1# Please find the documentation for this file at
2# https://www.ory.sh/oathkeeper/docs/configuration
3
4log:
5 level: debug
6 format: json
7
8profiling: cpu
9
10serve:
11 proxy:
12 port: 1234
13 host: 127.0.0.1
14
15 timeout:
16 read: 1s
17 write: 2s
18 idle: 3s
19
20 cors:
21 enabled: true
22 allowed_origins:
23 - https://example.com
24 - https://*.example.com
25 allowed_methods:
26 - POST
27 - GET
28 - PUT
29 - PATCH
30 - DELETE
31 allowed_headers:
32 - Authorization
33 - Content-Type
34 exposed_headers:
35 - Content-Type
36 allow_credentials: true
37 max_age: 10
38 debug: true
39 tls:
40 key:
41 path: /path/to/key.pem
42 base64: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLVxuTUlJRkRqQkFCZ2txaGtpRzl3MEJCUTB3...
43 cert:
44 path: /path/to/cert.pem
45 base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
46
47 api:
48 port: 1235
49 host: 127.0.0.2
50
51 timeout:
52 read: 1s
53 write: 2s
54 idle: 3s
55
56 cors:
57 enabled: true
58 allowed_origins:
59 - https://example.org
60 - https://*.example.org
61 allowed_methods:
62 - GET
63 - PUT
64 - PATCH
65 - DELETE
66 allowed_headers:
67 - Authorization
68 - Content-Type
69 exposed_headers:
70 - Content-Type
71 allow_credentials: true
72 max_age: 10
73 debug: true
74 tls:
75 key:
76 path: /path/to/key.pem
77 base64: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLVxuTUlJRkRqQkFCZ2txaGtpRzl3MEJCUTB3...
78 cert:
79 path: /path/to/cert.pem
80 base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlEWlRDQ0FrMmdBd0lCQWdJRVY1eE90REFOQmdr...
81
82 prometheus:
83 port: 9000
84 host: localhost
85 metrics_path: /metrics
86 collapse_request_paths: true
87
88# Configures Access Rules
89access_rules:
90 # Locations (list of URLs) where access rules should be fetched from on boot.
91 # It is expected that the documents at those locations return a JSON or YAML Array containing ORY Oathkeeper Access Rules.
92 repositories:
93 # If the URL Scheme is `file://`, the access rules (an array of access rules is expected) will be
94 # fetched from the local file system.
95 - file://path/to/rules.json
96 # If the URL Scheme is `inline://`, the access rules (an array of access rules is expected)
97 # are expected to be a base64 encoded (with padding!) JSON/YAML string (base64_encode(`[{"id":"foo-rule","authenticators":[....]}]`)):
98 - inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d
99 # If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be
100 # fetched from the provided HTTP(s) location.
101 - https://path-to-my-rules/rules.json
102 # Optional fields describing matching strategy, defaults to "regexp".
103 matching_strategy: glob
104
105errors:
106 fallback:
107 - json
108 handlers:
109 redirect:
110 enabled: true
111 config:
112 to: http://path-to/redirect
113 json:
114 enabled: true
115 config:
116 verbose: true
117 when:
118 -
119 error:
120 - unauthorized
121 - forbidden
122 - internal_server_error
123 request:
124 header:
125 content_type:
126 - application/json
127 accept:
128 - application/json
129 cidr:
130 - 127.0.0.0/24
131
132# All authenticators can be configured under this configuration key
133authenticators:
134 # Configures the anonymous authenticator
135 anonymous:
136 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
137 enabled: true
138
139 config:
140
141 # Sets the anonymous username. Defaults to "anonymous". Common names include "guest", "anon", "anonymous", "unknown".
142 subject: guest
143
144 # Configures the cookie session authenticator
145 cookie_session:
146 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
147 enabled: true
148
149 config:
150
151 # Sets the origin to proxy requests to. If the response is a 200 with body `{ "subject": "...", "extra": {} }`
152 # The request will pass the subject through successfully, otherwise it will be marked as unauthorized
153 check_session_url: https://session-store-host
154
155 # Sets a list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if
156 # none of the passed cookies are set on the request
157 only:
158 - sessionid
159
160 # Configures the jwt authenticator
161 jwt:
162 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
163 enabled: true
164
165 config:
166
167 # REQUIRED IF ENABLED - The URL where ORY Oathkeeper can retrieve JSON Web Keys from for validating the JSON Web
168 # Token. Usually something like "https://my-keys.com/.well-known/jwks.json". The response of that endpoint must
169 # return a JSON Web Key Set (JWKS).
170 jwks_urls:
171 - https://my-website.com/.well-known/jwks.json
172 - https://my-other-website.com/.well-known/jwks.json
173 - file://path/to/local/jwks.json
174
175 # Sets the strategy to be used to validate/match the scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
176 # to "none".
177 scope_strategy: wildcard
178
179 # Configures the noop authenticator
180 noop:
181 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
182 enabled: true
183
184 # Configures the oauth2_client_credentials authenticator
185 oauth2_client_credentials:
186 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
187 enabled: true
188
189 config:
190
191 # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint that will be used to validate the client credentials.
192 token_url: https://my-website.com/oauth2/token
193
194 # Configures the oauth2_introspection authenticator
195 oauth2_introspection:
196 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
197 enabled: true
198
199 config:
200
201 # REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
202 introspection_url: https://my-website.com/oauth2/introspection
203
204 # Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
205 # to "none".
206 scope_strategy: exact
207
208 # Enable pre-authorization in cases where the OAuth 2.0 Token Introspection endpoint is protected by OAuth 2.0 Bearer
209 # Tokens that can be retrieved using the OAuth 2.0 Client Credentials grant.
210 pre_authorization:
211 # Enable pre-authorization. Defaults to false.
212 enabled: true
213
214 # REQUIRED IF ENABLED - The OAuth 2.0 Client ID to be used for the OAuth 2.0 Client Credentials Grant.
215 client_id: some_id
216
217 # REQUIRED IF ENABLED - The OAuth 2.0 Client Secret to be used for the OAuth 2.0 Client Credentials Grant.
218 client_secret: some_secret
219
220 # The OAuth 2.0 Scope to be requested during the OAuth 2.0 Client Credentials Grant.
221 scope:
222 - foo
223 - bar
224
225 # REQUIRED IF ENABLED - The OAuth 2.0 Token Endpoint where the OAuth 2.0 Client Credentials Grant will be performed.
226 token_url: https://my-website.com/oauth2/token
227
228 # Configures the unauthorized authenticator
229 unauthorized:
230 # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
231 enabled: true
232
233# All authorizers can be configured under this configuration key
234authorizers:
235 # Configures the allow authorizer
236 allow:
237 # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
238 enabled: true
239
240 # Configures the deny authorizer
241 deny:
242 # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
243 enabled: true
244
245 # Configures the keto_engine_acp_ory authorizer
246 keto_engine_acp_ory:
247 # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
248 enabled: true
249
250 config:
251 # REQUIRED IF ENABLED - The base URL of ORY Keto, typically something like http(s)://<host>[:<port>]/
252 base_url: http://my-keto/
253 required_action: unknown
254 required_resource: unknown
255
256 # Configures the remote authorizer
257 remote:
258 # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
259 enabled: true
260
261 config:
262 remote: https://host/path
263 headers: {}
264
265 # Configures the remote_json authorizer
266 remote_json:
267 # Set enabled to true if the authorizer should be enabled and false to disable the authorizer. Defaults to false.
268 enabled: true
269
270 config:
271 remote: https://host/path
272 payload: "{}"
273
274# All mutators can be configured under this configuration key
275mutators:
276 header:
277 enabled: true
278 config:
279 headers:
280 foo: bar
281
282 # Configures the cookie mutator
283 cookie:
284 # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
285 enabled: true
286 config:
287 cookies:
288 foo: bar
289
290 # Configures the hydrator mutator
291 hydrator:
292 # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
293 enabled: true
294
295 config:
296 api:
297 url: https://some-url/
298
299 # Configures the id_token mutator
300 id_token:
301 # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
302 enabled: true
303 config:
304 # REQUIRED IF ENABLED - Sets the "iss" value of the ID Token.
305 issuer_url: https://my-oathkeeper/
306 # REQUIRED IF ENABLED - Sets the URL where keys should be fetched from. Supports remote locations (http, https) as
307 # well as local filesystem paths.
308 jwks_url: https://fetch-keys/from/this/location.json
309 # jwks_url: file:///from/this/absolute/location.json
310 # jwks_url: file://../from/this/relative/location.json
311
312 # Sets the time-to-live of the ID token. Defaults to one minute. Valid time units are: s (second), m (minute), h (hour).
313 ttl: 1h
314
315 # Configures the noop mutator
316 noop:
317 # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
318 enabled: true
View as plain text