1{
2 "$id": "https://github.com/ory/hydra/docs/config.schema.json",
3 "$schema": "http://json-schema.org/draft-07/schema#",
4 "title": "ORY Hydra Configuration",
5 "type": "object",
6 "definitions": {
7 "http_method": {
8 "type": "string",
9 "enum": [
10 "POST",
11 "GET",
12 "PUT",
13 "PATCH",
14 "DELETE",
15 "CONNECT",
16 "HEAD",
17 "OPTIONS",
18 "TRACE"
19 ]
20 },
21 "port_number": {
22 "type": "integer",
23 "description": "The port to listen on.",
24 "minimum": 1,
25 "maximum": 65535
26 },
27 "socket": {
28 "type": "object",
29 "additionalProperties": false,
30 "description": "Sets the permissions of the unix socket",
31 "properties": {
32 "owner": {
33 "type": "string",
34 "description": "Owner of unix socket. If empty, the owner will be the user running hydra.",
35 "default": ""
36 },
37 "group": {
38 "type": "string",
39 "description": "Group of unix socket. If empty, the group will be the primary group of the user running hydra.",
40 "default": ""
41 },
42 "mode": {
43 "type": "integer",
44 "description": "Mode of the unix socket as a decimal integer (the default 493 equals octal 0755).",
45 "default": 493,
46 "minimum": 0,
47 "maximum": 511
48 }
49 }
50 },
51 "cors": {
52 "type": "object",
53 "additionalProperties": false,
54 "description": "Configures Cross Origin Resource Sharing for public endpoints.",
55 "properties": {
56 "enabled": {
57 "type": "boolean",
58 "description": "Sets whether CORS is enabled.",
59 "default": false
60 },
61 "allowed_origins": {
62 "type": "array",
63 "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin. The default allows all origins; restrict this list to the origins you actually serve in production.",
64 "items": {
65 "type": "string",
66 "minLength": 1,
67 "not": {
68 "type": "string",
69 "description": "Matches any string that contains two or more wildcards (*); such origins are rejected.",
70 "pattern": ".*\\*.*\\*.*"
71 },
72 "anyOf": [
73 {
74 "format": "uri"
75 },
76 {
77 "const": "*"
78 }
79 ]
80 },
81 "uniqueItems": true,
82 "default": [
83 "*"
84 ],
85 "examples": [
86 [
87 "https://example.com",
88 "https://*.example.com",
89 "https://*.foo.example.com"
90 ]
91 ]
92 },
93 "allowed_methods": {
94 "type": "array",
95 "description": "A list of HTTP methods the user agent is allowed to use with cross-domain requests.",
96 "default": [
97 "POST",
98 "GET",
99 "PUT",
100 "PATCH",
101 "DELETE"
102 ],
103 "items": {
104 "type": "string",
105 "enum": [
106 "POST",
107 "GET",
108 "PUT",
109 "PATCH",
110 "DELETE",
111 "CONNECT",
112 "HEAD",
113 "OPTIONS",
114 "TRACE"
115 ]
116 }
117 },
118 "allowed_headers": {
119 "type": "array",
120 "description": "A list of non-simple request headers the client is allowed to use with cross-domain requests.",
121 "default": [
122 "Authorization",
123 "Content-Type"
124 ],
125 "items": {
126 "type": "string"
127 }
128 },
129 "exposed_headers": {
130 "type": "array",
131 "description": "Sets which response headers are exposed to the browser via Access-Control-Expose-Headers.",
132 "default": [
133 "Content-Type"
134 ],
135 "items": {
136 "type": "string"
137 }
138 },
139 "allow_credentials": {
140 "type": "boolean",
141 "description": "Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. Browsers reject credentialed responses whose Access-Control-Allow-Origin is the wildcard *, so pair this with an explicit allowed_origins list.",
142 "default": true
143 },
144 "options_passthrough": {
145 "type": "boolean",
146 "description": "TODO",
147 "default": false
148 },
149 "max_age": {
150 "type": "integer",
151 "description": "Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.",
152 "default": 0,
153 "minimum": 0
154 },
155 "debug": {
156 "type": "boolean",
157 "description": "Adds additional log output to debug server side CORS issues.",
158 "default": false
159 }
160 }
161 },
162 "pem_file": {
163 "type": "object",
164 "oneOf": [
165 {
166 "properties": {
167 "path": {
168 "type": "string",
169 "description": "The path to the pem file.",
170 "examples": [
171 "/path/to/file.pem"
172 ]
173 }
174 },
175 "additionalProperties": false,
176 "required": [
177 "path"
178 ]
179 },
180 {
181 "properties": {
182 "base64": {
183 "type": "string",
184 "description": "The base64 encoded string (without padding).",
185 "contentEncoding": "base64",
186 "contentMediaType": "application/x-pem-file",
187 "examples": [
188 "b3J5IGh5ZHJhIGlzIGF3ZXNvbWUK"
189 ]
190 }
191 },
192 "additionalProperties": false,
193 "required": [
194 "base64"
195 ]
196 }
197 ]
198 },
199 "duration": {
200 "type": "string",
201 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
202 "examples": [
203 "1h"
204 ]
205 }
206 },
207 "properties": {
208 "log": {
209 "type": "object",
210 "additionalProperties": false,
211 "description": "Configures the logger",
212 "properties": {
213 "level": {
214 "type": "string",
215 "description": "Sets the log level.",
216 "enum": [
217 "panic",
218 "fatal",
219 "error",
220 "warn",
221 "info",
222 "debug",
223 "trace"
224 ],
225 "default": "info"
226 },
227 "leak_sensitive_values": {
228 "type": "boolean",
229 "description": "Logs sensitive values such as cookies and URL parameters. Only enable this for debugging; keep it disabled in production.",
230 "default": false
231 },
232 "format": {
233 "type": "string",
234 "description": "Sets the log format.",
235 "enum": [
236 "json",
237 "json_pretty",
238 "text"
239 ],
240 "default": "text"
241 }
242 }
243 },
244 "serve": {
245 "type": "object",
246 "additionalProperties": false,
247 "description": "Controls the configuration for the http(s) daemon(s).",
248 "properties": {
249 "public": {
250 "type": "object",
251 "additionalProperties": false,
252 "description": "Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json",
253 "properties": {
254 "port": {
255 "default": 4444,
256 "allOf": [
257 {
258 "$ref": "#/definitions/port_number"
259 }
260 ]
261 },
262 "host": {
263 "type": "string",
264 "description": "The interface or unix socket ORY Hydra should listen and handle public API requests on. Use the prefix \"unix:\" to specify a path to a unix socket. Leave empty to listen on all interfaces.",
265 "default": "",
266 "examples": [
267 "localhost"
268 ]
269 },
270 "cors": {
271 "$ref": "#/definitions/cors"
272 },
273 "socket": {
274 "$ref": "#/definitions/socket"
275 },
276 "access_log": {
277 "type": "object",
278 "additionalProperties": false,
279 "description": "Access Log configuration for public server.",
280 "properties": {
281 "disable_for_health": {
282 "type": "boolean",
283 "description": "Disable access log for health endpoints.",
284 "default": false
285 }
286 }
287 }
288 }
289 },
290 "admin": {
291 "type": "object",
292 "additionalProperties": false,
293 "properties": {
294 "port": {
295 "default": 4445,
296 "allOf": [
297 {
298 "$ref": "#/definitions/port_number"
299 }
300 ]
301 },
302 "host": {
303 "type": "string",
304 "description": "The interface or unix socket ORY Hydra should listen and handle administrative API requests on. Use the prefix \"unix:\" to specify a path to a unix socket. Leave empty to listen on all interfaces. Because the administrative API exposes privileged endpoints such as /clients, bind it to a private interface or unix socket rather than to all interfaces.",
305 "default": "",
306 "examples": [
307 "localhost"
308 ]
309 },
310 "cors": {
311 "$ref": "#/definitions/cors"
312 },
313 "socket": {
314 "$ref": "#/definitions/socket"
315 },
316 "access_log": {
317 "type": "object",
318 "additionalProperties": false,
319 "description": "Access Log configuration for admin server.",
320 "properties": {
321 "disable_for_health": {
322 "type": "boolean",
323 "description": "Disable access log for health endpoints.",
324 "default": false
325 }
326 }
327 }
328 }
329 },
330 "tls": {
331 "type": "object",
332 "additionalProperties": false,
333 "description": "Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.",
334 "properties": {
335 "key": {
336 "description": "Configures the private key (pem encoded).",
337 "allOf": [
338 {
339 "$ref": "#/definitions/pem_file"
340 }
341 ]
342 },
343 "cert": {
344 "description": "Configures the certificate (pem encoded).",
345 "allOf": [
346 {
347 "$ref": "#/definitions/pem_file"
348 }
349 ]
350 },
351 "allow_termination_from": {
352 "type": "array",
353 "description": "Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer: any client within the listed ranges that can set this header can make Hydra treat a plaintext request as HTTPS. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.",
354 "items": {
355 "type": "string",
356 "oneOf": [
357 {
358 "pattern": "^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$"
359 },
360 {
361 "pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
362 }
363 ],
364 "examples": [
365 "127.0.0.1/32"
366 ]
367 }
368 }
369 }
370 },
371 "cookies": {
372 "type": "object",
373 "additionalProperties": false,
374 "properties": {
375 "same_site_mode": {
376 "type": "string",
377 "description": "Specify the SameSite mode that cookies should be sent with. Browsers only accept cookies with SameSite=None when they are also marked Secure, so the default requires serving over HTTPS.",
378 "enum": [
379 "Strict",
380 "Lax",
381 "None"
382 ],
383 "default": "None"
384 },
385 "same_site_legacy_workaround": {
386 "type": "boolean",
387 "description": "Some older browser versions don’t work with SameSite=None. This option enables the workaround defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie without SameSite as a fallback.",
388 "default": false,
389 "examples": [
390 true
391 ]
392 }
393 }
394 }
395 }
396 },
397 "dsn": {
398 "type": "string",
399 "description": "Sets the data source name. This configures the backend where ORY Hydra persists data. If dsn is \"memory\", data will be written to memory and is lost when you restart this instance. ORY Hydra supports popular SQL databases. The DSN usually embeds database credentials, so keep it out of version control. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql"
400 },
401 "webfinger": {
402 "type": "object",
403 "additionalProperties": false,
404 "description": "Configures the /.well-known/ endpoints.",
405 "properties": {
406 "jwks": {
407 "type": "object",
408 "additionalProperties": false,
409 "description": "Configures the /.well-known/jwks.json endpoint.",
410 "properties": {
411 "broadcast_keys": {
412 "type": "array",
413 "description": "A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.",
414 "items": {
415 "type": "string"
416 },
417 "default": [
418 "hydra.openid.id-token"
419 ],
420 "examples": [
421 "hydra.jwt.access-token"
422 ]
423 }
424 }
425 },
426 "oidc_discovery": {
427 "type": "object",
428 "additionalProperties": false,
429 "description": "Configures OpenID Connect Discovery (/.well-known/openid-configuration).",
430 "properties": {
431 "jwks_url": {
432 "type": "string",
433 "description": "Overwrites the JWKS URL",
434 "format": "uri",
435 "examples": [
436 "https://my-service.com/.well-known/jwks.json"
437 ]
438 },
439 "token_url": {
440 "type": "string",
441 "description": "Overwrites the OAuth2 Token URL",
442 "format": "uri",
443 "examples": [
444 "https://my-service.com/oauth2/token"
445 ]
446 },
447 "auth_url": {
448 "type": "string",
449 "description": "Overwrites the OAuth2 Auth URL",
450 "format": "uri",
451 "examples": [
452 "https://my-service.com/oauth2/auth"
453 ]
454 },
455 "client_registration_url": {
456 "description": "Sets the OpenID Connect Dynamic Client Registration Endpoint",
457 "type": "string",
458 "format": "uri",
459 "examples": [
460 "https://my-service.com/clients"
461 ]
462 },
463 "supported_claims": {
464 "type": "array",
465 "description": "A list of supported claims to be broadcasted. Claim \"sub\" is always included.",
466 "items": {
467 "type": "string"
468 },
469 "examples": [
470 [
471 "email",
472 "username"
473 ]
474 ]
475 },
476 "supported_scope": {
477 "type": "array",
478 "description": "The scope OAuth 2.0 Clients may request. Scope `offline`, `offline_access`, and `openid` are always included.",
479 "items": {
480 "type": "string"
481 },
482 "examples": [
483 [
484 "email",
485 "whatever",
486 "read.photos"
487 ]
488 ]
489 },
490 "userinfo_url": {
491 "type": "string",
492 "description": "A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to ORY Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.",
493 "format": "uri",
494 "examples": [
495 "https://example.org/my-custom-userinfo-endpoint"
496 ]
497 }
498 }
499 }
500 }
501 },
502 "oidc": {
503 "type": "object",
504 "additionalProperties": false,
505 "description": "Configures OpenID Connect features.",
506 "properties": {
507 "subject_identifiers": {
508 "type": "object",
509 "additionalProperties": false,
510 "description": "Configures the Subject Identifier algorithm. For more information please head over to the documentation: https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms",
511 "properties": {
512 "enabled": {
513 "type": "array",
514 "description": "A list of algorithms to enable.",
515 "items": {
516 "type": "string",
517 "enum": [
518 "public",
519 "pairwise"
520 ]
521 }
522 },
523 "pairwise": {
524 "type": "object",
525 "additionalProperties": false,
526 "description": "Configures the pairwise algorithm.",
527 "properties": {
528 "salt": {
529 "type": "string"
530 }
531 },
532 "required": [
533 "salt"
534 ]
535 }
536 },
537 "if": {
538 "properties": {
539 "enabled": {
540 "contains": {
541 "const": "pairwise"
542 }
543 }
544 }
545 },
546 "then": {
547 "required": [
548 "pairwise"
549 ]
550 },
551 "else": {
552 "properties": {
553 "pairwise": {
554 "$comment": "This enforces pairwise to not be set if 'enabled' does not contain 'pairwise'",
555 "not": {}
556 }
557 }
558 },
559 "examples": [
560 {
561 "enabled": [
562 "public",
563 "pairwise"
564 ],
565 "pairwise": {
566 "salt": "some-random-salt"
567 }
568 }
569 ]
570 },
571 "dynamic_client_registration": {
572 "type": "object",
573 "additionalProperties": false,
574 "description": "Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...).",
575 "properties": {
576 "default_scope": {
577 "type": "array",
578 "description": "The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the \"scope\" key in the registration payload, effectively disabling the concept of whitelisted scopes.",
579 "items": {
580 "type": "string"
581 },
582 "examples": [
583 [
584 "openid",
585 "offline",
586 "offline_access"
587 ]
588 ]
589 }
590 }
591 }
592 }
593 },
594 "urls": {
595 "type": "object",
596 "additionalProperties": false,
597 "properties": {
598 "self": {
599 "type": "object",
600 "additionalProperties": false,
601 "properties": {
602 "issuer": {
603 "type": "string",
604 "description": "This value will be used as the \"issuer\" in access and ID tokens. It must be specified and must use the HTTPS scheme, unless --dangerous-force-http is set. This should typically be equal to the public value.",
605 "format": "uri",
606 "examples": [
607 "https://localhost:4444/"
608 ]
609 },
610 "public": {
611 "type": "string",
612 "description": "This is the base location of the public endpoints of your ORY Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.",
613 "format": "uri",
614 "examples": [
615 "https://localhost:4444/"
616 ]
617 }
618 }
619 },
620 "login": {
621 "type": "string",
622 "description": "Sets the login endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error.",
623 "format": "uri",
624 "examples": [
625 "https://my-login.app/login"
626 ]
627 },
628 "consent": {
629 "type": "string",
630 "description": "Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL showing an error.",
631 "format": "uri",
632 "examples": [
633 "https://my-consent.app/consent"
634 ]
635 },
636 "logout": {
637 "type": "string",
638 "description": "Sets the logout endpoint. Defaults to an internal fallback URL showing an error.",
639 "format": "uri",
640 "examples": [
641 "https://my-logout.app/logout"
642 ]
643 },
644 "error": {
645 "type": "string",
646 "description": "Sets the error endpoint. The error UI will be shown when an OAuth2 error occurs that cannot be sent back to the client. Defaults to an internal fallback URL showing an error.",
647 "format": "uri",
648 "examples": [
649 "https://my-error.app/error"
650 ]
651 },
652 "post_logout_redirect": {
653 "type": "string",
654 "description": "When a user agent requests to logout, it will be redirected to this url afterwards per default.",
655 "format": "uri",
656 "examples": [
657 "https://my-example.app/logout-successful"
658 ]
659 }
660 }
661 },
662 "strategies": {
663 "type": "object",
664 "additionalProperties": false,
665 "properties": {
666 "scope": {
667 "type": "string",
668 "description": "Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes",
669 "enum": [
670 "exact",
671 "wildcard",
672 "DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY"
673 ],
674 "default": "wildcard"
675 },
676 "access_token": {
677 "type": "string",
678 "description": "Defines the access token format. Opaque tokens are recommended; using jwt is discouraged, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens for the trade-offs.",
679 "enum": [
680 "opaque",
681 "jwt"
682 ]
683 }
684 }
685 },
686 "ttl": {
687 "type": "object",
688 "additionalProperties": false,
689 "description": "Configures time to live.",
690 "properties": {
691 "login_consent_request": {
692 "description": "Configures how long a user login and consent flow may take.",
693 "default": "1h",
694 "allOf": [
695 {
696 "$ref": "#/definitions/duration"
697 }
698 ]
699 },
700 "access_token": {
701 "description": "Configures how long access tokens are valid.",
702 "default": "1h",
703 "allOf": [
704 {
705 "$ref": "#/definitions/duration"
706 }
707 ]
708 },
709 "refresh_token": {
710 "description": "Configures how long refresh tokens are valid. Set to -1 for refresh tokens to never expire.",
711 "default": "720h",
712 "oneOf": [
713 {
714 "$ref": "#/definitions/duration"
715 },
716 {
717 "enum": [
718 "-1",
719 -1
720 ]
721 }
722 ]
723 },
724 "id_token": {
725 "description": "Configures how long id tokens are valid.",
726 "default": "1h",
727 "allOf": [
728 {
729 "$ref": "#/definitions/duration"
730 }
731 ]
732 },
733 "auth_code": {
734 "description": "Configures how long auth codes are valid.",
735 "default": "10m",
736 "allOf": [
737 {
738 "$ref": "#/definitions/duration"
739 }
740 ]
741 }
742 }
743 },
744 "oauth2": {
745 "type": "object",
746 "additionalProperties": false,
747 "properties": {
748 "expose_internal_errors": {
749 "type": "boolean",
750 "description": "Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors.",
751 "default": false,
752 "examples": [
753 true
754 ]
755 },
756 "session": {
757 "type": "object",
758 "properties": {
759 "encrypt_at_rest": {
760 "type": "boolean",
761 "default": true,
762 "title": "Encrypt OAuth2 Session",
763 "description": "If set to true (default) ORY Hydra encrypts OAuth2 and OpenID Connect session data using AES-GCM and the system secret before persisting it in the database."
764 }
765 }
766 },
767 "include_legacy_error_fields": {
768 "type": "boolean",
769 "description": "Set this to true if you want to include the `error_hint` and `error_debug` legacy fields in error responses. We recommend to set this to `false` unless you have clients using these fields.",
770 "default": false,
771 "examples": [
772 true
773 ]
774 },
775 "hashers": {
776 "type": "object",
777 "additionalProperties": false,
778 "description": "Configures hashing algorithms. Supports only BCrypt at the moment.",
779 "properties": {
780 "bcrypt": {
781 "type": "object",
782 "additionalProperties": false,
783 "description": "Configures the BCrypt hashing algorithm used for hashing Client Secrets.",
784 "properties": {
785 "cost": {
786 "type": "integer",
787 "description": "Sets the BCrypt cost. The higher the value, the more CPU time is needed to generate (and to brute-force) a hash, but every client secret verification becomes correspondingly slower.",
788 "default": 10,
789 "minimum": 4,
790 "maximum": 31
791 }
792 }
793 }
794 }
795 },
796 "pkce": {
797 "type": "object",
798 "additionalProperties": false,
799 "properties": {
800 "enforced": {
801 "type": "boolean",
802 "description": "Sets whether PKCE should be enforced for all clients.",
803 "examples": [
804 true
805 ]
806 },
807 "enforced_for_public_clients": {
808 "type": "boolean",
809 "description": "Sets whether PKCE should be enforced for public clients.",
810 "examples": [
811 true
812 ]
813 }
814 }
815 },
816 "client_credentials": {
817 "type": "object",
818 "additionalProperties": false,
819 "properties": {
820 "default_grant_allowed_scope": {
821 "type": "boolean",
822 "description": "Defines whether scopes are added automatically when the request does not contain any scope parameter.",
823 "examples": [
824 false
825 ]
826 }
827 }
828 }
829 }
830 },
831 "secrets": {
832 "type": "object",
833 "additionalProperties": false,
834 "description": "The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys",
835 "properties": {
836 "system": {
837 "description": "The system secret must be at least 16 characters long. If none is provided, one will be generated; always set it explicitly in a production deployment and keep it out of version control. The key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
838 "type": "array",
839 "items": {
840 "type": "string",
841 "minLength": 16
842 },
843 "examples": [
844 [
845 "this-is-the-primary-secret",
846 "this-is-an-old-secret",
847 "this-is-another-old-secret"
848 ]
849 ]
850 },
851 "cookie": {
852 "type": "array",
853 "description": "A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.",
854 "items": {
855 "type": "string",
856 "minLength": 16
857 },
858 "examples": [
859 [
860 "this-is-the-primary-secret",
861 "this-is-an-old-secret",
862 "this-is-another-old-secret"
863 ]
864 ]
865 }
866 }
867 },
868 "profiling": {
869 "type": "string",
870 "description": "Enables profiling if set. For more details on profiling, head over to: https://blog.golang.org/profiling-go-programs",
871 "enum": [
872 "cpu",
873 "mem"
874 ],
875 "examples": [
876 "cpu"
877 ]
878 },
879 "tracing": {
880 "type": "object",
881 "additionalProperties": false,
882 "description": "ORY Hydra supports distributed tracing.",
883 "properties": {
884 "provider": {
885 "type": "string",
886 "description": "Set this to the tracing backend you wish to use. Supports Jaeger, Zipkin, DataDog and Elastic APM. If omitted or empty, tracing will be disabled. Use environment variables to configure DataDog (see https://docs.datadoghq.com/tracing/setup/go/#configuration).",
887 "enum": [
888 "jaeger",
889 "zipkin",
890 "datadog",
891 "elastic-apm"
892 ],
893 "examples": [
894 "jaeger"
895 ]
896 },
897 "service_name": {
898 "type": "string",
899 "description": "Specifies the service name to use on the tracer.",
900 "examples": [
901 "ORY Hydra"
902 ]
903 },
904 "providers": {
905 "type": "object",
906 "additionalProperties": false,
907 "properties": {
908 "jaeger": {
909 "type": "object",
910 "additionalProperties": false,
911 "description": "Configures the jaeger tracing backend.",
912 "properties": {
913 "local_agent_address": {
914 "type": "string",
915 "description": "The address of the jaeger-agent where spans should be sent to.",
916 "oneOf": [
917 {
918 "pattern": "^\\[(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))]:([0-9]*)$"
919 },
920 {
921 "pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}:([0-9]*)$"
922 },
923 {
924 "format": "uri"
925 }
926 ],
927 "examples": [
928 "127.0.0.1:6831"
929 ]
930 },
931 "propagation": {
932 "type": "string",
933 "description": "The tracing header format",
934 "examples": [
935 "jaeger"
936 ]
937 },
938 "sampling": {
939 "type": "object",
940 "propertyNames": {
941 "enum": [
942 "type",
943 "value",
944 "server_url"
945 ]
946 },
947 "required": [
948 "type",
949 "value",
950 "server_url"
951 ],
952 "allOf": [
953 {
954 "oneOf": [
955 {
956 "properties": {
957 "type": {
958 "description": "The type of the sampler you want to use.",
959 "const": "const"
960 },
961 "value": {
962 "type": "integer",
963 "description": "The value passed to the sampler type that has been configured.",
964 "minimum": 0,
965 "maximum": 1
966 }
967 }
968 },
969 {
970 "properties": {
971 "type": {
972 "description": "The type of the sampler you want to use.",
973 "const": "rateLimiting"
974 },
975 "value": {
976 "type": "integer",
977 "description": "The value passed to the sampler type that has been configured.",
978 "minimum": 0
979 }
980 }
981 },
982 {
983 "properties": {
984 "type": {
985 "description": "The type of the sampler you want to use.",
986 "const": "probabilistic"
987 },
988 "value": {
989 "type": "number",
990 "description": "The value passed to the sampler type that has been configured.",
991 "minimum": 0,
992 "maximum": 1
993 }
994 }
995 }
996 ]
997 },
998 {
999 "properties": {
1000 "server_url": {
1001 "type": "string",
1002 "description": "The address of jaeger-agent's HTTP sampling server",
1003 "format": "uri"
1004 }
1005 }
1006 }
1007 ],
1008 "examples": [
1009 {
1010 "type": "const",
1011 "value": 1,
1012 "server_url": "http://localhost:5778/sampling"
1013 }
1014 ]
1015 }
1016 }
1017 },
1018 "zipkin": {
1019 "type": "object",
1020 "additionalProperties": false,
1021 "description": "Configures the zipkin tracing backend.",
1022 "properties": {
1023 "server_url": {
1024 "type": "string",
1025 "description": "The address of Zipkin server where spans should be sent to.",
1026 "format": "uri"
1027 }
1028 },
1029 "examples": [
1030 {
1031 "server_url": "http://localhost:9411/api/v2/spans"
1032 }
1033 ]
1034 }
1035 }
1036 }
1037 }
1038 },
1039 "version": {
1040 "type": "string",
1041 "title": "The Hydra version this config is written for.",
1042 "description": "SemVer according to https://semver.org/ prefixed with `v` as in our releases.",
1043 "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
1044 },
1045 "cgroups": {
1046 "type": "object",
1047 "additionalProperties": false,
1048 "description": "ORY Hydra can respect Linux container CPU quota",
1049 "properties": {
1050 "v1": {
1051 "type": "object",
1052 "additionalProperties": false,
1053 "description": "Configures parameters using cgroups v1 hierarchy",
1054 "properties": {
1055 "auto_max_procs_enabled": {
1056 "type": "boolean",
1057 "description": "Set GOMAXPROCS automatically according to cgroups limits",
1058 "default": false,
1059 "examples": [
1060 true
1061 ]
1062 }
1063 }
1064 }
1065 }
1066 }
1067 },
1068 "required": [
1069 "dsn"
1070 ]
1071}