Identity Configuration | Contexa Docs

Auth Context Properties

AuthContextProperties is bound to the spring.auth prefix. It controls authentication state selection, token transport, token issuer mode, URL groups, MFA runtime defaults, and token lifecycle.

Core Authentication Settings

Property	Type	Default	Description
`spring.auth.state-type`	`StateType`	`OAUTH2`	Selects the default state mode. Current enum values are `OAUTH2` and `SESSION`.
`spring.auth.token-transport-type`	`TokenTransportType`	`HEADER`	Controls how tokens are transported. Current enum values are `COOKIE`, `HEADER`, and `HEADER_COOKIE`.
`spring.auth.token-issuer`	`TokenIssuer`	`INTERNAL`	Selects whether Contexa issues tokens itself or expects an external authorization server. Current enum values are `INTERNAL` and `AUTHORIZATION_SERVER`.
`spring.auth.factor-selection-type`	`FactorSelectionType`	`SELECT`	Controls whether MFA factor choice is explicitly presented or automatically selected. Current enum values are `AUTO` and `SELECT`.
`spring.auth.access-token-validity`	`long`	`3600000`	Access token validity in milliseconds.
`spring.auth.refresh-token-validity`	`long`	`604800000`	Refresh token validity in milliseconds.
`spring.auth.refresh-rotate-threshold`	`long`	`43200000`	Threshold after which refresh-token rotation is triggered on use.
`spring.auth.enable-refresh-token`	`boolean`	`true`	Enables refresh token issuance.
`spring.auth.allow-multiple-logins`	`boolean`	`false`	Allows multiple concurrent active logins for the same principal.
`spring.auth.max-concurrent-logins`	`int`	`3`	Concurrent login ceiling when multiple logins are allowed.
`spring.auth.cookie-secure`	`boolean`	`true`	Marks authentication cookies as secure by default.
`spring.auth.token-persistence`	`String`	`memory`	Frontend token persistence mode passed to login and MFA pages. Current OSS client modes are `memory`, `localstorage`, and `sessionstorage`.
`spring.auth.token-prefix`	`String`	`Bearer`	Authorization header prefix.
`spring.auth.roles-claim`	`String`	`roles`	JWT claim name used for roles.
`spring.auth.scopes-claim`	`String`	`scopes`	JWT claim name used for scopes.
`spring.auth.oauth2-csrf`	`boolean`	`false`	Toggles CSRF protection for OAuth2-oriented endpoints.

YAML

spring:
  auth:
    state-type: oauth2
    token-transport-type: header
    token-issuer: internal
    factor-selection-type: select
    access-token-validity: 3600000
    refresh-token-validity: 604800000
    refresh-rotate-threshold: 43200000
    enable-refresh-token: true
    allow-multiple-logins: false
    max-concurrent-logins: 3
    cookie-secure: true
    token-persistence: memory
    token-prefix: "Bearer "
    roles-claim: roles
    scopes-claim: scopes
    oauth2-csrf: false

Related runtime references: Authentication, Adaptive MFA, and State Management.

URL Configuration Groups

spring.auth.urls is consumed by AuthUrlProvider. For MFA flows, MfaFlowUrlRegistry creates per-flow providers so named flows can safely apply custom prefixes without mutating shared global state.

Single Authentication URLs

Property	Default	Description
`spring.auth.urls.single.form-login-processing`	`/login`	Default processing endpoint for non-MFA form login.
`spring.auth.urls.single.form-login-page`	`/login`	Default page for non-MFA form login.
`spring.auth.urls.single.rest-login-processing`	`/api/login`	Default processing endpoint for non-MFA REST login.
`spring.auth.urls.single.login-failure`	`/login?error`	Failure redirect for non-MFA flows.
`spring.auth.urls.single.login-success`	`/`	Success redirect for non-MFA flows.
`spring.auth.urls.single.logout-page`	`/logout`	Logout page for single-factor flows.
`spring.auth.urls.single.ott.request-email`	`/login/ott`	Single-factor OTT request page.
`spring.auth.urls.single.ott.code-generation`	`/ott/generate`	Single-factor OTT code generation endpoint.
`spring.auth.urls.single.ott.code-sent`	`/login/ott/sent`	Single-factor OTT sent page.
`spring.auth.urls.single.ott.challenge`	`/login/ott/verify`	Single-factor OTT verification page.
`spring.auth.urls.single.ott.login-processing`	`/login/ott`	Single-factor OTT verification endpoint.
`spring.auth.urls.single.ott.login-failure`	`/login/ott?error`	Single-factor OTT failure page.
`spring.auth.urls.single.passkey.login-page`	`/login/webauthn`	Single-factor passkey login page.
`spring.auth.urls.single.passkey.login-processing`	`/login/webauthn`	Single-factor passkey verification endpoint.
`spring.auth.urls.single.passkey.login-failure`	`/login/webauthn?error`	Single-factor passkey failure page.
`spring.auth.urls.single.passkey.assertion-options`	`/webauthn/authenticate/options`	Passkey assertion options endpoint.
`spring.auth.urls.single.passkey.registration-options`	`/webauthn/register/options`	Passkey registration options endpoint.
`spring.auth.urls.single.passkey.registration-processing`	`/webauthn/register`	Passkey registration processing endpoint.

MFA URL Groups

Property	Default	Description
`spring.auth.urls.primary.form-login-processing`	`/mfa/login`	Primary form-processing URL used inside MFA flows.
`spring.auth.urls.primary.form-login-page`	`/mfa/login`	Primary form page used inside MFA flows.
`spring.auth.urls.primary.rest-login-processing`	`/api/mfa/login`	Primary REST login endpoint used inside MFA flows.
`spring.auth.urls.primary.login-failure`	`/login?error`	Primary failure redirect.
`spring.auth.urls.primary.login-success`	`/`	Primary success redirect.
`spring.auth.urls.primary.logout-page`	`/logout`	Primary logout page.
`spring.auth.urls.mfa.select-factor`	`/mfa/select-factor`	MFA factor selection page.
`spring.auth.urls.mfa.success`	`/mfa/success`	MFA success page.
`spring.auth.urls.mfa.failure`	`/mfa/failure`	MFA failure page.
`spring.auth.urls.mfa.cancel`	`/mfa/cancel`	MFA cancellation endpoint/page.
`spring.auth.urls.mfa.status`	`/mfa/status`	MFA status endpoint.
`spring.auth.urls.mfa.request-ott-code`	`/mfa/request-ott-code`	OTT code request endpoint.
`spring.auth.urls.mfa.config`	`/api/mfa/config`	MFA config endpoint used by the page generator and client code.
`spring.auth.urls.factors.ott.request-code-ui`	`/mfa/ott/request-code-ui`	OTT request page.
`spring.auth.urls.factors.ott.code-generation`	`/mfa/ott/generate-code`	OTT code generation endpoint.
`spring.auth.urls.factors.ott.code-sent`	`/mfa/ott/code-sent`	OTT code-sent page.
`spring.auth.urls.factors.ott.challenge-ui`	`/mfa/challenge/ott`	OTT challenge page.
`spring.auth.urls.factors.ott.login-processing`	`/login/mfa-ott`	OTT login-processing endpoint.
`spring.auth.urls.factors.ott.default-failure`	`/mfa/challenge/ott?error=true`	Default OTT failure redirect.
`spring.auth.urls.factors.ott.single-ott-request-email`	`/loginOtt`	Legacy single-OTT request page path retained by `OttUrls`.
`spring.auth.urls.factors.ott.single-ott-code-generation`	`/login/ott/generate`	Legacy single-OTT generation path retained by `OttUrls`.
`spring.auth.urls.factors.ott.single-ott-challenge`	`/loginOttVerifyCode`	Legacy single-OTT challenge path retained by `OttUrls`.
`spring.auth.urls.factors.ott.single-ott-sent`	`/ott/sent`	Legacy single-OTT sent page path retained by `OttUrls`.
`spring.auth.urls.factors.passkey.rp-id`	`localhost`	Default passkey relying-party ID.
`spring.auth.urls.factors.passkey.rp-name`	`contexa-identity`	Default passkey relying-party name.
`spring.auth.urls.factors.passkey.allowed-origins`	`null`	Comma-separated allowed origins. When unset, the passkey builder falls back to `http://localhost:{server.port}`.
`spring.auth.urls.factors.passkey.login-processing`	`/login/mfa-webauthn`	Passkey authentication endpoint for MFA mode.
`spring.auth.urls.factors.passkey.challenge-ui`	`/mfa/challenge/passkey`	Passkey challenge page.
`spring.auth.urls.factors.passkey.registration-processing`	`/webauthn/register`	Passkey registration endpoint.
`spring.auth.urls.factors.passkey.assertion-options`	`/webauthn/authenticate/options`	Passkey assertion options endpoint.
`spring.auth.urls.factors.passkey.registration-options`	`/webauthn/register/options`	Passkey registration options endpoint.
`spring.auth.urls.factors.recovery-code-login-processing`	`/login/recovery/verify`	Recovery-code verification endpoint.
`spring.auth.urls.factors.recovery-code-challenge-ui`	`/mfa/challenge/recovery`	Recovery-code challenge page.

Runtime consumers: AuthUrlProvider resolves these paths, while MfaFlowUrlRegistry creates per-flow providers so named MFA flows can safely use different prefixes.

Token Issuer Settings

spring.auth.internal and spring.auth.oauth2 hold the two token-issuer configurations selected by spring.auth.token-issuer.

Internal JWT Endpoints

Property	Default	Description
`spring.auth.internal.login-uri`	`/api/login`	Internal JWT login endpoint.
`spring.auth.internal.logout-uri`	`/logout`	Internal logout endpoint.
`spring.auth.internal.refresh-uri`	`/api/refresh`	Internal refresh endpoint.

OAuth2 / Authorization-Server Settings

Property	Default	Description
`spring.auth.oauth2.client-id`	`default-client`	OAuth2 client identifier.
`spring.auth.oauth2.client-secret`	`173f8245-5f7d-4623-a612-aa0c68f6da4a`	Default client secret declared by `OAuth2TokenSettings`. Override it in real deployments.
`spring.auth.oauth2.issuer-uri`	`http://localhost:9000`	Issuer base URI.
`spring.auth.oauth2.token-endpoint`	`/oauth2/token`	Token endpoint path.
`spring.auth.oauth2.scope`	`read`	Default scope requested by the runtime.
`spring.auth.oauth2.redirect-uri`	`http://localhost:8080`	Post-authorization redirect URI.
`spring.auth.oauth2.authorized-uri`	`null`	Optional post-authorization redirect override.
`spring.auth.oauth2.jwk-key-store-path`	`null`	Path to the JWK keystore.
`spring.auth.oauth2.jwk-key-store-password`	`null`	Keystore password.
`spring.auth.oauth2.jwk-key-alias`	`null`	Key alias inside the keystore.
`spring.auth.oauth2.jwk-key-password`	`null`	Key password override.

YAML

spring:
  auth:
    token-issuer: authorization_server
    internal:
      login-uri: /api/login
      logout-uri: /logout
      refresh-uri: /api/refresh
    oauth2:
      client-id: default-client
      client-secret: replace-me
      issuer-uri: http://localhost:9000
      token-endpoint: /oauth2/token
      scope: read
      redirect-uri: http://localhost:8080

MFA Runtime Settings

spring.auth.mfa is bound to MfaSettings. It controls challenge lifecycles, retry policy, repository selection, factor delivery defaults, and diagnostics. These defaults are consumed by MFA filters, handlers, and state-machine-aware request handling code.

Property	Type	Default	Description
`spring.auth.mfa.session-timeout-ms`	`long`	`600000`	Overall MFA session timeout.
`spring.auth.mfa.challenge-timeout-ms`	`long`	`300000`	Per-challenge timeout window.
`spring.auth.mfa.inactivity-timeout`	`long`	`900000`	Idle-time cutoff for MFA state.
`spring.auth.mfa.cache-ttl`	`long`	`300000`	TTL for MFA runtime cache entries.
`spring.auth.mfa.session-refresh-interval-ms`	`long`	`30000`	Refresh cadence for active MFA sessions.
`spring.auth.mfa.state-machine-timeout-ms`	`long`	`10000`	Timeout budget for state-machine-aware MFA handlers.
`spring.auth.mfa.max-retry-attempts`	`int`	`5`	Maximum verification retries before lockout logic applies.
`spring.auth.mfa.account-lockout-duration-ms`	`long`	`900000`	Duration of MFA lockout after retry exhaustion.
`spring.auth.mfa.minimum-delay-ms`	`long`	`500`	Minimum timing floor used to reduce response timing variance.
`spring.auth.mfa.device-remember-duration-ms`	`long`	`2592000000`	Remember-device duration.
`spring.auth.mfa.otp-token-validity-seconds`	`int`	`300`	OTP validity window.
`spring.auth.mfa.otp-token-length`	`int`	`6`	OTP code length.
`spring.auth.mfa.sms-resend-interval-seconds`	`int`	`60`	SMS resend throttle.
`spring.auth.mfa.email-resend-interval-seconds`	`int`	`120`	Email resend throttle.
`spring.auth.mfa.state-machine-pool-size`	`int`	`100`	Legacy MFA state-machine pool size setting preserved by `MfaSettings`.
`spring.auth.mfa.state-machine-cache-ttl-ms`	`long`	`300000`	Legacy MFA state-machine cache TTL preserved by `MfaSettings`.
`spring.auth.mfa.circuit-breaker-failure-threshold`	`int`	`5`	Failure threshold before the MFA circuit breaker opens.
`spring.auth.mfa.circuit-breaker-timeout-seconds`	`int`	`30`	Open-state timeout for the MFA circuit breaker.
`spring.auth.mfa.detailed-logging-enabled`	`boolean`	`false`	Enables verbose MFA diagnostics.
`spring.auth.mfa.metrics-enabled`	`boolean`	`true`	Enables MFA metrics.
`spring.auth.mfa.audit-logging-enabled`	`boolean`	`true`	Enables MFA audit logging.
`spring.auth.mfa.session-storage-type`	`String`	`http-session`	Primary MFA session repository label.
`spring.auth.mfa.auto-select-repository`	`boolean`	`false`	Enables automatic repository selection.
`spring.auth.mfa.repository-priority`	`String`	`redis,memory,http-session`	Repository priority order string.
`spring.auth.mfa.fallback-repository-type`	`String`	`http-session`	Fallback repository label.

MFA Repository Settings

Property	Default	Description
`spring.auth.mfa.http-session.enabled`	`true`	Enables the HTTP-session-backed MFA repository.
`spring.auth.mfa.http-session.create-session-if-not-exists`	`true`	Creates an HTTP session on demand.
`spring.auth.mfa.http-session.session-attribute-name`	`MFA_SESSION_ID`	Attribute name used to store the MFA session identifier.
`spring.auth.mfa.redis.enabled`	`true`	Enables the Redis-backed MFA repository.
`spring.auth.mfa.redis.key-prefix`	`mfa:session:`	Redis key prefix for MFA sessions.
`spring.auth.mfa.redis.cookie-name`	`MFA_SID`	Cookie carrying the Redis-backed MFA session identifier.
`spring.auth.mfa.redis.secure-cookie`	`true`	Marks the MFA session cookie as secure.
`spring.auth.mfa.redis.http-only-cookie`	`true`	Marks the MFA session cookie as HTTP-only.
`spring.auth.mfa.redis.same-site`	`Strict`	SameSite cookie attribute.
`spring.auth.mfa.redis.connection-timeout`	`3000`	Redis connection timeout.
`spring.auth.mfa.redis.max-retries`	`3`	Redis retry limit.
`spring.auth.mfa.memory.enabled`	`true`	Enables the in-memory MFA repository.
`spring.auth.mfa.memory.cleanup-interval-minutes`	`5`	Cleanup interval for in-memory MFA sessions.
`spring.auth.mfa.memory.max-sessions`	`10000`	Maximum number of in-memory MFA sessions.
`spring.auth.mfa.memory.enable-metrics`	`true`	Enables repository metrics for the in-memory backend.

MFA Factor Settings

Property	Default	Description
`spring.auth.mfa.sms-factor.provider`	`default`	SMS provider identifier.
`spring.auth.mfa.sms-factor.template-id`	`mfa_sms_template`	SMS template identifier.
`spring.auth.mfa.sms-factor.max-daily-attempts`	`10`	Daily SMS delivery cap.
`spring.auth.mfa.sms-factor.enabled`	`true`	Enables SMS MFA factor support.
`spring.auth.mfa.email-factor.from-address`	`noreply@company.com`	Sender address for email OTP messages.
`spring.auth.mfa.email-factor.template-id`	`mfa_email_template`	Email template identifier.
`spring.auth.mfa.email-factor.max-daily-attempts`	`5`	Daily email delivery cap.
`spring.auth.mfa.email-factor.enabled`	`true`	Enables email MFA factor support.

YAML

spring:
  auth:
    mfa:
      session-timeout-ms: 600000
      challenge-timeout-ms: 300000
      max-retry-attempts: 5
      repository-priority: redis,memory,http-session
      redis:
        enabled: true
        key-prefix: mfa:session:
        cookie-name: MFA_SID
      memory:
        enabled: true
        max-sessions: 10000
      sms-factor:
        enabled: true
        provider: default
      email-factor:
        enabled: true
        from-address: noreply@company.com

State Machine Properties

StateMachineProperties is bound to contexa.identity.statemachine. It controls the MFA state machine runtime used by the identity module and related filters and handlers.

Core State Machine Settings

Property	Type	Default	Description
`contexa.identity.statemachine.enabled`	`boolean`	`true`	Master switch for the MFA state machine runtime.
`contexa.identity.statemachine.operation-timeout-seconds`	`int`	`10`	Timeout budget for state machine operations.
`contexa.identity.statemachine.circuit-breaker.failure-threshold`	`int`	`5`	Failure threshold before the circuit breaker opens.
`contexa.identity.statemachine.circuit-breaker.timeout-seconds`	`int`	`30`	Open-state timeout for the circuit breaker.
`contexa.identity.statemachine.circuit-breaker.half-open-requests`	`int`	`3`	Requests allowed while half-open.

Pool, Persistence, Cache, and Events

Property	Default	Description
`contexa.identity.statemachine.pool.core-size`	`10`	Core state-machine executor size.
`contexa.identity.statemachine.pool.max-size`	`50`	Maximum state-machine executor size.
`contexa.identity.statemachine.pool.keep-alive-time`	`10`	Keep-alive time for pooled workers.
`contexa.identity.statemachine.pool.expansion-threshold`	`0.8`	Expansion threshold for worker scaling.
`contexa.identity.statemachine.pool.shrink-threshold`	`0.2`	Shrink threshold for worker scaling.
`contexa.identity.statemachine.persistence.type`	`memory`	Persistence backend label.
`contexa.identity.statemachine.persistence.enable-fallback`	`true`	Enables fallback persistence.
`contexa.identity.statemachine.persistence.ttl-minutes`	`30`	Persistence TTL in minutes.
`contexa.identity.statemachine.persistence.enable-compression`	`true`	Enables compressed persistence payloads.
`contexa.identity.statemachine.persistence.compression-threshold`	`1024`	Compression threshold in bytes.
`contexa.identity.statemachine.cache.max-size`	`1000`	In-memory cache size for state-machine snapshots.
`contexa.identity.statemachine.cache.ttl-minutes`	`5`	Cache TTL in minutes.
`contexa.identity.statemachine.cache.enable-warmup`	`false`	Enables cache warmup on startup.
`contexa.identity.statemachine.events.enabled`	`true`	Enables state-machine event publishing.
`contexa.identity.statemachine.events.type`	`local`	Event transport type.
`contexa.identity.statemachine.events.batch-size`	`100`	Event batch size.
`contexa.identity.statemachine.events.batch-interval-ms`	`100`	Event batch interval.
`contexa.identity.statemachine.events.backpressure-threshold`	`1000`	Backpressure threshold.

MFA, Redis, and Distributed Lock

Property	Default	Description
`contexa.identity.statemachine.mfa.enable-metrics`	`true`	Enables state-machine MFA metrics.
`contexa.identity.statemachine.mfa.max-retries`	`3`	Retry ceiling used by the state machine.
`contexa.identity.statemachine.mfa.session-timeout-minutes`	`30`	Session timeout in minutes.
`contexa.identity.statemachine.mfa.max-concurrent-sessions`	`1000`	Concurrent state-machine session ceiling.
`contexa.identity.statemachine.mfa.transition-timeout-seconds`	`30`	Transition timeout per state change.
`contexa.identity.statemachine.redis.enabled`	`false`	Enables Redis-backed state-machine storage.
`contexa.identity.statemachine.redis.ttl-minutes`	`30`	Redis TTL in minutes.
`contexa.identity.statemachine.redis.key-prefix`	`mfa:statemachine:`	Redis key prefix for state-machine entries.
`contexa.identity.statemachine.redis.connection-timeout-ms`	`2000`	Redis connection timeout.
`contexa.identity.statemachine.redis.command-timeout-ms`	`1000`	Redis command timeout.
`contexa.identity.statemachine.distributed-lock.enabled`	`true`	Enables distributed locking around state transitions.
`contexa.identity.statemachine.distributed-lock.timeout-seconds`	`10`	Distributed lock timeout.
`contexa.identity.statemachine.distributed-lock.max-retry-attempts`	`3`	Retry ceiling for lock acquisition.
`contexa.identity.statemachine.distributed-lock.retry-interval-ms`	`100`	Retry interval for lock acquisition.
`contexa.identity.statemachine.distributed-lock.enable-deadlock-detection`	`true`	Enables deadlock detection for distributed locking.

YAML

contexa:
  identity:
    statemachine:
      enabled: true
      operation-timeout-seconds: 10
      pool:
        core-size: 10
        max-size: 50
      persistence:
        type: memory
        ttl-minutes: 30
      events:
        enabled: true
        type: local
      mfa:
        max-retries: 3
        session-timeout-minutes: 30
      distributed-lock:
        enabled: true
        timeout-seconds: 10

Related runtime references: Identity DSL, Authentication, Adaptive MFA, and State Management.

Bridge Properties

BridgeProperties is bound to contexa.bridge. It controls the bridge layer that maps user, authority, delegation, and session information bidirectionally between an external (legacy) authentication system and Contexa. The properties define SecurityContext extraction keys, session attribute candidates, request-attribute keys, HTTP header names, sync policy, and the trusted-proxy list.

Bridge Core Toggles

Property	Type	Default	Description
`contexa.bridge.enabled`	`boolean`	`true`	Master switch for the entire bridge layer.
`contexa.bridge.populate-security-context`	`boolean`	`true`	Whether to populate Spring SecurityContext from the external principal.

Synchronization (Sync)

Property	Type	Default	Description
`contexa.bridge.sync.enabled`	`boolean`	`true`	Enables periodic synchronization of external user information.
`contexa.bridge.sync.min-refresh-interval-seconds`	`long`	`60`	Minimum seconds between sync calls for the same principal — acts as a throttle.
`contexa.bridge.sync.synthetic-email-domain`	`String`	`shadow.contexa.local`	Domain suffix used to synthesize an email address when none is provided externally.

Trusted Proxies (Network)

Property	Type	Default	Description
`contexa.bridge.network.trusted-proxy-validation-enabled`	`boolean`	`true`	Whether to validate the reverse-proxy origin before trusting `X-Forwarded-*` headers.
`contexa.bridge.network.trusted-proxies`	`List<String>`	`[] (empty list)`	Trusted reverse-proxy IPs or CIDR ranges. When empty, headers are not trusted even if validation is enabled.

Authentication SecurityContext Keys

Properties under contexa.bridge.authentication.security-context, bound to Authentication.SecurityContext. Defines the candidate keys used to extract display name, principal type, authentication method, assurance level, MFA state, authentication time, and additional attributes from the external token's claims/attributes. The first matching key wins.

Property	Type	Default	Description
`contexa.bridge.authentication.security-context.enabled`	`boolean`	`true`	Enables SecurityContext extraction.
`contexa.bridge.authentication.security-context.display-name-keys`	`List<String>`	`[displayName, name, fullName, userName, username, preferred_username]`	Candidate keys used to extract the display name.
`contexa.bridge.authentication.security-context.principal-type-keys`	`List<String>`	`[principalType, userType, actorType, token_use]`	Candidate keys used to extract the principal type (user / service / agent, etc.).
`contexa.bridge.authentication.security-context.authentication-type-keys`	`List<String>`	`[authenticationType, authMethod, loginMethod, method, factorType]`	Candidate keys used to extract the authentication method.
`contexa.bridge.authentication.security-context.authentication-assurance-keys`	`List<String>`	`[authenticationAssurance, authLevel, loa, acr]`	Candidate keys used to extract the authentication assurance level (LoA/ACR).
`contexa.bridge.authentication.security-context.mfa-keys`	`List<String>`	`[mfa, mfaVerified, mfaCompleted, secondFactorVerified, amr]`	Candidate keys used to extract MFA-completion state.
`contexa.bridge.authentication.security-context.auth-time-keys`	`List<String>`	`[authenticationTime, authenticatedAt, loginTime, issuedAt, auth_time, iat]`	Candidate keys used to extract the authentication time.
`contexa.bridge.authentication.security-context.attribute-keys`	`List<String>`	`[organizationId, orgId, tenantId, department, team, email, loginIp, authenticationType, authenticationAssurance, mfaVerified, mfaCompleted, authenticatedAt, loginTime, iss, aud, azp, scope, scp, amr, acr]`	Additional attribute keys preserved in the SecurityContext (20 entries by default).

Authentication Session Keys

Properties under contexa.bridge.authentication.session, bound to the shared Bridge.Session class. When an external system stores the authenticated user object as an HTTP session attribute, these keys define which attribute names to try and which keys to use to extract principal id, display name, authorities, authentication method, MFA state, authentication time, and additional attributes from that object.

Property	Type	Default	Description
`contexa.bridge.authentication.session.enabled`	`boolean`	`true`	Enables HTTP-session-based user extraction.
`contexa.bridge.authentication.session.attribute`	`String`	`"" (empty)`	Explicit session-attribute name where the user object is stored. When empty and `auto-discover` is true, the candidate list is tried.
`contexa.bridge.authentication.session.attribute-candidates`	`List<String>`	`[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]`	Candidate attribute names tried in auto-discover mode.
`contexa.bridge.authentication.session.auto-discover`	`boolean`	`true`	Whether to walk the candidate-attribute list automatically.
`contexa.bridge.authentication.session.object-type-name`	`String`	`"" (empty)`	Optional fully-qualified class name the discovered object must match.
`contexa.bridge.authentication.session.principal-id-keys`	`List<String>`	`[userId, username, id, loginId, email]`	Candidate keys used to extract the principal identifier from the session object.
`contexa.bridge.authentication.session.display-name-keys`	`List<String>`	`[displayName, name, fullName, userName, preferred_username]`	Candidate keys used to extract the display name.
`contexa.bridge.authentication.session.authorities-keys`	`List<String>`	`[roles, authorities, permissions, scopes]`	Candidate keys used to extract authorities, roles, or scopes.
`contexa.bridge.authentication.session.authentication-type-keys`	`List<String>`	`[authenticationType, authMethod, loginMethod]`	Candidate keys used to extract the authentication method.
`contexa.bridge.authentication.session.authentication-assurance-keys`	`List<String>`	`[authenticationAssurance, authLevel, loa]`	Candidate keys used to extract the authentication assurance level.
`contexa.bridge.authentication.session.mfa-keys`	`List<String>`	`[mfa, mfaVerified, mfa_verified]`	Candidate keys used to extract MFA-completion state.
`contexa.bridge.authentication.session.auth-time-keys`	`List<String>`	`[authenticationTime, authenticatedAt, loginTime]`	Candidate keys used to extract the authentication time.
`contexa.bridge.authentication.session.attribute-keys`	`List<String>`	`[department, organizationId, orgId, authMethod, loginIp, loginTime]`	Additional attribute keys preserved in the SecurityContext.

Authentication RequestAttributes Keys

Properties under contexa.bridge.authentication.request-attributes, bound to the shared Bridge.RequestAttributes class. Defines which attribute candidates to try when an external filter stores the user object on HttpServletRequest, which keys to read from that object, and which flat key names Contexa uses when re-exposing values back as request attributes.

Discovery / Extraction (13 shared)

Property	Type	Default	Description
`contexa.bridge.authentication.request-attributes.enabled`	`boolean`	`true`	Enables request-attribute-based user extraction.
`contexa.bridge.authentication.request-attributes.attribute`	`String`	`"" (empty)`	Explicit request-attribute name where the user object is stored.
`contexa.bridge.authentication.request-attributes.attribute-candidates`	`List<String>`	`[currentUser, authenticatedUser, requestUser, principal, user, authenticatedPrincipal, authUser]`	Candidate attribute names tried in auto-discover mode.
`contexa.bridge.authentication.request-attributes.auto-discover`	`boolean`	`true`	Whether to walk the candidate-attribute list automatically.
`contexa.bridge.authentication.request-attributes.object-type-name`	`String`	`"" (empty)`	Optional fully-qualified class name the discovered object must match.
`contexa.bridge.authentication.request-attributes.principal-id-keys`	`List<String>`	`[userId, username, id, loginId, email]`	Candidate keys used to extract the principal identifier.
`contexa.bridge.authentication.request-attributes.display-name-keys`	`List<String>`	`[displayName, name, fullName, userName, preferred_username]`	Candidate keys used to extract the display name.
`contexa.bridge.authentication.request-attributes.authorities-keys`	`List<String>`	`[roles, authorities, permissions, scopes]`	Candidate keys used to extract authorities, roles, or scopes.
`contexa.bridge.authentication.request-attributes.authentication-type-keys`	`List<String>`	`[authenticationType, authMethod, loginMethod]`	Candidate keys used to extract the authentication method.
`contexa.bridge.authentication.request-attributes.authentication-assurance-keys`	`List<String>`	`[authenticationAssurance, authLevel, loa]`	Candidate keys used to extract the authentication assurance level.
`contexa.bridge.authentication.request-attributes.mfa-keys`	`List<String>`	`[mfa, mfaVerified, mfa_verified]`	Candidate keys used to extract MFA-completion state.
`contexa.bridge.authentication.request-attributes.auth-time-keys`	`List<String>`	`[authenticationTime, authenticatedAt, loginTime]`	Candidate keys used to extract the authentication time.
`contexa.bridge.authentication.request-attributes.attribute-keys`	`List<String>`	`[department, organizationId, orgId, authMethod, loginIp, loginTime]`	Additional attribute keys preserved in the SecurityContext.

Flat authentication attribute keys (flat-*, 8)

Single key names Contexa uses when flattening values back onto request attributes so downstream components can read them directly.

Property	Default	Description
`contexa.bridge.authentication.request-attributes.flat-principal-id`	`ctxa.auth.principalId`	Principal identifier.
`contexa.bridge.authentication.request-attributes.flat-display-name`	`ctxa.auth.displayName`	Display name.
`contexa.bridge.authentication.request-attributes.flat-authenticated`	`ctxa.auth.authenticated`	Authenticated boolean.
`contexa.bridge.authentication.request-attributes.flat-authorities`	`ctxa.auth.authorities`	Authorities collection.
`contexa.bridge.authentication.request-attributes.flat-authentication-type`	`ctxa.auth.type`	Authentication method.
`contexa.bridge.authentication.request-attributes.flat-authentication-assurance`	`ctxa.auth.assurance`	Authentication assurance level.
`contexa.bridge.authentication.request-attributes.flat-mfa-completed`	`ctxa.auth.mfaCompleted`	MFA completion state.
`contexa.bridge.authentication.request-attributes.flat-authentication-time`	`ctxa.auth.time`	Authentication time.

Authorization mapping keys (7)

Property	Default	Description
`contexa.bridge.authentication.request-attributes.authorization-effect`	`ctxa.authz.effect`	Authorization decision effect (ALLOW/DENY).
`contexa.bridge.authentication.request-attributes.privileged`	`ctxa.authz.privileged`	Whether this is a privileged flow.
`contexa.bridge.authentication.request-attributes.policy-id`	`ctxa.authz.policyId`	ID of the matching policy.
`contexa.bridge.authentication.request-attributes.policy-version`	`ctxa.authz.policyVersion`	Policy version.
`contexa.bridge.authentication.request-attributes.scope-tags`	`ctxa.authz.scopeTags`	Scope tags.
`contexa.bridge.authentication.request-attributes.effective-roles`	`ctxa.authz.roles`	Effective role set.
`contexa.bridge.authentication.request-attributes.effective-authorities`	`ctxa.authz.authorities`	Effective authority set.

Delegation mapping keys (11)

Property	Default	Description
`contexa.bridge.authentication.request-attributes.delegated`	`ctxa.delegation.enabled`	Whether delegation is active.
`contexa.bridge.authentication.request-attributes.agent-id`	`ctxa.delegation.agentId`	Delegated agent ID.
`contexa.bridge.authentication.request-attributes.objective-id`	`ctxa.delegation.objectiveId`	Delegation objective ID.
`contexa.bridge.authentication.request-attributes.objective-family`	`ctxa.delegation.objectiveFamily`	Objective family / type.
`contexa.bridge.authentication.request-attributes.objective-summary`	`ctxa.delegation.objectiveSummary`	Objective summary.
`contexa.bridge.authentication.request-attributes.allowed-operations`	`ctxa.delegation.allowedOperations`	Permitted operations list.
`contexa.bridge.authentication.request-attributes.allowed-resources`	`ctxa.delegation.allowedResources`	Permitted resources list.
`contexa.bridge.authentication.request-attributes.approval-required`	`ctxa.delegation.approvalRequired`	Whether approval is required.
`contexa.bridge.authentication.request-attributes.privileged-export-allowed`	`ctxa.delegation.privilegedExportAllowed`	Whether privileged export is allowed.
`contexa.bridge.authentication.request-attributes.containment-only`	`ctxa.delegation.containmentOnly`	Containment-only restriction flag.
`contexa.bridge.authentication.request-attributes.expires-at`	`ctxa.delegation.expiresAt`	Delegation expiry instant.

Authentication HTTP Header Names

Properties under contexa.bridge.authentication.headers, bound to the shared Bridge.Headers class. Defines which header names Contexa reads from (and emits onto) HTTP traffic when a reverse proxy or gateway propagates authentication, authorization, or delegation context. All header names are configurable.

Toggle

Property	Type	Default	Description
`contexa.bridge.authentication.headers.enabled`	`boolean`	`true`	Enables HTTP-header-based extraction and emission.

Authentication headers (8)

Property	Default	Description
`contexa.bridge.authentication.headers.principal-id`	`X-Contexa-Principal-Id`	Principal-identifier header.
`contexa.bridge.authentication.headers.display-name`	`X-Contexa-Principal-Name`	Display-name header.
`contexa.bridge.authentication.headers.authenticated`	`X-Contexa-Authenticated`	Authenticated boolean header.
`contexa.bridge.authentication.headers.authorities`	`X-Contexa-Authorities`	Authorities collection header.
`contexa.bridge.authentication.headers.authentication-type`	`X-Contexa-Authentication-Type`	Authentication-method header.
`contexa.bridge.authentication.headers.authentication-assurance`	`X-Contexa-Authentication-Assurance`	Authentication-assurance header.
`contexa.bridge.authentication.headers.mfa-completed`	`X-Contexa-Mfa-Completed`	MFA-completion header.
`contexa.bridge.authentication.headers.authentication-time`	`X-Contexa-Authenticated-At`	Authentication-time header.

Authorization headers (7)

Property	Default	Description
`contexa.bridge.authentication.headers.authorization-effect`	`X-Contexa-Authz-Effect`	Authorization-effect header.
`contexa.bridge.authentication.headers.privileged`	`X-Contexa-Authz-Privileged`	Privileged-flow boolean header.
`contexa.bridge.authentication.headers.policy-id`	`X-Contexa-Authz-Policy`	Matching-policy ID header.
`contexa.bridge.authentication.headers.policy-version`	`X-Contexa-Authz-Policy-Version`	Policy-version header.
`contexa.bridge.authentication.headers.scope-tags`	`X-Contexa-Authz-Scope`	Scope-tag header.
`contexa.bridge.authentication.headers.effective-roles`	`X-Contexa-Authz-Roles`	Effective-roles header.
`contexa.bridge.authentication.headers.effective-authorities`	`X-Contexa-Authz-Authorities`	Effective-authorities header.

Delegation headers (11)

Property	Default	Description
`contexa.bridge.authentication.headers.delegated`	`X-Contexa-Delegated`	Delegation-active header.
`contexa.bridge.authentication.headers.agent-id`	`X-Contexa-Agent-Id`	Delegated-agent ID header.
`contexa.bridge.authentication.headers.objective-id`	`X-Contexa-Objective-Id`	Objective ID header.
`contexa.bridge.authentication.headers.objective-family`	`X-Contexa-Objective-Family`	Objective family / type header.
`contexa.bridge.authentication.headers.objective-summary`	`X-Contexa-Objective-Summary`	Objective summary header.
`contexa.bridge.authentication.headers.allowed-operations`	`X-Contexa-Allowed-Operations`	Permitted-operations header.
`contexa.bridge.authentication.headers.allowed-resources`	`X-Contexa-Allowed-Resources`	Permitted-resources header.
`contexa.bridge.authentication.headers.approval-required`	`X-Contexa-Approval-Required`	Approval-required header.
`contexa.bridge.authentication.headers.privileged-export-allowed`	`X-Contexa-Privileged-Export-Allowed`	Privileged-export-allowed header.
`contexa.bridge.authentication.headers.containment-only`	`X-Contexa-Containment-Only`	Containment-only header.
`contexa.bridge.authentication.headers.expires-at`	`X-Contexa-Delegation-Expires-At`	Delegation-expiry header.

Authorization SecurityContext Keys

Properties under contexa.bridge.authorization.security-context, bound to Authorization.SecurityContext. When an external system stores authorization decisions (effect, policy ID, authorities, etc.) as attributes on the Spring SecurityContext Authentication, these keys define which candidate names Contexa tries to read that information. The first matching key wins.

Property	Type	Default	Description
`contexa.bridge.authorization.security-context.enabled`	`boolean`	`true`	Enables SecurityContext-based authorization extraction.
`contexa.bridge.authorization.security-context.authorization-effect-keys`	`List<String>`	`[authorizationEffect, effect, decision, decisionEffect]`	Candidate keys used to extract the authorization effect (ALLOW/DENY).
`contexa.bridge.authorization.security-context.privileged-keys`	`List<String>`	`[privileged, isPrivileged, privilegedFlow]`	Candidate keys used to extract the privileged-flow boolean.
`contexa.bridge.authorization.security-context.policy-id-keys`	`List<String>`	`[policyId, policy, decisionPolicy]`	Candidate keys used to extract the matching policy ID.
`contexa.bridge.authorization.security-context.policy-version-keys`	`List<String>`	`[policyVersion, version]`	Candidate keys used to extract the policy version.
`contexa.bridge.authorization.security-context.scope-tag-keys`	`List<String>`	`[scopeTags, scopes, scope, permissionScopes, scp]`	Candidate keys used to extract scope tags.
`contexa.bridge.authorization.security-context.role-keys`	`List<String>`	`[effectiveRoles, roles, roleSet, groups]`	Candidate keys used to extract the effective role set.
`contexa.bridge.authorization.security-context.authority-keys`	`List<String>`	`[effectiveAuthorities, authorities, permissions, grantedAuthorities, scope, scp]`	Candidate keys used to extract the effective authority set.
`contexa.bridge.authorization.security-context.attribute-keys`	`List<String>`	`[authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, scope, scp, roles, effectiveRoles, permissions, effectiveAuthorities]`	Additional attribute keys preserved in the authorization context (13 defaults).

Authorization Session Keys

Properties under contexa.bridge.authorization.session, bound to Authorization.Session. When an external system stores authorization decisions on a session-scoped user object, these keys define which attribute candidates to try and which keys to read for effect, policy, scope, role, and authority extraction.

Property	Type	Default	Description
`contexa.bridge.authorization.session.enabled`	`boolean`	`true`	Enables session-based authorization extraction.
`contexa.bridge.authorization.session.attribute`	`String`	`"" (empty)`	Explicit session attribute name carrying the user object.
`contexa.bridge.authorization.session.attribute-candidates`	`List<String>`	`[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]`	Candidate attribute names tried in auto-discover mode.
`contexa.bridge.authorization.session.auto-discover`	`boolean`	`true`	Whether to walk the candidate-attribute list automatically.
`contexa.bridge.authorization.session.object-type-name`	`String`	`"" (empty)`	Optional fully-qualified class name the discovered object must match.
`contexa.bridge.authorization.session.principal-id-keys`	`List<String>`	`[userId, username, id, loginId, email]`	Candidate keys used to extract the principal identifier.
`contexa.bridge.authorization.session.authorization-effect-keys`	`List<String>`	`[authorizationEffect, effect, decision, decisionEffect]`	Candidate keys used to extract the authorization effect.
`contexa.bridge.authorization.session.privileged-keys`	`List<String>`	`[privileged, isPrivileged, privilegedFlow]`	Candidate keys used to extract the privileged flag.
`contexa.bridge.authorization.session.policy-id-keys`	`List<String>`	`[policyId, policy, decisionPolicy]`	Candidate keys used to extract the policy ID.
`contexa.bridge.authorization.session.policy-version-keys`	`List<String>`	`[policyVersion, version]`	Candidate keys used to extract the policy version.
`contexa.bridge.authorization.session.scope-tag-keys`	`List<String>`	`[scopeTags, scopes, scope, permissionScopes]`	Candidate keys used to extract scope tags (note: `scp` is not included here, unlike Authorization.SecurityContext).
`contexa.bridge.authorization.session.role-keys`	`List<String>`	`[effectiveRoles, roles, roleSet]`	Candidate keys used to extract the effective role set (no `groups`).
`contexa.bridge.authorization.session.authority-keys`	`List<String>`	`[effectiveAuthorities, authorities, permissions, grantedAuthorities]`	Candidate keys used to extract the effective authority set (no `scope, scp`).
`contexa.bridge.authorization.session.attribute-keys`	`List<String>`	`[authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, roles, effectiveRoles, permissions, effectiveAuthorities, organizationId, orgId, tenantId, department, team]`	Additional attribute keys preserved in the authorization context (16 defaults).

Authorization RequestAttributes / Headers

Authorization reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults are identical to the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:

contexa.bridge.authorization.request-attributes.* — 39 fields, same table
contexa.bridge.authorization.headers.* — 27 fields, same table

The tables are not duplicated because BridgeProperties.java references a single class from three locations — keeping the documentation single-sourced.

Delegation Session Keys

Properties under contexa.bridge.delegation.session, bound to Delegation.Session. When an external system stores agent-delegation context — agent ID, objective, allowed operations/resources, approval requirement, expiry — on a session-scoped user object, these keys define which attribute candidates to try and which keys to read.

Property	Type	Default	Description
`contexa.bridge.delegation.session.enabled`	`boolean`	`true`	Enables session-based delegation extraction.
`contexa.bridge.delegation.session.attribute`	`String`	`"" (empty)`	Explicit session attribute name carrying the user object.
`contexa.bridge.delegation.session.attribute-candidates`	`List<String>`	`[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]`	Candidate attribute names tried in auto-discover mode.
`contexa.bridge.delegation.session.auto-discover`	`boolean`	`true`	Whether to walk the candidate list automatically. (Note: Delegation.Session does not expose an `object-type-name` field.)
`contexa.bridge.delegation.session.principal-id-keys`	`List<String>`	`[userId, username, id, loginId, email]`	Candidate keys used to extract the principal identifier.
`contexa.bridge.delegation.session.delegated-keys`	`List<String>`	`[delegated, delegationEnabled, agentDelegated]`	Candidate keys used to extract the delegation-active flag.
`contexa.bridge.delegation.session.agent-id-keys`	`List<String>`	`[agentId, delegateAgentId]`	Candidate keys used to extract the agent ID.
`contexa.bridge.delegation.session.objective-id-keys`	`List<String>`	`[objectiveId, taskPurpose, delegationObjectiveId]`	Candidate keys used to extract the delegation objective ID.
`contexa.bridge.delegation.session.objective-family-keys`	`List<String>`	`[objectiveFamily, objectiveType, delegationObjectiveFamily]`	Candidate keys used to extract the objective family / type.
`contexa.bridge.delegation.session.objective-summary-keys`	`List<String>`	`[objectiveSummary, taskSummary, delegationObjectiveSummary]`	Candidate keys used to extract the objective summary.
`contexa.bridge.delegation.session.allowed-operations-keys`	`List<String>`	`[allowedOperations, delegatedOperations, permittedOperations]`	Candidate keys used to extract the permitted operations list.
`contexa.bridge.delegation.session.allowed-resources-keys`	`List<String>`	`[allowedResources, delegatedResources, permittedResources]`	Candidate keys used to extract the permitted resources list.
`contexa.bridge.delegation.session.approval-required-keys`	`List<String>`	`[approvalRequired, requiresApproval]`	Candidate keys used to extract the approval-required flag.
`contexa.bridge.delegation.session.privileged-export-allowed-keys`	`List<String>`	`[privilegedExportAllowed, allowPrivilegedExport]`	Candidate keys used to extract the privileged-export-allowed flag.
`contexa.bridge.delegation.session.containment-only-keys`	`List<String>`	`[containmentOnly, restrictedContainment]`	Candidate keys used to extract the containment-only flag.
`contexa.bridge.delegation.session.expires-at-keys`	`List<String>`	`[expiresAt, delegationExpiresAt]`	Candidate keys used to extract the delegation expiry instant.
`contexa.bridge.delegation.session.attribute-keys`	`List<String>`	`[delegated, agentId, objectiveId, objectiveFamily, objectiveSummary, allowedOperations, allowedResources, approvalRequired, privilegedExportAllowed, containmentOnly, expiresAt, organizationId, orgId, tenantId, department, team]`	Additional attribute keys preserved in the delegation context (16 defaults).

Delegation RequestAttributes / Headers

Delegation reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults match the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:

contexa.bridge.delegation.request-attributes.* — 39 fields, same table
contexa.bridge.delegation.headers.* — 27 fields, same table