# Ory Hydra Configuration
#
#
# !!WARNING!!
# This configuration file is for documentation purposes only. Do not use it in production. As all configuration items
# are enabled, it will not work out of the box either.
#
#
# Ory Hydra can be configured using a configuration file and passing the file location using `--config path/to/config.yaml`.
# Per default, Ory Hydra will look up and load file ~/.hydra.yaml. All configuration keys can be set using environment
# variables as well.
#
# Setting environment variables is easy:
#
## Linux / OSX
#
# $ export MY_ENV_VAR=foo
# $ hydra ...
#
# alternatively:
#
# $ MY_ENV_VAR=foo hydra ...
#
## Windows
#
### Command Prompt
#
# > set MY_ENV_VAR=foo
# > hydra ...
#
### Powershell
#
# > $env:MY_ENV_VAR="foo"
# > hydra ...
#
## Docker
#
# $ docker run -e MY_ENV_VAR=foo oryd/hydra:...
#
#
# Assuming the following configuration layout:
#
# serve:
#   public:
#     port: 4444
#     something_else: foobar
#
# Key `something_else` can be set as an environment variable by uppercasing its path:
#   `serve.public.something_else` -> `SERVE.PUBLIC.SOMETHING_ELSE`
# and replacing `.` with `_`:
#   `serve.public.something_else` -> `SERVE_PUBLIC_SOMETHING_ELSE`
#
# Environment variables always override values from the configuration file. Here are some more examples:
#
# Configuration key | Environment variable |
# ------------------|----------------------|
# dsn | DSN |
# serve.admin.host | SERVE_ADMIN_HOST |
# ------------------|----------------------|
#
#
# List items such as
#
# secrets:
#   system:
#     - this-is-the-primary-secret
#     - this-is-an-old-secret
#     - this-is-another-old-secret
#
# must be separated using `,` when using environment variables. The environment variable equivalent to the code section
# above is:
#
# Linux/macOS: $ export SECRETS_SYSTEM=this-is-the-primary-secret,this-is-an-old-secret,this-is-another-old-secret
# Windows: > set SECRETS_SYSTEM=this-is-the-primary-secret,this-is-an-old-secret,this-is-another-old-secret
# log configures the logger.
log:
  # Sets the log level, supports "panic", "fatal", "error", "warn", "info" and "debug". Defaults to "info".
  level: info
  # Sets the log format. Leave it undefined for text based log format, or set to "json" for JSON formatting.
  format: json
# serve controls the configuration for the http(s) daemon(s).
serve:
  # public controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json
  public:
    # The port to listen on. Defaults to 4444
    port: 4444
    # The interface or unix socket Ory Hydra should listen and handle public API requests on.
    # Use the prefix "unix:" to specify a path to a unix socket.
    # Leave empty to listen on all interfaces.
    host: localhost # leave this out or empty to listen on all devices which is the default
    # host: unix:/path/to/socket
    # socket:
    #   owner: hydra
    #   group: hydra
    #   mode: 0775  # NOTE(review): a leading-zero literal is read as octal by YAML 1.1 loaders - confirm the type the schema expects
    # cors configures Cross Origin Resource Sharing for public endpoints.
    cors:
      # set enabled to true to enable CORS. Defaults to false.
      enabled: true
      # allowed_origins is a list of origins (comma separated values) a cross-domain request can be executed from.
      # If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
      # to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
      #
      # If empty or undefined, this defaults to `*`, allowing CORS from every domain (if cors.enabled: true).
      #
      # Because allow_credentials is true below, keep this list explicit: an empty list or a `*` entry would let
      # every origin make credentialed (cookie-bearing) cross-site requests.
      allowed_origins:
        - https://example.com
        - https://*.example.com
      # allowed_methods is list of HTTP methods the user agent is allowed to use with cross-domain
      # requests. Defaults to the methods listed.
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      # A list of non simple headers the client is allowed to use with cross-domain requests. Defaults to the listed values.
      allowed_headers:
        - Authorization
        - Content-Type
      # Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults to the listed values.
      exposed_headers:
        - Content-Type
      # Sets whether the request can include user credentials like cookies, HTTP authentication
      # or client side SSL certificates. Defaults to true.
      allow_credentials: true
      # Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request
      # is preceded by a preflight request. Defaults to 0.
      max_age: 10
      # If set to true, adds additional log output to debug server side CORS issues. Defaults to false.
      # Leave this at false outside of active debugging; it only adds log volume.
      debug: true
    # Access Log configuration for public server.
    access_log:
      # Disable access log for health endpoints.
      disable_for_health: false
  # admin controls the admin daemon serving admin API endpoints like /jwk, /client, ...
  # These endpoints manage clients, keys and consent state; they are meant to be reachable only from trusted
  # networks, so bind host accordingly rather than exposing the admin port publicly.
  admin:
    # The port to listen on. Defaults to 4445
    port: 4445
    # The interface or unix socket Ory Hydra should listen and handle administrative API requests on.
    # Use the prefix "unix:" to specify a path to a unix socket.
    # Leave empty to listen on all interfaces.
    host: localhost # leave this out or empty to listen on all devices which is the default
    # host: unix:/path/to/socket
    # socket:
    #   owner: hydra
    #   group: hydra
    #   mode: 0775
    # cors configures Cross Origin Resource Sharing for admin endpoints.
    cors:
      # set enabled to true to enable CORS. Defaults to false.
      enabled: true
      # allowed_origins is a list of origins (comma separated values) a cross-domain request can be executed from.
      # If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
      # to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
      #
      # If empty or undefined, this defaults to `*`, allowing CORS from every domain (if cors.enabled: true).
      #
      # Because allow_credentials is true below, keep this list explicit: an empty list or a `*` entry would let
      # every origin make credentialed (cookie-bearing) cross-site requests against the admin API.
      allowed_origins:
        - https://example.com
        - https://*.example.com
      # allowed_methods is list of HTTP methods the user agent is allowed to use with cross-domain
      # requests. Defaults to the methods listed.
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      # A list of non simple headers the client is allowed to use with cross-domain requests. Defaults to the listed values.
      allowed_headers:
        - Authorization
        - Content-Type
      # Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults to the listed values.
      exposed_headers:
        - Content-Type
      # Sets whether the request can include user credentials like cookies, HTTP authentication
      # or client side SSL certificates. Defaults to true.
      allow_credentials: true
      # Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request
      # is preceded by a preflight request. Defaults to 0.
      max_age: 10
      # If set to true, adds additional log output to debug server side CORS issues. Defaults to false.
      # Leave this at false outside of active debugging; it only adds log volume.
      debug: true
    # Access Log configuration for admin server.
    access_log:
      # Disable access log for health endpoints.
      disable_for_health: false
  # tls configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.
  tls:
    # key configures the private key (PEM encoded).
    # Prefer `path` (or the environment-variable form of this key) over `base64` so the private key is not stored
    # verbatim inside a configuration file that may be committed or shared.
    key:
      # The key can either be loaded from a file:
      path: /path/to/key.pem
      # Or from a base64 encoded (without padding) string:
      base64: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLVxuTUlJRkRqQkFCZ2txaGtpRzl3MEJCUTB3...
    # cert configures the TLS certificate (PEM encoded)
    cert:
      # The cert can either be loaded from a file:
      path: /path/to/cert.pem
      # Or from a base64 encoded (without padding) string:
      base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
    # Allow-list one or multiple CIDR address ranges and allow them to terminate TLS connections.
    # Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but
    # your proxy / gateway / load balancer. Supports ipv4 and ipv6.
    #
    # Hydra serves http instead of https when this option is set, so list only the address range of the
    # component that actually terminates TLS - never a broad range that untrusted clients can originate from.
    #
    # For more information head over to: https://www.ory.sh/docs/hydra/production#tls-termination
    allow_termination_from:
      - 127.0.0.1/32
  # cookies configures attributes of the cookies Ory Hydra issues.
  cookies:
    # specify the SameSite mode that cookies should be sent with
    same_site_mode: Lax
    # Some older browser versions don't work with SameSite=None. This option enables the workaround
    # defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie
    # without SameSite as a fallback.
    same_site_legacy_workaround: false
# dsn sets the data source name. This configures the backend where Ory Hydra persists data.
#
## In-memory database
#
# If dsn is "memory", data will be written to memory and is lost when you restart this instance.
# You can set this value using the DSN environment variable:
#
## SQL databases
#
# Ory Hydra supports popular SQL databases. For more detailed configuration information go to:
# https://www.ory.sh/docs/hydra/dependencies-environment#sql
#
# The DSN embeds the database credentials. Prefer supplying it through the DSN environment variable (or a
# secret store) instead of writing the password into a committed configuration file.
#
### PostgreSQL (recommended)
#
# If dsn is starting with postgres:// PostgreSQL will be used as storage backend:
#   dsn: postgres://user:password@host:123/database
#
### MySQL database
#
# If dsn is starting with mysql:// MySQL will be used as storage backend:
#   dsn: mysql://user:password@tcp(host:123)/database
#
### CockroachDB
#
# If dsn is starting with cockroach:// CockroachDB will be used as storage backend:
#   dsn: cockroach://user:password@host:123/database
#
dsn: memory
# dsn: postgres://user:password@host:123/database
# dsn: mysql://user:password@tcp(host:123)/database
# hsm configures Hardware Security Module for hydra.openid.id-token, hydra.jwt.access-token keys
# Either slot or token_label must be set. If token_label is set, then first slot in index with this label is used.
hsm:
  enabled: false
  # Path to the vendor's PKCS#11 library.
  library: /path/to/hsm-vendor/library.so
  # The token PIN. This is a credential: supply it via the HSM_PIN environment variable or a secret store
  # rather than keeping it in a committed configuration file.
  pin: token-pin-code
  slot: 0
  token_label: hydra
  # Key set prefix can be used in case of multiple Ory Hydra instances need to store keys on the same HSM partition.
  # For example if `hsm.key_set_prefix=app1.` then key set `hydra.openid.id-token` would be generated/requested/deleted
  # on HSM with `CKA_LABEL=app1.hydra.openid.id-token`.
  key_set_prefix: app1.
# webfinger configures /.well-known/ settings
webfinger:
  # jwks configures the /.well-known/jwks.json endpoint.
  jwks:
    # broadcast_keys is a list of JSON Web Keys that should be exposed at that endpoint. This is usually
    # the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.
    # Only the public halves are published here; list just the key sets relying parties actually need to verify.
    broadcast_keys:
      - hydra.openid.id-token # This key is always exposed by default
      # - hydra.jwt.access-token # This key will be exposed when the OAuth2 Access Token strategy is set to JWT.
  # oidc_discovery configures OpenID Connect Discovery (/.well-known/openid-configuration)
  oidc_discovery:
    # The URL advertised as the client registration endpoint in the discovery document.
    client_registration_url: https://my-service.com/clients
    # A list of supported claims to be broadcasted. Claim `sub` is always included:
    supported_claims:
      - email
      - username
    # The scope OAuth 2.0 Clients may request. Scope `offline`, `offline_access`, and `openid` are always included.
    supported_scope:
      - email
      - whatever
      - read.photos
    # A URL of the userinfo endpoint to be advertised at the OpenID Connect
    # Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo.
    # Set this value if you want to handle this endpoint yourself.
    userinfo_url: https://example.org/my-custom-userinfo-endpoint
# oidc configures OpenID Connect features.
oidc:
  # subject_identifiers configures the Subject Identifier algorithm.
  #
  # For more information please head over to the documentation:
  # -> https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms
  subject_identifiers:
    # which algorithms to enable. Defaults to "public"
    supported_types:
      - pairwise
      - public
    # configures the pairwise algorithm
    pairwise:
      # if "pairwise" is enabled, the salt must be defined.
      # Use a long random value and treat it as a secret. NOTE(review): changing it after clients exist
      # presumably changes every pairwise subject identifier already issued - confirm before rotating.
      salt: some-random-salt
  # dynamic_client_registration configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...)
  dynamic_client_registration:
    enabled: false
    # The OpenID Connect Dynamic Client Registration specification has no concept of allow-listing OAuth 2.0 Scope. If you
    # want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients.
    # Keep in mind that users can overwrite this default by setting the "scope" key in the registration payload,
    # effectively disabling the concept of allow-listed scopes. Scope restrictions therefore have to be enforced
    # at the consent step, not here.
    default_scope:
      - openid
      - offline
      - offline_access
# urls configures the issuer/public base URLs and the endpoints of the login & consent app.
urls:
  self:
    # This value will be used as the "issuer" in access and ID tokens. It must be
    # specified and using HTTPS protocol, unless --dangerous-force-http is set. This should typically be equal
    # to the public value.
    issuer: https://localhost:4444/
    # This is the base location of the public endpoints of your Ory Hydra installation. This should typically be equal
    # to the issuer value. If left unspecified, it falls back to the issuer value.
    public: https://localhost:4444/
  # Sets the login endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
  login: https://my-login.app/login
  # Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
  consent: https://my-consent.app/consent
  # Sets the logout endpoint. Defaults to an internal fallback URL.
  logout: https://my-logout.app/logout
  # Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs which can not be sent back
  # to the client. Defaults to an internal fallback URL.
  error: https://my-error.app/error
  # When a user agent requests to logout, it will be redirected to this url afterwards per default.
  post_logout_redirect: https://my-example.app/logout-successful
# strategies selects how scopes are matched and how access tokens are represented.
strategies:
  # The scope matching strategy. NOTE(review): the value used here is marked deprecated in its own name;
  # prefer the non-deprecated strategy documented for your Hydra version.
  scope: DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY
  # You may use JSON Web Tokens as access tokens.
  #
  # But seriously. Don't do that. It's not a great idea and has a ton of caveats and subtle security implications. Read more:
  # -> https://www.ory.sh/docs/hydra/advanced#json-web-tokens
  #
  # access_token: jwt
# ttl configures time to live of flows and tokens.
ttl:
  # configures how long a user login and consent flow may take. Defaults to 1h.
  login_consent_request: 1h
  # configures how long access tokens are valid. Defaults to 1h.
  access_token: 1h
  # configures how long refresh tokens are valid. Defaults to 720h. Set to -1 for refresh tokens to never expire.
  # Never-expiring refresh tokens cannot age out after a leak; prefer a finite lifetime.
  refresh_token: 720h
  # configures how long id tokens are valid. Defaults to 1h.
  id_token: 1h
  # configures how long auth codes are valid. Defaults to 10m.
  auth_code: 10m
# oauth2 configures OAuth 2.0 behaviour: error exposure, client secret hashing, PKCE and session storage.
oauth2:
  # Set this to true if you want to share error debugging information with your OAuth 2.0 clients.
  # Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error
  # codes and similar errors. Defaults to false.
  expose_internal_errors: true
  # Configures hashing algorithms. Supports only BCrypt at the moment.
  hashers:
    # Configures the BCrypt hashing algorithm used for hashing Client Secrets.
    bcrypt:
      # Sets the BCrypt cost. Minimum value is 4 and default value is 10. The higher the value, the more CPU time is being
      # used to generate hashes.
      cost: 10
  pkce:
    # Set this to true if you want PKCE to be enforced for all clients.
    enforced: false
    # Set this to true if you want PKCE to be enforced for public clients.
    # Public clients cannot keep a secret, so PKCE is their only protection against authorization code interception.
    enforced_for_public_clients: false
  session:
    # store encrypted data in database, default true
    encrypt_at_rest: true
# The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated,
# for more information on this topic navigate to:
# -> https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys
#
# The values below are placeholders. Provide real secrets via the SECRETS_SYSTEM / SECRETS_COOKIE environment
# variables (comma separated, see the header of this file) or a secret store, not in a committed file.
secrets:
  # The system secret must be at least 16 characters long. If none is provided, one will be generated. The key
  # is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures.
  #
  # The first item in the list is used for signing and encryption. The whole list is used for verifying signatures
  # and decryption.
  system:
    - this-is-the-primary-secret
    - this-is-an-old-secret
    - this-is-another-old-secret
  # A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use
  # a separate secret in production.
  #
  # The first item in the list is used for signing and encryption. The whole list is used for verifying signatures
  # and decryption.
  cookie:
    - this-is-the-primary-secret
    - this-is-an-old-secret
    - this-is-another-old-secret
# Enables profiling if set. Use "cpu" to enable cpu profiling and "mem" to enable memory profiling. For more details
# on profiling, head over to: https://blog.golang.org/profiling-go-programs
# Leave unset in production unless you are actively diagnosing a problem.
profiling: cpu
# profiling: mem
# Ory Hydra supports distributed tracing.
tracing:
  # Set this to the tracing backend you wish to use. Currently supports jaeger. If omitted or empty, tracing will
  # be disabled.
  provider: jaeger
  # Specifies the service name to use on the tracer.
  service_name: Ory Hydra
  providers:
    # Configures the jaeger tracing backend.
    jaeger:
      # The address of the jaeger-agent where spans should be sent to
      local_agent_address: 127.0.0.1:6831
      # The tracing header format
      propagation: jaeger
      # The maximum length of jaeger tag value
      max_tag_value_length: 1024
      sampling:
        # The type of the sampler you want to use. Supports:
        # - const
        # - probabilistic
        # - ratelimiting
        type: const
        # The value passed to the sampler type that has been configured.
        # Supported values: This is dependent on the sampling strategy used:
        # - const: 0 or 1 (all or nothing)
        # - rateLimiting: a constant rate (e.g. setting this to 3 will sample requests with the rate of 3 traces per second)
        # - probabilistic: a value between 0..1
        value: 1.0
        # The address of jaeger-agent's HTTP sampling server
        server_url: http://localhost:5778/sampling