# ORY Hydra configuration; the `version` key below pins v1.10.6.
# NOTE(review): the values look like schema/test placeholders (snakeoil
# certificate paths, `this-is-the-primary-secret`, port 1, in-memory DSN).
# Confirm this file is a fixture and is never used as a deployment template.
# NOTE(review): the source arrived with its line breaks collapsed; the nesting
# below was restored from key order and should be checked against the Hydra
# config schema for this version.
serve:
  # Admin listener. Hydra 1.x does not authenticate calls to the admin API
  # itself, so reachability is the access control: keep it on loopback or
  # behind an authenticating gateway.
  admin:
    host: localhost
    # CORS is switched off (`enabled: false`), so the lists below are inert
    # until someone flips that flag.
    cors:
      # Wildcard patterns trust every matching subdomain. If CORS is enabled,
      # prefer exact origins so one weak subdomain does not widen the trust
      # boundary.
      allowed_origins:
        - https://example.com
        - https://*.example.com
        - https://*.foo.example.com
      allowed_methods:
        - POST
      # A single empty string is a placeholder, not a real header name.
      allowed_headers:
        - ''
      exposed_headers:
        - ''
      # Keep false while wildcard origins are listed; credentials plus broad
      # origins lets any matching site make authenticated cross-origin calls.
      allow_credentials: false
      options_passthrough: false
      max_age: 0
      debug: false
      enabled: false
    # Ownership and permissions for a unix-socket listener.
    # NOTE(review): presumably ignored while `host` is a TCP address - confirm.
    socket:
      group: ''
      mode: 0
      owner: ''
    access_log:
      disable_for_health: false
    # Per-listener TLS settings for the admin endpoint.
    tls:
      cert:
        # Debian/Ubuntu `ssl-cert` self-signed "snakeoil" pair; placeholder
        # only, clients will not trust it.
        path: /etc/ssl/certs/ssl-cert-snakeoil.pem
      # CIDR ranges allowed to terminate TLS in front of Hydra. Hosts in these
      # ranges are trusted to assert the original scheme via forwarding
      # headers, so keep the list to the actual proxy addresses.
      allow_termination_from:
        - 127.0.0.1/32
      # TLS is off on the admin listener; traffic is plaintext unless a proxy
      # in the range above terminates it.
      enabled: false
      key:
        path: /etc/ssl/private/ssl-cert-snakeoil.key
    # Placeholder port.
    port: 1
  # TLS settings at the `serve` level, alongside the per-listener blocks.
  tls:
    cert:
      path: /etc/ssl/certs/ssl-cert-snakeoil.pem
    allow_termination_from:
      - 127.0.0.1/32
    key:
      path: /etc/ssl/private/ssl-cert-snakeoil.key
  cookies:
    # NOTE(review): the legacy workaround targets browsers that mishandle
    # SameSite=None; with `Strict` below it is presumably unused - confirm.
    same_site_legacy_workaround: true
    # Strict keeps Hydra's cookies off cross-site requests.
    same_site_mode: Strict
  # Public listener (OAuth2 / OIDC endpoints). Same shape as `admin` above.
  public:
    host: localhost
    # CORS is disabled here as well; the same wildcard-origin caveat applies
    # if it is turned on.
    cors:
      allowed_origins:
        - https://example.com
        - https://*.example.com
        - https://*.foo.example.com
      allowed_methods:
        - POST
      allowed_headers:
        - ''
      exposed_headers:
        - ''
      allow_credentials: false
      options_passthrough: false
      max_age: 0
      debug: false
      enabled: false
    socket:
      group: ''
      mode: 0
      owner: ''
    access_log:
      disable_for_health: false
    tls:
      cert:
        # Self-signed snakeoil placeholder, as on the admin listener.
        path: /etc/ssl/certs/ssl-cert-snakeoil.pem
      allow_termination_from:
        - 127.0.0.1/32
      key:
        path: /etc/ssl/private/ssl-cert-snakeoil.key
    port: 1
# In-memory store: clients, consent and tokens vanish on restart.
# Test use only.
dsn: 'memory'
webfinger:
  # Overrides for the URLs and capabilities advertised in the OIDC discovery
  # document. Relying parties trust these values, so each one must point at
  # an endpoint the operator controls.
  oidc_discovery:
    token_url: https://my-service.com/oauth2/token
    auth_url: https://my-service.com/oauth2/auth
    client_registration_url: https://my-service.com/clients
    supported_claims:
      - email
      - username
    supported_scope:
      - email
      - whatever
      - read.photos
    userinfo_url: https://example.org/my-custom-userinfo-endpoint
    jwks_url: https://my-service.com/.well-known/jwks.json
  jwks:
    # Key sets published on the well-known JWKS endpoint.
    broadcast_keys:
      - hydra.jwt.access-token
oidc:
  dynamic_client_registration:
    default_scope:
      - openid
      - offline
      - offline_access
  subject_identifiers:
    supported_types:
      - public
      - pairwise
    pairwise:
      # Placeholder. The salt feeds the pairwise subject derivation: use a
      # random value, keep it out of version control, and keep it stable,
      # since changing it changes every pairwise identifier already issued.
      salt: some-random-salt
urls:
  # Login, consent and logout apps are part of the authentication trust
  # boundary; all are HTTPS here and should stay that way.
  login: https://my-login.app/login
  consent: https://my-consent.app/consent
  logout: https://my-logout.app/logout
  error: https://my-error.app/error
  post_logout_redirect: https://my-example.app/logout-successful
  self:
    public: https://localhost:4444/
    # Issuer value placed in tokens and discovery; clients validate against
    # it, so it must match the externally visible URL exactly.
    issuer: https://localhost:4444/
strategies:
  access_token: opaque
  # Scopes must match exactly; no wildcard expansion.
  scope: exact
# Every lifetime is set to 1h. For `auth_code` that is well above the
# 10-minute maximum RFC 6749 recommends for authorization codes.
ttl:
  access_token: 1h
  refresh_token: 1h
  id_token: 1h
  auth_code: 1h
  login_consent_request: 1h
oauth2:
  session:
    # NOTE(review): by its name this leaves stored session data unencrypted
    # in the database - confirm whether that is acceptable outside tests.
    encrypt_at_rest: false
  include_legacy_error_fields: true
  exclude_not_before_claim: true
  allowed_top_level_claims:
    - username
    - email
    - user_uuid
  hashers:
    bcrypt:
      # 4 is the lowest cost bcrypt accepts. It keeps tests fast but makes
      # hashed client secrets cheap to brute-force; raise it for real use.
      cost: 4
  pkce:
    enforced_for_public_clients: true
    # PKCE required for all clients, which blocks authorization-code
    # interception.
    enforced: true
  client_credentials:
    default_grant_allowed_scope: false
  # Returns internal error detail to OAuth2 clients. Useful for debugging,
  # but it can disclose database errors and other implementation detail;
  # leave it off outside test environments.
  expose_internal_errors: true
# Placeholder secrets. Real values belong in a secret store or environment
# injection, not in a committed file. Here `cookie` and `system` also share
# identical values, which removes any separation between the two purposes.
secrets:
  # Signs HTTP cookies.
  cookie:
    - this-is-the-primary-secret
    - this-is-an-old-secret
    - this-is-another-old-secret
  # First entry encrypts and signs; the remaining entries are kept only to
  # decrypt and verify data written before a rotation.
  system:
    - this-is-the-primary-secret
    - this-is-an-old-secret
    - this-is-another-old-secret
# CPU profiling enabled; a debugging aid, not a production setting.
profiling: cpu
tracing:
  service_name: ORY Hydra
  providers:
    zipkin:
      # Plain HTTP to a local collector; spans would be unencrypted on any
      # non-loopback path.
      server_url: http://localhost:9411/api/v2/spans
    jaeger:
      propagation: jaeger
      max_tag_value_length: 0
      sampling:
        # `const` with value 1 samples every request.
        type: const
        value: 1
        server_url: http://localhost:5778/sampling
      local_agent_address: 127.0.0.1:6831
  provider: jaeger
sqa:
  # Opts out of usage telemetry.
  opt_out: true
version: v1.10.6
cgroups:
  v1:
    auto_max_procs_enabled: true
log:
  # Keep false so sensitive values stay redacted in log output.
  leak_sensitive_values: false
  format: text
  # NOTE(review): `error` level presumably drops lower-severity records that
  # an investigation might need - confirm against logging requirements.
  level: error