1{
2 "$id": "https://github.com/ory/kratos/.schema/config.schema.json",
3 "$schema": "http://json-schema.org/draft-07/schema#",
4 "title": "ORY Kratos Configuration",
5 "type": "object",
6 "definitions": {
7 "defaultReturnTo": {
8 "title": "Redirect browsers to set URL per default",
9 "description": "ORY Kratos redirects to this URL per default on completion of self-service flows and other browser interaction. Read this [article for more information on browser redirects](https://www.ory.sh/kratos/docs/concepts/browser-redirect-flow-completion).",
10 "type": "string",
11 "format": "uri-reference",
12 "minLength": 1,
13 "examples": [
14 "https://my-app.com/dashboard",
15 "/dashboard"
16 ]
17 },
18 "selfServiceSessionRevokerHook": {
19 "type": "object",
20 "properties": {
21 "hook": {
22 "const": "revoke_active_sessions"
23 }
24 },
25 "additionalProperties": false,
26 "required": [
27 "hook"
28 ]
29 },
30 "selfServiceVerifyHook": {
31 "type": "object",
32 "properties": {
33 "hook": {
34 "const": "verify"
35 }
36 },
37 "additionalProperties": false,
38 "required": [
39 "hook"
40 ]
41 },
42 "selfServiceSessionIssuerHook": {
43 "type": "object",
44 "properties": {
45 "hook": {
46 "const": "session"
47 }
48 },
49 "additionalProperties": false,
50 "required": [
51 "hook"
52 ]
53 },
54 "OIDCClaims": {
55 "title": "OpenID Connect claims",
56 "description": "The OpenID Connect claims and optionally their properties which should be included in the id_token or returned from the UserInfo Endpoint.",
57 "type": "object",
58 "examples": [
59 {
60 "id_token": {
61 "email": null,
62 "email_verified": null
63 }
64 },
65 {
66 "userinfo": {
67 "given_name": {
68 "essential": true
69 },
70 "nickname": null,
71 "email": {
72 "essential": true
73 },
74 "email_verified": {
75 "essential": true
76 },
77 "picture": null,
78 "http://example.info/claims/groups": null
79 },
80 "id_token": {
81 "auth_time": {
82 "essential": true
83 },
84 "acr": {
85 "values": [
86 "urn:mace:incommon:iap:silver"
87 ]
88 }
89 }
90 }
91 ],
92 "patternProperties": {
93 "^userinfo$|^id_token$": {
94 "type": "object",
95 "additionalProperties": false,
96 "patternProperties": {
97 ".*": {
98 "oneOf": [
99 {
100 "const": null,
101 "description": "Indicates that this Claim is being requested in the default manner."
102 },
103 {
104 "type": "object",
105 "additionalProperties": false,
106 "properties": {
107 "essential": {
108 "description": "Indicates whether the Claim being requested is an Essential Claim.",
109 "type": "boolean"
110 },
111 "value": {
112 "description": "Requests that the Claim be returned with a particular value.",
113 "$comment": "There seem to be no constraints on value"
114 },
115 "values": {
116 "description": "Requests that the Claim be returned with one of a set of values, with the values appearing in order of preference.",
117 "type": "array",
118 "items": {
119 "$comment": "There seem to be no constraints on individual items"
120 }
121 }
122 }
123 }
124 ]
125 }
126 }
127 }
128 }
129 },
130 "selfServiceOIDCProvider": {
131 "type": "object",
132 "properties": {
133 "id": {
134 "type": "string",
135 "examples": [
136 "google"
137 ]
138 },
139 "provider": {
140 "title": "Provider",
141 "description": "Can be one of github, gitlab, generic, google, microsoft, discord.",
142 "type": "string",
143 "enum": [
144 "github",
145 "gitlab",
146 "generic",
147 "google",
148 "microsoft",
149 "discord"
150 ],
151 "examples": [
152 "google"
153 ]
154 },
155 "client_id": {
156 "type": "string"
157 },
158 "client_secret": {
159 "type": "string"
160 },
161 "issuer_url": {
162 "type": "string",
163 "format": "uri",
164 "examples": [
165 "https://accounts.google.com"
166 ]
167 },
168 "auth_url": {
169 "type": "string",
170 "format": "uri",
171 "examples": [
172 "https://accounts.google.com/o/oauth2/v2/auth"
173 ]
174 },
175 "token_url": {
176 "type": "string",
177 "format": "uri",
178 "examples": [
179 "https://www.googleapis.com/oauth2/v4/token"
180 ]
181 },
182 "mapper_url": {
183 "title": "Jsonnet Mapper URL",
184 "description": "The URL where the jsonnet source is located for mapping the provider's data to ORY Kratos data.",
185 "type": "string",
186 "format": "uri",
187 "examples": [
188 "file://path/to/oidc.jsonnet",
189 "https://foo.bar.com/path/to/oidc.jsonnet",
190 "base64://bG9jYWwgc3ViamVjdCA9I..."
191 ]
192 },
193 "scope": {
194 "type": "array",
195 "items": {
196 "type": "string",
197 "examples": [
198 "offline_access",
199 "profile"
200 ]
201 }
202 },
203 "tenant": {
204 "title": "Azure AD Tenant",
205 "description": "The Azure AD Tenant to use for authentication.",
206 "type": "string",
207 "examples": [
208 "common",
209 "organizations",
210 "consumers",
211 "8eaef023-2b34-4da1-9baa-8bc8c9d6a490",
212 "contoso.onmicrosoft.com"
213 ]
214 },
215 "requested_claims": {
216 "$ref": "#/definitions/OIDCClaims"
217 }
218 },
219 "additionalProperties": false,
220 "required": [
221 "id",
222 "provider",
223 "client_id",
224 "client_secret",
225 "mapper_url"
226 ],
227 "if": {
228 "properties": {
229 "provider": {
230 "const": "microsoft"
231 }
232 },
233 "required": [
234 "provider"
235 ]
236 },
237 "then": {
238 "required": [
239 "tenant"
240 ]
241 },
242 "else": {
243 "not": {
244 "properties": {
245 "tenant": {}
246 },
247 "required": [
248 "tenant"
249 ]
250 }
251 }
252 },
253 "selfServiceAfterSettingsMethod": {
254 "type": "object",
255 "additionalProperties": false,
256 "properties": {
257 "default_browser_return_url": {
258 "$ref": "#/definitions/defaultReturnTo"
259 },
260 "hooks": {
261 "type": "array",
262 "items": {
263 "anyOf": [
264 {
265 "$ref": "#/definitions/selfServiceVerifyHook"
266 }
267 ]
268 },
269 "uniqueItems": true,
270 "additionalItems": false
271 }
272 }
273 },
274 "selfServiceAfterLoginMethod": {
275 "type": "object",
276 "additionalProperties": false,
277 "properties": {
278 "default_browser_return_url": {
279 "$ref": "#/definitions/defaultReturnTo"
280 },
281 "hooks": {
282 "type": "array",
283 "items": {
284 "anyOf": [
285 {
286 "$ref": "#/definitions/selfServiceSessionRevokerHook"
287 }
288 ]
289 },
290 "uniqueItems": true,
291 "additionalItems": false
292 }
293 }
294 },
295 "selfServiceAfterRegistrationMethod": {
296 "type": "object",
297 "additionalProperties": false,
298 "properties": {
299 "default_browser_return_url": {
300 "$ref": "#/definitions/defaultReturnTo"
301 },
302 "hooks": {
303 "type": "array",
304 "items": {
305 "anyOf": [
306 {
307 "$ref": "#/definitions/selfServiceSessionIssuerHook"
308 }
309 ]
310 },
311 "uniqueItems": true,
312 "additionalItems": false
313 }
314 }
315 },
316 "selfServiceAfterSettings": {
317 "type": "object",
318 "additionalProperties": false,
319 "properties": {
320 "default_browser_return_url": {
321 "$ref": "#/definitions/defaultReturnTo"
322 },
323 "password": {
324 "$ref": "#/definitions/selfServiceAfterSettingsMethod"
325 },
326 "profile": {
327 "$ref": "#/definitions/selfServiceAfterSettingsMethod"
328 }
329 }
330 },
331 "selfServiceAfterLogin": {
332 "type": "object",
333 "additionalProperties": false,
334 "properties": {
335 "default_browser_return_url": {
336 "$ref": "#/definitions/defaultReturnTo"
337 },
338 "password": {
339 "$ref": "#/definitions/selfServiceAfterLoginMethod"
340 },
341 "oidc": {
342 "$ref": "#/definitions/selfServiceAfterLoginMethod"
343 }
344 }
345 },
346 "selfServiceAfterRegistration": {
347 "type": "object",
348 "additionalProperties": false,
349 "properties": {
350 "default_browser_return_url": {
351 "$ref": "#/definitions/defaultReturnTo"
352 },
353 "password": {
354 "$ref": "#/definitions/selfServiceAfterRegistrationMethod"
355 },
356 "oidc": {
357 "$ref": "#/definitions/selfServiceAfterRegistrationMethod"
358 }
359 }
360 }
361 },
362 "properties": {
363 "selfservice": {
364 "type": "object",
365 "additionalProperties": false,
366 "required": [
367 "default_browser_return_url"
368 ],
369 "properties": {
370 "default_browser_return_url": {
371 "$ref": "#/definitions/defaultReturnTo"
372 },
373 "whitelisted_return_urls": {
374 "title": "Whitelisted Return To URLs",
375 "description": "List of URLs that are allowed to be redirected to. A redirection request is made by appending `?return_to=...` to Login, Registration, and other self-service flows.",
376 "type": "array",
377 "items": {
378 "type": "string",
379 "format": "uri-reference"
380 },
381 "examples": [
382 [
383 "https://app.my-app.com/dashboard",
384 "/dashboard",
385 "https://www.my-app.com/"
386 ]
387 ],
388 "uniqueItems": true
389 },
390 "flows": {
391 "type": "object",
392 "additionalProperties": false,
393 "properties": {
394 "settings": {
395 "type": "object",
396 "additionalProperties": false,
397 "properties": {
398 "ui_url": {
399 "title": "URL of the Settings page.",
400 "description": "URL where the Settings UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
401 "type": "string",
402 "format": "uri-reference",
403 "examples": [
404 "https://my-app.com/user/settings"
405 ],
406 "default": "https://www.ory.sh/kratos/docs/fallback/settings"
407 },
408 "lifespan": {
409 "type": "string",
410 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
411 "default": "1h",
412 "examples": [
413 "1h",
414 "1m",
415 "1s"
416 ]
417 },
418 "privileged_session_max_age": {
419 "type": "string",
420 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
421 "default": "1h",
422 "examples": [
423 "1h",
424 "1m",
425 "1s"
426 ]
427 },
428 "after": {
429 "$ref": "#/definitions/selfServiceAfterSettings"
430 }
431 }
432 },
433 "logout": {
434 "type": "object",
435 "additionalProperties": false,
436 "properties": {
437 "after": {
438 "type": "object",
439 "additionalProperties": false,
440 "properties": {
441 "default_browser_return_url": {
442 "$ref": "#/definitions/defaultReturnTo"
443 }
444 }
445 }
446 }
447 },
448 "registration": {
449 "type": "object",
450 "additionalProperties": false,
451 "properties": {
452 "ui_url": {
453 "title": "Registration UI URL",
454 "description": "URL where the Registration UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
455 "type": "string",
456 "format": "uri-reference",
457 "examples": [
458 "https://my-app.com/signup"
459 ],
460 "default": "https://www.ory.sh/kratos/docs/fallback/registration"
461 },
462 "lifespan": {
463 "type": "string",
464 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
465 "default": "1h",
466 "examples": [
467 "1h",
468 "1m",
469 "1s"
470 ]
471 },
472 "after": {
473 "$ref": "#/definitions/selfServiceAfterRegistration"
474 }
475 }
476 },
477 "login": {
478 "type": "object",
479 "additionalProperties": false,
480 "properties": {
481 "ui_url": {
482 "title": "Login UI URL",
483 "description": "URL where the Login UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
484 "type": "string",
485 "format": "uri-reference",
486 "examples": [
487 "https://my-app.com/login"
488 ],
489 "default": "https://www.ory.sh/kratos/docs/fallback/login"
490 },
491 "lifespan": {
492 "type": "string",
493 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
494 "default": "1h",
495 "examples": [
496 "1h",
497 "1m",
498 "1s"
499 ]
500 },
501 "after": {
502 "$ref": "#/definitions/selfServiceAfterLogin"
503 }
504 }
505 },
506 "verification": {
507 "title": "Email and Phone Verification and Account Activation Configuration",
508 "type": "object",
509 "additionalProperties": false,
510 "properties": {
511 "enabled": {
512 "type": "boolean",
513 "title": "Enable Email/Phone Verification",
514 "description": "If set to true will enable [Email and Phone Verification and Account Activation](https://www.ory.sh/kratos/docs/self-service/flows/verify-email-account-activation/).",
515 "default": false
516 },
517 "ui_url": {
518 "title": "Verify UI URL",
519 "description": "URL where the ORY Verify UI is hosted. This is the page where users activate and / or verify their email or telephone number. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
520 "type": "string",
521 "format": "uri-reference",
522 "examples": [
523 "https://my-app.com/verify"
524 ],
525 "default": "https://www.ory.sh/kratos/docs/fallback/verification"
526 },
527 "after": {
528 "type": "object",
529 "properties": {
530 "default_browser_return_url": {
531 "$ref": "#/definitions/defaultReturnTo"
532 }
533 },
534 "additionalProperties": false
535 },
536 "lifespan": {
537 "title": "Self-Service Verification Request Lifespan",
538 "description": "Sets how long the verification request (for the UI interaction) is valid.",
539 "type": "string",
540 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
541 "default": "1h",
542 "examples": [
543 "1h",
544 "1m",
545 "1s"
546 ]
547 }
548 }
549 },
550 "recovery": {
551 "title": "Account Recovery Configuration",
552 "type": "object",
553 "additionalProperties": false,
554 "properties": {
555 "enabled": {
556 "type": "boolean",
557 "title": "Enable Account Recovery",
558 "description": "If set to true will enable [Account Recovery](https://www.ory.sh/kratos/docs/self-service/flows/password-reset-account-recovery/).",
559 "default": false
560 },
561 "ui_url": {
562 "title": "Recovery UI URL",
563 "description": "URL where the ORY Recovery UI is hosted. This is the page where users request and complete account recovery. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
564 "type": "string",
565 "format": "uri-reference",
566 "examples": [
567 "https://my-app.com/verify"
568 ],
569 "default": "https://www.ory.sh/kratos/docs/fallback/recovery"
570 },
571 "after": {
572 "type": "object",
573 "properties": {
574 "default_browser_return_url": {
575 "$ref": "#/definitions/defaultReturnTo"
576 }
577 },
578 "additionalProperties": false
579 },
580 "lifespan": {
581 "title": "Self-Service Recovery Request Lifespan",
582 "description": "Sets how long the recovery request is valid. If expired, the user has to redo the flow.",
583 "type": "string",
584 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
585 "default": "1h",
586 "examples": [
587 "1h",
588 "1m",
589 "1s"
590 ]
591 }
592 }
593 },
594 "error": {
595 "type": "object",
596 "additionalProperties": false,
597 "properties": {
598 "ui_url": {
599 "title": "ORY Kratos Error UI URL",
600 "description": "URL where the ORY Kratos Error UI is hosted. Check the [reference implementation](https://github.com/ory/kratos-selfservice-ui-node).",
601 "type": "string",
602 "format": "uri-reference",
603 "examples": [
604 "https://my-app.com/kratos-error"
605 ],
606 "default": "https://www.ory.sh/kratos/docs/fallback/error"
607 }
608 }
609 }
610 }
611 },
612 "methods": {
613 "type": "object",
614 "additionalProperties": false,
615 "properties": {
616 "profile": {
617 "type": "object",
618 "additionalProperties": false,
619 "properties": {
620 "enabled": {
621 "type": "boolean",
622 "title": "Enables Profile Management Method",
623 "default": true
624 }
625 }
626 },
627 "link": {
628 "type": "object",
629 "additionalProperties": false,
630 "properties": {
631 "enabled": {
632 "type": "boolean",
633 "title": "Enables Link Method",
634 "default": true
635 }
636 }
637 },
638 "password": {
639 "type": "object",
640 "additionalProperties": false,
641 "properties": {
642 "enabled": {
643 "type": "boolean",
644 "title": "Enables Username/Email and Password Method",
645 "default": true
646 }
647 }
648 },
649 "oidc": {
650 "type": "object",
651 "additionalProperties": false,
652 "properties": {
653 "enabled": {
654 "type": "boolean",
655 "title": "Enables OpenID Connect Method",
656 "default": false
657 },
658 "config": {
659 "type": "object",
660 "additionalProperties": false,
661 "properties": {
662 "providers": {
663 "title": "OpenID Connect and OAuth2 Providers",
664 "description": "A list and configuration of OAuth2 and OpenID Connect providers ORY Kratos should integrate with.",
665 "type": "array",
666 "items": {
667 "$ref": "#/definitions/selfServiceOIDCProvider"
668 }
669 }
670 }
671 }
672 }
673 }
674 }
675 }
676 }
677 },
678 "dsn": {
679 "type": "string",
680 "title": "Data Source Name",
681 "description": "DSN is used to specify the database credentials as a connection URI.",
682 "examples": [
683 "postgres://user:password@postgresd:5432/database?sslmode=disable&max_conns=20&max_idle_conns=4",
684 "mysql://user:secret@tcp(mysqld:3306)/database?max_conns=20&max_idle_conns=4",
685 "cockroach://user@cockroachdb:26257/database?sslmode=disable&max_conns=20&max_idle_conns=4",
686 "sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc"
687 ]
688 },
689 "courier": {
690 "type": "object",
691 "title": "Courier configuration",
692 "description": "The courier is responsible for sending and delivering messages over email, sms, and other means.",
693 "properties": {
694 "template_override_path": {
695 "type": "string",
696 "title": "Override message templates",
697 "description": "You can override certain or all message templates by pointing this key to the path where the templates are located.",
698 "examples": [
699 "/conf/courier-templates"
700 ]
701 },
702 "smtp": {
703 "title": "SMTP Configuration",
704 "description": "Configures outgoing emails using the SMTP protocol.",
705 "type": "object",
706 "properties": {
707 "connection_uri": {
708 "title": "SMTP connection string",
709 "description": "This URI will be used to connect to the SMTP server. Use the `skip_ssl_verify` query parameter to allow (`?skip_ssl_verify=true`) or disallow (`?skip_ssl_verify=false`) self-signed TLS certificates. Please keep in mind that any host other than localhost / 127.0.0.1 must use SMTP over TLS (smtps) or the connection will not be possible.",
710 "examples": [
711 "smtps://foo:bar@my-mailserver:1234/?skip_ssl_verify=false"
712 ],
713 "type": "string",
714 "format": "uri"
715 },
716 "from_address": {
717 "title": "SMTP Sender Address",
718 "description": "The recipient of an email will see this as the sender address.",
719 "type": "string",
720 "format": "email",
721 "default": "no-reply@ory.kratos.sh"
722 }
723 },
724 "required": [
725 "connection_uri"
726 ],
727 "additionalProperties": false
728 }
729 },
730 "required": [
731 "smtp"
732 ],
733 "additionalProperties": false
734 },
735 "serve": {
736 "type": "object",
737 "properties": {
738 "admin": {
739 "type": "object",
740 "properties": {
741 "base_url": {
742 "title": "Admin Base URL",
743 "description": "The URL at which the admin endpoint is exposed.",
744 "type": "string",
745 "format": "uri",
746 "examples": [
747 "https://kratos.private-network:4434/"
748 ]
749 },
750 "host": {
751 "title": "Admin Host",
752 "description": "The host (interface) kratos' admin endpoint listens on.",
753 "type": "string",
754 "default": "0.0.0.0"
755 },
756 "port": {
757 "title": "Admin Port",
758 "description": "The port kratos' admin endpoint listens on.",
759 "type": "integer",
760 "minimum": 1,
761 "maximum": 65535,
762 "examples": [
763 4434
764 ],
765 "default": 4434
766 }
767 },
768 "additionalProperties": false
769 },
770 "public": {
771 "type": "object",
772 "properties": {
773 "cors": {
774 "type": "object",
775 "additionalProperties": false,
776 "description": "Configures Cross Origin Resource Sharing for public endpoints.",
777 "properties": {
778 "enabled": {
779 "type": "boolean",
780 "description": "Sets whether CORS is enabled.",
781 "default": false
782 },
783 "allowed_origins": {
784 "type": "array",
785 "description": "A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com). Only one wildcard can be used per origin.",
786 "items": {
787 "type": "string",
788 "minLength": 1,
789 "not": {
790 "type": "string",
791 "description": "matches all strings that contain two or more wildcards (*)",
792 "pattern": ".*\\*.*\\*.*"
793 },
794 "anyOf": [
795 {
796 "format": "uri"
797 },
798 {
799 "const": "*"
800 }
801 ]
802 },
803 "uniqueItems": true,
804 "default": [
805 "*"
806 ],
807 "examples": [
808 [
809 "https://example.com",
810 "https://*.example.com",
811 "https://*.foo.example.com"
812 ]
813 ]
814 },
815 "allowed_methods": {
816 "type": "array",
817 "description": "A list of HTTP methods the user agent is allowed to use with cross-domain requests.",
818 "default": [
819 "POST",
820 "GET",
821 "PUT",
822 "PATCH",
823 "DELETE"
824 ],
825 "items": {
826 "type": "string",
827 "enum": [
828 "POST",
829 "GET",
830 "PUT",
831 "PATCH",
832 "DELETE",
833 "CONNECT",
834 "HEAD",
835 "OPTIONS",
836 "TRACE"
837 ]
838 }
839 },
840 "allowed_headers": {
841 "type": "array",
842 "description": "A list of non-simple headers the client is allowed to use with cross-domain requests.",
843 "default": [
844 "Authorization",
845 "Content-Type",
846 "X-Session-Token"
847 ],
848 "items": {
849 "type": "string"
850 }
851 },
852 "exposed_headers": {
853 "type": "array",
854 "description": "Sets which response headers are safe to expose to the client, as defined by the CORS specification.",
855 "default": [
856 "Content-Type"
857 ],
858 "items": {
859 "type": "string"
860 }
861 },
862 "allow_credentials": {
863 "type": "boolean",
864 "description": "Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.",
865 "default": true
866 },
867 "options_passthrough": {
868 "type": "boolean",
869 "description": "TODO",
870 "default": false
871 },
872 "max_age": {
873 "type": "integer",
874 "description": "Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.",
875 "default": 0,
876 "minimum": 0
877 },
878 "debug": {
879 "type": "boolean",
880 "description": "Adds additional log output to debug server side CORS issues.",
881 "default": false
882 }
883 }
884 },
885 "base_url": {
886 "title": "Public Base URL",
887 "description": "The URL at which the public endpoint is exposed.",
888 "type": "string",
889 "format": "uri-reference",
890 "examples": [
891 "https://my-app.com/.ory/kratos/public",
892 "/.ory/kratos/public/"
893 ]
894 },
895 "host": {
896 "title": "Public Host",
897 "description": "The host (interface) kratos' public endpoint listens on.",
898 "type": "string",
899 "default": "0.0.0.0"
900 },
901 "port": {
902 "title": "Public Port",
903 "description": "The port kratos' public endpoint listens on.",
904 "type": "integer",
905 "minimum": 1,
906 "maximum": 65535,
907 "examples": [
908 4433
909 ],
910 "default": 4433
911 }
912 },
913 "additionalProperties": false
914 }
915 },
916 "additionalProperties": false
917 },
918 "log": {
919 "type": "object",
920 "properties": {
921 "level": {
922 "type": "string",
923 "enum": [
924 "trace",
925 "debug",
926 "info",
927 "warning",
928 "error",
929 "fatal",
930 "panic"
931 ]
932 },
933 "leak_sensitive_values": {
934 "type": "boolean",
935 "title": "Leak Sensitive Log Values",
936 "description": "If set to true, sensitive values (e.g. emails) will be written to the logs."
937 },
938 "format": {
939 "type": "string",
940 "enum": [
941 "json",
942 "text"
943 ]
944 }
945 },
946 "additionalProperties": false
947 },
948 "identity": {
949 "type": "object",
950 "properties": {
951 "default_schema_url": {
952 "title": "JSON Schema URL for default identity traits",
953 "description": "Path to the JSON Schema which describes a default identity's traits.",
954 "type": "string",
955 "format": "uri",
956 "examples": [
957 "file://path/to/identity.traits.schema.json",
958 "https://foo.bar.com/path/to/identity.traits.schema.json"
959 ]
960 },
961 "schemas": {
962 "type": "array",
963 "title": "Additional JSON Schemas for Identity Traits",
964 "examples": [
965 [
966 {
967 "id": "customer",
968 "url": "https://foo.bar.com/path/to/customer.traits.schema.json"
969 },
970 {
971 "id": "employee",
972 "url": "https://foo.bar.com/path/to/employee.traits.schema.json"
973 },
974 {
975 "id": "employee-v2",
976 "url": "https://foo.bar.com/path/to/employee.v2.traits.schema.json"
977 }
978 ]
979 ],
980 "items": {
981 "type": "object",
982 "properties": {
983 "id": {
984 "title": "The schema's ID.",
985 "type": "string",
986 "examples": [
987 "employee"
988 ]
989 },
990 "url": {
991 "type": "string",
992 "title": "Path to the JSON Schema",
993 "format": "uri",
994 "examples": [
995 "file://path/to/identity.traits.schema.json",
996 "https://foo.bar.com/path/to/identity.traits.schema.json"
997 ]
998 }
999 },
1000 "required": [
1001 "id",
1002 "url"
1003 ],
1004 "not": {
1005 "type": "object",
1006 "properties": {
1007 "id": {
1008 "const": "default"
1009 }
1010 },
1011 "additionalProperties": true
1012 }
1013 }
1014 }
1015 },
1016 "required": [
1017 "default_schema_url"
1018 ],
1019 "additionalProperties": false
1020 },
1021 "secrets": {
1022 "type": "object",
1023 "properties": {
1024 "default": {
1025 "type": "array",
1026 "title": "Default Encryption Signing Secrets",
1027 "description": "The first secret in the array is used for signing and encrypting things while all other keys are used to verify and decrypt older things that were signed with that old secret.",
1028 "items": {
1029 "type": "string",
1030 "minLength": 16
1031 },
1032 "uniqueItems": true
1033 },
1034 "cookie": {
1035 "type": "array",
1036 "title": "Signing Keys for Cookies",
1037 "description": "The first secret in the array is used for signing and encrypting cookies while all other keys are used to verify and decrypt older cookies that were signed with that old secret.",
1038 "items": {
1039 "type": "string",
1040 "minLength": 16
1041 },
1042 "uniqueItems": true
1043 }
1044 },
1045 "additionalProperties": false
1046 },
1047 "hashers": {
1048 "title": "Hashing Algorithm Configuration",
1049 "type": "object",
1050 "properties": {
1051 "argon2": {
1052 "title": "Configuration for the Argon2id hasher.",
1053 "type": "object",
1054 "properties": {
1055 "memory": {
1056 "type": "integer",
1057 "minimum": 16384
1058 },
1059 "iterations": {
1060 "type": "integer",
1061 "minimum": 1
1062 },
1063 "parallelism": {
1064 "type": "integer",
1065 "minimum": 1
1066 },
1067 "salt_length": {
1068 "type": "integer",
1069 "minimum": 16
1070 },
1071 "key_length": {
1072 "type": "integer",
1073 "minimum": 16
1074 }
1075 },
1076 "additionalProperties": false
1077 }
1078 },
1079 "additionalProperties": false
1080 },
1081 "session": {
1082 "type": "object",
1083 "additionalProperties": false,
1084 "properties": {
1085 "lifespan": {
1086 "title": "Session Lifespan",
1087 "description": "Defines how long a session is active. Once that lifespan has been reached, the user needs to sign in again.",
1088 "type": "string",
1089 "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
1090 "default": "24h",
1091 "examples": [
1092 "1h",
1093 "1m",
1094 "1s"
1095 ]
1096 },
1097 "cookie": {
1098 "type": "object",
1099 "properties": {
1100 "domain": {
1101 "title": "Session Cookie Domain",
1102 "description": "Sets the session cookie domain. Useful when dealing with subdomains. Use with care!",
1103 "type": "string"
1104 },
1105 "persistent": {
1106 "title": "Make Session Cookie Persistent",
1107 "description": "If set to true will persist the cookie in the end-user's browser using the `max-age` parameter which is set to the `session.lifespan` value. Persistent cookies are not deleted when the browser is closed (e.g. on reboot or alt+f4).",
1108 "type": "boolean",
1109 "default": true
1110 },
1111 "path": {
1112 "title": "Session Cookie Path",
1113 "description": "Sets the session cookie path. Use with care!",
1114 "type": "string",
1115 "default": "/"
1116 },
1117 "same_site": {
1118 "title": "Cookie Same Site Configuration",
1119 "type": "string",
1120 "enum": [
1121 "Strict",
1122 "Lax",
1123 "None"
1124 ],
1125 "default": "Lax"
1126 }
1127 },
1128 "additionalProperties": false
1129 }
1130 }
1131 },
1132 "version": {
1133 "title": "The kratos version this config is written for.",
1134 "description": "SemVer according to https://semver.org/ prefixed with `v` as in our releases.",
1135 "type": "string",
1136 "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$",
1137 "examples": [
1138 "v0.5.0-alpha.1"
1139 ]
1140 }
1141 },
1142 "allOf": [
1143 {
1144 "if": {
1145 "properties": {
1146 "selfservice": {
1147 "properties": {
1148 "flows": {
1149 "oneOf": [
1150 {
1151 "properties": {
1152 "verification": {
1153 "properties": {
1154 "enabled": {
1155 "const": true
1156 }
1157 },
1158 "required": [
1159 "enabled"
1160 ]
1161 }
1162 },
1163 "required": [
1164 "verification"
1165 ]
1166 },
1167 {
1168 "properties": {
1169 "recovery": {
1170 "properties": {
1171 "enabled": {
1172 "const": true
1173 }
1174 },
1175 "required": [
1176 "enabled"
1177 ]
1178 }
1179 },
1180 "required": [
1181 "recovery"
1182 ]
1183 }
1184 ]
1185 }
1186 },
1187 "required": [
1188 "flows"
1189 ]
1190 }
1191 },
1192 "required": [
1193 "selfservice"
1194 ]
1195 },
1196 "then": {
1197 "required": [
1198 "courier"
1199 ]
1200 }
1201 }
1202 ],
1203 "required": [
1204 "identity",
1205 "dsn",
1206 "selfservice"
1207 ]
1208}