy to use to migrate database.

Valid values are update, manual and validate. Update will automatically migrate the database schema. Manual will export the required changes to a file with SQL commands that you can manually execute on the database. Validate will simply check if the database is up-to-date.

CLI: --spi-connections-jpa-quarkus-migration-strategy
Env: KC_SPI_CONNECTIONS_JPA_QUARKUS_MIGRATION_STRATEGY

update (default), manual, validate

cookie

default

Value

	Value
`spi-cookie-default-same-site-legacy` Adds legacy cookies without SameSite parameter CLI: `--spi-cookie-default-same-site-legacy` Env: `KC_SPI_COOKIE_DEFAULT_SAME_SITE_LEGACY`	`true` (default), `false`

spi-cookie-default-same-site-legacy

Adds legacy cookies without SameSite parameter

true (default), false

dblock

jpa

Value

	Value
`spi-dblock-jpa-lock-wait-timeout` The maximum time to wait when waiting to release a database lock. CLI: `--spi-dblock-jpa-lock-wait-timeout` Env: `KC_SPI_DBLOCK_JPA_LOCK_WAIT_TIMEOUT`	any `int`

spi-dblock-jpa-lock-wait-timeout

The maximum time to wait when waiting to release a database lock.

CLI: --spi-dblock-jpa-lock-wait-timeout
Env: KC_SPI_DBLOCK_JPA_LOCK_WAIT_TIMEOUT

any int

events-listener

email

Value

	Value
`spi-events-listener-email-exclude-events` A comma-separated list of events that should not be sent via email to the user’s account. CLI: `--spi-events-listener-email-exclude-events` Env: `KC_SPI_EVENTS_LISTENER_EMAIL_EXCLUDE_EVENTS`	`authreqid_to_token`, `authreqid_to_token_error`, `client_delete`, `client_delete_error`, `client_info`, `client_info_error`, `client_initiated_account_linking`, `client_initiated_account_linking_error`, `client_login`, `client_login_error`, `client_register`, `client_register_error`, `client_update`, `client_update_error`, `code_to_token`, `code_to_token_error`, `custom_required_action`, `custom_required_action_error`, `delete_account`, `delete_account_error`, `execute_action_token`, `execute_action_token_error`, `execute_actions`, `execute_actions_error`, `federated_identity_link`, `federated_identity_link_error`, `grant_consent`, `grant_consent_error`, `identity_provider_first_login`, `identity_provider_first_login_error`, `identity_provider_link_account`, `identity_provider_link_account_error`, `identity_provider_login`, `identity_provider_login_error`, `identity_provider_post_login`, `identity_provider_post_login_error`, `identity_provider_response`, `identity_provider_response_error`, `identity_provider_retrieve_token`, `identity_provider_retrieve_token_error`, `impersonate`, `impersonate_error`, `introspect_token`, `introspect_token_error`, `invalid_signature`, `invalid_signature_error`, `login`, `login_error`, `logout`, `logout_error`, `oauth2_device_auth`, `oauth2_device_auth_error`, `oauth2_device_code_to_token`, `oauth2_device_code_to_token_error`, `oauth2_device_verify_user_code`, `oauth2_device_verify_user_code_error`, `oauth2_extension_grant`, `oauth2_extension_grant_error`, `permission_token`, `permission_token_error`, `pushed_authorization_request`, `pushed_authorization_request_error`, `refresh_token`, `refresh_token_error`, `register`, `register_error`, `register_node`, `register_node_error`, `remove_federated_identity`, `remove_federated_identity_error`, `remove_totp`, `remove_totp_error`, `reset_password`, `reset_password_error`, `restart_authentication`, `restart_authentication_error`, `revoke_grant`, `revoke_grant_error`, `send_identity_provider_link`, `send_identity_provider_link_error`, `send_reset_password`, `send_reset_password_error`, `send_verify_email`, `send_verify_email_error`, `token_exchange`, `token_exchange_error`, `unregister_node`, `unregister_node_error`, `update_consent`, `update_consent_error`, `update_email`, `update_email_error`, `update_password`, `update_password_error`, `update_profile`, `update_profile_error`, `update_totp`, `update_totp_error`, `user_disabled_by_permanent_lockout`, `user_disabled_by_permanent_lockout_error`, `user_disabled_by_temporary_lockout`, `user_disabled_by_temporary_lockout_error`, `user_info_request`, `user_info_request_error`, `validate_access_token`, `validate_access_token_error`, `verify_email`, `verify_email_error`, `verify_profile`, `verify_profile_error`
`spi-events-listener-email-include-events` A comma-separated list of events that should be sent via email to the user’s account. CLI: `--spi-events-listener-email-include-events` Env: `KC_SPI_EVENTS_LISTENER_EMAIL_INCLUDE_EVENTS`	`authreqid_to_token`, `authreqid_to_token_error`, `client_delete`, `client_delete_error`, `client_info`, `client_info_error`, `client_initiated_account_linking`, `client_initiated_account_linking_error`, `client_login`, `client_login_error`, `client_register`, `client_register_error`, `client_update`, `client_update_error`, `code_to_token`, `code_to_token_error`, `custom_required_action`, `custom_required_action_error`, `delete_account`, `delete_account_error`, `execute_action_token`, `execute_action_token_error`, `execute_actions`, `execute_actions_error`, `federated_identity_link`, `federated_identity_link_error`, `grant_consent`, `grant_consent_error`, `identity_provider_first_login`, `identity_provider_first_login_error`, `identity_provider_link_account`, `identity_provider_link_account_error`, `identity_provider_login`, `identity_provider_login_error`, `identity_provider_post_login`, `identity_provider_post_login_error`, `identity_provider_response`, `identity_provider_response_error`, `identity_provider_retrieve_token`, `identity_provider_retrieve_token_error`, `impersonate`, `impersonate_error`, `introspect_token`, `introspect_token_error`, `invalid_signature`, `invalid_signature_error`, `login`, `login_error`, `logout`, `logout_error`, `oauth2_device_auth`, `oauth2_device_auth_error`, `oauth2_device_code_to_token`, `oauth2_device_code_to_token_error`, `oauth2_device_verify_user_code`, `oauth2_device_verify_user_code_error`, `oauth2_extension_grant`, `oauth2_extension_grant_error`, `permission_token`, `permission_token_error`, `pushed_authorization_request`, `pushed_authorization_request_error`, `refresh_token`, `refresh_token_error`, `register`, `register_error`, `register_node`, `register_node_error`, `remove_federated_identity`, `remove_federated_identity_error`, `remove_totp`, `remove_totp_error`, `reset_password`, `reset_password_error`, `restart_authentication`, `restart_authentication_error`, `revoke_grant`, `revoke_grant_error`, `send_identity_provider_link`, `send_identity_provider_link_error`, `send_reset_password`, `send_reset_password_error`, `send_verify_email`, `send_verify_email_error`, `token_exchange`, `token_exchange_error`, `unregister_node`, `unregister_node_error`, `update_consent`, `update_consent_error`, `update_email`, `update_email_error`, `update_password`, `update_password_error`, `update_profile`, `update_profile_error`, `update_totp`, `update_totp_error`, `user_disabled_by_permanent_lockout`, `user_disabled_by_permanent_lockout_error`, `user_disabled_by_temporary_lockout`, `user_disabled_by_temporary_lockout_error`, `user_info_request`, `user_info_request_error`, `validate_access_token`, `validate_access_token_error`, `verify_email`, `verify_email_error`, `verify_profile`, `verify_profile_error`

spi-events-listener-email-exclude-events

A comma-separated list of events that should not be sent via email to the user’s account.

CLI: --spi-events-listener-email-exclude-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_EXCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

spi-events-listener-email-include-events

A comma-separated list of events that should be sent via email to the user’s account.

CLI: --spi-events-listener-email-include-events
Env: KC_SPI_EVENTS_LISTENER_EMAIL_INCLUDE_EVENTS

authreqid_to_token, authreqid_to_token_error, client_delete, client_delete_error, client_info, client_info_error, client_initiated_account_linking, client_initiated_account_linking_error, client_login, client_login_error, client_register, client_register_error, client_update, client_update_error, code_to_token, code_to_token_error, custom_required_action, custom_required_action_error, delete_account, delete_account_error, execute_action_token, execute_action_token_error, execute_actions, execute_actions_error, federated_identity_link, federated_identity_link_error, grant_consent, grant_consent_error, identity_provider_first_login, identity_provider_first_login_error, identity_provider_link_account, identity_provider_link_account_error, identity_provider_login, identity_provider_login_error, identity_provider_post_login, identity_provider_post_login_error, identity_provider_response, identity_provider_response_error, identity_provider_retrieve_token, identity_provider_retrieve_token_error, impersonate, impersonate_error, introspect_token, introspect_token_error, invalid_signature, invalid_signature_error, login, login_error, logout, logout_error, oauth2_device_auth, oauth2_device_auth_error, oauth2_device_code_to_token, oauth2_device_code_to_token_error, oauth2_device_verify_user_code, oauth2_device_verify_user_code_error, oauth2_extension_grant, oauth2_extension_grant_error, permission_token, permission_token_error, pushed_authorization_request, pushed_authorization_request_error, refresh_token, refresh_token_error, register, register_error, register_node, register_node_error, remove_federated_identity, remove_federated_identity_error, remove_totp, remove_totp_error, reset_password, reset_password_error, restart_authentication, restart_authentication_error, revoke_grant, revoke_grant_error, send_identity_provider_link, send_identity_provider_link_error, send_reset_password, send_reset_password_error, send_verify_email, send_verify_email_error, token_exchange, token_exchange_error, unregister_node, unregister_node_error, update_consent, update_consent_error, update_email, update_email_error, update_password, update_password_error, update_profile, update_profile_error, update_totp, update_totp_error, user_disabled_by_permanent_lockout, user_disabled_by_permanent_lockout_error, user_disabled_by_temporary_lockout, user_disabled_by_temporary_lockout_error, user_info_request, user_info_request_error, validate_access_token, validate_access_token_error, verify_email, verify_email_error, verify_profile, verify_profile_error

jboss-logging

Value

	Value
`spi-events-listener-jboss-logging-error-level` The log level for error messages. CLI: `--spi-events-listener-jboss-logging-error-level` Env: `KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL`	`debug`, `error`, `fatal`, `info`, `trace`, `warn` (default)
`spi-events-listener-jboss-logging-quotes` The quotes to use for values, it should be one character like " or '. Use "none" if quotes are not needed. CLI: `--spi-events-listener-jboss-logging-quotes` Env: `KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_QUOTES`	`"` (default) or any `string`
`spi-events-listener-jboss-logging-sanitize` If true the log messages are sanitized to avoid line breaks. If false messages are not sanitized. CLI: `--spi-events-listener-jboss-logging-sanitize` Env: `KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SANITIZE`	`true` (default), `false`
`spi-events-listener-jboss-logging-success-level` The log level for success messages. CLI: `--spi-events-listener-jboss-logging-success-level` Env: `KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL`	`debug` (default), `error`, `fatal`, `info`, `trace`, `warn`

spi-events-listener-jboss-logging-error-level

The log level for error messages.

CLI: --spi-events-listener-jboss-logging-error-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL

debug, error, fatal, info, trace, warn (default)

spi-events-listener-jboss-logging-quotes

The quotes to use for values, it should be one character like " or '.

Use "none" if quotes are not needed.

CLI: --spi-events-listener-jboss-logging-quotes
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_QUOTES

" (default) or any string

spi-events-listener-jboss-logging-sanitize

If true the log messages are sanitized to avoid line breaks.

If false messages are not sanitized.

CLI: --spi-events-listener-jboss-logging-sanitize
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SANITIZE

true (default), false

spi-events-listener-jboss-logging-success-level

The log level for success messages.

CLI: --spi-events-listener-jboss-logging-success-level
Env: KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL

debug (default), error, fatal, info, trace, warn

export

dir

Value

	Value
`spi-export-dir-dir` Directory to export to CLI: `--spi-export-dir-dir` Env: `KC_SPI_EXPORT_DIR_DIR`	any `string`
`spi-export-dir-realm-name` Realm to export CLI: `--spi-export-dir-realm-name` Env: `KC_SPI_EXPORT_DIR_REALM_NAME`	any `string`
`spi-export-dir-users-export-strategy` Users export strategy CLI: `--spi-export-dir-users-export-strategy` Env: `KC_SPI_EXPORT_DIR_USERS_EXPORT_STRATEGY`	`DIFFERENT_FILES` (default) or any `string`
`spi-export-dir-users-per-file` Users per exported file CLI: `--spi-export-dir-users-per-file` Env: `KC_SPI_EXPORT_DIR_USERS_PER_FILE`	`50` (default) or any `int`

spi-export-dir-dir

Directory to export to

CLI: --spi-export-dir-dir
Env: KC_SPI_EXPORT_DIR_DIR

any string

spi-export-dir-realm-name

Realm to export

CLI: --spi-export-dir-realm-name
Env: KC_SPI_EXPORT_DIR_REALM_NAME

any string

spi-export-dir-users-export-strategy

Users export strategy

CLI: --spi-export-dir-users-export-strategy
Env: KC_SPI_EXPORT_DIR_USERS_EXPORT_STRATEGY

DIFFERENT_FILES (default) or any string

spi-export-dir-users-per-file

Users per exported file

CLI: --spi-export-dir-users-per-file
Env: KC_SPI_EXPORT_DIR_USERS_PER_FILE

50 (default) or any int

single-file

Value

	Value
`spi-export-single-file-file` File to export to CLI: `--spi-export-single-file-file` Env: `KC_SPI_EXPORT_SINGLE_FILE_FILE`	any `string`
`spi-export-single-file-realm-name` Realm to export CLI: `--spi-export-single-file-realm-name` Env: `KC_SPI_EXPORT_SINGLE_FILE_REALM_NAME`	any `string`

spi-export-single-file-file

File to export to

CLI: --spi-export-single-file-file
Env: KC_SPI_EXPORT_SINGLE_FILE_FILE

any string

spi-export-single-file-realm-name

Realm to export

CLI: --spi-export-single-file-realm-name
Env: KC_SPI_EXPORT_SINGLE_FILE_REALM_NAME

any string

import

dir

Value

	Value
`spi-import-dir-dir` Directory to import from CLI: `--spi-import-dir-dir` Env: `KC_SPI_IMPORT_DIR_DIR`	any `string`
`spi-import-dir-realm-name` Realm to export CLI: `--spi-import-dir-realm-name` Env: `KC_SPI_IMPORT_DIR_REALM_NAME`	any `string`
`spi-import-dir-strategy` Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING CLI: `--spi-import-dir-strategy` Env: `KC_SPI_IMPORT_DIR_STRATEGY`	any `string`

spi-import-dir-dir

Directory to import from

CLI: --spi-import-dir-dir
Env: KC_SPI_IMPORT_DIR_DIR

any string

spi-import-dir-realm-name

Realm to export

CLI: --spi-import-dir-realm-name
Env: KC_SPI_IMPORT_DIR_REALM_NAME

any string

spi-import-dir-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-dir-strategy
Env: KC_SPI_IMPORT_DIR_STRATEGY

any string

single-file

Value

	Value
`spi-import-single-file-file` File to import from CLI: `--spi-import-single-file-file` Env: `KC_SPI_IMPORT_SINGLE_FILE_FILE`	any `string`
`spi-import-single-file-realm-name` Realm to export CLI: `--spi-import-single-file-realm-name` Env: `KC_SPI_IMPORT_SINGLE_FILE_REALM_NAME`	any `string`
`spi-import-single-file-strategy` Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING CLI: `--spi-import-single-file-strategy` Env: `KC_SPI_IMPORT_SINGLE_FILE_STRATEGY`	any `string`

spi-import-single-file-file

File to import from

CLI: --spi-import-single-file-file
Env: KC_SPI_IMPORT_SINGLE_FILE_FILE

any string

spi-import-single-file-realm-name

Realm to export

CLI: --spi-import-single-file-realm-name
Env: KC_SPI_IMPORT_SINGLE_FILE_REALM_NAME

any string

spi-import-single-file-strategy

Strategy for import: IGNORE_EXISTING, OVERWRITE_EXISTING

CLI: --spi-import-single-file-strategy
Env: KC_SPI_IMPORT_SINGLE_FILE_STRATEGY

any string

public-key-storage

infinispan

Value

	Value
`spi-public-key-storage-infinispan-max-cache-time` Maximum interval in seconds that keys are cached when they are retrieved via all keys methods. When all keys for the entry are retrieved there is no way to detect if a key is missing (different to the case when the key is retrieved via ID for example). In that situation this option forces a refresh from time to time. Default 24 hours. CLI: `--spi-public-key-storage-infinispan-max-cache-time` Env: `KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MAX_CACHE_TIME`	`86400` (default) or any `int`
`spi-public-key-storage-infinispan-min-time-between-requests` Minimum interval in seconds between two requests to retrieve the new public keys. The server will always try to download new public keys when a single key is requested and not found. However it will avoid the download if the previous refresh was done less than 10 seconds ago (by default). This behavior is used to avoid DoS attacks against the external keys endpoint. CLI: `--spi-public-key-storage-infinispan-min-time-between-requests` Env: `KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MIN_TIME_BETWEEN_REQUESTS`	`10` (default) or any `int`

spi-public-key-storage-infinispan-max-cache-time

Maximum interval in seconds that keys are cached when they are retrieved via all keys methods.

When all keys for the entry are retrieved there is no way to detect if a key is missing (different to the case when the key is retrieved via ID for example). In that situation this option forces a refresh from time to time. Default 24 hours.

CLI: --spi-public-key-storage-infinispan-max-cache-time
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MAX_CACHE_TIME

86400 (default) or any int

spi-public-key-storage-infinispan-min-time-between-requests

Minimum interval in seconds between two requests to retrieve the new public keys.

The server will always try to download new public keys when a single key is requested and not found. However it will avoid the download if the previous refresh was done less than 10 seconds ago (by default). This behavior is used to avoid DoS attacks against the external keys endpoint.

CLI: --spi-public-key-storage-infinispan-min-time-between-requests
Env: KC_SPI_PUBLIC_KEY_STORAGE_INFINISPAN_MIN_TIME_BETWEEN_REQUESTS

10 (default) or any int

resource-encoding

gzip

Value

	Value
`spi-resource-encoding-gzip-excluded-content-types` A space separated list of content-types to exclude from encoding. CLI: `--spi-resource-encoding-gzip-excluded-content-types` Env: `KC_SPI_RESOURCE_ENCODING_GZIP_EXCLUDED_CONTENT_TYPES`	`image/png image/jpeg` (default) or any `string`

spi-resource-encoding-gzip-excluded-content-types

A space separated list of content-types to exclude from encoding.

CLI: --spi-resource-encoding-gzip-excluded-content-types
Env: KC_SPI_RESOURCE_ENCODING_GZIP_EXCLUDED_CONTENT_TYPES

image/png image/jpeg (default) or any string

sticky-session-encoder

infinispan

Value

	Value
`spi-sticky-session-encoder-infinispan-should-attach-route` If the route should be attached to cookies to reflect the node that owns a particular session. CLI: `--spi-sticky-session-encoder-infinispan-should-attach-route` Env: `KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE`	`true` (default), `false`

spi-sticky-session-encoder-infinispan-should-attach-route

If the route should be attached to cookies to reflect the node that owns a particular session.

CLI: --spi-sticky-session-encoder-infinispan-should-attach-route
Env: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE

true (default), false

truststore

file

Value

	Value
`spi-truststore-file-file` DEPRECATED: The file path of the trust store from where the certificates are going to be read from to validate TLS connections. CLI: `--spi-truststore-file-file` Env: `KC_SPI_TRUSTSTORE_FILE_FILE`	any `string`
`spi-truststore-file-hostname-verification-policy` DEPRECATED: The hostname verification policy. CLI: `--spi-truststore-file-hostname-verification-policy` Env: `KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY`	`any`, `wildcard` (default), `strict`
`spi-truststore-file-password` DEPRECATED: The trust store password. CLI: `--spi-truststore-file-password` Env: `KC_SPI_TRUSTSTORE_FILE_PASSWORD`	any `string`
`spi-truststore-file-type` DEPRECATED: Type of the truststore. If not provided, the type would be detected based on the truststore file extension or platform default type. CLI: `--spi-truststore-file-type` Env: `KC_SPI_TRUSTSTORE_FILE_TYPE`	any `string`

spi-truststore-file-file

DEPRECATED: The file path of the trust store from where the certificates are going to be read from to validate TLS connections.

CLI: --spi-truststore-file-file
Env: KC_SPI_TRUSTSTORE_FILE_FILE

any string

spi-truststore-file-hostname-verification-policy

DEPRECATED: The hostname verification policy.

CLI: --spi-truststore-file-hostname-verification-policy
Env: KC_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY

any, wildcard (default), strict

spi-truststore-file-password

DEPRECATED: The trust store password.

CLI: --spi-truststore-file-password
Env: KC_SPI_TRUSTSTORE_FILE_PASSWORD

any string

spi-truststore-file-type

DEPRECATED: Type of the truststore.

If not provided, the type would be detected based on the truststore file extension or platform default type.

CLI: --spi-truststore-file-type
Env: KC_SPI_TRUSTSTORE_FILE_TYPE

any string

user-profile

declarative-user-profile

Value

	Value
`spi-user-profile-declarative-user-profile-admin-read-only-attributes` Array of regular expressions to identify fields that should be treated read-only so administrators can’t change them. CLI: `--spi-user-profile-declarative-user-profile-admin-read-only-attributes` Env: `KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_ADMIN_READ_ONLY_ATTRIBUTES`	any `MultivaluedString`
`spi-user-profile-declarative-user-profile-max-email-local-part-length` To set user profile max email local part length CLI: `--spi-user-profile-declarative-user-profile-max-email-local-part-length` Env: `KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_MAX_EMAIL_LOCAL_PART_LENGTH`	any `String`
`spi-user-profile-declarative-user-profile-read-only-attributes` Array of regular expressions to identify fields that should be treated read-only so users can’t change them. CLI: `--spi-user-profile-declarative-user-profile-read-only-attributes` Env: `KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES`	any `MultivaluedString`

spi-user-profile-declarative-user-profile-admin-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so administrators can’t change them.

CLI: --spi-user-profile-declarative-user-profile-admin-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_ADMIN_READ_ONLY_ATTRIBUTES

any MultivaluedString

spi-user-profile-declarative-user-profile-max-email-local-part-length

To set user profile max email local part length

CLI: --spi-user-profile-declarative-user-profile-max-email-local-part-length
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_MAX_EMAIL_LOCAL_PART_LENGTH

any String

spi-user-profile-declarative-user-profile-read-only-attributes

Array of regular expressions to identify fields that should be treated read-only so users can’t change them.

CLI: --spi-user-profile-declarative-user-profile-read-only-attributes
Env: KC_SPI_USER_PROFILE_DECLARATIVE_USER_PROFILE_READ_ONLY_ATTRIBUTES

any MultivaluedString

well-known

openid-configuration

Value

	Value
`spi-well-known-openid-configuration-include-client-scopes` If client scopes should be used to calculate the list of supported scopes. CLI: `--spi-well-known-openid-configuration-include-client-scopes` Env: `KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_INCLUDE_CLIENT_SCOPES`	`true` (default), `false`
`spi-well-known-openid-configuration-openid-configuration-override` The file path from where the metadata should be loaded from. You can use an absolute file path or, if the file is in the server classpath, use the `classpath:` prefix to load the file from the classpath. CLI: `--spi-well-known-openid-configuration-openid-configuration-override` Env: `KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_OPENID_CONFIGURATION_OVERRIDE`	any `string`

spi-well-known-openid-configuration-include-client-scopes

If client scopes should be used to calculate the list of supported scopes.

CLI: --spi-well-known-openid-configuration-include-client-scopes
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_INCLUDE_CLIENT_SCOPES

true (default), false

spi-well-known-openid-configuration-openid-configuration-override

The file path from where the metadata should be loaded from.

You can use an absolute file path or, if the file is in the server classpath, use the classpath: prefix to load the file from the classpath.

CLI: --spi-well-known-openid-configuration-openid-configuration-override
Env: KC_SPI_WELL_KNOWN_OPENID_CONFIGURATION_OPENID_CONFIGURATION_OVERRIDE

any string