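# DEPRECATED: use config.yaml.dist and config.dev.yaml examples in the repository root.
# TODO: keep this until all references are updated.
#
# This is a *development* configuration: it listens on plaintext HTTP, uses a
# local sqlite file, and ships a well-known static client secret and a static
# admin password. None of these values are suitable outside a local sandbox.

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
# Dev-only: plaintext http on a loopback address.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the documentation (https://dexidp.io/docs/storage/) for further information.
storage:
  type: sqlite3
  config:
    file: examples/dex.db

  # The commented backends below carry example credentials (user/password
  # pairs) and disabled TLS ("mode: disable" / "mode: \"false\""); both are
  # placeholders for local testing only.
  # type: mysql
  # config:
  #   host: localhost
  #   port: 3306
  #   database: dex
  #   user: mysql
  #   password: mysql
  #   ssl:
  #     mode: "false"

  # type: postgres
  # config:
  #   host: localhost
  #   port: 5432
  #   database: dex
  #   user: postgres
  #   password: postgres
  #   ssl:
  #     mode: disable

  # type: etcd
  # config:
  #   endpoints:
  #     - http://localhost:2379
  #   namespace: dex/

  # type: kubernetes
  # config:
  #   kubeConfigFile: $HOME/.kube/config

# Configuration for the HTTP endpoints.
web:
  # Binds every interface over plain HTTP. The https/tlsCert/tlsKey keys
  # below are the path for anything reachable beyond localhost.
  http: 0.0.0.0:5556
  # Uncomment for HTTPS options.
  # https: 127.0.0.1:5554
  # tlsCert: /etc/dex/tls.crt
  # tlsKey: /etc/dex/tls.key
  # Hardening response headers; values are quoted because several contain
  # "; " and "'" which would otherwise confuse the YAML parser.
  # headers:
  #   X-Frame-Options: "DENY"
  #   X-Content-Type-Options: "nosniff"
  #   X-XSS-Protection: "1; mode=block"
  #   Content-Security-Policy: "default-src 'self'"
  #   Strict-Transport-Security: "max-age=31536000; includeSubDomains"
  # Source-address derivation behind a reverse proxy. The forwarded header is
  # meant to be trusted only from the listed proxy ranges; keep trustedProxies
  # as narrow as your ingress allows, otherwise clients can choose the address
  # dex records for them.
  # clientRemoteIP:
  #   header: X-Forwarded-For
  #   trustedProxies:
  #     - 10.0.0.0/8

# Configuration for dex appearance
# frontend:
#   issuer: dex
#   logoURL: theme/logo.png
#   dir: web/
#   # Allowed values: light, dark
#   theme: light

# Configuration for telemetry
telemetry:
  # Metrics endpoint, bound to every interface in this dev config. Keep it
  # off public interfaces, and be deliberate about enableProfiling, which
  # presumably exposes runtime profiling data on the same listener.
  http: 0.0.0.0:5558
  # enableProfiling: true

# Uncomment this block to enable the gRPC API. These values MUST be different
# from the HTTP endpoints.
# tlsClientCA is the CA used to verify API callers (mutual TLS); the example
# certificate material lives under examples/grpc-client/.
# grpc:
#   addr: 127.0.0.1:5557
#   tlsCert: examples/grpc-client/server.crt
#   tlsKey: examples/grpc-client/server.key
#   tlsClientCA: examples/grpc-client/ca.crt

# Uncomment this block to enable configuration for the expiration time durations.
# It is possible to specify units using only s, m and h suffixes.
# expiry:
#   deviceRequests: "5m"
#   signingKeys: "6h" # deprecated, use signer.config.keysRotationPeriod
#   idTokens: "24h"
#   refreshTokens:
#     reuseInterval: "3s"
#     validIfNotUsedFor: "2160h" # 90 days
#     absoluteLifetime: "3960h" # 165 days

# Authentication sessions configuration.
# Requires DEX_SESSIONS_ENABLED=true feature flag.
# sessions:
#   cookieName: "dex_session"
#   absoluteLifetime: "24h"
#   validIfNotUsedFor: "1h"
#   rememberMeCheckedByDefault: false
#   # Default SSO sharing policy for clients without explicit ssoSharedWith.
#   # "all" = share with all clients (Keycloak-like), "none" = no sharing (default).
#   ssoSharedWithDefault: "none"

# Options for controlling the logger.
# logger:
#   level: "debug"
#   format: "text" # can also be "json"

# Default values shown below
# oauth2:
#   # grantTypes determines the allowed set of authorization flows.
#   # Trim this list to what your clients actually use; "implicit" and
#   # "password" in particular are only kept for legacy clients.
#   grantTypes:
#     - "authorization_code"
#     - "client_credentials"
#     - "refresh_token"
#     - "implicit"
#     - "password"
#     - "urn:ietf:params:oauth:grant-type:device_code"
#     - "urn:ietf:params:oauth:grant-type:token-exchange"
#   # responseTypes determines the allowed response contents of a successful authorization flow.
#   # use ["code", "token", "id_token"] to enable implicit flow for web-only clients.
#   responseTypes: [ "code" ] # also allowed are "token" and "id_token"
#   # By default, Dex will ask for approval to share data with application
#   # (approval for sharing data from connected IdP to Dex is a separate process on the IdP)
#   skipApprovalScreen: false
#   # If only one authentication method is enabled, the default behavior is to
#   # go directly to it. For connected IdPs, this redirects the browser away
#   # from application to upstream provider such as the Google login page
#   alwaysShowLoginScreen: false
#   # Uncomment the passwordConnector to use a specific connector for password grants
#   passwordConnector: local
#   # PKCE (Proof Key for Code Exchange) configuration
#   pkce:
#     # If true, PKCE is required for all authorization code flows (OAuth 2.1).
#     # Set to true once every client sends a code_challenge.
#     enforce: false
#     # Supported code challenge methods. Defaults to ["S256", "plain"].
#     # Dropping "plain" leaves only the hashed challenge method.
#     codeChallengeMethodsSupported: ["S256", "plain"]

# Multi-factor authentication configuration.
# Requires DEX_SESSIONS_ENABLED=true feature flag.
# mfa:
#   authenticators:
#     - id: totp-1
#       type: TOTP
#       config:
#         issuer: "dex-1"
#       # Optional: limit this authenticator to specific connector types (e.g., ldap, oidc, saml).
#       # If omitted or empty, applies to all connector types.
#       # It is recommended to use this option to prevent MFA from being used for connectors
#       # with their own MFA mechanisms, e.g., OIDC, Google, etc. (but technically, it is possible).
#       connectorTypes:
#         - mockCallback
#     - id: webauthn-1
#       type: WebAuthn
#       config:
#         rpDisplayName: "Dex Dev"
#         # rpID defaults to the hostname of the issuer URL.
#         # rpID: "127.0.0.1"
#         # rpOrigins defaults to the issuer URL.
#         # rpOrigins:
#         #   - "http://127.0.0.1:5556"
#         attestationPreference: "indirect" # none, indirect, or direct
#         userVerification: "preferred" # required, preferred, or discouraged
#         # authenticatorAttachment: "" # platform, cross-platform, or empty (any)
#         timeout: "60s"
#   defaultMFAChain:
#     - totp-1

# Instead of reading from an external storage, use this list of clients.
#
# If this option isn't chosen, clients may be added through the gRPC API.
staticClients:
  - id: example-app
    redirectURIs:
      - 'http://127.0.0.1:5555/callback'
      - '/dex/device/callback'
    postLogoutRedirectURIs:
      - 'http://127.0.0.1:5555/'
    name: 'Example App'
    # Example secret committed to the repository: replace it, or prefer the
    # idEnv/secretEnv form shown below so the value never lands in VCS.
    secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    # Optional: restrict which connectors this client can use for authentication.
    # If omitted or empty, all connectors are allowed.
    # allowedConnectors:
    #   - mock
    # Optional: ordered list of MFA authenticator IDs the user must complete during login.
    # References authenticator IDs from mfa.authenticators.
    # If omitted, mfa.defaultMFAChain is used.
    # mfaChain:
    #   - totp-1
    # Optional: which other clients can reuse this client's authentication session (SSO).
    # ["*"] = share with all clients, [] = share with no one.
    # If omitted, ssoSharedWithDefault from sessions config is used.
    # ssoSharedWith:
    #   - "*"

  # Example using environment variables
  # Set DEX_CLIENT_ID and DEX_CLIENT_SECRET before starting Dex (the names
  # must match idEnv and secretEnv exactly).
  # - idEnv: DEX_CLIENT_ID
  #   secretEnv: DEX_CLIENT_SECRET
  #   redirectURIs:
  #     - 'http://127.0.0.1:5556/callback'
  #   name: 'Secure Example App'

  # - id: example-device-client
  #   redirectURIs:
  #     - /device/callback
  #   name: 'Static Client for Device Flow'
  #   public: true

connectors:
  # mockCallback authenticates anyone without credentials; development only.
  - type: mockCallback
    id: mock
    name: Example
    # grantTypes restricts which grant types can use this connector.
    # If not specified, all grant types are allowed.
    # Supported values:
    # - "authorization_code"
    # - "implicit"
    # - "refresh_token"
    # - "password"
    # - "urn:ietf:params:oauth:grant-type:device_code"
    # - "urn:ietf:params:oauth:grant-type:token-exchange"
    # grantTypes:
    #   - "authorization_code"
    #   - "refresh_token"
  # - type: google
  #   id: google
  #   name: Google
  #   config:
  #     issuer: https://accounts.google.com
  #     # Connector config values starting with a "$" will read from the environment.
  #     clientID: $GOOGLE_CLIENT_ID
  #     clientSecret: $GOOGLE_CLIENT_SECRET
  #     redirectURI: http://127.0.0.1:5556/dex/callback
  #     hostedDomains:
  #       - $GOOGLE_HOSTED_DOMAIN

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen, users may be added through the gRPC API.
staticPasswords:
  # Dev-only account: the hash below is of the literal string "password"
  # (see the generating command), so this entry must not reach a shared
  # deployment.
  - email: "admin@example.com"
    # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    username: "admin"
    name: "Admin User"
    emailVerified: true
    preferredUsername: "admin"
    groups:
      - "team-a"
      - "team-a/admins"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

# Configuration for signing JWT tokens.
# - "local": use local keys (supports RS256 (default) and ES256)
# - "vault": use Vault Transit backend (supports RSA, ECDSA, and Ed25519)
signer:
  type: local
  config:
    keysRotationPeriod: "6h"
    algorithm: "RS256" # changes apply on the next key rotation
# Vault example: "token: root" is the dev-server root token; a real
# deployment needs a scoped token (or env-based injection) instead.
# signer:
#   type: vault
#   config:
#     addr: http://127.0.0.1:8200
#     token: root
#     keyName: dex-key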