# Please find the documentation for this file at
# https://www.ory.sh/oathkeeper/docs/configuration
#
# Stub configuration used as benchmark input (configx/stub/benchmark/benchmark.yaml).
# Every handler below is switched on and hosts, file paths, key material and
# credentials are placeholders, so the values exercise the config loader rather
# than describe a deployable setup.

log:
  # NOTE(review): debug is a verbose level; confirm what request data ends up in
  # the log before reusing this value outside a test or benchmark run.
  level: debug
  format: json

# NOTE(review): presumably turns on CPU profiling for the run - confirm against the consumer.
profiling: cpu

serve:
  proxy:
    port: 1234
    # Loopback address: the listener is not reachable from other hosts.
    host: 127.0.0.1

    timeout:
      read: 1s
      write: 2s
      idle: 3s

    cors:
      enabled: true
      # The second entry is a wildcard: every subdomain of example.com is an allowed origin.
      allowed_origins:
        - https://example.com
        - https://*.example.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      # Combined with the wildcard origin above, any subdomain may send
      # credentialed cross-origin requests; keep the origin list as narrow as the
      # callers require when credentials are allowed.
      allow_credentials: true
      max_age: 10
      # NOTE(review): CORS debug switch; what it emits is not visible here - confirm before enabling elsewhere.
      debug: true
    tls:
      key:
        path: /path/to/key.pem
        # Truncated placeholder; the visible prefix decodes to a PEM
        # "ENCRYPTED PRIVATE KEY" header. Real key material belongs in a file or
        # secret store referenced from here, not inline in a committed config.
        # NOTE(review): both path and base64 are set; which one takes precedence is not visible here.
        base64: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLVxuTUlJRkRqQkFCZ2txaGtpRzl3MEJCUTB3...
      cert:
        path: /path/to/cert.pem
        # Truncated placeholder; the visible prefix decodes to a PEM "CERTIFICATE" header.
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...

  api:
    port: 1235
    # Loopback address, distinct from the proxy listener.
    host: 127.0.0.2

    timeout:
      read: 1s
      write: 2s
      idle: 3s

    cors:
      enabled: true
      # Same shape as serve.proxy.cors: a wildcard subdomain origin together with
      # allow_credentials below.
      allowed_origins:
        - https://example.org
        - https://*.example.org
      allowed_methods:
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      max_age: 10
      debug: true
    tls:
      key:
        path: /path/to/key.pem
        # Same truncated placeholder as serve.proxy.tls.key.base64.
        base64: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLVxuTUlJRkRqQkFCZ2txaGtpRzl3MEJCUTB3...
      cert:
        path: /path/to/cert.pem
        base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...

  prometheus:
    port: 9000
    host: localhost
    metrics_path: /metrics
    collapse_request_paths: true

# Configures Access Rules
access_rules:
  # Locations (list of URLs) where access rules should be fetched from on boot.
  # It is expected that the documents at those locations return a JSON or YAML Array containing ORY Oathkeeper Access Rules.
  # The rules loaded from these locations decide what the proxy enforces, so
  # each location should be as trusted and as tamper-resistant as the config itself.
  repositories:
    # If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be
    # fetched from the local file system.
    - file://path/to/rules.json
    # If the URL Scheme is `inline://`, the access rules (an array of access rules is expected)
    # are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{"id":"foo-rule","authenticators":[....]}]`)):
    # The value below decodes to `[{"id":"foo-rule","authenticators":[]}]`.
    - inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d
    # If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be
    # fetched from the provided HTTP(s) location.
    - https://path-to-my-rules/rules.json
  # Optional fields describing matching strategy, defaults to "regexp".
  matching_strategy: glob

errors:
  fallback:
    - json
  handlers:
    redirect:
      enabled: true
      config:
        # Placeholder target using the cleartext http:// scheme.
        to: http://path-to/redirect
    json:
      enabled: true
      config:
        # NOTE(review): presumably adds error detail to the JSON response; confirm
        # what is disclosed to clients before enabling outside tests.
        verbose: true
        # Conditions under which this handler applies: error kinds, request
        # headers and source CIDR (a loopback range here).
        when:
          -
            error:
              - unauthorized
              - forbidden
              - internal_server_error
            request:
              header:
                content_type:
                  - application/json
                accept:
                  - application/json
              cidr:
                - 127.0.0.0/24

# All authenticators can be configured under this configuration key
# This stub enables every authenticator, including anonymous and noop.
# NOTE(review): presumably an enabled authenticator only takes effect once an
# access rule references it - confirm; a real deployment enables only the ones
# its rules use.
authenticators:
  # Configures the anonymous authenticator
  anonymous:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

    config:

      # Sets the anonymous username. Defaults to "anonymous". Common names include "guest", "anon", "anonymous", "unknown".
      subject: guest

  # Configures the cookie session authenticator
  cookie_session:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

    config:

      # Sets the origin to proxy requests to. If the response is a 200 with body `{ "subject": "...", "extra": {} }`
      # The request will pass the subject through successfully, otherwise it will be marked as unauthorized
      check_session_url: https://session-store-host

      # Sets a list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if
      # none of the passed cookies are set on the request
      only:
        - sessionid

  # Configures the jwt authenticator
  jwt:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

    config:

      # REQUIRED IF ENABLED - The URL where ORY Oathkeeper can retrieve JSON Web Keys from for validating the JSON Web
      # Token. Usually something like "https://my-keys.com/.well-known/jwks.json". The response of that endpoint must
      # return a JSON Web Key Set (JWKS).
      # Tokens are validated against the keys served here, so every listed
      # location is a trust anchor for token verification.
      jwks_urls:
        - https://my-website.com/.well-known/jwks.json
        - https://my-other-website.com/.well-known/jwks.json
        - file://path/to/local/jwks.json

      # Sets the strategy to be used to validate/match the scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
      # to "none".
      scope_strategy: wildcard

  # Configures the noop authenticator
  noop:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

  # Configures the oauth2_client_credentials authenticator
  oauth2_client_credentials:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

    config:

      # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
      token_url: https://my-website.com/oauth2/token

  # Configures the oauth2_introspection authenticator
  oauth2_introspection:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

    config:

      # REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
      introspection_url: https://my-website.com/oauth2/introspection

      # Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
      # to "none".
      scope_strategy: exact

      # Enable pre-authorization in cases where the OAuth 2.0 Token Introspection endpoint is protected by OAuth 2.0 Bearer
      # Tokens that can be retrieved using the OAuth 2.0 Client Credentials grant.
      pre_authorization:
        # Enable pre-authorization. Defaults to false.
        enabled: true

        # REQUIRED IF ENABLED - The OAuth 2.0 Client ID to be used for the OAuth 2.0 Client Credentials Grant.
        client_id: some_id

        # REQUIRED IF ENABLED - The OAuth 2.0 Client Secret to be used for the OAuth 2.0 Client Credentials Grant.
        # Placeholder value. A real client secret should be supplied from the
        # environment or a secret store rather than written into a committed file.
        client_secret: some_secret

        # The OAuth 2.0 Scope to be requested during the OAuth 2.0 Client Credentials Grant.
        scope:
          - foo
          - bar

        # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint where the OAuth 2.0 Client Credentials Grant will be performed.
        token_url: https://my-website.com/oauth2/token

  # Configures the unauthorized authenticator
  unauthorized:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true

# All authorizers can be configured under this configuration key
# Every authorizer is enabled in this stub, the unconditional allow included.
authorizers:
  # Configures the allow authorizer
  allow:
    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
    enabled: true

  # Configures the deny authorizer
  deny:
    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
    enabled: true

  # Configures the keto_engine_acp_ory authorizer
  keto_engine_acp_ory:
    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
    enabled: true

    config:
      # REQUIRED IF ENABLED - The base URL of ORY Keto, typically something like http(s)://<host>[:<port>]/
      # Placeholder using cleartext http://; authorization decisions travel over
      # this connection, so a real deployment would use https:// or a protected network path.
      base_url: http://my-keto/
      required_action: unknown
      required_resource: unknown

  # Configures the remote authorizer
  remote:
    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
    enabled: true

    config:
      remote: https://host/path
      headers: {}

  # Configures the remote_json authorizer
  remote_json:
    # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
    enabled: true

    config:
      remote: https://host/path
      # Quoted so the value stays the string "{}" instead of parsing as an empty YAML mapping.
      payload: "{}"

# All mutators can be configured under this configuration key
mutators:
  header:
    enabled: true
    config:
      headers:
        foo: bar

  # Configures the cookie mutator
  cookie:
    # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
    enabled: true
    config:
      cookies:
        foo: bar

  # Configures the hydrator mutator
  hydrator:
    # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
    enabled: true

    config:
      api:
        url: https://some-url/

  # Configures the id_token mutator
  id_token:
    # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
    enabled: true
    config:
      # REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
      issuer_url: https://my-oathkeeper/
      # REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
      # well as local filesystem paths.
      # NOTE(review): presumably these are the keys used to sign the issued ID
      # Tokens - confirm; if so, the location needs the same protection as any private key.
      jwks_url: https://fetch-keys/from/this/location.json
      # jwks_url: file:///from/this/absolute/location.json
      # jwks_url: file://../from/this/relative/location.json

      # Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
      # One hour here, against the documented default of one minute.
      ttl: 1h

  # Configures the noop mutator
  noop:
    # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
    enabled: true