matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity
Files
23571e87ea3891ec3f8ba3d699d58f09df10366d
authentication-service/docs/config.schema.json
Quentin Gliech 7fcd022eea Make sure we validate passwords & emails by the policy at all stages 
Also refactors the way we get the policy engines in requests
2023-08-30 19:39:39 +02:00

2048 lines
53 KiB
JSON
Raw Blame History

{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "RootConfig",
"description": "Application configuration root",
"type": "object",
"required": [
"matrix",
"secrets"
],
"properties": {
"clients": {
"description": "List of OAuth 2.0/OIDC clients config",
"default": [],
"type": "array",
"items": {
"$ref": "#/definitions/ClientConfig"
}
},
"csrf": {
"description": "Configuration related to Cross-Site Request Forgery protections",
"default": {
"ttl": 3600
},
"allOf": [
{
"$ref": "#/definitions/CsrfConfig"
}
]
},
"database": {
"description": "Database connection configuration",
"default": {
"connect_timeout": 30,
"idle_timeout": 600,
"max_connections": 10,
"max_lifetime": 1800,
"min_connections": 0,
"uri": "postgresql://"
},
"allOf": [
{
"$ref": "#/definitions/DatabaseConfig"
}
]
},
"email": {
"description": "Configuration related to sending emails",
"default": {
"from": "\"Authentication Service\" <root@localhost>",
"reply_to": "\"Authentication Service\" <root@localhost>",
"transport": "blackhole"
},
"allOf": [
{
"$ref": "#/definitions/EmailConfig"
}
]
},
"http": {
"description": "Configuration of the HTTP server",
"default": {
"issuer": "http://[::]:8080/",
"listeners": [
{
"binds": [
{
"address": "[::]:8080"
}
],
"name": "web",
"proxy_protocol": false,
"resources": [
{
"name": "discovery"
},
{
"name": "human"
},
{
"name": "oauth"
},
{
"name": "compat"
},
{
"name": "graphql",
"playground": true
},
{
"name": "assets",
"path": "./frontend/dist/"
}
]
},
{
"binds": [
{
"host": "localhost",
"port": 8081
}
],
"name": "internal",
"proxy_protocol": false,
"resources": [
{
"name": "health"
}
]
}
],
"public_base": "http://[::]:8080/"
},
"allOf": [
{
"$ref": "#/definitions/HttpConfig"
}
]
},
"matrix": {
"description": "Configuration related to the homeserver",
"allOf": [
{
"$ref": "#/definitions/MatrixConfig"
}
]
},
"passwords": {
"description": "Configuration related to user passwords",
"default": {
"enabled": true,
"schemes": [
{
"algorithm": "argon2id",
"version": 1
}
]
},
"allOf": [
{
"$ref": "#/definitions/PasswordsConfig"
}
]
},
"policy": {
"description": "Configuration related to the OPA policies",
"default": {
"authorization_grant_entrypoint": "authorization_grant/violation",
"client_registration_entrypoint": "client_registration/violation",
"data": null,
"email_entrypoint": "email/violation",
"password_entrypoint": "password/violation",
"register_entrypoint": "register/violation",
"wasm_module": "./policies/policy.wasm"
},
"allOf": [
{
"$ref": "#/definitions/PolicyConfig"
}
]
},
"secrets": {
"description": "Application secrets",
"allOf": [
{
"$ref": "#/definitions/SecretsConfig"
}
]
},
"telemetry": {
"description": "Configuration related to sending monitoring data",
"default": {
"metrics": {
"exporter": "none"
},
"sentry": {
"dsn": null
},
"tracing": {
"exporter": "none",
"propagators": []
}
},
"allOf": [
{
"$ref": "#/definitions/TelemetryConfig"
}
]
},
"templates": {
"description": "Configuration related to templates",
"default": {
"assets_manifest": "./frontend/dist/manifest.json",
"path": "./templates/"
},
"allOf": [
{
"$ref": "#/definitions/TemplatesConfig"
}
]
},
"upstream_oauth2": {
"description": "Configuration related to upstream OAuth providers",
"default": {
"providers": []
},
"allOf": [
{
"$ref": "#/definitions/UpstreamOAuth2Config"
}
]
}
},
"definitions": {
"BindConfig": {
"description": "Configuration of a single listener",
"anyOf": [
{
"description": "Listen on the specified host and port",
"type": "object",
"required": [
"port"
],
"properties": {
"host": {
"description": "Host on which to listen.\n\nDefaults to listening on all addresses",
"type": "string"
},
"port": {
"description": "Port on which to listen.",
"type": "integer",
"format": "uint16",
"minimum": 0.0
}
}
},
{
"description": "Listen on the specified address",
"type": "object",
"required": [
"address"
],
"properties": {
"address": {
"description": "Host and port on which to listen",
"examples": [
"[::1]:8080",
"[::]:8080",
"127.0.0.1:8080",
"0.0.0.0:8080"
],
"type": "string"
}
}
},
{
"description": "Listen on a UNIX domain socket",
"type": "object",
"required": [
"socket"
],
"properties": {
"socket": {
"description": "Path to the socket",
"type": "string"
}
}
},
{
"description": "Accept connections on file descriptors passed by the parent process.\n\nThis is useful for grabbing sockets passed by systemd.\n\nSee <https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html>",
"type": "object",
"properties": {
"fd": {
"description": "Index of the file descriptor. Note that this is offseted by 3 because of the standard input/output sockets, so setting here a value of `0` will grab the file descriptor `3`",
"default": 0,
"type": "integer",
"format": "uint",
"minimum": 0.0
},
"kind": {
"description": "Whether the socket is a TCP socket or a UNIX domain socket. Defaults to TCP.",
"default": "tcp",
"allOf": [
{
"$ref": "#/definitions/UnixOrTcp"
}
]
}
}
}
]
},
"ClaimsImports": {
"description": "How claims should be imported",
"type": "object",
"properties": {
"displayname": {
"description": "Import the displayname of the user based on the `name` claim",
"default": null,
"allOf": [
{
"$ref": "#/definitions/ImportPreference"
}
]
},
"email": {
"description": "Import the email address of the user based on the `email` and `email_verified` claims",
"default": null,
"allOf": [
{
"$ref": "#/definitions/ImportPreference"
}
]
},
"localpart": {
"description": "Import the localpart of the MXID based on the `preferred_username` claim",
"default": null,
"allOf": [
{
"$ref": "#/definitions/ImportPreference"
}
]
}
}
},
"ClientConfig": {
"description": "An OAuth 2.0 client configuration",
"type": "object",
"oneOf": [
{
"description": "`none`: No authentication",
"type": "object",
"required": [
"client_auth_method"
],
"properties": {
"client_auth_method": {
"type": "string",
"enum": [
"none"
]
}
}
},
{
"description": "`client_secret_basic`: `client_id` and `client_secret` used as basic authorization credentials",
"type": "object",
"required": [
"client_auth_method",
"client_secret"
],
"properties": {
"client_auth_method": {
"type": "string",
"enum": [
"client_secret_basic"
]
},
"client_secret": {
"description": "The client secret",
"type": "string"
}
}
},
{
"description": "`client_secret_post`: `client_id` and `client_secret` sent in the request body",
"type": "object",
"required": [
"client_auth_method",
"client_secret"
],
"properties": {
"client_auth_method": {
"type": "string",
"enum": [
"client_secret_post"
]
},
"client_secret": {
"description": "The client secret",
"type": "string"
}
}
},
{
"description": "`client_secret_basic`: a `client_assertion` sent in the request body and signed using the `client_secret`",
"type": "object",
"required": [
"client_auth_method",
"client_secret"
],
"properties": {
"client_auth_method": {
"type": "string",
"enum": [
"client_secret_jwt"
]
},
"client_secret": {
"description": "The client secret",
"type": "string"
}
}
},
{
"description": "`client_secret_basic`: a `client_assertion` sent in the request body and signed by an asymmetric key",
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"jwks"
],
"properties": {
"jwks": {
"$ref": "#/definitions/JsonWebKeySet_for_JsonWebKeyPublicParameters"
}
},
"additionalProperties": false
},
{
"type": "object",
"required": [
"jwks_uri"
],
"properties": {
"jwks_uri": {
"type": "string",
"format": "uri"
}
},
"additionalProperties": false
}
],
"required": [
"client_auth_method"
],
"properties": {
"client_auth_method": {
"type": "string",
"enum": [
"private_key_jwt"
]
}
}
}
],
"required": [
"client_id"
],
"properties": {
"client_id": {
"description": "A ULID as per https://github.com/ulid/spec",
"type": "string",
"pattern": "^[0123456789ABCDEFGHJKMNPQRSTVWXYZ]{26}$"
},
"redirect_uris": {
"description": "List of allowed redirect URIs",
"default": [],
"type": "array",
"items": {
"type": "string",
"format": "uri"
}
}
}
},
"CsrfConfig": {
"description": "Configuration related to Cross-Site Request Forgery protections",
"type": "object",
"properties": {
"ttl": {
"description": "Time-to-live of a CSRF token in seconds",
"default": 3600,
"type": "integer",
"format": "uint64",
"maximum": 86400.0,
"minimum": 60.0
}
}
},
"DatabaseConfig": {
"description": "Database connection configuration",
"type": "object",
"anyOf": [
{
"description": "Connect via a full URI",
"type": "object",
"properties": {
"uri": {
"description": "Connection URI",
"default": "postgresql://",
"type": "string",
"format": "uri"
}
}
},
{
"description": "Connect via a map of options",
"type": "object",
"properties": {
"database": {
"description": "The database name",
"default": null,
"type": "string"
},
"host": {
"description": "Name of host to connect to",
"default": null,
"type": "string",
"format": "hostname"
},
"password": {
"description": "Password to be used if the server demands password authentication",
"default": null,
"type": "string"
},
"port": {
"description": "Port number to connect at the server host",
"default": null,
"type": "integer",
"maximum": 65535.0,
"minimum": 1.0
},
"socket": {
"description": "Directory containing the UNIX socket to connect to",
"default": null,
"type": "string"
},
"username": {
"description": "PostgreSQL user name to connect as",
"default": null,
"type": "string"
}
}
}
],
"properties": {
"connect_timeout": {
"description": "Set the amount of time to attempt connecting to the database",
"default": 30,
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"idle_timeout": {
"description": "Set a maximum idle duration for individual connections",
"default": 600,
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"max_connections": {
"description": "Set the maximum number of connections the pool should maintain",
"default": 10,
"type": "integer",
"format": "uint32",
"minimum": 1.0
},
"max_lifetime": {
"description": "Set the maximum lifetime of individual connections",
"default": 1800,
"type": "integer",
"format": "uint64",
"minimum": 0.0
},
"min_connections": {
"description": "Set the minimum number of connections the pool should maintain",
"default": 0,
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
"EmailConfig": {
"description": "Configuration related to sending emails",
"type": "object",
"oneOf": [
{
"description": "Don't send emails anywhere",
"type": "object",
"required": [
"transport"
],
"properties": {
"transport": {
"type": "string",
"enum": [
"blackhole"
]
}
}
},
{
"description": "Send emails via an SMTP relay",
"type": "object",
"required": [
"hostname",
"mode",
"transport"
],
"properties": {
"hostname": {
"description": "Hostname to connect to",
"type": "string",
"format": "hostname"
},
"mode": {
"description": "Connection mode to the relay",
"allOf": [
{
"$ref": "#/definitions/EmailSmtpMode"
}
]
},
"password": {
"description": "Password for use to authenticate when connecting to the SMTP server",
"type": "string"
},
"port": {
"description": "Port to connect to. Default is 25 for plain, 465 for TLS and 587 for StartTLS",
"type": "integer",
"format": "uint16",
"minimum": 1.0
},
"transport": {
"type": "string",
"enum": [
"smtp"
]
},
"username": {
"description": "Username for use to authenticate when connecting to the SMTP server",
"type": "string"
}
}
},
{
"description": "Send emails by calling sendmail",
"type": "object",
"required": [
"transport"
],
"properties": {
"command": {
"description": "Command to execute",
"default": "sendmail",
"type": "string"
},
"transport": {
"type": "string",
"enum": [
"sendmail"
]
}
}
},
{
"description": "Send emails via the AWS SESv2 API",
"deprecated": true,
"type": "object",
"required": [
"transport"
],
"properties": {
"transport": {
"type": "string",
"enum": [
"aws_ses"
]
}
}
}
],
"properties": {
"from": {
"description": "Email address to use as From when sending emails",
"default": "\"Authentication Service\" <root@localhost>",
"type": "string",
"format": "email"
},
"reply_to": {
"description": "Email address to use as Reply-To when sending emails",
"default": "\"Authentication Service\" <root@localhost>",
"type": "string",
"format": "email"
}
}
},
"EmailSmtpMode": {
"description": "Encryption mode to use",
"oneOf": [
{
"description": "Plain text",
"type": "string",
"enum": [
"plain"
]
},
{
"description": "StartTLS (starts as plain text then upgrade to TLS)",
"type": "string",
"enum": [
"starttls"
]
},
{
"description": "TLS",
"type": "string",
"enum": [
"tls"
]
}
]
},
"HashingScheme": {
"description": "A hashing algorithm",
"type": "object",
"oneOf": [
{
"description": "bcrypt",
"type": "object",
"required": [
"algorithm"
],
"properties": {
"algorithm": {
"type": "string",
"enum": [
"bcrypt"
]
},
"cost": {
"description": "Hashing cost",
"default": 12,
"type": "integer",
"format": "uint32",
"minimum": 0.0
}
}
},
{
"description": "argon2id",
"type": "object",
"required": [
"algorithm"
],
"properties": {
"algorithm": {
"type": "string",
"enum": [
"argon2id"
]
}
}
},
{
"description": "PBKDF2",
"type": "object",
"required": [
"algorithm"
],
"properties": {
"algorithm": {
"type": "string",
"enum": [
"pbkdf2"
]
}
}
}
],
"required": [
"version"
],
"properties": {
"version": {
"type": "integer",
"format": "uint16",
"minimum": 0.0
}
}
},
"HttpConfig": {
"description": "Configuration related to the web server",
"type": "object",
"required": [
"public_base"
],
"properties": {
"issuer": {
"description": "OIDC issuer URL. Defaults to `public_base` if not set.",
"type": "string",
"format": "uri"
},
"listeners": {
"description": "List of listeners to run",
"default": [],
"type": "array",
"items": {
"$ref": "#/definitions/ListenerConfig"
}
},
"public_base": {
"description": "Public URL base from where the authentication service is reachable",
"type": "string",
"format": "uri"
}
}
},
"ImportAction": {
"description": "How to handle a claim",
"oneOf": [
{
"description": "Ignore the claim",
"type": "string",
"enum": [
"ignore"
]
},
{
"description": "Suggest the claim value, but allow the user to change it",
"type": "string",
"enum": [
"suggest"
]
},
{
"description": "Force the claim value, but don't fail if it is missing",
"type": "string",
"enum": [
"force"
]
},
{
"description": "Force the claim value, and fail if it is missing",
"type": "string",
"enum": [
"require"
]
}
]
},
"ImportPreference": {
"description": "What should be done with a claim",
"type": "object",
"properties": {
"action": {
"description": "How to handle the claim",
"default": "ignore",
"allOf": [
{
"$ref": "#/definitions/ImportAction"
}
]
}
}
},
"JsonWebKeyEcEllipticCurve": {
"description": "JSON Web Key EC Elliptic Curve",
"anyOf": [
{
"description": "P-256 Curve",
"const": "P-256"
},
{
"description": "P-384 Curve",
"const": "P-384"
},
{
"description": "P-521 Curve",
"const": "P-521"
},
{
"description": "SECG secp256k1 curve",
"const": "secp256k1"
}
]
},
"JsonWebKeyOkpEllipticCurve": {
"description": "JSON Web Key OKP Elliptic Curve",
"anyOf": [
{
"description": "Ed25519 signature algorithm key pairs",
"const": "Ed25519"
},
{
"description": "Ed448 signature algorithm key pairs",
"const": "Ed448"
},
{
"description": "X25519 function key pairs",
"const": "X25519"
},
{
"description": "X448 function key pairs",
"const": "X448"
}
]
},
"JsonWebKeyOperation": {
"description": "JSON Web Key Operation",
"anyOf": [
{
"description": "Compute digital signature or MAC",
"const": "sign"
},
{
"description": "Verify digital signature or MAC",
"const": "verify"
},
{
"description": "Encrypt content",
"const": "encrypt"
},
{
"description": "Decrypt content and validate decryption, if applicable",
"const": "decrypt"
},
{
"description": "Encrypt key",
"const": "wrapKey"
},
{
"description": "Decrypt key and validate decryption, if applicable",
"const": "unwrapKey"
},
{
"description": "Derive key",
"const": "deriveKey"
},
{
"description": "Derive bits not to be used as a key",
"const": "deriveBits"
}
]
},
"JsonWebKeySet_for_JsonWebKeyPublicParameters": {
"type": "object",
"required": [
"keys"
],
"properties": {
"keys": {
"type": "array",
"items": {
"$ref": "#/definitions/JsonWebKey_for_JsonWebKeyPublicParameters"
}
}
}
},
"JsonWebKeyUse": {
"description": "JSON Web Key Use",
"anyOf": [
{
"description": "Digital Signature or MAC",
"const": "sig"
},
{
"description": "Encryption",
"const": "enc"
}
]
},
"JsonWebKey_for_JsonWebKeyPublicParameters": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"e",
"kty",
"n"
],
"properties": {
"e": {
"type": "string"
},
"kty": {
"type": "string",
"enum": [
"RSA"
]
},
"n": {
"type": "string"
}
}
},
{
"type": "object",
"required": [
"crv",
"kty",
"x",
"y"
],
"properties": {
"crv": {
"$ref": "#/definitions/JsonWebKeyEcEllipticCurve"
},
"kty": {
"type": "string",
"enum": [
"EC"
]
},
"x": {
"type": "string"
},
"y": {
"type": "string"
}
}
},
{
"type": "object",
"required": [
"crv",
"kty",
"x"
],
"properties": {
"crv": {
"$ref": "#/definitions/JsonWebKeyOkpEllipticCurve"
},
"kty": {
"type": "string",
"enum": [
"OKP"
]
},
"x": {
"type": "string"
}
}
}
],
"properties": {
"alg": {
"$ref": "#/definitions/JsonWebSignatureAlg"
},
"key_ops": {
"type": "array",
"items": {
"$ref": "#/definitions/JsonWebKeyOperation"
}
},
"kid": {
"type": "string"
},
"use": {
"$ref": "#/definitions/JsonWebKeyUse"
},
"x5c": {
"type": "array",
"items": {
"type": "string"
}
},
"x5t": {
"type": "string"
},
"x5t#S256": {
"type": "string"
},
"x5u": {
"type": "string"
}
}
},
"JsonWebSignatureAlg": {
"description": "JSON Web Signature \"alg\" parameter",
"anyOf": [
{
"description": "HMAC using SHA-256",
"const": "HS256"
},
{
"description": "HMAC using SHA-384",
"const": "HS384"
},
{
"description": "HMAC using SHA-512",
"const": "HS512"
},
{
"description": "RSASSA-PKCS1-v1_5 using SHA-256",
"const": "RS256"
},
{
"description": "RSASSA-PKCS1-v1_5 using SHA-384",
"const": "RS384"
},
{
"description": "RSASSA-PKCS1-v1_5 using SHA-512",
"const": "RS512"
},
{
"description": "ECDSA using P-256 and SHA-256",
"const": "ES256"
},
{
"description": "ECDSA using P-384 and SHA-384",
"const": "ES384"
},
{
"description": "ECDSA using P-521 and SHA-512",
"const": "ES512"
},
{
"description": "RSASSA-PSS using SHA-256 and MGF1 with SHA-256",
"const": "PS256"
},
{
"description": "RSASSA-PSS using SHA-384 and MGF1 with SHA-384",
"const": "PS384"
},
{
"description": "RSASSA-PSS using SHA-512 and MGF1 with SHA-512",
"const": "PS512"
},
{
"description": "No digital signature or MAC performed",
"const": "none"
},
{
"description": "EdDSA signature algorithms",
"const": "EdDSA"
},
{
"description": "ECDSA using secp256k1 curve and SHA-256",
"const": "ES256K"
}
]
},
"KeyConfig": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"password"
],
"properties": {
"password": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"required": [
"password_file"
],
"properties": {
"password_file": {
"type": "string"
}
},
"additionalProperties": false
}
],
"required": [
"kid"
],
"properties": {
"kid": {
"type": "string"
}
}
},
"ListenerConfig": {
"description": "Configuration of a listener",
"type": "object",
"required": [
"binds",
"resources"
],
"properties": {
"binds": {
"description": "List of sockets to bind",
"type": "array",
"items": {
"$ref": "#/definitions/BindConfig"
}
},
"name": {
"description": "A unique name for this listener which will be shown in traces and in metrics labels",
"type": "string"
},
"proxy_protocol": {
"description": "Accept HAProxy's Proxy Protocol V1",
"default": false,
"type": "boolean"
},
"resources": {
"description": "List of resources to mount",
"type": "array",
"items": {
"$ref": "#/definitions/Resource"
}
},
"tls": {
"description": "If set, makes the listener use TLS with the provided certificate and key",
"allOf": [
{
"$ref": "#/definitions/TlsConfig"
}
]
}
}
},
"MatrixConfig": {
"description": "Configuration related to the Matrix homeserver",
"type": "object",
"required": [
"secret"
],
"properties": {
"endpoint": {
"description": "The base URL of the homeserver's client API",
"default": "http://localhost:8008/",
"type": "string",
"format": "uri"
},
"homeserver": {
"description": "The server name of the homeserver.",
"default": "localhost:8008",
"type": "string"
},
"secret": {
"description": "Shared secret to use for calls to the admin API",
"type": "string"
}
}
},
"MetricsConfig": {
"description": "Configuration related to exporting metrics",
"type": "object",
"oneOf": [
{
"description": "Don't export metrics",
"type": "object",
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"none"
]
}
}
},
{
"description": "Export metrics to stdout. Only useful for debugging",
"type": "object",
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"stdout"
]
}
}
},
{
"description": "Export metrics to an OpenTelemetry protocol compatible endpoint",
"type": "object",
"required": [
"exporter"
],
"properties": {
"endpoint": {
"description": "OTLP compatible endpoint",
"examples": [
"https://localhost:4317"
],
"type": "string",
"format": "uri"
},
"exporter": {
"type": "string",
"enum": [
"otlp"
]
}
}
},
{
"description": "Export metrics via Prometheus. An HTTP listener with the `prometheus` resource must be setup to expose the Promethes metrics.",
"type": "object",
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"prometheus"
]
}
}
}
]
},
"PasswordsConfig": {
"description": "User password hashing config",
"type": "object",
"properties": {
"enabled": {
"description": "Whether password-based authentication is enabled",
"default": true,
"type": "boolean"
},
"schemes": {
"default": [
{
"algorithm": "argon2id",
"version": 1
}
],
"type": "array",
"items": {
"$ref": "#/definitions/HashingScheme"
}
}
}
},
"PolicyConfig": {
"description": "Application secrets",
"type": "object",
"properties": {
"authorization_grant_entrypoint": {
"description": "Entrypoint to use when evaluating authorization grants",
"default": "authorization_grant/violation",
"type": "string"
},
"client_registration_entrypoint": {
"description": "Entrypoint to use when evaluating client registrations",
"default": "client_registration/violation",
"type": "string"
},
"data": {
"description": "Arbitrary data to pass to the policy",
"default": null
},
"email_entrypoint": {
"description": "Entrypoint to use when adding an email address",
"default": "email/violation",
"type": "string"
},
"password_entrypoint": {
"description": "Entrypoint to use when changing password",
"default": "password/violation",
"type": "string"
},
"register_entrypoint": {
"description": "Entrypoint to use when evaluating user registrations",
"default": "register/violation",
"type": "string"
},
"wasm_module": {
"description": "Path to the WASM module",
"default": "./policies/policy.wasm",
"type": "string"
}
}
},
"Propagator": {
"description": "Propagation format for incoming and outgoing requests",
"oneOf": [
{
"description": "Propagate according to the W3C Trace Context specification",
"type": "string",
"enum": [
"tracecontext"
]
},
{
"description": "Propagate according to the W3C Baggage specification",
"type": "string",
"enum": [
"baggage"
]
},
{
"description": "Propagate trace context with Jaeger compatible headers",
"type": "string",
"enum": [
"jaeger"
]
},
{
"description": "Propagate trace context with Zipkin compatible headers (single `b3` header variant)",
"type": "string",
"enum": [
"b3"
]
},
{
"description": "Propagate trace context with Zipkin compatible headers (multiple `x-b3-*` headers variant)",
"type": "string",
"enum": [
"b3multi"
]
}
]
},
"Provider": {
"description": "Authentication methods used against the OAuth 2.0 provider",
"type": "object",
"oneOf": [
{
"description": "`none`: No authentication",
"type": "object",
"required": [
"token_endpoint_auth_method"
],
"properties": {
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"none"
]
}
}
},
{
"description": "`client_secret_basic`: `client_id` and `client_secret` used as basic authorization credentials",
"type": "object",
"required": [
"client_secret",
"token_endpoint_auth_method"
],
"properties": {
"client_secret": {
"type": "string"
},
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"client_secret_basic"
]
}
}
},
{
"description": "`client_secret_post`: `client_id` and `client_secret` sent in the request body",
"type": "object",
"required": [
"client_secret",
"token_endpoint_auth_method"
],
"properties": {
"client_secret": {
"type": "string"
},
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"client_secret_post"
]
}
}
},
{
"description": "`client_secret_basic`: a `client_assertion` sent in the request body and signed using the `client_secret`",
"type": "object",
"required": [
"client_secret",
"token_endpoint_auth_method"
],
"properties": {
"client_secret": {
"type": "string"
},
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"client_secret_jwt"
]
},
"token_endpoint_auth_signing_alg": {
"$ref": "#/definitions/JsonWebSignatureAlg"
}
}
},
{
"description": "`client_secret_basic`: a `client_assertion` sent in the request body and signed by an asymmetric key",
"type": "object",
"required": [
"token_endpoint_auth_method"
],
"properties": {
"token_endpoint_auth_method": {
"type": "string",
"enum": [
"private_key_jwt"
]
},
"token_endpoint_auth_signing_alg": {
"$ref": "#/definitions/JsonWebSignatureAlg"
}
}
}
],
"required": [
"claims_imports",
"client_id",
"id",
"issuer",
"scope"
],
"properties": {
"claims_imports": {
"description": "How claims should be imported from the `id_token` provided by the provider",
"allOf": [
{
"$ref": "#/definitions/ClaimsImports"
}
]
},
"client_id": {
"description": "The client ID to use when authenticating with the provider",
"type": "string"
},
"id": {
"description": "A ULID as per https://github.com/ulid/spec",
"type": "string",
"pattern": "^[0123456789ABCDEFGHJKMNPQRSTVWXYZ]{26}$"
},
"issuer": {
"description": "The OIDC issuer URL",
"type": "string"
},
"scope": {
"description": "The scopes to request from the provider",
"type": "string"
}
}
},
"Resource": {
"description": "HTTP resources to mount",
"oneOf": [
{
"description": "Healthcheck endpoint (/health)",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"health"
]
}
}
},
{
"description": "Prometheus metrics endpoint (/metrics)",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"prometheus"
]
}
}
},
{
"description": "OIDC discovery endpoints",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"discovery"
]
}
}
},
{
"description": "Pages destined to be viewed by humans",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"human"
]
}
}
},
{
"description": "GraphQL endpoint",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"graphql"
]
},
"playground": {
"description": "Enabled the GraphQL playground",
"default": false,
"type": "boolean"
}
}
},
{
"description": "OAuth-related APIs",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"oauth"
]
}
}
},
{
"description": "Matrix compatibility API",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"compat"
]
}
}
},
{
"description": "Static files",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"assets"
]
},
"path": {
"description": "Path to the directory to serve.",
"default": "./frontend/dist/",
"type": "string"
}
}
},
{
"description": "Mount a \"/connection-info\" handler which helps debugging informations on the upstream connection",
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"connection-info"
]
}
}
},
{
"description": "Mount the single page app\n\nThis is deprecated and will be removed in a future release.",
"deprecated": true,
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"enum": [
"spa"
]
}
}
}
]
},
"SecretsConfig": {
"description": "Application secrets",
"type": "object",
"required": [
"encryption"
],
"properties": {
"encryption": {
"description": "Encryption key for secure cookies",
"examples": [
"0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff"
],
"type": "string",
"pattern": "[0-9a-fA-F]{64}"
},
"keys": {
"description": "List of private keys to use for signing and encrypting payloads",
"default": [],
"type": "array",
"items": {
"$ref": "#/definitions/KeyConfig"
}
}
}
},
"SentryConfig": {
"description": "Configuration related to the Sentry integration",
"type": "object",
"properties": {
"dsn": {
"description": "Sentry DSN",
"default": null,
"examples": [
"https://public@host:port/1"
],
"type": "string",
"format": "uri"
}
}
},
"TelemetryConfig": {
"description": "Configuration related to sending monitoring data",
"type": "object",
"properties": {
"metrics": {
"description": "Configuration related to exporting metrics",
"default": {
"exporter": "none"
},
"allOf": [
{
"$ref": "#/definitions/MetricsConfig"
}
]
},
"sentry": {
"description": "Configuration related to the Sentry integration",
"default": {
"dsn": null
},
"allOf": [
{
"$ref": "#/definitions/SentryConfig"
}
]
},
"tracing": {
"description": "Configuration related to exporting traces",
"default": {
"exporter": "none",
"propagators": []
},
"allOf": [
{
"$ref": "#/definitions/TracingConfig"
}
]
}
}
},
"TemplatesConfig": {
"description": "Configuration related to templates",
"type": "object",
"properties": {
"assets_manifest": {
"description": "Path to the assets manifest",
"default": "./frontend/dist/manifest.json",
"type": "string"
},
"path": {
"description": "Path to the folder which holds the templates",
"default": "./templates/",
"type": "string"
}
}
},
"TlsConfig": {
"description": "Configuration related to TLS on a listener",
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"certificate"
],
"properties": {
"certificate": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"required": [
"certificate_file"
],
"properties": {
"certificate_file": {
"type": "string"
}
},
"additionalProperties": false
}
]
},
"TracingConfig": {
"description": "Configuration related to exporting traces",
"type": "object",
"oneOf": [
{
"description": "Don't export traces",
"type": "object",
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"none"
]
}
},
"additionalProperties": false
},
{
"description": "Export traces to the standard output. Only useful for debugging",
"type": "object",
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"stdout"
]
}
},
"additionalProperties": false
},
{
"description": "Export traces to an OpenTelemetry protocol compatible endpoint",
"type": "object",
"required": [
"exporter"
],
"properties": {
"endpoint": {
"description": "OTLP compatible endpoint",
"examples": [
"https://localhost:4317"
],
"type": "string",
"format": "uri"
},
"exporter": {
"type": "string",
"enum": [
"otlp"
]
}
},
"additionalProperties": false
},
{
"description": "Export traces to a Jaeger agent",
"type": "object",
"oneOf": [
{
"description": "Thrift over HTTP",
"type": "object",
"required": [
"endpoint",
"protocol"
],
"properties": {
"endpoint": {
"description": "Full URL of the Jaeger HTTP endpoint\n\nDefaults to `http://localhost:14268/api/traces`",
"type": "string"
},
"password": {
"description": "Password to be used for HTTP basic authentication",
"type": "string"
},
"protocol": {
"type": "string",
"enum": [
"http/thrift.binary"
]
},
"username": {
"description": "Username to be used for HTTP basic authentication",
"type": "string"
}
}
},
{
"description": "Thrift with compact encoding over UDP",
"type": "object",
"required": [
"agent_host",
"agent_port",
"protocol"
],
"properties": {
"agent_host": {
"description": "Hostname of the Jaeger agent\n\nDefaults to `localhost`",
"type": "string"
},
"agent_port": {
"description": "`udp/thrift.compact` port of the Jaeger agent\n\nDefaults to `6831`",
"type": "integer",
"format": "uint16",
"minimum": 0.0
},
"protocol": {
"type": "string",
"enum": [
"udp/thrift.compact"
]
}
}
}
],
"required": [
"exporter"
],
"properties": {
"exporter": {
"type": "string",
"enum": [
"jaeger"
]
}
},
"additionalProperties": false
},
{
"description": "Export traces to a Zipkin collector",
"type": "object",
"required": [
"exporter"
],
"properties": {
"collector_endpoint": {
"description": "Zipkin collector endpoint",
"examples": [
"http://127.0.0.1:9411/api/v2/spans"
],
"type": "string",
"format": "uri"
},
"exporter": {
"type": "string",
"enum": [
"zipkin"
]
}
},
"additionalProperties": false
}
],
"required": [
"propagators"
],
"properties": {
"propagators": {
"description": "List of propagation formats to use for incoming and outgoing requests",
"type": "array",
"items": {
"$ref": "#/definitions/Propagator"
}
}
}
},
"UnixOrTcp": {
"description": "Kind of socket",
"oneOf": [
{
"description": "UNIX domain socket",
"type": "string",
"enum": [
"unix"
]
},
{
"description": "TCP socket",
"type": "string",
"enum": [
"tcp"
]
}
]
},
"UpstreamOAuth2Config": {
"description": "Upstream OAuth 2.0 providers configuration",
"type": "object",
"required": [
"providers"
],
"properties": {
"providers": {
"description": "List of OAuth 2.0 providers",
"type": "array",
"items": {
"$ref": "#/definitions/Provider"
}
}
}
}
}
}
View Git Blame Copy Permalink