

No commits in common. "08ab522e2b921dadde042b361b46dfdd94ee953f" and "dec15868636e57d8119f19b1edb974fb2aa5dac3" have entirely different histories.

4 changed files with 622 additions and 1084 deletions


@ -1,157 +1,86 @@
## ORY Hydra Configuration ## ORY Hydra Configuration
# #
## log ##
#
# Configures the logger
#
log:
## level ##
#
# Sets the log level.
#
# Default value: info
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_LEVEL=<value>
# - Windows Command Line (CMD):
# > set LOG_LEVEL=<value>
#
level: info
## format ##
#
# Sets the log format.
#
# Default value: text
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_FORMAT=<value>
# - Windows Command Line (CMD):
# > set LOG_FORMAT=<value>
#
format: text
## serve ## ## serve ##
# #
# Controls the configuration for the http(s) daemon(s). # Controls the configuration for the http(s) daemon(s).
# #
serve: serve:
## admin ##
## public ##
# #
admin: # Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json
## host ## #
public:
## port ##
# #
# The interface or unix socket ORY Hydra should listen and handle administrative API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces. # Default value: 4444
#
# Examples:
# - localhost
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SERVE_ADMIN_HOST=<value> # $ export SERVE_PUBLIC_PORT=<value>
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set SERVE_ADMIN_HOST=<value> # > set SERVE_PUBLIC_PORT=<value>
# #
host: localhost port: 4444
## host ##
#
# The interface or unix socket ORY Hydra should listen and handle public API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
#
# Examples:
# - localhost
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_HOST=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_HOST=<value>
#
host: ""
## cors ## ## cors ##
# #
# Configures Cross Origin Resource Sharing for public endpoints. # Configures Cross Origin Resource Sharing for public endpoints.
# #
cors: cors:
## allowed_origins ##
#
# A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
#
# Default value: *
#
# Examples:
# - - https://example.com
# - https://*.example.com
# - https://*.foo.example.com
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
#
allowed_origins:
- https://example.com
- https://*.example.com
- https://*.foo.example.com
## allowed_methods ##
#
# A list of HTTP methods the user agent is allowed to use with cross-domain requests.
#
# Default value: POST,GET,PUT,PATCH,DELETE
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
#
allowed_methods:
- POST
## allowed_headers ##
#
# A list of non simple headers the client is allowed to use with cross-domain requests.
#
# Default value: Authorization,Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
#
allowed_headers:
- ''
## exposed_headers ##
#
# Sets which headers are safe to expose to the API of a CORS API specification.
#
# Default value: Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
#
exposed_headers:
- ''
## allow_credentials ##
#
# Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
#
# Default value: true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
#
allow_credentials: false
## options_passthrough ##
#
# TODO
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
#
options_passthrough: false
## max_age ##
#
# Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
#
# Minimum value: 0
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_MAX_AGE=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_MAX_AGE=<value>
#
max_age: 0
## debug ##
#
# Adds additional log output to debug server side CORS issues.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_DEBUG=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_DEBUG=<value>
#
debug: false
## enabled ## ## enabled ##
# #
# Sets whether CORS is enabled. # Sets whether CORS is enabled.
@ -160,252 +89,12 @@ serve:
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ENABLED=<value> # $ export SERVE_PUBLIC_CORS_ENABLED=<value>
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ENABLED=<value> # > set SERVE_PUBLIC_CORS_ENABLED=<value>
# #
enabled: false enabled: false
## socket ##
#
# Sets the permissions of the unix socket
#
socket:
## group ##
#
# Group of unix socket. If empty, the group will be the primary group of the user running hydra.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_SOCKET_GROUP=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_SOCKET_GROUP=<value>
#
group: ''
## mode ##
#
# Mode of unix socket in numeric form
#
# Default value: 493
#
# Minimum value: 0
#
# Maximum value: 511
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_SOCKET_MODE=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_SOCKET_MODE=<value>
#
mode: 0
## owner ##
#
# Owner of unix socket. If empty, the owner will be the user running hydra.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_SOCKET_OWNER=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_SOCKET_OWNER=<value>
#
owner: ''
## access_log ##
#
# Access Log configuration for admin server.
#
access_log:
## disable_for_health ##
#
# Disable access log for health endpoints.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
#
disable_for_health: false
## tls ##
#
tls:
## cert ##
#
cert:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_TLS_CERT_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_TLS_CERT_PATH=<value>
#
path: /etc/ssl/certs/ssl-cert-snakeoil.pem
## allow_termination_from ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_TLS_ALLOW_TERMINATION_FROM=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_TLS_ALLOW_TERMINATION_FROM=<value>
#
allow_termination_from:
- 127.0.0.1/32
## enabled ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_TLS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_TLS_ENABLED=<value>
#
enabled: false
## key ##
#
key:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_TLS_KEY_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_TLS_KEY_PATH=<value>
#
path: /etc/ssl/private/ssl-cert-snakeoil.key
## port ##
#
# Default value: 4445
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_PORT=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_PORT=<value>
#
port: 1
## tls ##
#
# Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.
#
tls:
## cert ##
#
# Configures the public certificate (pem encoded).
#
cert:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_CERT_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_CERT_PATH=<value>
#
path: /etc/ssl/certs/ssl-cert-snakeoil.pem
## allow_termination_from ##
#
# Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
#
allow_termination_from:
- 127.0.0.1/32
## key ##
#
# Configures the private key (pem encoded).
#
key:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_KEY_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_KEY_PATH=<value>
#
path: /etc/ssl/private/ssl-cert-snakeoil.key
## cookies ##
#
cookies:
## same_site_legacy_workaround ##
#
# Some older browser versions dont work with SameSite=None. This option enables the workaround defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie without SameSite as a fallback.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
#
same_site_legacy_workaround: true
## same_site_mode ##
#
# Specify the SameSite mode that cookies should be sent with.
#
# Default value: None
#
# One of:
# - Strict
# - Lax
# - None
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_MODE=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_MODE=<value>
#
same_site_mode: Strict
## public ##
#
# Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json
#
public:
## host ##
#
# The interface or unix socket ORY Hydra should listen and handle public API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
#
# Examples:
# - localhost
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_HOST=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_HOST=<value>
#
host: localhost
## cors ##
#
# Configures Cross Origin Resource Sharing for public endpoints.
#
cors:
## allowed_origins ## ## allowed_origins ##
# #
# A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin. # A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
@ -416,7 +105,7 @@ serve:
# - - https://example.com # - - https://example.com
# - https://*.example.com # - https://*.example.com
# - https://*.foo.example.com # - https://*.foo.example.com
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value> # $ export SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value>
@ -424,9 +113,7 @@ serve:
# > set SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value> # > set SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value>
# #
allowed_origins: allowed_origins:
- https://example.com - "*"
- https://*.example.com
- https://*.foo.example.com
## allowed_methods ## ## allowed_methods ##
# #
@ -441,7 +128,11 @@ serve:
# > set SERVE_PUBLIC_CORS_ALLOWED_METHODS=<value> # > set SERVE_PUBLIC_CORS_ALLOWED_METHODS=<value>
# #
allowed_methods: allowed_methods:
- POST - TRACE
- GET
- HEAD
- GET
- HEAD
## allowed_headers ## ## allowed_headers ##
# #
@ -456,7 +147,9 @@ serve:
# > set SERVE_PUBLIC_CORS_ALLOWED_HEADERS=<value> # > set SERVE_PUBLIC_CORS_ALLOWED_HEADERS=<value>
# #
allowed_headers: allowed_headers:
- '' - ea
- exercitation consectetur
- exercitation
## exposed_headers ## ## exposed_headers ##
# #
@ -471,7 +164,7 @@ serve:
# > set SERVE_PUBLIC_CORS_EXPOSED_HEADERS=<value> # > set SERVE_PUBLIC_CORS_EXPOSED_HEADERS=<value>
# #
exposed_headers: exposed_headers:
- '' - Excepteur adipisicing
## allow_credentials ## ## allow_credentials ##
# #
@ -505,15 +198,13 @@ serve:
# #
# Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request. # Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
# #
# Minimum value: 0
#
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_MAX_AGE=<value> # $ export SERVE_PUBLIC_CORS_MAX_AGE=<value>
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_MAX_AGE=<value> # > set SERVE_PUBLIC_CORS_MAX_AGE=<value>
# #
max_age: 0 max_age: 77402945
## debug ## ## debug ##
# #
@ -529,72 +220,12 @@ serve:
# #
debug: false debug: false
## enabled ##
#
# Sets whether CORS is enabled.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ENABLED=<value>
#
enabled: false
## socket ##
#
# Sets the permissions of the unix socket
#
socket:
## group ##
#
# Group of unix socket. If empty, the group will be the primary group of the user running hydra.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_SOCKET_GROUP=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_SOCKET_GROUP=<value>
#
group: ''
## mode ##
#
# Mode of unix socket in numeric form
#
# Default value: 493
#
# Minimum value: 0
#
# Maximum value: 511
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_SOCKET_MODE=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_SOCKET_MODE=<value>
#
mode: 0
## owner ##
#
# Owner of unix socket. If empty, the owner will be the user running hydra.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_SOCKET_OWNER=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_SOCKET_OWNER=<value>
#
owner: ''
## access_log ## ## access_log ##
# #
# Access Log configuration for public server. # Access Log configuration for public server.
# #
access_log: access_log:
## disable_for_health ## ## disable_for_health ##
# #
# Disable access log for health endpoints. # Disable access log for health endpoints.
@ -607,67 +238,292 @@ serve:
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set SERVE_PUBLIC_ACCESS_LOG_DISABLE_FOR_HEALTH=<value> # > set SERVE_PUBLIC_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
# #
disable_for_health: false disable_for_health: true
## tls ##
#
# Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.
#
tls:
## cert ##
#
# Configures the public certificate (pem encoded).
#
cert:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_TLS_CERT_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_TLS_CERT_PATH=<value>
#
path: /etc/ssl/certs/ssl-cert-snakeoil.pem
## allow_termination_from ##
#
# Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_TLS_ALLOW_TERMINATION_FROM=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_TLS_ALLOW_TERMINATION_FROM=<value>
#
allow_termination_from:
- 127.0.0.1/32
## key ##
#
# Configures the private key (pem encoded).
#
key:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_TLS_KEY_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_TLS_KEY_PATH=<value>
#
path: /etc/ssl/private/ssl-cert-snakeoil.key
## admin ##
#
admin:
## port ## ## port ##
# #
# Default value: 4444 # Default value: 4445
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SERVE_PUBLIC_PORT=<value> # $ export SERVE_ADMIN_PORT=<value>
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set SERVE_PUBLIC_PORT=<value> # > set SERVE_ADMIN_PORT=<value>
# #
port: 1 port: 4445
## host ##
#
# The interface or unix socket ORY Hydra should listen and handle administrative API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
#
# Examples:
# - localhost
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_HOST=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_HOST=<value>
#
host: localhost
## cors ##
#
# Configures Cross Origin Resource Sharing for public endpoints.
#
cors:
## enabled ##
#
# Sets whether CORS is enabled.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ENABLED=<value>
#
enabled: false
## allowed_origins ##
#
# A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
#
# Default value: *
#
# Examples:
# - - https://example.com
# - https://*.example.com
# - https://*.foo.example.com
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
#
allowed_origins:
- "*"
## allowed_methods ##
#
# A list of HTTP methods the user agent is allowed to use with cross-domain requests.
#
# Default value: POST,GET,PUT,PATCH,DELETE
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
#
allowed_methods:
- POST
- PUT
- DELETE
- TRACE
- PUT
## allowed_headers ##
#
# A list of non simple headers the client is allowed to use with cross-domain requests.
#
# Default value: Authorization,Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
#
allowed_headers:
# - in ex mollit
# - mollit velit ad
## exposed_headers ##
#
# Sets which headers are safe to expose to the API of a CORS API specification.
#
# Default value: Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
#
exposed_headers:
# - consectetur sed commodo cupidatat
# - consequat anim id
# - aute dolor ipsum irure
## allow_credentials ##
#
# Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
#
# Default value: true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
#
allow_credentials: false
## options_passthrough ##
#
# TODO
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
#
options_passthrough: true
## max_age ##
#
# Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_MAX_AGE=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_MAX_AGE=<value>
#
max_age: 6684720
## debug ##
#
# Adds additional log output to debug server side CORS issues.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_DEBUG=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_DEBUG=<value>
#
debug: false
## access_log ##
#
# Access Log configuration for admin server.
#
access_log:
## disable_for_health ##
#
# Disable access log for health endpoints.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
#
disable_for_health: false
## tls ##
#
# Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.
#
tls:
## key ##
#
# Configures the private key (pem encoded).
#
key:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_KEY_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_KEY_PATH=<value>
#
# path: /path/to/file.pem
## cert ##
#
# Configures the private key (pem encoded).
#
cert:
## base64 ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_CERT_BASE64=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_CERT_BASE64=<value>
#
# base64: b3J5IGh5ZHJhIGlzIGF3ZXNvbWUK
## allow_termination_from ##
#
# Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
#
allow_termination_from:
- 127.0.0.1/32
- 127.0.0.1/32
- 127.0.0.1/32
## cookies ##
#
cookies:
## same_site_mode ##
#
# Specify the SameSite mode that cookies should be sent with.
#
# Default value: None
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_MODE=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_MODE=<value>
#
same_site_mode: None
## same_site_legacy_workaround ##
#
# Some older browser versions dont work with SameSite=None. This option enables the workaround defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie without SameSite as a fallback.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
#
same_site_legacy_workaround: true
## dsn ## ## dsn ##
# #
@ -679,55 +535,49 @@ serve:
# - Windows Command Line (CMD): # - Windows Command Line (CMD):
# > set DSN=<value> # > set DSN=<value>
# #
dsn: 'memory' dsn: memory
## webfinger ## ## webfinger ##
# #
# Configures ./well-known/ settings. # Configures ./well-known/ settings.
# #
webfinger: webfinger:
## jwks ##
#
# Configures the /.well-known/jwks.json endpoint.
#
jwks:
## broadcast_keys ##
#
# A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.
#
# Default value: hydra.openid.id-token
#
# Examples:
# - hydra.jwt.access-token
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_JWKS_BROADCAST_KEYS=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_JWKS_BROADCAST_KEYS=<value>
#
broadcast_keys:
- hydra.jwt.access-token
## oidc_discovery ## ## oidc_discovery ##
# #
# Configures OpenID Connect Discovery (/.well-known/openid-configuration). # Configures OpenID Connect Discovery (/.well-known/openid-configuration).
# #
oidc_discovery: oidc_discovery:
## token_url ##
#
# Overwrites the OAuth2 Token URL
#
# Examples:
# - https://my-service.com/oauth2/token
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_TOKEN_URL=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_TOKEN_URL=<value>
#
token_url: https://my-service.com/oauth2/token
## auth_url ##
#
# Overwrites the OAuth2 Auth URL
#
# Examples:
# - https://my-service.com/oauth2/auth
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_AUTH_URL=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_AUTH_URL=<value>
#
auth_url: https://my-service.com/oauth2/auth
## client_registration_url ## ## client_registration_url ##
# #
# Sets the OpenID Connect Dynamic Client Registration Endpoint
#
# Examples: # Examples:
# - https://my-service.com/clients # - https://my-service.com/clients
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_CLIENT_REGISTRATION_URL=<value> # $ export WEBFINGER_OIDC_DISCOVERY_CLIENT_REGISTRATION_URL=<value>
@ -743,7 +593,7 @@ webfinger:
# Examples: # Examples:
# - - email # - - email
# - username # - username
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=<value> # $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=<value>
@ -762,7 +612,7 @@ webfinger:
# - - email # - - email
# - whatever # - whatever
# - read.photos # - read.photos
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPE=<value> # $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPE=<value>
@ -780,7 +630,7 @@ webfinger:
# #
# Examples: # Examples:
# - https://example.org/my-custom-userinfo-endpoint # - https://example.org/my-custom-userinfo-endpoint
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_USERINFO_URL=<value> # $ export WEBFINGER_OIDC_DISCOVERY_USERINFO_URL=<value>
@ -789,54 +639,61 @@ webfinger:
# #
userinfo_url: https://example.org/my-custom-userinfo-endpoint userinfo_url: https://example.org/my-custom-userinfo-endpoint
## jwks_url ##
#
# Overwrites the JWKS URL
#
# Examples:
# - https://my-service.com/.well-known/jwks.json
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_JWKS_URL=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_JWKS_URL=<value>
#
jwks_url: https://my-service.com/.well-known/jwks.json
## jwks ##
#
# Configures the /.well-known/jwks.json endpoint.
#
jwks:
## broadcast_keys ##
#
# A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.
#
# Default value: hydra.openid.id-token
#
# Examples:
# - hydra.jwt.access-token
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_JWKS_BROADCAST_KEYS=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_JWKS_BROADCAST_KEYS=<value>
#
broadcast_keys:
- hydra.jwt.access-token
## oidc ## ## oidc ##
# #
# Configures OpenID Connect features. # Configures OpenID Connect features.
# #
oidc: oidc:
## subject_identifiers ##
#
# Configures the Subject Identifier algorithm. For more information please head over to the documentation: https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms
#
# Examples:
# - enabled:
# - public
# - pairwise
# pairwise:
# salt: some-random-salt
#
subject_identifiers:
## enabled ##
#
# A list of algorithms to enable.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_ENABLED=<value>
#
enabled:
- public
- pairwise
## pairwise ##
#
# Configures the pairwise algorithm.
#
pairwise:
## salt ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
#
salt: some-random-salt
## dynamic_client_registration ## ## dynamic_client_registration ##
# #
# Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...). # Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...).
# #
dynamic_client_registration: dynamic_client_registration:
## default_scope ## ## default_scope ##
# #
# The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the "scope" key in the registration payload, effectively disabling the concept of whitelisted scopes. # The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the "scope" key in the registration payload, effectively disabling the concept of whitelisted scopes.
@ -845,7 +702,7 @@ oidc:
# - - openid # - - openid
# - offline # - offline
# - offline_access # - offline_access
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=<value> # $ export OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=<value>
@ -857,57 +714,51 @@ oidc:
- offline - offline
- offline_access - offline_access
## subject_identifiers ##
#
# Configures the Subject Identifier algorithm. For more information please head over to the documentation: https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms
#
# Examples:
# - supported_types:
# - public
# - pairwise
# pairwise:
# salt: some-random-salt
#
subject_identifiers:
## supported_types ##
#
# A list of algorithms to enable.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=<value>
#
supported_types:
- public
- pairwise
## pairwise ##
#
# Configures the pairwise algorithm.
#
pairwise:
## salt ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
#
salt: some-random-salt
## urls ## ## urls ##
# #
urls: urls:
## self ##
#
self:
## issuer ##
#
# This value will be used as the "issuer" in access and ID tokens. It must be specified and using HTTPS protocol, unless --dangerous-force-http is set. This should typically be equal to the public value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_ISSUER=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_ISSUER=<value>
#
issuer: https://localhost:4444/
## public ##
#
# This is the base location of the public endpoints of your ORY Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_PUBLIC=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_PUBLIC=<value>
#
public: https://localhost:4444/
## login ## ## login ##
# #
# Sets the login endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error. # Sets the login endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
# #
# Examples: # Examples:
# - https://my-login.app/login # - https://my-login.app/login
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export URLS_LOGIN=<value> # $ export URLS_LOGIN=<value>
@ -918,11 +769,11 @@ urls:
## consent ## ## consent ##
# #
# Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error. # Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
# #
# Examples: # Examples:
# - https://my-consent.app/consent # - https://my-consent.app/consent
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export URLS_CONSENT=<value> # $ export URLS_CONSENT=<value>
@ -933,11 +784,11 @@ urls:
## logout ## ## logout ##
# #
# Sets the logout endpoint. Defaults to an internal fallback URL showing an error. # Sets the logout endpoint. Defaults to an internal fallback URL.
# #
# Examples: # Examples:
# - https://my-logout.app/logout # - https://my-logout.app/logout
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export URLS_LOGOUT=<value> # $ export URLS_LOGOUT=<value>
@ -948,11 +799,11 @@ urls:
## error ## ## error ##
# #
# Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs that which can not be sent back to the client. Defaults to an internal fallback URL showing an error. # Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs that which can not be sent back to the client. Defaults to an internal fallback URL.
# #
# Examples: # Examples:
# - https://my-error.app/error # - https://my-error.app/error
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export URLS_ERROR=<value> # $ export URLS_ERROR=<value>
@ -967,7 +818,7 @@ urls:
# #
# Examples: # Examples:
# - https://my-example.app/logout-successful # - https://my-example.app/logout-successful
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export URLS_POST_LOGOUT_REDIRECT=<value> # $ export URLS_POST_LOGOUT_REDIRECT=<value>
@ -976,71 +827,16 @@ urls:
# #
post_logout_redirect: https://my-example.app/logout-successful post_logout_redirect: https://my-example.app/logout-successful
## self ##
#
self:
## public ##
#
# This is the base location of the public endpoints of your ORY Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_PUBLIC=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_PUBLIC=<value>
#
public: https://localhost:4444/
## issuer ##
#
# This value will be used as the "issuer" in access and ID tokens. It must be specified and using HTTPS protocol, unless --dangerous-force-http is set. This should typically be equal to the public value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_ISSUER=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_ISSUER=<value>
#
issuer: https://localhost:4444/
## strategies ## ## strategies ##
# #
strategies: strategies:
## access_token ##
#
# Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
#
# Default value: opaque
#
# One of:
# - opaque
# - jwt
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export STRATEGIES_ACCESS_TOKEN=<value>
# - Windows Command Line (CMD):
# > set STRATEGIES_ACCESS_TOKEN=<value>
#
access_token: opaque
## scope ## ## scope ##
# #
# Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes # Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes
# #
# Default value: wildcard # Default value: wildcard
# #
# One of:
# - exact
# - wildcard
# - DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY
#
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export STRATEGIES_SCOPE=<value> # $ export STRATEGIES_SCOPE=<value>
@ -1049,11 +845,38 @@ strategies:
# #
scope: exact scope: exact
## access_token ##
#
# Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export STRATEGIES_ACCESS_TOKEN=<value>
# - Windows Command Line (CMD):
# > set STRATEGIES_ACCESS_TOKEN=<value>
#
access_token: opaque
## ttl ## ## ttl ##
# #
# Configures time to live. # Configures time to live.
# #
ttl: ttl:
## login_consent_request ##
#
# Configures how long a user login and consent flow may take.
#
# Default value: 1h
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_LOGIN_CONSENT_REQUEST=<value>
# - Windows Command Line (CMD):
# > set TTL_LOGIN_CONSENT_REQUEST=<value>
#
login_consent_request: 1h
## access_token ## ## access_token ##
# #
# Configures how long access tokens are valid. # Configures how long access tokens are valid.
@ -1110,173 +933,10 @@ ttl:
# #
auth_code: 1h auth_code: 1h
## login_consent_request ##
#
# Configures how long a user login and consent flow may take.
#
# Default value: 30m
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_LOGIN_CONSENT_REQUEST=<value>
# - Windows Command Line (CMD):
# > set TTL_LOGIN_CONSENT_REQUEST=<value>
#
login_consent_request: 1h
## oauth2 ## ## oauth2 ##
# #
oauth2: oauth2:
## session ##
#
session:
## Encrypt OAuth2 Session ##
#
# If set to true (default) ORY Hydra encrypt OAuth2 and OpenID Connect session data using AES-GCM and the system secret before persisting it in the database.
#
# Default value: true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_SESSION_ENCRYPT_AT_REST=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_SESSION_ENCRYPT_AT_REST=<value>
#
encrypt_at_rest: false
## include_legacy_error_fields ##
#
# Set this to true if you want to include the `error_hint` and `error_debug` legacy fields in error responses. We recommend to set this to `false` unless you have clients using these fields.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_INCLUDE_LEGACY_ERROR_FIELDS=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_INCLUDE_LEGACY_ERROR_FIELDS=<value>
#
include_legacy_error_fields: true
## exclude_not_before_claim ##
#
# Set to true if you want to exclude claim `nbf (not before)` part of access token.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_EXCLUDE_NOT_BEFORE_CLAIM=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_EXCLUDE_NOT_BEFORE_CLAIM=<value>
#
exclude_not_before_claim: true
## allowed_top_level_claims ##
#
# A list of custom claims which are allowed to be added top level to the Access Token. They cannot override reserved claims.
#
# Examples:
# - - username
# - email
# - user_uuid
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_ALLOWED_TOP_LEVEL_CLAIMS=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_ALLOWED_TOP_LEVEL_CLAIMS=<value>
#
allowed_top_level_claims:
- username
- email
- user_uuid
## hashers ##
#
# Configures hashing algorithms. Supports only BCrypt at the moment.
#
hashers:
## bcrypt ##
#
# Configures the BCrypt hashing algorithm used for hashing Client Secrets.
#
bcrypt:
## cost ##
#
# Sets the BCrypt cost. The higher the value, the more CPU time is being used to generate hashes.
#
# Default value: 10
#
# Minimum value: 4
#
# Maximum value: 31
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_HASHERS_BCRYPT_COST=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_HASHERS_BCRYPT_COST=<value>
#
cost: 4
## pkce ##
#
pkce:
## enforced_for_public_clients ##
#
# Sets whether PKCE should be enforced for public clients.
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_PKCE_ENFORCED_FOR_PUBLIC_CLIENTS=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_PKCE_ENFORCED_FOR_PUBLIC_CLIENTS=<value>
#
enforced_for_public_clients: true
## enforced ##
#
# Sets whether PKCE should be enforced for all clients.
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_PKCE_ENFORCED=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_PKCE_ENFORCED=<value>
#
enforced: true
## client_credentials ##
#
client_credentials:
## default_grant_allowed_scope ##
#
# Defines how scopes are added if the request doesn't contains any scope
#
# Examples:
# - false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_ALLOWED_SCOPE=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_ALLOWED_SCOPE=<value>
#
default_grant_allowed_scope: false
## expose_internal_errors ## ## expose_internal_errors ##
# #
# Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors. # Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors.
@ -1285,7 +945,7 @@ oauth2:
# #
# Examples: # Examples:
# - true # - true
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export OAUTH2_EXPOSE_INTERNAL_ERRORS=<value> # $ export OAUTH2_EXPOSE_INTERNAL_ERRORS=<value>
@ -1294,31 +954,57 @@ oauth2:
# #
expose_internal_errors: true expose_internal_errors: true
## hashers ##
#
# Configures hashing algorithms. Supports only BCrypt at the moment.
#
hashers:
## bcrypt ##
#
# Configures the BCrypt hashing algorithm used for hashing Client Secrets.
#
bcrypt:
## cost ##
#
# Sets the BCrypt cost. The higher the value, the more CPU time is being used to generate hashes.
#
# Default value: 10
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_HASHERS_BCRYPT_COST=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_HASHERS_BCRYPT_COST=<value>
#
cost: 40935632
## pkce ##
#
pkce:
## enforced ##
#
# Sets whether PKCE should be enforced for all clients.
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_PKCE_ENFORCED=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_PKCE_ENFORCED=<value>
#
enforced: true
## secrets ## ## secrets ##
# #
# The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys # The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys
# #
secrets: secrets:
## cookie ##
#
# A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.
#
# Examples:
# - - this-is-the-primary-secret
# - this-is-an-old-secret
# - this-is-another-old-secret
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SECRETS_COOKIE=<value>
# - Windows Command Line (CMD):
# > set SECRETS_COOKIE=<value>
#
cookie:
- this-is-the-primary-secret
- this-is-an-old-secret
- this-is-another-old-secret
## system ## ## system ##
# #
# The system secret must be at least 16 characters long. If none is provided, one will be generated. They key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption. # The system secret must be at least 16 characters long. If none is provided, one will be generated. They key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.
@ -1327,7 +1013,7 @@ secrets:
# - - this-is-the-primary-secret # - - this-is-the-primary-secret
# - this-is-an-old-secret # - this-is-an-old-secret
# - this-is-another-old-secret # - this-is-another-old-secret
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export SECRETS_SYSTEM=<value> # $ export SECRETS_SYSTEM=<value>
@ -1339,17 +1025,33 @@ secrets:
- this-is-an-old-secret - this-is-an-old-secret
- this-is-another-old-secret - this-is-another-old-secret
## cookie ##
#
# A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.
#
# Examples:
# - - this-is-the-primary-secret
# - this-is-an-old-secret
# - this-is-another-old-secret
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SECRETS_COOKIE=<value>
# - Windows Command Line (CMD):
# > set SECRETS_COOKIE=<value>
#
cookie:
- this-is-the-primary-secret
- this-is-an-old-secret
- this-is-another-old-secret
## profiling ## ## profiling ##
# #
# Enables profiling if set. For more details on profiling, head over to: https://blog.golang.org/profiling-go-programs # Enables profiling if set. For more details on profiling, head over to: https://blog.golang.org/profiling-go-programs
# #
# One of:
# - cpu
# - mem
#
# Examples: # Examples:
# - cpu # - cpu
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export PROFILING=<value> # $ export PROFILING=<value>
@ -1363,13 +1065,29 @@ profiling: cpu
# ORY Hydra supports distributed tracing. # ORY Hydra supports distributed tracing.
# #
tracing: tracing:
## provider ##
#
# Set this to the tracing backend you wish to use. Currently supports jaeger. If omitted or empty, tracing will be disabled.
#
# Examples:
# - jaeger
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDER=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDER=<value>
#
provider: jaeger
## service_name ## ## service_name ##
# #
# Specifies the service name to use on the tracer. # Specifies the service name to use on the tracer.
# #
# Examples: # Examples:
# - ORY Hydra # - ORY Hydra
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export TRACING_SERVICE_NAME=<value> # $ export TRACING_SERVICE_NAME=<value>
@ -1381,38 +1099,35 @@ tracing:
## providers ## ## providers ##
# #
providers: providers:
## zipkin ##
#
# Configures the zipkin tracing backend.
#
# Examples:
# - server_url: http://localhost:9411/api/v2/spans
#
zipkin:
## server_url ##
#
# The address of Zipkin server where spans should be sent to.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_ZIPKIN_SERVER_URL=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_ZIPKIN_SERVER_URL=<value>
#
server_url: http://localhost:9411/api/v2/spans
## jaeger ## ## jaeger ##
# #
# Configures the jaeger tracing backend. # Configures the jaeger tracing backend.
# #
jaeger: jaeger:
## local_agent_address ##
#
# The address of the jaeger-agent where spans should be sent to.
#
# Examples:
# - 127.0.0.1:6831
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
#
local_agent_address: 127.0.0.1:6831
## propagation ## ## propagation ##
# #
# The tracing header format # The tracing header format
# #
# Examples: # Examples:
# - jaeger # - jaeger
# #
# Set this value using environment variables on # Set this value using environment variables on
# - Linux/macOS: # - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_PROPAGATION=<value> # $ export TRACING_PROVIDERS_JAEGER_PROPAGATION=<value>
@ -1421,28 +1136,15 @@ tracing:
# #
propagation: jaeger propagation: jaeger
## max_tag_value_length ##
#
# The value passed to the max tag value length that has been configured.
#
# Minimum value: 0
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_MAX_TAG_VALUE_LENGTH=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_MAX_TAG_VALUE_LENGTH=<value>
#
max_tag_value_length: 0
## sampling ## ## sampling ##
# #
# Examples: # Examples:
# - type: const # - type: const
# value: 1 # value: 1
# server_url: http://localhost:5778/sampling # server_url: http://localhost:5778/sampling
# #
sampling: sampling:
## type ## ## type ##
# #
# Set this value using environment variables on # Set this value using environment variables on
@ -1472,165 +1174,3 @@ tracing:
# > set TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<value> # > set TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<value>
# #
server_url: http://localhost:5778/sampling server_url: http://localhost:5778/sampling
## local_agent_address ##
#
# The address of the jaeger-agent where spans should be sent to.
#
# Examples:
# - 127.0.0.1:6831
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
#
local_agent_address: 127.0.0.1:6831
## provider ##
#
# Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin DataDog, Elastic APM and Instana. If omitted or empty, tracing will be disabled. Use environment variables to configure DataDog (see https://docs.datadoghq.com/tracing/setup/go/#configuration).
#
# One of:
# - jaeger
# - zipkin
# - datadog
# - elastic-apm
# - instana
#
# Examples:
# - jaeger
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDER=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDER=<value>
#
provider: jaeger
## sqa ##
#
# Software Quality Assurance telemetry configuration section
#
# Examples:
# - opt_out: true
#
sqa:
## opt_out ##
#
# Disables anonymized telemetry reports - for more information please visit https://www.ory.sh/docs/ecosystem/sqa
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SQA_OPT_OUT=<value>
# - Windows Command Line (CMD):
# > set SQA_OPT_OUT=<value>
#
opt_out: true
## The Hydra version this config is written for. ##
#
# SemVer according to https://semver.org/ prefixed with `v` as in our releases.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export VERSION=<value>
# - Windows Command Line (CMD):
# > set VERSION=<value>
#
version: v1.10.6
## cgroups ##
#
# ORY Hydra can respect Linux container CPU quota
#
cgroups:
## v1 ##
#
# Configures parameters using cgroups v1 hierarchy
#
v1:
## auto_max_procs_enabled ##
#
# Set GOMAXPROCS automatically according to cgroups limits
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export CGROUPS_V1_AUTO_MAX_PROCS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set CGROUPS_V1_AUTO_MAX_PROCS_ENABLED=<value>
#
auto_max_procs_enabled: true
## log ##
#
# Configures the logger
#
log:
## leak_sensitive_values ##
#
# Logs sensitive values such as cookie and URL parameter.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_LEAK_SENSITIVE_VALUES=<value>
# - Windows Command Line (CMD):
# > set LOG_LEAK_SENSITIVE_VALUES=<value>
#
leak_sensitive_values: false
## format ##
#
# Sets the log format.
#
# Default value: text
#
# One of:
# - json
# - json_pretty
# - text
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_FORMAT=<value>
# - Windows Command Line (CMD):
# > set LOG_FORMAT=<value>
#
format: text
## level ##
#
# Sets the log level.
#
# Default value: info
#
# One of:
# - panic
# - fatal
# - error
# - warn
# - info
# - debug
# - trace
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_LEVEL=<value>
# - Windows Command Line (CMD):
# > set LOG_LEVEL=<value>
#
level: error

2
debian/control vendored

@ -10,5 +10,5 @@ Vcs-Browser: http://forge.cadoles.com/wpetit/debian-hydra
Package: hydra Package: hydra
Architecture: amd64 Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}, ssl-cert Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Serveur OpenID Connect Description: Serveur OpenID Connect
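Review bot: Removing `ssl-cert` from the `Depends:` line means nothing guarantees the `ssl-cert` group or the snakeoil certificate exist when the package is installed on a clean system; if the maintainer scripts or the systemd unit (not in this hunk) still add the service user to that group or point the TLS options at a certificate under `/etc/ssl/private`, installation or TLS startup will fail where it used to work. If the dependency really is unused it can go, but a short `debian/changelog` entry saying why would help the next packager. If it is still needed for the shipped configuration, `Recommends: ssl-cert` keeps the relationship visible without hard-failing installs that bring their own certificate.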

2
debian/rules vendored

@ -4,7 +4,7 @@
# Uncomment this to turn on verbose mode. # Uncomment this to turn on verbose mode.
export DH_VERBOSE=1 export DH_VERBOSE=1
HYDRA_VERSION := v1.10.6 HYDRA_VERSION := v1.5.1
%: %:
dh $@ --with systemd dh $@ --with systemd


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
set -e set -e
# Code generated by godownloader on 2020-10-22T12:52:40Z. DO NOT EDIT. # Code generated by godownloader on 2020-04-25T10:38:57Z. DO NOT EDIT.
# #
usage() { usage() {
@ -117,20 +117,18 @@ adjust_format() {
adjust_os() { adjust_os() {
# adjust archive name based on OS # adjust archive name based on OS
case ${OS} in case ${OS} in
386) OS=32bit ;; 386) OS=32-bit ;;
amd64) OS=64bit ;; amd64) OS=64-bit ;;
arm) OS=arm32 ;; darwin) OS=macOS ;;
darwin) OS=macos ;;
esac esac
true true
} }
adjust_arch() { adjust_arch() {
# adjust archive name based on ARCH # adjust archive name based on ARCH
case ${ARCH} in case ${ARCH} in
386) ARCH=32bit ;; 386) ARCH=32-bit ;;
amd64) ARCH=64bit ;; amd64) ARCH=64-bit ;;
arm) ARCH=arm32 ;; darwin) ARCH=macOS ;;
darwin) ARCH=macos ;;
esac esac
true true
} }
@ -398,11 +396,11 @@ adjust_arch
log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}" log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
NAME=${PROJECT_NAME}_${VERSION}-sqlite_${OS}_${ARCH} NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH}
TARBALL=${NAME}.${FORMAT} TARBALL=${NAME}.${FORMAT}
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL} TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM} CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
execute execute